Secure configuration using Vault.
Adds the secured and centralized configuration storage integration using Vault.
dotnet add package Convey.Configurations.Vault
Extend Program.cs
-> CreateDefaultBuilder()
with UseVault()
that will add the required services and fetch the options from Vault key-value secret storage during an application startup.
public static IWebHostBuilder GetWebHostBuilder(string[] args)
=> WebHost.CreateDefaultBuilder(args)
.ConfigureServices(services => services.AddConvey().Build())
.UseVault();
enabled
- determines whether Vault integration is going to be available.url
- URL of the Vault service.authType
- authentication type, possible values: token
, userpass
.token
- a secret token used to authenticate to Vault, used when authType
= token
.username
- name of the user used to authenticate to Vault, used when authType
= userpass
.password
- password of the user used to authenticate to Vault, used when authType
= userpass
.kv
- KV storage used for loading JSON settings during application startup."vault": {
"enabled": true,
"url": "http://localhost:8200",
"authType": "token",
"token": "secret",
"username": "user",
"password": "secret",
"kv": {
"enabled": true,
"engineVersion": 2,
"mountPoint": "kv",
"path": "some-service/settings"
},
"pki": {
"enabled": true,
"roleName": "some-service",
"commonName": "some-service.some-app.io"
},
"lease": {
"mongo": {
"type": "database",
"roleName": "some-service",
"enabled": true,
"autoRenewal": true,
"templates": {
"connectionString": "mongodb://:@localhost:27017"
}
}
}
}
Beware that storing the secret token or other type of credentials used while authenticating to Vault during an application startup in appsettings.json
file is not really secure. Instead, you should set these values by using e.g. environment variables when deploying your services to the server/cloud - such scenario can be done in a numerous ways, either by CI/CD tools or even with the usage of manual deployment.
Each setting within the appsettings.json
file can be overriden with a proper environment variable. You can also override Vault settings with the following (custom) environment variables: