docs: add secret management proposal

KusionStack · Nov 27, 2023 · ac30220 · ac30220
1 parent 087aa81
commit ac30220
Showing 1 changed file with 40 additions and 12 deletions.
diff --git a/docs/design/secret_management.md b/docs/design/secret_management.md
@@ -14,31 +14,59 @@ A secret is any piece of sensitive information that must be kept confidential an
 
 #### Threat Model
 
-This blog talks about a rudimentary threat model for Kubernetes Secrets, which exposes an inconvenient truth that storing secrets is hard since the plaintext version has to exist somewhere (in contrast to e.g. password hashes). There are indeed complex alternative solutions 
+This [blog](https://www.macchaffee.com/blog/2022/k8s-secrets/) talks about a rudimentary [Threat Model](https://en.wikipedia.org/wiki/Threat_model) for Kubernetes Secrets, which exposes an inconvenient truth that storing secrets is hard since the plaintext version has to exist somewhere (in contrast to e.g. password hashes). There are indeed complex alternative solutions to plain Kubernetes Secrets offer enough extra security, however those enough security out of the complex arragement might not be worth it. From Kusion's perspective, mitigate the overall attack surface of plain Kubernetes Secrets is extremely difficult, also out of scope, so we just assume plain Kubernetes Secrets are fine, instead we provide comprehensive integration with popular cloud secret managers. 
 
 #### API Types
 
 To support popular cloud secret managers, we need to have multiple secret store. We could define a simple interface along the lines of: 
 
 ```Go
-// SecretStore is an interface that must be implemented to integrate with
-// various popular cloud native secret managers, e.g. Hashicorp Vault
+// SecretStore provides the interface to interact with various cloud secret manager.
 type SecretStore interface {
-	// CreateSecret calls external cloud secret manager to store secret information.
-	CreateSecret(key string, value string) error
-	// GetSecret retrieves plain secret information from external cloud secret manager.
-	GetSecret(key string) (string, error)
+	// GetSecret retrieves ref secret from various cloud secret manager.
+	GetSecret(ctx context.Context, ref secretsapi.ExternalSecretRef) ([]byte, error)
 }
 ```
 
-and different secret stores just need to implement this interface.
+and different secret stores just need to implement this interface. For different secret stores, the initialization process is quite different, so we adopt the factory method pattern:
+
+```Go
+// SecretStoreFactory is a factory type for secret store.
+type SecretStoreFactory interface {
+	// NewSecretStore constructs a usable secret store with specific provider spec.
+	NewSecretStore(spec secretsapi.SecretStoreSpec) (SecretStore, error)
+}
+```
+
+Based on the specifications predefined by platform team, secret store factory constructs proper secret store instance, and the specifications as shown below: 
+
+```Go
+// SecretStoreSpec contains configuration to describe target secret store.
+type SecretStoreSpec struct {
+	Provider *ProviderSpec `yaml:"provider" json:"provider"`
+}
+
+// ProviderSpec contains provider-specific configuration.
+type ProviderSpec struct {
+	// AWS configures a store to retrieve secrets from AWS Secrets Manager.
+	AWS *AWSProvider `yaml:"aws,omitempty" json:"aws,omitempty"`
+}
+
+// AWSProvider configures a store to retrieve secrets from AWS Secrets Manager.
+type AWSProvider struct {
+	// AWS Region to be used to interact with AWS Secrets Manager.
+	// Examples are us-east-1, us-west-2, etc.
+	Region string `yaml:"region" json:"region"`
+}
+```
 
 #### The Workflow
 
-1. During the environmental initialization phase, platform team setup the target secret store, including necessary credentials info to access secret store.
-2. The application developers specify the ref sources of sensitive information that the workload depends on, as well as how the workload consumes this sensitive information, within the configuration code.
-3. Once configuration code submit, the Kusion engine fetchs secrets from target secret store and creates corresponding Kubernetes secrets.
-4. Application process consume Kubernetes secrets during runtime.
+During the environmental initialization phase, platform team setup the target secret store, including necessary credentials info to access secret store.
+
+The application developers specify the ref sources of sensitive information that the workload depends on, as well as how the workload consumes this sensitive information, within the configuration code.
+
+Once configuration code submit, the Kusion engine fetchs secrets from target secret store and creates corresponding Kubernetes secrets. Application process consume Kubernetes secrets during runtime.
 
 ### References