
KubeClient & Core Data Protection

Open rriverak opened this issue 5 years ago • 15 comments

Hey, thank you for this very handy client!
I currently have the need to enable Data Protection in my distributed dotnet application(s).

I would like to use native Kubernetes Secrets for this. A third-party Secret-Vault like HashiCorp Vault seems oversized to me. In my opinion, this scenario can be covered by Kubernetes alone.

A Package based on KubeClient.Extensions.Configuration could do that safely and quickly.

I think we just need some GlueCode between DataProtection and KubeClient.

services.AddDataProtection()
// Get Key-Signing Certificate from a Kubernetes Secret
.ProtectKeysWithKubernetesSecret(...)
// Store signed Rotated-Keys in a Kubernetes Secret
.PersistKeysToKubernetesSecret(...)

It would then end in an KubeClient.Extensions.DataProtection package.

How can I contribute something like that? or do you see something like this outside of this project?

rriverak avatar Sep 13 '19 08:09 rriverak

Hi - this sounds like a great idea :)

I’m happy for you to open a PR if you would like to have a go at this (and am happy to help out if there’s anywhere you get stuck that I actually know something about).

tintoy avatar Sep 13 '19 09:09 tintoy

If you’re not sure how to start I could create a branch and sketch out the project structure so you could drop your code in)...

tintoy avatar Sep 13 '19 09:09 tintoy

Hey, thanks for the very fast answer :) I would first write a small application and test the procedure in minikube.

If this works as expected, I will transfer it to a netstandard2.0 library. After or during that, I would contact you again to get a branch and sketch out the project structure.

Many thanks!

rriverak avatar Sep 13 '19 12:09 rriverak

So, after the first few tests.. I would not build on top of the KubeClient.Extensions.Configuration package..
The idea was to hook the secret loading implementation, but I see no clean way outside of IConfiguration...

The real problem here is that the IConfiguration contains the plain DataProtection keys over the whole runtime, and this could be a bad idea ;)

For now, I start the implementation with the pure KubeClient and request / create / update the Secret directly...

rriverak avatar Sep 13 '19 15:09 rriverak
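The approach described in the comment above (talk to the Secret through KubeClient directly, so the key ring is only ever held by the Data Protection key manager and never sits in IConfiguration), written out as an added illustration. This is not code from the thread, from rriverak's test repository, or from the KubeClient.Extensions.DataProtection package that was later published; the extension-method names mirror the sketch in the opening post but are hypothetical. Assumed KubeClient surface: KubeApiClient, SecretsV1().Get / Create / Update (JSON patch), SecretV1.Data as base64 strings, ObjectMetaV1.ResourceVersion, and Get returning null for a missing Secret. Assumed Secret layout for the certificate: entries "cert.pfx" and "password".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Xml.Linq;
using KubeClient;
using KubeClient.Models;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.Repositories;

// Added illustration, not the project's code. KubeClient calls below are assumed
// (SecretsV1().Get/Create/Update, SecretV1.Data, ObjectMetaV1.ResourceVersion);
// Get is assumed to return null when the Secret does not exist.
public sealed class KubeSecretXmlRepository : IXmlRepository
{
    private readonly KubeApiClient _client;
    private readonly string _secretName;
    private readonly string _namespace;

    public KubeSecretXmlRepository(KubeApiClient client, string secretName, string kubeNamespace)
    {
        _client = client ?? throw new ArgumentNullException(nameof(client));
        _secretName = secretName ?? throw new ArgumentNullException(nameof(secretName));
        _namespace = kubeNamespace ?? throw new ArgumentNullException(nameof(kubeNamespace));
    }

    // Called by the key manager when it (re)loads the key ring. Nothing is cached here,
    // so the only long-lived copy of the keys is the one the key manager itself holds.
    public IReadOnlyCollection<XElement> GetAllElements()
    {
        SecretV1 secret = _client.SecretsV1().Get(_secretName, _namespace).GetAwaiter().GetResult();
        if (secret?.Data == null)
            return Array.Empty<XElement>();

        // Each Secret entry is one key XML document; the API server base64-encodes Data values.
        return secret.Data.Values
            .Select(b64 => XElement.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(b64))))
            .ToList();
    }

    // Called when a key is created or revoked. The element arrives already encrypted when an
    // IXmlEncryptor (e.g. ProtectKeysWithCertificate) is configured; otherwise it is plaintext.
    public void StoreElement(XElement element, string friendlyName)
    {
        string entry = (friendlyName ?? Guid.NewGuid().ToString("N")) + ".xml";
        string payload = Convert.ToBase64String(
            Encoding.UTF8.GetBytes(element.ToString(SaveOptions.DisableFormatting)));

        SecretV1 existing = _client.SecretsV1().Get(_secretName, _namespace).GetAwaiter().GetResult();
        if (existing == null)
        {
            var created = new SecretV1
            {
                Metadata = new ObjectMetaV1 { Name = _secretName, Namespace = _namespace },
                Type = "Opaque",
            };
            created.Data[entry] = payload;
            _client.SecretsV1().Create(created).GetAwaiter().GetResult();
            return;
        }

        // Read-modify-write guarded by a JSON-patch "test" on resourceVersion: if another replica
        // rotated a key in between, the API server rejects the patch instead of this write
        // silently dropping that replica's key.
        existing.Data[entry] = payload;
        _client.SecretsV1().Update(_secretName, patch =>
        {
            patch.Test(s => s.Metadata.ResourceVersion, existing.Metadata.ResourceVersion);
            patch.Replace(s => s.Data, existing.Data);
        }, _namespace).GetAwaiter().GetResult();
    }
}

public static class KubeDataProtectionExtensions
{
    // Hypothetical names from the thread's sketch, not the published package API.
    public static IDataProtectionBuilder PersistKeysToKubernetesSecret(
        this IDataProtectionBuilder builder, KubeApiClient client, string secretName, string kubeNamespace)
        => builder.AddKeyManagementOptions(o =>
            o.XmlRepository = new KubeSecretXmlRepository(client, secretName, kubeNamespace));

    // Loads a PFX and its password from a Secret (assumed entries "cert.pfx" and "password")
    // and uses that certificate to encrypt every key before it is written to the key-ring Secret.
    public static IDataProtectionBuilder ProtectKeysWithKubernetesSecret(
        this IDataProtectionBuilder builder, KubeApiClient client, string secretName, string kubeNamespace)
    {
        SecretV1 secret = client.SecretsV1().Get(secretName, kubeNamespace).GetAwaiter().GetResult()
            ?? throw new InvalidOperationException($"Secret {kubeNamespace}/{secretName} not found.");
        byte[] pfx = Convert.FromBase64String(secret.Data["cert.pfx"]);
        string password = Encoding.UTF8.GetString(Convert.FromBase64String(secret.Data["password"]));
        var cert = new X509Certificate2(pfx, password, X509KeyStorageFlags.EphemeralKeySet);
        return builder.ProtectKeysWithCertificate(cert);
    }
}

// Wiring in ConfigureServices; client assumed created with KubeApiClient.CreateFromPodServiceAccount():
//   services.AddDataProtection()
//       .ProtectKeysWithKubernetesSecret(client, "dp-cert", "default")
//       .PersistKeysToKubernetesSecret(client, "dp-keys", "default");
```

Two things a practitioner would check before relying on this. First, without ProtectKeysWith* the key XML lands in the Secret in plaintext, so anyone with `get` on Secrets in that namespace (and anyone reading etcd without encryption at rest) has the application's keys; the certificate step is what makes the Secret safe to treat as ordinary cluster state. Second, scope the pod's ServiceAccount with a Role that allows `get`, `create` and `patch` only on those two Secret names (`resourceNames`), not on all Secrets in the namespace.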

That seems to work well now.

Here is my test repository: https://github.com/rriverak/KubeClient.Extensions.DataProtection

rriverak avatar Sep 13 '19 18:09 rriverak

Wow - you work fast :)

I'm happy to handle this 1 of 2 ways (although feel free to suggest something else if you have other preferences):

  1. I can pull your code into this repository and get it released and published along the rest of KubeClient (I'll add you as a repo contributor so you can help maintain it).
  2. I can help you set up CI to get your package built and published from your own repo in a way that's similar/compatible to how it's done for KubeClient (you'll decide when you want to release new versions of your package). Given the way KubeClient was designed and built, this is also a totally valid way to release additional functionality for it.

tintoy avatar Sep 13 '19 21:09 tintoy

I'm a fan of monorepos ;-) I would be very happy to see my code in the KubeClient repository :)

rriverak avatar Sep 13 '19 21:09 rriverak

Ok, I’ll have a go at integrating your code this weekend on a branch and get you to do a review when it’s ready. How’s that sound?

tintoy avatar Sep 13 '19 22:09 tintoy

What version of ASP.NET Core are you expecting to target? This will affect the library’s TargetFramework (I think 3.x, for example, only supports netcoreapp from memory but I could be mistaken - I’m on my phone at the moment).

tintoy avatar Sep 14 '19 09:09 tintoy

(technically netstandard2.1 but we’ll have to multi-target if you want to support ASP.NET Core 2.x as well)

tintoy avatar Sep 14 '19 09:09 tintoy

I think it's good to support .NET Core 2.2. After all, there is an LTS release for .NET Core 2.2.

The target of Microsoft.AspNetCore.DataProtection 2.2.x is netstandard2.0. I think we can follow that for now.

In 3.0.0-preview9 they target both netstandard2.0;netcoreapp3.0

rriverak avatar Sep 14 '19 12:09 rriverak

Good-o, I’ll get started on this first thing tomorrow (it’s 10pm here).

tintoy avatar Sep 14 '19 12:09 tintoy

many thanks for your effort! I have no time pressure on this topic. :)

rriverak avatar Sep 14 '19 12:09 rriverak

Sorry this has taken so long, work’s been a bit crazy!

I’m going to try to get this finished off over the weekend.

tintoy avatar Oct 04 '19 08:10 tintoy

Ok - I've published a build of the new package to the dev package feed (https://www.myget.org/F/dotnet-kube-client/api/v3/index.json).

Would you mind trying out the package and letting me know if it works for you? You're looking for KubeClient.Extensions.DataProtection, version 2.4.0-data-protection0006.

tintoy avatar Oct 05 '19 07:10 tintoy

And, years later, this has finally been implemented; sorry it took so long 🙂

Published as KubeClient.Extensions.DataProtection v2.5.8.

tintoy avatar May 19 '24 01:05 tintoy