Fancy Secrets Support

[swankjesse]

Would be really nice to be able to declare config like so:

data class MyPartnerConfig(
    val base_url: String,
    val credential: SecretRef<MyPartnerCredential>
)

data class MyPartnerCredential(
    val auth_scheme: String,
    val auth_credential: String
)

With this app config YAML:

my_partner_service:
  base_url: https://example.com/v2/
  credential: filesystem:/etc/secrets/my_partner_credential.yaml

And this my_partner_credential.yaml:

auth_scheme: Bearer
auth_credential: peanutbutter

This uses a Misk-provided class for referencing secrets.

interface SecretRef<T> { 
    val value: T
}

It would also be nice to have it work if the partner credential is a different format. Some initial kinds:

• A .txt file for a single string. This is referenced as SecretRef<String> and decoded as UTF-8 and then trimmed.
• A .pem file for a private key. This referenced as a SecretRef<TrustStore> and parsed with SslLoader.
• A .json file for a JSON file. This is referenced as a SecretRef<MyObject> and parsed with Moshi.

Secrets are loaded and parsed at config-parsing time. So if a secret is bad, we find out during startup!

[acostama]

Would the intent to access the credential be: myPartnerConfig.credential.auth_credential? Or would myPartnerConfig.credential["auth_credential"] work as well. Or even with some intermediary field myPartnerConfig.credential.value.auth_credential.

[swankjesse]

I think it’s myPartnerConfig.credential.value.auth_credential.