# Story 5.6: Secret Store Integration

## Metadata

- **Story ID**: 5.6
- **Title**: Secret Store Integration
- **Epic**: 5 - Infrastructure Adapters
- **Status**: Pending
- **Priority**: Medium
- **Estimated Time**: 4-5 hours
- **Dependencies**: 0.2

## Goal

Implement secret store integration supporting HashiCorp Vault and AWS Secrets Manager for secure secret management.

## Description

This story implements secret store adapters that retrieve secrets from external secret management systems and integrates them with the configuration system, so that secrets never have to live in config files or environment variables.

## Deliverables

### 1. Secret Store Interface (`pkg/infra/secret/secret.go`)

- `SecretStore` interface with:
  - `GetSecret(ctx context.Context, key string) (string, error)`
  - `GetSecrets(ctx context.Context, prefix string) (map[string]string, error)`

### 2. Vault Implementation (`internal/infra/secret/vault_store.go`)

- HashiCorp Vault client
- Support KV v2 secrets
- Authentication (token, AppRole)
- Secret caching

### 3. AWS Secrets Manager (`internal/infra/secret/aws_secrets.go`)

- AWS Secrets Manager client
- Secret retrieval
- Secret caching

### 4. Configuration Integration

- Integrate with config loader
- Overlay secrets on top of file/env config
- Load secrets lazily (cache)
- Secret key resolution

### 5. Configuration

- Secret store config in `config/default.yaml`:
  - Provider (vault, aws, none)
  - Connection settings
  - Cache settings

### 6. DI Integration

- Provider function for SecretStore
- Register in DI container (optional, via config)

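Deliverables 1 through 4, plus the "store is optional" behaviour of deliverable 6, pulled together in one added Go example. This is not code from this project: the `MemStore` stand-in backend, the `CachedStore` wrapper, the `Overlay` function, the `secret://<key>` reference syntax and the sample secret values are all assumptions made for the example. It shows the `SecretStore` interface, a lazy per-key TTL cache that never caches misses, and a config overlay that fails loudly when a secret reference is present but the store is disabled.

```go
package main

import (
	"context"
	"fmt"
	"strings"
	"sync"
	"time"
)

// SecretStore is the interface named in deliverable 1.
type SecretStore interface {
	GetSecret(ctx context.Context, key string) (string, error)
	GetSecrets(ctx context.Context, prefix string) (map[string]string, error)
}

// MemStore is a constructed in-memory backend standing in for the Vault and AWS clients.
type MemStore map[string]string

func (m MemStore) GetSecret(_ context.Context, key string) (string, error) {
	if v, ok := m[key]; ok {
		return v, nil
	}
	return "", fmt.Errorf("secret %q not found", key)
}

func (m MemStore) GetSecrets(_ context.Context, prefix string) (map[string]string, error) {
	out := map[string]string{}
	for k, v := range m {
		if strings.HasPrefix(k, prefix) {
			out[k] = v
		}
	}
	return out, nil
}

type cacheEntry struct{ value string; expires time.Time }

// CachedStore adds the lazy per-key TTL cache of deliverables 2-4 to any backend.
// Only successful reads are cached, so a secret created after startup is found
// on the next call instead of being hidden behind a cached miss.
type CachedStore struct {
	inner SecretStore
	ttl   time.Duration
	items sync.Map // key -> cacheEntry; safe for concurrent callers
}

func NewCached(inner SecretStore, ttl time.Duration) *CachedStore {
	return &CachedStore{inner: inner, ttl: ttl}
}

func (c *CachedStore) GetSecret(ctx context.Context, key string) (string, error) {
	if e, ok := c.items.Load(key); ok && time.Now().Before(e.(cacheEntry).expires) {
		return e.(cacheEntry).value, nil
	}
	v, err := c.inner.GetSecret(ctx, key)
	if err == nil {
		c.items.Store(key, cacheEntry{value: v, expires: time.Now().Add(c.ttl)})
	}
	return v, err
}

func (c *CachedStore) GetSecrets(ctx context.Context, prefix string) (map[string]string, error) {
	m, err := c.inner.GetSecrets(ctx, prefix)
	for k, v := range m { // m is nil on error, so nothing is cached then
		c.items.Store(k, cacheEntry{value: v, expires: time.Now().Add(c.ttl)})
	}
	return m, err
}

// Overlay resolves config values written as "secret://<key>" (an assumed reference
// syntax) through the store and passes plain file/env values through unchanged.
// A reference with the store disabled (nil) is an error, never a silent empty value.
func Overlay(ctx context.Context, cfg map[string]string, store SecretStore) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		if !strings.HasPrefix(v, "secret://") {
			out[k] = v
			continue
		}
		ref := strings.TrimPrefix(v, "secret://")
		if store == nil {
			return nil, fmt.Errorf("config key %q references secret %q but the secret store is disabled", k, ref)
		}
		s, err := store.GetSecret(ctx, ref)
		if err != nil {
			return nil, fmt.Errorf("resolving config key %q: %w", k, err)
		}
		out[k] = s
	}
	return out, nil
}

func main() {
	store := NewCached(MemStore{"db/password": "constructed-value"}, time.Minute) // constructed sample secret
	fmt.Println(Overlay(context.Background(), map[string]string{"db.host": "localhost", "db.pass": "secret://db/password"}, store))
}
```

In the real adapters `MemStore` is replaced by the Vault KV v2 client and the AWS Secrets Manager client behind the same interface, and `NewCached` is what the DI provider returns when the configured provider is `vault` or `aws`; for `none` it returns a nil store, which `Overlay` accepts as long as no config value actually references a secret. The cache holds secret values in process memory in plaintext for the whole TTL, so the TTL in the cache settings should be short enough that a rotated secret is picked up within the time the team is willing to tolerate.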
## Acceptance Criteria

- [ ] Secret store interface is defined
- [ ] Vault implementation works
- [ ] AWS Secrets Manager implementation works
- [ ] Secrets are loaded into config
- [ ] Secret caching works
- [ ] Configuration integration works
- [ ] Secret store is optional (can be disabled)

## Files to Create/Modify

- `pkg/infra/secret/secret.go` - Secret store interface
- `internal/infra/secret/vault_store.go` - Vault implementation
- `internal/infra/secret/aws_secrets.go` - AWS implementation
- `internal/config/loader.go` - Integrate secret loading
- `internal/di/providers.go` - Add secret store provider
- `config/default.yaml` - Add secret store config