-
Notifications
You must be signed in to change notification settings - Fork 134
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve SecretsManager API for easier configuration #9485
Comments
This proposal SGMT overall. Maybe nitpicking, but the URN rfc8141 provides means to define components specific to the URN resolution process and to the (resolved) resource. WDYT about a URN like the following?
|
Indeed we could use an r-component for the provider – but going down that route, I'd use an f-component for the secret key:
The only thing that annoys me is that the original syntax is easier to understand for users, i.e. But I like the r-component the idea :-) |
How about delegating resolution to runtime? That is URN: In this case Things like |
Most setups will have one - maybe two (Quarkus config + one secrets manager) sources. So too much flexibility doesn't add a lot of value. |
Issue description
I wonder if it's possible to change the
SecretsManager
API a bit to make the secret configuration experience more user-friendly.Here's an example of env vars for an ADLS account name + secret:
That's verbose, but I'm OK with that. But when we add caching + secret reloading on top of that (see #8707), I guess we'd need to get rid of mounting secrets that way, and instead we'd get something like this:
While this is way more concise, it's also a bit more opaque to the user, since 2 options were grouped together. In fact the grouping is rather for technical reasons: it's done merely to facilitate secret reloading and avoid broken rotated credentials.
If instead we can do the reloading at
SecretsManager
level, maybe we can keep the user-facing env vars more intuitive, and still achieve caching + reloading:In the above example, two keys come from the same secret
adls-account-secret
; the secret would befetched only once and cached. When the cache expires the secret is fetched again and all the keys
are updated together.
In this design each
URI
in the configuration points to exactly one value. The fact that some values might be declared in the same container (like a K8s Secret) becomes an implementation detail. This could also simplify theSecret
hierarchy as the application doesn't need to know if a secret is aTokenSecret
or aBasicCredentials
etc.The text was updated successfully, but these errors were encountered: