blueprint-platform/docs/consumption/secret-provider-rollout.md
2026-03-31 15:59:38 -06:00

Provider-Agnostic Secret Provider Rollout

This package defines a provider-agnostic contract for secret lookup without binding to Vault, cloud providers, or environment files in core layers.

Contract Surface

  • IBlueprintSecretProvider
  • BlueprintSecretReference
  • BlueprintSecretResolutionResult

Runtime Defaults

  • AddBlueprintKeyVaultModule(...) now registers:
    • BlueprintKeyVaultRuntimeSettings with:
      • VaultName
      • SecretProviderName
    • NoOpBlueprintSecretProvider as default fallback.

The default fallback reports every lookup as unresolved and introduces no provider-specific behavior.

Binding Strategy

  1. Keep domain and application layers dependent only on IBlueprintSecretProvider.
  2. Bind provider implementation at runtime through DI:
    • Vault adapter
    • Cloud secret manager adapter
    • Environment/test adapter
  3. Keep one active provider per deployment profile.
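As an added illustration of the contract surface, the no-op fallback and the one-provider-per-profile binding described above (this is example code, not the Blueprint package's own): the interface and type names are the ones listed in this document, but their members, the environment/test adapter, the `AddBlueprintSecretProvider` composition method and the sample values are all assumptions made for the example.

```csharp
// Added example, not the Blueprint package's code. Type names come from the
// document; their members, the environment adapter and the DI wiring are assumed.
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;

// Contract surface: how a secret is asked for, and what a lookup returns.
public sealed record BlueprintSecretReference(string Name, string? Version = null);

public sealed record BlueprintSecretResolutionResult(bool Resolved, string? Value, string Provider)
{
    public static BlueprintSecretResolutionResult Unresolved(string provider) =>
        new(false, null, provider);
}

public interface IBlueprintSecretProvider
{
    string Name { get; }
    Task<BlueprintSecretResolutionResult> ResolveAsync(
        BlueprintSecretReference reference, CancellationToken ct = default);
}

// Default fallback: every lookup is unresolved; nothing provider-specific happens.
public sealed class NoOpBlueprintSecretProvider : IBlueprintSecretProvider
{
    public string Name => "noop";

    public Task<BlueprintSecretResolutionResult> ResolveAsync(
        BlueprintSecretReference reference, CancellationToken ct = default) =>
        Task.FromResult(BlueprintSecretResolutionResult.Unresolved(Name));
}

// Environment/test adapter (assumed shape): reads from an injected dictionary so the
// example runs offline; a real adapter would read process environment variables.
public sealed class EnvironmentBlueprintSecretProvider : IBlueprintSecretProvider
{
    private readonly IReadOnlyDictionary<string, string> _source;

    public EnvironmentBlueprintSecretProvider(IReadOnlyDictionary<string, string> source) =>
        _source = source;

    public string Name => "environment";

    public Task<BlueprintSecretResolutionResult> ResolveAsync(
        BlueprintSecretReference reference, CancellationToken ct = default) =>
        Task.FromResult(_source.TryGetValue(reference.Name, out var value)
            ? new BlueprintSecretResolutionResult(true, value, Name)
            : BlueprintSecretResolutionResult.Unresolved(Name));
}

// Runtime settings named in the document; property types are assumed.
public sealed class BlueprintKeyVaultRuntimeSettings
{
    public string? VaultName { get; init; }
    public string SecretProviderName { get; init; } = "noop";
}

public static class SecretProviderComposition
{
    // Composition root: exactly one IBlueprintSecretProvider is registered per deployment
    // profile, chosen by SecretProviderName. Domain/application code sees only the interface.
    public static IServiceCollection AddBlueprintSecretProvider(
        this IServiceCollection services, BlueprintKeyVaultRuntimeSettings settings)
    {
        services.AddSingleton(settings);
        switch (settings.SecretProviderName)
        {
            case "environment":
                // Constructed sample data for the offline example; not a real secret.
                services.AddSingleton<IBlueprintSecretProvider>(_ =>
                    new EnvironmentBlueprintSecretProvider(
                        new Dictionary<string, string> { ["db-password"] = "constructed-sample" }));
                break;
            // A "vault" case would bind the Vault adapter from the infrastructure layer here.
            default:
                services.AddSingleton<IBlueprintSecretProvider, NoOpBlueprintSecretProvider>();
                break;
        }
        return services;
    }
}

public static class Program
{
    public static async Task Main()
    {
        var settings = new BlueprintKeyVaultRuntimeSettings { SecretProviderName = "noop" };
        var provider = new ServiceCollection()
            .AddBlueprintSecretProvider(settings)
            .BuildServiceProvider()
            .GetRequiredService<IBlueprintSecretProvider>();

        var result = await provider.ResolveAsync(new BlueprintSecretReference("db-password"));
        // Log the provider and resolution state only; never write the secret value to a log.
        Console.WriteLine($"provider={result.Provider} resolved={result.Resolved}");
    }
}
```

With the default `noop` profile the program prints `provider=noop resolved=False`; switching `SecretProviderName` to `environment` binds the test adapter instead, and no other layer changes. Resolution results carry the provider name and a resolved flag so callers can distinguish "no provider configured" from "provider consulted, secret absent" without ever logging the value itself.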

Rollout Notes

  • Stage 33 keeps this contract-only baseline.
  • Concrete Vault/OIDC provider integration should be implemented in infrastructure/runtime layers only.
  • Existing identity logic ownership remains in Thalos repositories.

Runtime Ownership Note

Provider contract ownership and runtime operational ownership are separate concerns.

  • Contract ownership for provider-agnostic secret access remains in Blueprint and consuming repos.
  • Vault runtime ownership, bootstrap, and recovery operations currently remain documented in general_information/Vault.md.
  • Demo runtime reconciliation guidance is documented in docs/consumption/demo-runtime-source-of-truth.md.