Allow reading secrets from Vault

[brancz]

Preflight Checklist

• I agree to follow the Code of Conduct that this project adheres to.
• I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

Configuring connectors via the database is very convenient but it currently forces secret material to be in plaintext in the database in the config column (same goes for using the config file, but there are some good enough established ways to deal with that situation).

Proposed Solution

It would be great if in every place where secret material is provided one could specify a config to read a key from a vault server.

The changes to do this are actually quite simple, and with a bit of diligence could even be done in a backward-compatible way where providing a plain string would just use whatever is passed, and when it's an object then it's parsed.

Alternatives Considered

What we're currently doing is redeploy our dex server every time we add a new connector, but since this is done dynamically by customers providing us with SSO configs, this isn't exactly a great experience since there are some fundamental race conditions involved in this and so if dex could natively support this use case, that would be ideal.

Additional Information

We'd be happy to give implementing this a shot in the coming weeks.

[nabokihms]

@brancz, hello and welcome back! This is a great idea, and we would love to have it in Dex 👍

Some thoughts:

1. I'd like to see a more generic implementation of a secret store integration. Something like an interface with different implementations to get secrets from env variables, files, vault, etc. This feature has to be extendable.
2. Before diving into implementation, it would be awesome to discuss the design first. We suggest writing a proposal first to make the feature-accepting process smoother.

Looking forward to working on this one together.