Overview

This page describes how secrets are stored and accessed for the stevedunn/vogen project in production. Mishandled credentials are a common root cause of breaches, so the guidance below favours mechanisms that keep secrets out of source control, container images and logs, and that fail loudly when a secret is missing.

Storing Secrets

Environment Variables

Environment variables are a common way to hand secrets such as API keys and database connection strings to a process at run time without writing them into source-controlled files. They are not a secure store in themselves: any process running as the same user can read them, child processes inherit them, and crash dumps and some loggers capture them. Treat them as a transport from a secret store into the application, not as the store.

Example Usage in Dockerfile

The provided Dockerfile shows the ENV instruction:

FROM mcr.microsoft.com/dotnet/sdk:7.0

# Build-time default only: an ENV value is baked into the image and is not a safe place for a real secret
ENV DATABASE_CONNECTION_STRING="your_connection_string_here"

COPY . .

ENTRYPOINT [ "powershell.exe", "./Build.ps1" ]

ENV sets the variable at build time, and the value is persisted in the image metadata: anyone who can pull the image can read it with docker history --no-trunc or docker inspect. Use ENV only for non-secret defaults or placeholders, and supply the real value when the container starts (docker run -e DATABASE_CONNECTION_STRING=..., an --env-file, or the orchestrator's secret injection). If a secret is genuinely needed during the build itself, mount it with BuildKit's RUN --mount=type=secret, which keeps it out of the resulting layers.

Configuration Files

Secrets can also be read from configuration files such as appsettings.json and appsettings.Development.json. The default host loads appsettings.{Environment}.json on top of appsettings.json, so a Development file is a convenient place for local settings, but these files are plain text and are normally committed: a password placed in one ends up in version control and in every clone of the repository.

Example Configuration

An example of such a file, with the password written in plain text (this is the pattern to avoid):

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "ConnectionStrings": {
    "DefaultConnection": "Server=myServer;Database=myDB;User Id=myUser;Password=myPassword;"
  }
}

Note: Commit such files with placeholder values only, and let the real value come from an environment variable or a secret store; configuration providers registered later override the file, so the placeholder is replaced at run time without editing the file.
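The override described above, as an added example that is not code from the vogen repository: a committed appsettings.json holding a placeholder is overridden by an environment variable, and the program refuses to start if the placeholder survived. The file contents and the environment variable are constructed inline; the Microsoft.Extensions.Configuration packages named in the comment are assumed. Run it with dotnet run from a console project targeting .NET 7 or later.

```csharp
// Added example, not code from the vogen repository.
// Package references assumed: Microsoft.Extensions.Configuration,
// Microsoft.Extensions.Configuration.Json, Microsoft.Extensions.Configuration.EnvironmentVariables.
using System;
using System.IO;
using System.Linq;
using Microsoft.Extensions.Configuration;

static class Program
{
    const string Placeholder = "<set-at-deploy-time>";

    static int Main()
    {
        // Constructed sample: the committed appsettings.json carries only a placeholder.
        var dir = Directory.CreateTempSubdirectory("secrets-demo");
        File.WriteAllText(Path.Combine(dir.FullName, "appsettings.json"), $$"""
        {
          "ConnectionStrings": {
            "DefaultConnection": "Server=myServer;Database=myDB;User Id=myUser;Password={{Placeholder}};"
          }
        }
        """);

        // Stands in for the operator injecting the real value at run time
        // (docker run -e ..., an --env-file, a systemd EnvironmentFile, the orchestrator's secret).
        // '__' is the cross-platform separator for the ':' hierarchy in configuration keys.
        Environment.SetEnvironmentVariable(
            "ConnectionStrings__DefaultConnection",
            "Server=myServer;Database=myDB;User Id=myUser;Password=example-runtime-value;");

        try
        {
            var config = BuildConfiguration(dir.FullName);
            var conn = config.GetConnectionString("DefaultConnection");

            // Fail fast: a placeholder or empty value means the deployment forgot to supply
            // the secret. Better to stop here than to find out on the first database call.
            if (string.IsNullOrWhiteSpace(conn) || conn.Contains(Placeholder))
            {
                Console.Error.WriteLine("ConnectionStrings:DefaultConnection is not configured; aborting.");
                return 1;
            }

            // Log where the value came from, never the value itself.
            Console.WriteLine($"DefaultConnection supplied by: {SourceOf(config, "ConnectionStrings:DefaultConnection")}");
            return 0;
        }
        finally
        {
            dir.Delete(recursive: true);
        }
    }

    // Providers added later take precedence, so the environment variable wins over the file.
    static IConfigurationRoot BuildConfiguration(string basePath) =>
        new ConfigurationBuilder()
            .SetBasePath(basePath)
            .AddJsonFile("appsettings.json", optional: false, reloadOnChange: false)
            .AddEnvironmentVariables()
            .Build();

    // Walks providers from highest to lowest precedence and reports the first one that holds the key.
    static string SourceOf(IConfigurationRoot root, string key)
    {
        foreach (var provider in root.Providers.Reverse())
        {
            if (provider.TryGet(key, out _))
                return provider.GetType().Name;
        }
        return "no provider";
    }
}
```

Unset the environment variable before running it a second time to see the placeholder check reject the file-only value with exit code 1.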

Accessing Secrets

.NET Secret Manager

For local development, use the .NET Secret Manager, which keeps secrets in a JSON file under the developer's user profile, outside the project tree. The file is not encrypted; its only job is to keep secrets out of the repository.

Setting Up Secrets

Initialise the project once (this adds a UserSecretsId to the .csproj), then set a secret:

dotnet user-secrets init
dotnet user-secrets set "DatabasePassword" "your_secure_password"

Accessing Secrets

WebApplication.CreateBuilder adds the user-secrets provider automatically when the environment is Development, so the value is read through the normal configuration API:

var builder = WebApplication.CreateBuilder(args);

// Add services to the container
builder.Services.AddControllersWithViews();

// Resolved from user secrets in Development; in any other environment the same key
// must come from an environment variable (DatabasePassword) or a secret store.
var dbPassword = builder.Configuration["DatabasePassword"];

Azure Key Vault

For production, pull secrets from Azure Key Vault at start-up. The vault provides access control (RBAC or access policies), an audit trail of every read, and a single place to rotate values without redeploying the application.

Example Configuration for Azure Key Vault

To configure Azure Key Vault for stevedunn/vogen, add the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages and register the vault as a configuration source:

var builder = WebApplication.CreateBuilder(args);

builder.Configuration.AddAzureKeyVault(
    new Uri("https://<your-key-vault-name>.vault.azure.net/"),
    new DefaultAzureCredential());

The application then reads secrets at run time through the same IConfiguration API as any other setting; a secret name containing -- is exposed with ':' in its place, so Database--Password becomes Database:Password. DefaultAzureCredential resolves to the host's managed identity when running in Azure, and that identity needs only the Key Vault Secrets User role (or get/list secret permissions) on the vault. The values still end up in process memory, so this protects them at rest and in transit, not from a compromised host.
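A fuller production wiring, added here as an example rather than taken from the vogen repository: the vault name comes from a non-secret setting KeyVault:Name (an assumed key), only secrets prefixed vogen-- are loaded so other applications sharing the vault stay invisible, rotated values are re-read every ten minutes, and the database password is bound to a typed options class that is validated at start-up so a missing secret stops the host immediately. The PrefixKeyVaultSecretManager and DatabaseOptions types are hypothetical; running it needs a reachable vault and an identity holding the Key Vault Secrets User role.

```csharp
// Added example, not vogen's own code. Package references assumed:
//   Azure.Identity
//   Azure.Extensions.AspNetCore.Configuration.Secrets
// (options validation comes from the ASP.NET Core shared framework)
using System;
using System.ComponentModel.DataAnnotations;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// The vault name is not a secret; it comes from appsettings or an environment variable (assumed key).
var vaultUri = new Uri($"https://{builder.Configuration["KeyVault:Name"]}.vault.azure.net/");

// In production the identity is the host's managed identity. Excluding the developer-only
// chain members there means a misconfigured host fails instead of silently using a cached
// CLI or IDE login that happens to be present.
var isProd = builder.Environment.IsProduction();
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ExcludeInteractiveBrowserCredential = true,
    ExcludeVisualStudioCredential = isProd,
    ExcludeAzureCliCredential = isProd,
    ExcludeAzurePowerShellCredential = isProd,
});

builder.Configuration.AddAzureKeyVault(vaultUri, credential, new AzureKeyVaultConfigurationOptions
{
    // Only secrets named "vogen--..." are loaded (prefix assumed for this example).
    Manager = new PrefixKeyVaultSecretManager("vogen"),
    // Rotated values are picked up without a restart.
    ReloadInterval = TimeSpan.FromMinutes(10),
});

// Typed, validated binding: an absent Database:Password fails ValidateOnStart and the host
// never starts serving traffic with a null password.
builder.Services.AddOptions<DatabaseOptions>()
    .Bind(builder.Configuration.GetSection("Database"))
    .ValidateDataAnnotations()
    .ValidateOnStart();

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();

// Vault secret "vogen--Database--Password" becomes configuration key "Database:Password";
// secrets without the prefix are never requested from the vault.
sealed class PrefixKeyVaultSecretManager : KeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix) => _prefix = prefix + "--";

    public override bool Load(SecretProperties properties) =>
        properties.Name.StartsWith(_prefix, StringComparison.OrdinalIgnoreCase);

    public override string GetKey(KeyVaultSecret secret) =>
        secret.Name.Substring(_prefix.Length).Replace("--", ConfigurationPath.KeyDelimiter);
}

// Hypothetical options class for the example.
sealed class DatabaseOptions
{
    [Required, MinLength(1)]
    public string Password { get; set; } = "";
}
```

Locally, the same Database:Password key can be supplied by the Secret Manager, so the options class and its validation are exercised in development without any vault access.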

Best Practices

  • Never hard-code secrets in your source code or configuration files that are checked into version control.

  • Use .gitignore to exclude local secret files from being tracked, and run a secret scanner in pre-commit or CI so an accidental commit is caught before it is pushed.

  • Rotate secrets regularly and review permission access to ensure that only necessary applications and developers have access.

  • Monitor and log access to secrets to detect any unauthorized access.

Conclusion

Managing secrets for the stevedunn/vogen project combines run-time environment variables, configuration files that hold placeholders only, the Secret Manager for local development, and Azure Key Vault for production. Following the practices above keeps sensitive values out of the repository and the container image, and surfaces a missing secret at start-up rather than in production traffic.

For further details, please refer to the official guidelines provided in the repository.
