There should be capabilities in secretless.yml to supply custom settings to providers #1336

Open
1 task
sgnn7 opened this issue Sep 9, 2020 · 2 comments

Contributor

sgnn7 commented Sep 9, 2020

Is your feature request related to a problem? Please describe.

Currently there is no good way to pass additional information to providers via the configuration file, so other ways (e.g. env vars) are being used for this, leading to a poor UX.

Describe the solution you would like

  • Add capability to supply a provider with extra configuration data via the main broker's configuration file.

Describe alternatives you have considered

N/A

Additional context

This may require changing the API for providers.

Related issue:


michael2m commented Sep 9, 2020

How about an extension to the current configuration? Instead of only having services, also have a section for named providers with their provider configuration, which can be referred to within service configurations. For example:

version: 2

providers:
  my-provider:
    type: vault
 ...

services:
  echo_tcp:
    connector: example-tcp-connector
    listenOn: tcp://0.0.0.0:6175
    credentials:
      address:
        from: my-provider
        get: some-secret
...

Behavior can be kept backwards compatible by allowing a number of built-in providers. Question remains what happens if you configure a provider (like above) with a name of another (possibly built-in), e.g. redefine literal, env or file. This may be an error.

Contributor

izgeri commented Sep 9, 2020

@michael2m we already deal with this with the connectors, so we'd definitely want to be consistent.

The code for that is here:
https://github.com/cyberark/secretless-broker/blob/master/pkg/secretless/plugin/sharedobj/available_plugins.go#L88-L103

The checkPluginIDConflicts method panics if there is a conflict.
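
The name-conflict question raised in this thread, as an added Go example that is not Secretless Broker's own code: it validates the proposed `providers:` section and reports conflicts as errors instead of panicking. The `Config`, `ProviderConfig` and `Credential` types and `ValidateProviders` are hypothetical, and the built-in list holds only the three names mentioned above.

```go
package main

import (
	"fmt"
	"sort"
)

// Built-in names as listed in the thread (assumption: the real set may be larger).
var builtinProviders = map[string]bool{"literal": true, "env": true, "file": true}

// Hypothetical types mirroring the proposed YAML layout.
type ProviderConfig struct{ Type string; Settings map[string]string }
type Credential struct{ From, Get string }

type Config struct {
	Providers map[string]ProviderConfig
	Services  map[string]map[string]Credential // service -> credential name -> source
}

// ValidateProviders rejects named providers that shadow a built-in (which would
// silently change where a credential is fetched from) and dangling "from" references.
func ValidateProviders(cfg Config) []string {
	var problems []string
	for name := range cfg.Providers {
		if builtinProviders[name] {
			problems = append(problems, fmt.Sprintf("provider %q redefines a built-in provider", name))
		}
	}
	for svc, creds := range cfg.Services {
		for cred, c := range creds {
			if _, named := cfg.Providers[c.From]; !named && !builtinProviders[c.From] {
				problems = append(problems, fmt.Sprintf("service %q credential %q: unknown provider %q", svc, cred, c.From))
			}
		}
	}
	sort.Strings(problems) // map iteration order is random; sort for stable output
	return problems
}

func main() {
	// Constructed sample: "my-provider" is valid, "env" shadows a built-in.
	cfg := Config{
		Providers: map[string]ProviderConfig{"my-provider": {Type: "vault", Settings: map[string]string{"address": "https://vault.example.internal"}}, "env": {Type: "vault"}},
		Services:  map[string]map[string]Credential{"echo_tcp": {"address": {From: "my-provider", Get: "some-secret"}}},
	}
	for _, p := range ValidateProviders(cfg) {
		fmt.Println(p)
	}
}
```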
