43 lines
1.6 KiB
Markdown
# Provider-Agnostic Secret Provider Rollout
This package defines a provider-agnostic contract for secret lookup without binding to Vault, cloud providers, or environment files in core layers.
## Contract Surface
- `IBlueprintSecretProvider`
- `BlueprintSecretReference`
- `BlueprintSecretResolutionResult`

## Runtime Defaults
- `AddBlueprintKeyVaultModule(...)` now registers:
  - `BlueprintKeyVaultRuntimeSettings` with:
    - `VaultName`
    - `SecretProviderName`
  - `NoOpBlueprintSecretProvider` as default fallback.

The default fallback returns unresolved lookups and never introduces provider-specific behavior.
## Binding Strategy
1. Keep domain and application layers dependent only on `IBlueprintSecretProvider`.
2. Bind provider implementation at runtime through DI:
   - Vault adapter
   - Cloud secret manager adapter
   - Environment/test adapter
3. Keep one active provider per deployment profile.
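An added illustration of the contract surface, the runtime defaults and the binding strategy above (example code, not the Blueprint package's own; the record and interface shapes, the method names, and the string-based provider selection are assumptions): core layers see only the three contract types, the NoOp fallback reports every lookup as unresolved, and the DI registration binds exactly one active provider per profile.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
// Contract surface (assumed shapes): domain/application layers reference only these three types.
public sealed record BlueprintSecretReference(string Name);
public sealed record BlueprintSecretResolutionResult(bool Resolved, string? Value, string Provider)
{
    public static BlueprintSecretResolutionResult Unresolved(string provider) => new(false, null, provider);
}
public interface IBlueprintSecretProvider
{
    string Name { get; }
    Task<BlueprintSecretResolutionResult> ResolveAsync(BlueprintSecretReference reference);
}
// Default fallback: every lookup is reported unresolved, so nothing provider-specific reaches core layers.
public sealed class NoOpBlueprintSecretProvider : IBlueprintSecretProvider
{
    public string Name => "noop";
    public Task<BlueprintSecretResolutionResult> ResolveAsync(BlueprintSecretReference reference) =>
        Task.FromResult(BlueprintSecretResolutionResult.Unresolved(Name));
}

// Environment/test adapter (hypothetical): values are injected, so the sample runs offline and reads no process state.
public sealed class EnvironmentBlueprintSecretProvider : IBlueprintSecretProvider
{
    private readonly IReadOnlyDictionary<string, string> _values;
    public EnvironmentBlueprintSecretProvider(IReadOnlyDictionary<string, string> values) => _values = values;
    public string Name => "environment";
    public Task<BlueprintSecretResolutionResult> ResolveAsync(BlueprintSecretReference reference) =>
        Task.FromResult(_values.TryGetValue(reference.Name, out var value)
            ? new BlueprintSecretResolutionResult(true, value, Name)
            : BlueprintSecretResolutionResult.Unresolved(Name));
}
// Runtime defaults: settings object plus a single active provider chosen by SecretProviderName (unknown names fall back to NoOp).
public sealed record BlueprintKeyVaultRuntimeSettings(string? VaultName, string SecretProviderName = "noop");
public static class BlueprintKeyVaultModule
{
    public static IServiceCollection AddBlueprintKeyVaultModule(this IServiceCollection services,
        BlueprintKeyVaultRuntimeSettings settings, IReadOnlyDictionary<string, string>? testValues = null)
    {
        services.AddSingleton(settings);
        services.AddSingleton<IBlueprintSecretProvider>(_ => settings.SecretProviderName switch
        {
            "environment" => new EnvironmentBlueprintSecretProvider(testValues ?? new Dictionary<string, string>()),
            _ => new NoOpBlueprintSecretProvider(),
        });
        return services;
    }
}
```

A consuming layer resolves `IBlueprintSecretProvider` from the container and checks `Resolved` before using `Value`; swapping the active adapter is a settings change, not a code change in core layers.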
## Rollout Notes
- Stage 33 keeps this contract-only baseline.
- Concrete Vault/OIDC provider integration should be implemented in infrastructure/runtime layers only.
- Existing identity logic ownership remains in Thalos repositories.

## Runtime Ownership Note
Provider contract ownership and runtime operational ownership are separate concerns.
- Contract ownership for provider-agnostic secret access remains in Blueprint and consuming repos.
- Vault runtime ownership, bootstrap, and recovery operations currently remain documented in `general_information/Vault.md`.
- Demo runtime reconciliation guidance is documented in `docs/consumption/demo-runtime-source-of-truth.md`.