35 lines
1.1 KiB
Markdown
35 lines
1.1 KiB
Markdown
# Provider-Agnostic Secret Provider Rollout
|
|
|
|
This package defines a provider-agnostic contract for secret lookup without binding to Vault, cloud providers, or environment files in core layers.
|
|
|
|
## Contract Surface
|
|
|
|
- `IBlueprintSecretProvider`
|
|
- `BlueprintSecretReference`
|
|
- `BlueprintSecretResolutionResult`
|
|
|
|
## Runtime Defaults
|
|
|
|
- `AddBlueprintKeyVaultModule(...)` now registers:
|
|
- `BlueprintKeyVaultRuntimeSettings` with:
|
|
- `VaultName`
|
|
- `SecretProviderName`
|
|
- `NoOpBlueprintSecretProvider` as default fallback.
|
|
|
|
The default fallback returns unresolved lookups and never introduces provider-specific behavior.
|
|
|
|
## Binding Strategy
|
|
|
|
1. Keep domain and application layers dependent only on `IBlueprintSecretProvider`.
|
|
2. Bind provider implementation at runtime through DI:
|
|
- Vault adapter
|
|
- Cloud secret manager adapter
|
|
- Environment/test adapter
|
|
3. Keep one active provider per deployment profile.
|
|
|
|
## Rollout Notes
|
|
|
|
- Stage 33 keeps this contract-only baseline.
|
|
- Concrete Vault/OIDC provider integration should be implemented in infrastructure/runtime layers only.
|
|
- Existing identity logic ownership remains in Thalos repositories.
|