If you want to use secret configuration which you don't want to store the code repository during developing ASP.NET Core app, what will you do? ASP.NET Core provides Secret Manager tool. Then how about developing on OpenShift? I'd like to talk about Secret Manager tool and working OpenShift secrets for ASP.NET Core in this blog.

Secret Manager tool

Let's try to use following the document. At first, make ASP.NET Core web project. Then add Microsoft.Extensions.SecretManager.Tools, Microsoft.Extensions.Configuration.UserSecrets and userSecretsId to the tools section of the project.json file. Be sure to make the userSecretsId value unique.

"dependencies": {
  "Microsoft.Extensions.Configuration.UserSecrets": "1.0.0-rc2-final"
},
"userSecretsId": "aspnet-WebApp1-c23d27a4-eb88-4b18-9b77-2a93f3b15119",
"tools": {
  "Microsoft.Extensions.SecretManager.Tools": "1.0.0-preview2-final"
}
$ dotnet user-secrets set MySecret ValueOfMySecret

Once command is executed, the secrets.json file is generated at ~/.microsoft/usersecrets//secrets.json

$ cat ~/.microsoft/usersecrets/aspnet-WebApp1-c23d27a4-eb88-4b18-9b77-2a93f3b15119/secrets.json
{
  "MySecret": "ValueOfMySecret"
}

Then we can refer this secret value from code as below.

public Startup(IHostingEnvironment env)
{
    var builder = new ConfigurationBuilder()
        .SetBasePath(env.ContentRootPath)
        .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
        .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

    if (env.IsDevelopment())
    {
        // For more details on using the user secret store see http://go.microsoft.com/fwlink/?LinkID=532709
        builder.AddUserSecrets();
    }

    builder.AddEnvironmentVariables();
    Configuration = builder.Build();
}

Now it works storing secret data. However, this secret is stored in local machine folder. So how do we use secret on OpenShift?

OpenShift secret

OpenShift has a secret feature. To use OpenShift secret, we create yaml file as below. "strindData" field is a new feature at OpenShift v3.3. So if you use OpenShift 3.2 or lower, please use "data" field and value must be base64-encoded.

apiVersion: "v1"
kind: "Secret"
metadata:
  name: "mysecret"
stringData:
  mysecretconfig: '{"MySecret": "ValueOfMySecret"}'

Then create secret with oc command.

$ oc create -f mysecret.yaml

Secret is mounted as a volume, so edit the deploymentconfig to mount the volume. If you haven't tried ASP.NET Core app on OpenSift, s2i-aspnet is a good starting point. In this example, secret data file located at /etc/secret-volume/mySecret.

$ oc edit dc <your_dc>
spec:
<snip>
  containers:
    - name: myapp
      <snip>
      volumeMounts:
          # name must match the volume name below
          - name: secret-volume
            mountPath: /etc/secret-volume
            readOnly: true
  <snip>
  volumes:
    - name: secret-volume
      secret:
        secretName: mysecret
  restartPolicy: Never

Or use oc command.

$  oc volumes dc/<dc_name> --add --type=secret --secret-name=mysecret --mount-path=/etc/secret-volume

To use this mounted secret file as a configuration, simply call Configuration.AddJsonFile method with file path.

public Startup(IHostingEnvironment env)
{
    var builder = new ConfigurationBuilder()
        .SetBasePath(env.ContentRootPath)
        .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
        .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

    if (Directory.Exists("/etc/secret-volume"))
        builder.AddJsonFile("/etc/secret-volume/mysecretconfig", true);

    builder.AddEnvironmentVariables();
    Configuration = builder.Build();

    Console.WriteLine(Configuration["MySecret"]);
}

Finally, you can refer the secret data from ASP.NET Core app on OpenShift. The full example project can be seen in my GitHub repo.

For additional information and articles on .NET Core visit our .NET Core web page for more on this topic.

Last updated: March 22, 2023