You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
Configuring connectors via the database is very convenient but it currently forces secret material to be in plaintext in the database in the config column (same goes for using the config file, but there are some good enough established ways to deal with that situation).
Proposed Solution
It would be great if in every place where secret material is provided one could specify a config to read a key from a vault server.
The changes to do this are actually quite simple, and with a bit of diligence could even be done in a backward-compatible way where providing a plain string would just use whatever is passed, and when it's an object then it's parsed.
Alternatives Considered
What we're currently doing is redeploy our dex server every time we add a new connector, but since this is done dynamically by customers providing us with SSO configs, this isn't exactly a great experience since there are some fundamental race conditions involved in this and so if dex could natively support this use case, that would be ideal.
Additional Information
We'd be happy to give implementing this a shot in the coming weeks.
The text was updated successfully, but these errors were encountered:
@brancz, hello and welcome back! This is a great idea, and we would love to have it in Dex 👍
Some thoughts:
I'd like to see a more generic implementation of a secret store integration. Something like an interface with different implementations to get secrets from env variables, files, vault, etc. This feature has to be extendable.
Before diving into implementation, it would be awesome to discuss the design first. We suggest writing a proposal first to make the feature-accepting process smoother.
Preflight Checklist
Problem Description
Configuring connectors via the database is very convenient but it currently forces secret material to be in plaintext in the database in the
config
column (same goes for using the config file, but there are some good enough established ways to deal with that situation).Proposed Solution
It would be great if in every place where secret material is provided one could specify a config to read a key from a vault server.
The changes to do this are actually quite simple, and with a bit of diligence could even be done in a backward-compatible way where providing a plain string would just use whatever is passed, and when it's an object then it's parsed.
Alternatives Considered
What we're currently doing is redeploy our dex server every time we add a new connector, but since this is done dynamically by customers providing us with SSO configs, this isn't exactly a great experience since there are some fundamental race conditions involved in this and so if dex could natively support this use case, that would be ideal.
Additional Information
We'd be happy to give implementing this a shot in the coming weeks.
The text was updated successfully, but these errors were encountered: