Story 5.6: Secret Store Integration
Metadata
- Story ID: 5.6
- Title: Secret Store Integration
- Epic: 5 - Infrastructure Adapters
- Status: Pending
- Priority: Medium
- Estimated Time: 4-5 hours
- Dependencies: 0.2
Goal
Implement secret store integration supporting HashiCorp Vault and AWS Secrets Manager for secure secret management.
Description
This story implements secret store adapters that can retrieve secrets from external secret management systems, with integration into the configuration system.
Deliverables
1. Secret Store Interface (pkg/infra/secret/secret.go)
- SecretStore interface with:
  - GetSecret(ctx context.Context, key string) (string, error)
  - GetSecrets(ctx context.Context, prefix string) (map[string]string, error)
2. Vault Implementation (internal/infra/secret/vault_store.go)
- HashiCorp Vault client
- Support KV v2 secrets
- Authentication (token, AppRole)
- Secret caching
3. AWS Secrets Manager (internal/infra/secret/aws_secrets.go)
- AWS Secrets Manager client
- Secret retrieval
- Secret caching
4. Configuration Integration
- Integrate with config loader
- Overlay secrets on top of file/env config
- Load secrets lazily (cache)
- Secret key resolution
5. Configuration
- Secret store config in config/default.yaml:
  - Provider (vault, aws, none)
  - Connection settings
  - Cache settings
6. DI Integration
- Provider function for SecretStore
- Register in DI container (optional, via config)
Acceptance Criteria
- Secret store interface is defined
- Vault implementation works
- AWS Secrets Manager implementation works
- Secrets are loaded into config
- Secret caching works
- Configuration integration works
- Secret store is optional (can be disabled)
Files to Create/Modify
- pkg/infra/secret/secret.go - Secret store interface
- internal/infra/secret/vault_store.go - Vault implementation
- internal/infra/secret/aws_secrets.go - AWS implementation
- internal/config/loader.go - Integrate secret loading
- internal/di/providers.go - Add secret store provider
- config/default.yaml - Add secret store config