feat: reword phase to epic, update mkdocs
docs/content/stories/epic5/5.6-secret-store.md
Normal file
@@ -0,0 +1,68 @@
# Story 5.6: Secret Store Integration
## Metadata
- **Story ID**: 5.6
- **Title**: Secret Store Integration
- **Epic**: 5 - Infrastructure Adapters
- **Status**: Pending
- **Priority**: Medium
- **Estimated Time**: 4-5 hours
- **Dependencies**: 0.2
## Goal
Implement secret store integration supporting HashiCorp Vault and AWS Secrets Manager for secure secret management.
## Description
This story implements secret store adapters that can retrieve secrets from external secret management systems, with integration into the configuration system.
## Deliverables
### 1. Secret Store Interface (`pkg/infra/secret/secret.go`)
- `SecretStore` interface with:
- `GetSecret(ctx context.Context, key string) (string, error)`
- `GetSecrets(ctx context.Context, prefix string) (map[string]string, error)`
### 2. Vault Implementation (`internal/infra/secret/vault_store.go`)
- HashiCorp Vault client
- Support KV v2 secrets
- Authentication (token, app role)
- Secret caching
### 3. AWS Secrets Manager (`internal/infra/secret/aws_secrets.go`)
- AWS Secrets Manager client
- Secret retrieval
- Secret caching
### 4. Configuration Integration
- Integrate with config loader
- Overlay secrets on top of file/env config
- Load secrets lazily (cache)
- Secret key resolution
### 5. Configuration
- Secret store config in `config/default.yaml`:
- Provider (vault, aws, none)
- Connection settings
- Cache settings
### 6. DI Integration
- Provider function for SecretStore
- Register in DI container (optional, via config)
## Acceptance Criteria
- [ ] Secret store interface is defined
- [ ] Vault implementation works
- [ ] AWS Secrets Manager implementation works
- [ ] Secrets are loaded into config
- [ ] Secret caching works
- [ ] Configuration integration works
- [ ] Secret store is optional (can be disabled)
## Files to Create/Modify
- `pkg/infra/secret/secret.go` - Secret store interface
- `internal/infra/secret/vault_store.go` - Vault implementation
- `internal/infra/secret/aws_secrets.go` - AWS implementation
- `internal/config/loader.go` - Integrate secret loading
- `internal/di/providers.go` - Add secret store provider
- `config/default.yaml` - Add secret store config
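Review bot: The "Secret caching" items under sections 2 and 3 and "Load secrets lazily (cache)" under section 4 say nothing about cache lifetime or invalidation, and the "Cache settings" entry under section 5 should name what those settings are (a TTL at minimum), because a cached value outlives a rotation in Vault or Secrets Manager until the process restarts. Two related gaps worth a line each: "Overlay secrets on top of file/env config" should state the precedence (whether a secret-store value overrides an explicit environment variable or the reverse), and the acceptance criteria should include that secrets loaded into config are never emitted by any config dump or logging path. "Vault implementation works" and "AWS Secrets Manager implementation works" are not testable as written; name the check, e.g. `GetSecret` against a KV v2 path returns the stored value and a missing key returns an error rather than an empty string.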