# Secrets in FTL

**Author**: Lizzy Worstell

**Status**: draft / in-review / accepted / implemented / ==superseded==

## Description

Provide support in FTL for managing secrets.

## Goals

- Propose an initial (V0) and a subsequent (V1) approach to secrets management
- V0 should be extensible to V1

## Design

## V0

We will pass environment variables containing secrets to the runner subprocesses during deployment. In this iteration, all secrets will be available across all runners.

### Production

Users will create secrets by provisioning environment variables directly to their Kubernetes pod*.

##### _*How do we do this?_

### Development

Users will create secrets as local environment variables prefixed with `FTL_SECRET_<NAME>`.

### APIs

We will expose APIs for fetching secrets in application code:

```kotlin
data class Secret(private val value: String) {
    // Redact the value so that accidental logging or string
    // interpolation does not leak it.
    override fun toString(): String {
        return "redacted"
    }
}

object Secrets {
    fun get(name: String): Secret {
        // V0: load the secret from the FTL_SECRET_<NAME> environment variable.
        val value = System.getenv("FTL_SECRET_$name")
            ?: throw IllegalArgumentException("secret not found: $name")
        return Secret(value)
    }
}

fun main() {
    val apiKey = Secrets.get("api-key")
}
```

`Secrets.get(...)` is a Kotlin runtime library call; its invocation simply loads the secret from environment variables.

## V1

This design proposes [Vault](https://github.com/hashicorp/vault) as its underlying secrets manager.

Unlike V0, calling `Secrets.get(...)` will invoke a gRPC call to the runner, which can access these secrets in its local file-system in the directory `ftl/secrets/<module-name>`. The runner will then attempt to fetch the requested secret and return its value unencrypted. Thus this API must only be accessed locally and never over the network*.

##### _*TODO: Determine how to restrict access to the GetSecret endpoint so that only local requests are permitted._

### Production

The Vault server will be deployed to a Kubernetes pod. We will provision a [Vault Agent](https://developer.hashicorp.com/vault/tutorials/kubernetes/kubernetes-sidecar) sidecar in runner pods. This agent is responsible for providing credentials and orchestrating a hand-off to write the specified Vault secrets to the local file-system in the pod.

![Screenshot 2024-01-10 at 1.45.39 AM](https://hackmd.io/_uploads/BJT8vknd6.png)

### Development

The Vault development server runs as a Docker container. To simulate production behavior, `ftl serve` will copy secrets from the Vault dev server into the local file-system, in directories with the same structure as production: `ftl/secrets/<module-name>`.

### APIs

We will provide FTL commands to manage secrets:

```bash
# Create a new secret.
ftl secrets create <module> <name> <value>

# Update an existing secret.
ftl secrets update <module> <name> <value>

# Delete an existing secret.
ftl secrets delete <module> <name> <value>

# List secrets available by module. Optional parameter to specify modules
# in a comma-separated list.
ftl secrets list <modules>
```

These APIs will wrap the Vault server itself.
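One way the V1 runner could serve a GetSecret request from the directory the Vault Agent sidecar writes, as an added Go example that is not FTL's own code. It assumes one file per secret under `ftl/secrets/<module-name>/<name>` (a layout this design leaves unspecified), validates module and secret names before mapping them to paths, and redacts the value in its string form like the V0 Kotlin class.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strings"
)

// safeName is the set of module and secret names we are willing to map onto
// file-system paths (assumption: the design does not fix a naming rule).
var safeName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_.-]*$`)

// Secret carries a value whose String form is redacted so it cannot leak
// through logs or error messages, mirroring the V0 Kotlin class.
type Secret struct{ value string }

func (s Secret) String() string { return "redacted" }
func (s Secret) Reveal() string { return s.value }

// GetSecret reads <root>/<module>/<name>, the per-secret file layout assumed
// here for what the sidecar writes under ftl/secrets/<module-name>.
func GetSecret(root, module, name string) (Secret, error) {
	if !safeName.MatchString(module) || !safeName.MatchString(name) {
		return Secret{}, errors.New("invalid module or secret name")
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return Secret{}, err
	}
	moduleDir := filepath.Join(absRoot, module)
	path := filepath.Join(moduleDir, name)
	// Defence in depth: refuse anything that resolved outside the module tree.
	if !strings.HasPrefix(path, moduleDir+string(os.PathSeparator)) {
		return Secret{}, errors.New("secret path escapes secrets directory")
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return Secret{}, fmt.Errorf("secret %s/%s not found", module, name)
	}
	return Secret{value: strings.TrimRight(string(data), "\n")}, nil
}

func main() {
	s, err := GetSecret("ftl/secrets", "echo", "api-key")
	fmt.Println(s, err) // the value itself is never printed, only "redacted"
}
```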