ability to manage a default secret that would be always injected in services

Question

ability to manage a default secret that would be always injected in services

fcomte opened this issue 3 months ago · comments

Secrets are not often use by users because it's quite complex to use it.
One idea would be to manage a default secret (a list of secrets) that would be always injected without any effort from the user

Comte · Answer 1 · Fri Feb 23 2024 21:41:19 GMT+0800 (China Standard Time)

One implementation could be to maintain a list of all paths that should be automatycally injected.
A user can then opt-in very quickly for each secret.

qgau · Answer 2 · Fri Feb 23 2024 22:11:49 GMT+0800 (China Standard Time)

Thanks for creating this issue.

On my side, I was actually thinking about a more straitforward/naive experience: by default, all the user secrets are injected in the services environment as environment variables.
With, of course, a big banner to warn the users in the service configuration view, which would contain a direct link to vault configuration tab for example.

But then there is the question of secret variables with the same name, but in different secrets and/or directories. For these cases, I think we could actually not care about it and just overwrite variables previously defined in the environment, because this "default" behavior would be only for onboarding/newcomers users. Advanced users with plenty of secrets won't use this option anyway: they will care about what service has access to what secret.

That being said, a default secret at the root, called "default" and containing a "SECRET_EXAMPLE" variable could do the job perfectly.

BTW, reading @fcomte 's previous comment makes me think maybe the user uptake is difficult also because there is no auto-completion for the secret paths in the vault tab. I don't how difficult it is to implement that though.

My two cents!

Comte · Answer 3 · Fri Feb 23 2024 22:25:43 GMT+0800 (China Standard Time)

my idea is quite simple :

When a user write a secret he has the possibility to enable it by default for all services.

Behind the scene we maintain this path (somewhere in vault but silently)
And when we start vscode we create all the en var based on this secret list of path

I would prefer this kind of implementation in comparaison to the "one big default secret" because it's more maintenable by the user.

Comte · Answer 4 · Fri Feb 23 2024 22:27:19 GMT+0800 (China Standard Time)

we can also add a new icon here :

to let the user know that this specific secret is always put in services.

qgau · Answer 5 · Fri Feb 23 2024 22:29:20 GMT+0800 (China Standard Time)

Oh I see it now! This is really better than my idea 👍

Comte · Answer 6 · Fri Feb 23 2024 22:35:07 GMT+0800 (China Standard Time)

This is all your idea.. I think it can greatly improve the UX on the secret usage. thank you 🙏