wstrange/secret-spec.yaml

## secret-spec.yaml
# A CRD that describes secrets required by the platform, how to generate/find them,
#  how to mount them, etc.
# This should be able to cover all FRaaS and CDM use cases:
# 1) All random secrets every time this CRD is deployed
# 2) All secrets come from the GCP SM - assumed to be pre-created
# 3) Pull secret from GCP SM if available, otherwise generate random, then store in GCP SM for future use
# 4) Random on first install, but prefer an existing K8S secret if available
# 5) Other combinations of the above...
kind: org.forgerock.SecretSpec
apiVersion: betav1
metadata:
  name: platform-secrets-spec
  # This is namespaced resource. If we want secrets across namespaces we should
  # create multiple instances.
  namespace: prod
spec:
  # Spec for how to interface to a secret source
  # The built in source "kubernetes" is provided - i.e. an existing k8s secret
  secretSource:
  # A platform secret source - e.g. GCP Secret Manager
  - name: sm
    gcp:
      project: blah-blah
  # A source that generates random 32 char values
  - name: random32
    random:
      length: 32
  # A source for TLS certs
  - name: tls-rsa
    rsa: {} # todo...

  # This section is the default treatment of secrets unless it is specifically overridden
  # TODO: Can we get rid of this default section by enhancing the secretSource above with
  # priority info.
  secretDefaults:
    # An ordered list of how to lookup the secret. If not found in the first source, try the second, etc.
    # sm -> look up in the gcp secret manager first (if one is defined)
    # kubernetes -> Use the existing k8s secret of the same name
    # random -> generate a value.
    source: [ "sm", "kubernetes", "random32"]
    # Where to save the secret. Saves to *all* destinations in the list
    # The example below saves to a k8s secret (if required), and the secret manager
    destination: ["kubernetes", "sm"]
    # Needs more thought - but the idea is if the secret itself is
    # encyrpted with a master password. For example, an AM instance key
    encrypted: {}

  # Now we list all the secrets. The idea is to make it easy to introduce new secrets
  # Todo: What about keystores, TLS certs, etc?
  secrets:
  # Each secret has a unique name. A k8s secret with this name will be created.
  # For this secret we use all the defaults
  - name: idrepo-admin-password
  # The secret below can only come from the secret manager
  - name: oauth2-idm-client-secret
    source: ["sm"]
    # Getting fancy here... the spec below deterimines how
    # the secret gets presented to a pod (env var or mounted).
    # To keep it simple - follow a convention.
    # This would be implemented by an admission controller
    podSelector:
      # Inject as env var
      env:
        # Match label expression.
        # https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
        app: amster
      # Or a secret file. Mounted at /var/run/secrets/$secret-name
      path:
        # Again - a match label expression
        app: amster
# todo:
# What about secret rotation?
	# A CRD that describes secrets required by the platform, how to generate/find them,
	# how to mount them, etc.
	# This should be able to cover all FRaaS and CDM use cases:
	# 1) All random secrets every time this CRD is deployed
	# 2) All secrets come from the GCP SM - assumed to be pre-created
	# 3) Pull secret from GCP SM if available, otherwise generate random, then store in GCP SM for future use
	# 4) Random on first install, but prefer an existing K8S secret if available
	# 5) Other combinations of the above...
	kind: org.forgerock.SecretSpec
	apiVersion: betav1
	metadata:
	name: platform-secrets-spec
	# This is namespaced resource. If we want secrets across namespaces we should
	# create multiple instances.
	namespace: prod
	spec:
	# Spec for how to interface to a secret source
	# The built in source "kubernetes" is provided - i.e. an existing k8s secret
	secretSource:
	# A platform secret source - e.g. GCP Secret Manager
	- name: sm
	gcp:
	project: blah-blah
	# A source that generates random 32 char values
	- name: random32
	random:
	length: 32
	# A source for TLS certs
	- name: tls-rsa
	rsa: {} # todo...

	# This section is the default treatment of secrets unless it is specifically overridden
	# TODO: Can we get rid of this default section by enhancing the secretSource above with
	# priority info.
	secretDefaults:
	# An ordered list of how to lookup the secret. If not found in the first source, try the second, etc.
	# sm -> look up in the gcp secret manager first (if one is defined)
	# kubernetes -> Use the existing k8s secret of the same name
	# random -> generate a value.
	source: [ "sm", "kubernetes", "random32"]
	# Where to save the secret. Saves to all destinations in the list
	# The example below saves to a k8s secret (if required), and the secret manager
	destination: ["kubernetes", "sm"]
	# Needs more thought - but the idea is if the secret itself is
	# encyrpted with a master password. For example, an AM instance key
	encrypted: {}

	# Now we list all the secrets. The idea is to make it easy to introduce new secrets
	# Todo: What about keystores, TLS certs, etc?
	secrets:
	# Each secret has a unique name. A k8s secret with this name will be created.
	# For this secret we use all the defaults
	- name: idrepo-admin-password
	# The secret below can only come from the secret manager
	- name: oauth2-idm-client-secret
	source: ["sm"]
	# Getting fancy here... the spec below deterimines how
	# the secret gets presented to a pod (env var or mounted).
	# To keep it simple - follow a convention.
	# This would be implemented by an admission controller
	podSelector:
	# Inject as env var
	env:
	# Match label expression.
	# https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
	app: amster
	# Or a secret file. Mounted at /var/run/secrets/$secret-name
	path:
	# Again - a match label expression
	app: amster
	# todo:
	# What about secret rotation?