Blip.Starter.Common.Secrets
0.0.23
dotnet add package Blip.Starter.Common.Secrets --version 0.0.23
NuGet\Install-Package Blip.Starter.Common.Secrets -Version 0.0.23
<PackageReference Include="Blip.Starter.Common.Secrets" Version="0.0.23" />
paket add Blip.Starter.Common.Secrets --version 0.0.23
#r "nuget: Blip.Starter.Common.Secrets, 0.0.23"
// Install Blip.Starter.Common.Secrets as a Cake Addin
#addin nuget:?package=Blip.Starter.Common.Secrets&version=0.0.23
// Install Blip.Starter.Common.Secrets as a Cake Tool
#tool nuget:?package=Blip.Starter.Common.Secrets&version=0.0.23
Blip.Starter.Common.Secrets
First of all, please read all pages of our Secrets documentation.
Secrets are confidential information that should not be exposed in your code. This includes passwords, API keys, tokens, etc.
This library provides a way to retrieve secrets from a secret storage. Currently, HashiCorp Vault is the only supported secret storage.
Follow the configuration steps below to set it up. Please also read our documentation about .NET secrets access.
Configuring your application
To configure your application you need to add the Blip.Starter.Common.Secrets NuGet package to your project.
The NuGet package is published in our private NuGet repository: https://dev.azure.com/curupira/BLiP/_artifacts/feed/BlipNuget/NuGet/Blip.Starter.Common.Secrets/overview
To access it locally you will need to install Azure Artifacts credential provider.
To configure this library you need to provide an ISecretConfiguration. You may create one yourself programmatically or use the DefaultSecretConfiguration, which reads the following environment variables:
| Environment Variable | Description | Default Value | Available Values |
|---|---|---|---|
| SECRETS_ENABLED | Enable or disable the secrets configuration | true | true, false |
| SECRETS_ENGINE | The secret engine to be used. You can also disable secret loading by using the Null or Noop engines. | HashicorpVault | HashicorpVault, Noop, Null |
| SECRETS_PATHS | Additional paths to be used to retrieve secrets. | "" | Any valid string |
| SECRETS_ENABLE_TENANT_PATH | Add the default tenant path as a secret path to load. | false | true, false |
| SECRETS_ENABLE_HOST_SERVICE_NAME_PATH | Add the default application service name path as a secret path to load. | false | true, false |
Here is the engine-specific configuration:

| Environment Variable | Description | Default Value | Available Values |
|---|---|---|---|
| SECRETS_HASHICORP_VAULT_URL | The URL of the Vault server. | http://localhost:8200 | Any valid URL |
| SECRETS_HASHICORP_VAULT_ROLE_NAME | The role name used to authenticate in Vault. | The same as the environment's HostServiceName, which is configured by the environment variable HOST_SERVICE_NAME | Any valid string |
| SECRETS_HASHICORP_VAULT_MOUNT_POINT | The auth mount point used to authenticate in Vault. | The same as the environment's ClusterName, which is configured by the environment variable CLUSTER_NAME | Any valid string |
| SECRETS_HASHICORP_VAULT_SERVICE_ACCOUNT_PATH | The path to the service account token file used to authenticate in Vault. | /var/run/secrets/kubernetes.io/serviceaccount/token | Any valid string |

Two things to keep in mind. The default URL is plaintext http and is only appropriate for a Vault dev server on the developer's own machine; in any shared environment set SECRETS_HASHICORP_VAULT_URL to an https endpoint, otherwise the service account token and every secret read travel in clear. The role name, mount point and service account token path together correspond to Vault's Kubernetes auth method: the token file is the one Kubernetes projects into the pod by default, and the Vault role named by SECRETS_HASHICORP_VAULT_ROLE_NAME must be bound to the pod's service account and namespace, or authentication fails before any secret is read.
ASP.NET Core
To integrate this library with an ASP.NET Core application, go to your Startup.cs file, or wherever you configure the framework, and add the following code:
```csharp
// You can change the configuration if needed, but prefer changing it through
// environment variables rather than hardcoding values in your code.
ISecretConfiguration configuration = new DefaultSecretConfiguration();
// Creates the environment from environment variables.
var environment = Blip.Starter.Common.Env.Environment.FromEnvironmentVariables();
// Adds the secrets to the configuration builder, using the 'SecretConfigurationExtensions' extension.
// You may omit all arguments and let the configuration be loaded from environment variables.
// You may also hardcode the engine here by providing the engine parameter, but prefer the environment variable.
builder.Configuration.AddSecrets(
    environment: environment,
    configuration: configuration);
```
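The snippet above only wires the provider in. What a practitioner usually wants on top of that is a fail-fast posture: refuse a plaintext Vault endpoint outside a developer machine, and validate the secret-backed options at startup so a missing secret stops the process instead of surfacing as a null password on the first request. The following Program.cs is an added example written for this page, not code from the package; it assumes the AddSecrets, DefaultSecretConfiguration and Environment.FromEnvironmentVariables shapes shown on this page, a Blip.Starter.Common.Secrets namespace, and that the loaded secrets land in configuration under Database:ConnectionString and Database:Password (nested keys are addressed with ':' as described in the manual section). The DatabaseOptions class and the /healthz endpoint are illustrative.

```csharp
// Added example (not part of the package): fail-fast wiring for Blip.Starter.Common.Secrets.
using System;
using System.ComponentModel.DataAnnotations;
using Blip.Starter.Common.Secrets;           // assumed namespace of the package
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Options;

// Illustrative options class; the section name "Database" is an assumption.
public sealed class DatabaseOptions
{
    [Required] public string ConnectionString { get; set; } = "";
    [Required, MinLength(16)] public string Password { get; set; } = "";
}

public static class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        // The library defaults to http://localhost:8200. That is fine for a local dev Vault,
        // but on a shared network it would send the service account token and every secret
        // in clear, so refuse a plaintext endpoint anywhere except the Development environment.
        var vaultUrl = System.Environment.GetEnvironmentVariable("SECRETS_HASHICORP_VAULT_URL")
                       ?? "http://localhost:8200";
        if (!builder.Environment.IsDevelopment()
            && !vaultUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                "SECRETS_HASHICORP_VAULT_URL must use https outside the Development environment.");
        }

        // Same wiring as the page's snippet: everything else comes from environment variables.
        ISecretConfiguration configuration = new DefaultSecretConfiguration();
        var environment = Blip.Starter.Common.Env.Environment.FromEnvironmentVariables();
        builder.Configuration.AddSecrets(environment: environment, configuration: configuration);

        // Bind the secret-backed section and validate it while the host starts, so a missing
        // or too-short secret aborts startup instead of being discovered on the first request.
        builder.Services.AddOptions<DatabaseOptions>()
            .Bind(builder.Configuration.GetSection("Database"))
            .ValidateDataAnnotations()
            .ValidateOnStart();

        var app = builder.Build();

        // Consumers take IOptions<DatabaseOptions>; never echo the secret values themselves.
        app.MapGet("/healthz", (IOptions<DatabaseOptions> db) =>
            Results.Ok(new { databaseConfigured = db.Value.ConnectionString.Length > 0 }));

        app.Run();
    }
}
```

ValidateOnStart is what turns a configuration gap into a startup failure; without it, AddOptions validation only runs when IOptions&lt;T&gt;.Value is first accessed, which can be long after the deployment was declared healthy.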
Manual configuration
If you are not using ASP.NET Core you can configure the library manually and obtain the secrets dictionary directly, without integrating it with Microsoft's ConfigurationBuilder:
```csharp
// You can change the configuration if needed, but prefer changing it through
// environment variables rather than hardcoding values in your code.
ISecretConfiguration configuration = new DefaultSecretConfiguration();
// Creates the environment from environment variables.
var environment = Blip.Starter.Common.Env.Environment.FromEnvironmentVariables();
// Load the secrets from the secret storage.
// If secrets are disabled (SECRETS_ENABLED=false, or the Null/Noop engine) this returns an empty dictionary.
var dictionary = await SecretStarter.Load(
    engine: SecretEngine.Vault,
    environment: environment,
    configuration: configuration);
// Access the secrets using the returned dictionary.
// Embedded JSON objects are also supported, but to access them you need to use ':' to separate the keys.
// Example: "secretKey:myEmbeddedSecret"
```
Writing custom secrets
Your application can also write custom secrets under a folder structure that fits your needs.
Step one
Register the Vault engine with .AddVaultEngine in your DI registration so that an IEngine can be resolved, as in the example below.
```csharp
// First scenario: you already initialized your environment and configuration values.
builder.Services.AddVaultEngine(
    environment: environment,
    configuration: configuration
);

// Or let the library initialize the service from environment variables.
builder.Services.AddVaultEngine();
```
Step two
In your application code, receive an IEngine instance from the DI container, as in the example below:

```csharp
private readonly IEngine _engine;

public WeatherForecastController(IEngine engine)
{
    _engine = engine;
}
```
Step three
Now you can invoke the write methods. Both take the relative path and the data to store:
PatchSecretsAsync: updates the stored data if it already exists, or creates it otherwise. Keys not present in the dictionary keep their current value.

```csharp
var path = "testbot@msging.net/sense-config";
Dictionary<string, object> dictionaryToSave = new Dictionary<string, object>();
await _engine.PatchSecretsAsync(path, dictionaryToSave);
```

CreateSecretsAsync: creates the secret data, or replaces all of the stored data if it already exists.

```csharp
var path = "testbot@msging.net/sense-config";
Dictionary<string, object> dictionaryToSave = new Dictionary<string, object>();
await _engine.CreateSecretsAsync(path, dictionaryToSave);
```
Reading custom secrets
All custom secrets are stored in Vault under a fixed prefix built from the cluster and application name. If your application is named msging-server and runs in the take cluster, saving to the path testbot@msging.net/sense-config stores the data under the following key:
take / msging-server / custom / testbot@msging.net / sense-config
To read it back, use ReadSecretsAsync on the IEngine:

```csharp
var path = "testbot@msging.net/sense-config";
// Using the same values as the writing example, this reads the secret at the custom secret path:
// take / msging-server / custom / testbot@msging.net / sense-config
var secrets = await _engine.ReadSecretsAsync(path);
```
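The path passed to the write and read methods is built from tenant-controlled identifiers such as testbot@msging.net, so a practitioner will want a single place that validates the path before it reaches Vault and that makes the patch-versus-replace distinction explicit. The class below is an added example written for this page, not code from the package. It assumes IEngine exposes PatchSecretsAsync and CreateSecretsAsync taking (string path, Dictionary&lt;string, object&gt; data), and a read method named ReadSecretsAsync(string path) returning IDictionary&lt;string, object&gt; (the page does not state the return type, so that is an assumption); BotSecretStore, BuildPath and the allowed-character rule are hypothetical.

```csharp
// Added example (not part of the package): a guarded wrapper around the page's IEngine.
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Blip.Starter.Common.Secrets;   // assumed namespace of IEngine
using Microsoft.Extensions.Logging;

public sealed class BotSecretStore
{
    // Path segments come from tenant-controlled identifiers, so allow only a conservative
    // character set and reject "." and ".." outright; anything else could move the write
    // out of the <cluster>/<service>/custom/ subtree the page describes.
    private static readonly Regex SafeSegment = new(@"^[A-Za-z0-9._@-]{1,128}$", RegexOptions.Compiled);

    private readonly IEngine _engine;
    private readonly ILogger<BotSecretStore> _logger;

    public BotSecretStore(IEngine engine, ILogger<BotSecretStore> logger)
    {
        _engine = engine;
        _logger = logger;
    }

    // Builds "<botIdentity>/<name>", e.g. "testbot@msging.net/sense-config", or throws.
    public static string BuildPath(string botIdentity, string name)
    {
        foreach (var segment in new[] { botIdentity, name })
        {
            if (segment is null || segment == "." || segment == ".." || !SafeSegment.IsMatch(segment))
                throw new ArgumentException($"Unsafe secret path segment: '{segment}'");
        }
        return $"{botIdentity}/{name}";
    }

    // Merge semantics (PatchSecretsAsync): keys absent from `values` keep their stored value.
    public Task UpsertAsync(string botIdentity, string name, Dictionary<string, object> values)
    {
        var path = BuildPath(botIdentity, name);
        // Log the path and the number of keys, never the values.
        _logger.LogInformation("Patching {KeyCount} keys at custom secret path {Path}", values.Count, path);
        return _engine.PatchSecretsAsync(path, values);
    }

    // Replace semantics (CreateSecretsAsync): the whole document is overwritten. Use this
    // when rotating credentials so that retired keys do not linger next to the new ones.
    public Task ReplaceAsync(string botIdentity, string name, Dictionary<string, object> values)
    {
        var path = BuildPath(botIdentity, name);
        _logger.LogInformation("Replacing custom secret document at {Path}", path);
        return _engine.CreateSecretsAsync(path, values);
    }

    // Reads one top-level key; returns null when the document or the key does not exist.
    public async Task<string?> ReadStringAsync(string botIdentity, string name, string key)
    {
        IDictionary<string, object> secrets = await _engine.ReadSecretsAsync(BuildPath(botIdentity, name));
        return secrets != null && secrets.TryGetValue(key, out var value) ? value?.ToString() : null;
    }
}
```

Usage follows the page's example: store.UpsertAsync("testbot@msging.net", "sense-config", new Dictionary&lt;string, object&gt; { ["apiKey"] = key }) merges a key into the document at take / msging-server / custom / testbot@msging.net / sense-config, while ReplaceAsync with the same arguments discards whatever else was stored there.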
Adding secrets to the secret storage
To add new secrets in our production secret storage you must create a new service request.
TODO: add SR link and owner team
| Product | Versions Compatible and additional computed target framework versions. |
|---|---|
| .NET | net6.0 is compatible. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
Dependencies (net6.0)
- Blip.Starter.Common.Env (>= 0.0.23)
- Microsoft.Extensions.Configuration (>= 6.0.1)
- Microsoft.Extensions.Configuration.Json (>= 6.0.0)
- Microsoft.Extensions.Logging (>= 6.0.0)
- VaultSharp (>= 1.13.0.1)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.