Add key vault abilities

BenjaminMichaelis · BenjaminMichaelis · commit e44137b895cd · 2025-10-12T21:11:57.000-07:00
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -17,6 +17,7 @@
   </ItemGroup>
   <ItemGroup>
     <PackageVersion Include="AspNet.Security.OAuth.GitHub" Version="8.3.0" />
+    <PackageVersion Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.4.0" />
     <PackageVersion Include="Azure.Identity" Version="1.12.1" />
     <PackageVersion Include="Azure.Monitor.OpenTelemetry.AspNetCore" Version="1.3.0" />
     <PackageVersion Include="Microsoft.ApplicationInsights.Profiler.AspNetCore" Version="2.6.0" />
@@ -51,4 +52,4 @@
     <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.0.1" />
   </ItemGroup>
-</Project>
+</Project>
diff --git a/EssentialCSharp.Chat/EssentialCSharp.Chat.csproj b/EssentialCSharp.Chat/EssentialCSharp.Chat.csproj
@@ -18,6 +18,7 @@
   </PropertyGroup>
   
     <ItemGroup>
+    <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" />
     <PackageReference Include="Microsoft.SemanticKernel" />
     <PackageReference Include="Microsoft.SemanticKernel.Connectors.PgVector" />
     <PackageReference Include="ModelContextProtocol" />
diff --git a/EssentialCSharp.Chat/Program.cs b/EssentialCSharp.Chat/Program.cs
@@ -358,16 +358,61 @@ void WriteChunkingResult(FileChunkingResult result, TextWriter writer)
 
     /// <summary>
     /// Creates and configures the IConfiguration used by multiple commands.
-    /// This method centralizes the common configuration setup to reduce code duplication.
+    /// Supports Azure Key Vault integration for secure secret management.
     /// </summary>
     /// <returns>The configured IConfigurationRoot</returns>
+    /// <remarks>
+    /// Configuration precedence (highest to lowest):
+    /// 1. Environment Variables
+    /// 2. Azure Key Vault (if configured)
+    /// 3. User Secrets (development only)
+    /// 4. appsettings.json
+    /// 
+    /// To enable Key Vault, set the "KeyVaultName" configuration value in appsettings.json or user secrets:
+    /// {
+    ///   "KeyVaultName": "your-keyvault-name"
+    /// }
+    /// 
+    /// The application will use DefaultAzureCredential for authentication, which supports:
+    /// - Managed Identity (in Azure)
+    /// - Azure CLI (local development)
+    /// - Visual Studio (local development)
+    /// - Environment variables (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
+    /// </remarks>
     private static IConfigurationRoot CreateConfiguration()
     {
-        return new ConfigurationBuilder()
+        var configBuilder = new ConfigurationBuilder()
             .SetBasePath(IntelliTect.Multitool.RepositoryPaths.GetDefaultRepoRoot())
-            .AddJsonFile("EssentialCSharp.Web/appsettings.json")
-            .AddUserSecrets<Program>()
-            .AddEnvironmentVariables()
-            .Build();
+            .AddJsonFile("EssentialCSharp.Web/appsettings.json", optional: false, reloadOnChange: true)
+            .AddJsonFile($"EssentialCSharp.Web/appsettings.{Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production"}.json", optional: true, reloadOnChange: true)
+            .AddUserSecrets<Program>(optional: true)
+            .AddEnvironmentVariables();
+
+        // Build a temporary configuration to check for Key Vault settings
+        var tempConfig = configBuilder.Build();
+        var keyVaultName = tempConfig["KeyVaultName"];
+
+        // If Key Vault is configured, add it to the configuration pipeline
+        if (!string.IsNullOrEmpty(keyVaultName))
+        {
+            try
+            {
+                var keyVaultUri = new Uri($"https://{keyVaultName}.vault.azure.net/");
+
+                // Use DefaultAzureCredential which works both locally and in Azure
+                var credential = new DefaultAzureCredential();
+
+                configBuilder.AddAzureKeyVault(keyVaultUri, credential);
+
+                Console.WriteLine($"✅ Connected to Azure Key Vault: {keyVaultName}");
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine($"⚠️  Warning: Could not connect to Azure Key Vault '{keyVaultName}': {ex.Message}");
+                Console.WriteLine("   Continuing with other configuration sources...");
+            }
+        }
+
+        return configBuilder.Build();
     }
 }
