Support for hashicorp vault #2128

Open
shivabasu opened this issue May 19, 2022 · 5 comments
Comments

@shivabasu

Support HashiCorp Vault to store DNS auth keys, so that DNS keys are kept encrypted and end users will not have access to them.

@WouterTinus
Member

It'd be useful to have some more input from the community about this possible enhancement. Like which authentication method(s) you'd prefer to connect to the Vault and whether you use the Vault Agent or not.

@shivabasu
Author

In the intranet use case, we need auto-renewal functionality with the DNS validation method. For security reasons, we can't share the Google DNS service account with our end users.
( --validation gcpdns --serviceaccountkey xxx --projectid xxx ).

Instead of this, we would like to integrate with HashiCorp Vault to store the Google DNS service key or

Vault static secrets will be preferred
https://learn.hashicorp.com/tutorials/vault/static-secrets

@WouterTinus
Member

Possible library to use for this: https://github.com/rajanadar/VaultSharp

@webprofusion-chrisc
Contributor

Their HTTP API is quite useful if you don't want to take a dependency on a library. I've only used it for storing certs.

https://github.com/webprofusion/certify-plugins/blob/development/src/DeploymentTasks/Core/Providers/HashicorpVault.cs

@WouterTinus
Member

The next release will make it possible to load external plugins for the secret vault in the same way that you can now load plugins for different stages of the certificate renewal process. But since I don't have access to or experience with any HashiCorp product, someone else would have to implement the interface in a separate project.
