I'm in the process of implementing IdentityServer4 into my ASP.NET Core web application, which will be deployed to a Kubernetes cluster using Continuous Deployment.
The documentation talks about adding signing credentials (AddSigningCredential) and most tutorials/guides demonstrate how to use this by loading a .pfx file from the file system, or by using the local certificate store and searching by the subject name.
Is there a commonly accepted way of storing, retrieving and rotating the signing credentials when deployed to a Kubernetes cluster with minimal intervention?
I think using a secret is the best option in Kubernetes. K8s has a secret kind that can be deployed with other resources, here is a link to the official doc: https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/ Or you could also use another secret manager, like Vault. If I am not mistaken, I think it's the best practice.
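As an added illustration of the approach in this answer (example code, not from the question author, the answer author or the IdentityServer4 project), the following ASP.NET Core Startup loads the signing certificate from a Kubernetes Secret mounted into the pod. It assumes a Secret with three keys (`signing.pfx`, `password` and, during a rotation, `previous.pfx`) mounted at the hypothetical path `/var/run/secrets/idsrv-signing`; the directory name and key names are assumptions, not anything the page prescribes. The previous certificate is registered only as a validation key, which IdentityServer4 publishes in the discovery document so that tokens issued before the rotation still verify while new tokens are signed with the current key.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical mount point: the Deployment manifest mounts the Secret
    // (keys: signing.pfx, password, optionally previous.pfx) here.
    private const string SecretDir = "/var/run/secrets/idsrv-signing";

    public void ConfigureServices(IServiceCollection services)
    {
        // The PFX password lives in its own Secret key rather than in
        // appsettings or an environment variable baked into the image.
        var password = File.ReadAllText(Path.Combine(SecretDir, "password")).Trim();

        var current = LoadPfx(Path.Combine(SecretDir, "signing.pfx"), password);

        var builder = services.AddIdentityServer()
            // Current key: used to sign newly issued tokens.
            .AddSigningCredential(current);

        // Rotation window: if the previous certificate is still mounted,
        // keep it as a validation key only. It is advertised in the
        // discovery document but never used for new signatures.
        var previousPath = Path.Combine(SecretDir, "previous.pfx");
        if (File.Exists(previousPath))
        {
            builder.AddValidationKey(LoadPfx(previousPath, password));
        }

        // Clients, resources, etc. are registered on 'builder' as usual.
    }

    // Loads a PFX from the mounted Secret and fails fast on the two
    // misconfigurations that would otherwise surface only at token
    // issuance: a certificate without a private key, or an expired one.
    private static X509Certificate2 LoadPfx(string path, string password)
    {
        var cert = new X509Certificate2(path, password);

        if (!cert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Signing certificate at {path} has no private key.");
        }

        if (cert.NotAfter < DateTime.UtcNow)
        {
            throw new InvalidOperationException(
                $"Signing certificate at {path} expired on {cert.NotAfter:u}.");
        }

        return cert;
    }
}
```

With this layout a rotation is two kubectl steps and a rollout: update the Secret so that the old `signing.pfx` becomes `previous.pfx` and the new certificate becomes `signing.pfx` (for example by recreating it with `kubectl create secret generic idsrv-signing --from-file=signing.pfx=./new.pfx --from-file=previous.pfx=./old.pfx --from-literal=password=...`), then restart the Deployment so the pods re-read the mounted files; once all tokens signed by the old key have expired, drop `previous.pfx` from the Secret. Mounted Secret files are readable by any process in the container, so the pod's service account and file permissions, not the Secret object alone, decide who can read the private key.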