stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

save checkpoint

Browse Source
This commit is contained in:
master
2026-02-14 09:11:48 +02:00
parent 9ca2de05df
commit e9aeadc040
1512 changed files with 30863 additions and 4728 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
docs/features/checked/scanner/surface-secrets-provider-chain.md Normal file
View File

@@ -0,0 +1,58 @@
# Surface.Secrets Provider Chain
## Module
Scanner
## Status
VERIFIED
## Description
Pluggable secret provider chain with backends for Kubernetes mounted secrets, file-based secrets, and offline credential stores. Provides typed handles for attestation signing keys, CAS tokens, and registry credentials.
## Implementation Details
- **Provider Interface**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/ISurfaceSecretProvider.cs` - `ISurfaceSecretProvider` interface for pluggable secret providers
- **Provider Implementations**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/CompositeSurfaceSecretProvider.cs` - `CompositeSurfaceSecretProvider` chaining multiple providers with fallback
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/KubernetesSurfaceSecretProvider.cs` - `KubernetesSurfaceSecretProvider` reading secrets from Kubernetes mounted volumes
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/FileSurfaceSecretProvider.cs` - `FileSurfaceSecretProvider` reading secrets from file system paths
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/InlineSurfaceSecretProvider.cs` - `InlineSurfaceSecretProvider` for inline/environment-variable secrets
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/InMemorySurfaceSecretProvider.cs` - In-memory provider for testing
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/OfflineSurfaceSecretProvider.cs` - `OfflineSurfaceSecretProvider` for air-gapped credential stores
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/AuditingSurfaceSecretProvider.cs` - `AuditingSurfaceSecretProvider` wrapping providers with access auditing
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/CachingSurfaceSecretProvider.cs` - `CachingSurfaceSecretProvider` caching secret lookups
- **Typed Secret Handles**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AttestationSecret.cs` - `AttestationSecret` typed handle for attestation signing keys
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/CasAccessSecret.cs` - `CasAccessSecret` typed handle for CAS (Content-Addressable Storage) tokens
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/RegistryAccessSecret.cs` - `RegistryAccessSecret` typed handle for container registry credentials
- **Request Model**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretRequest.cs` - Request model for secret retrieval
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretHandle.cs` - Handle wrapping resolved secrets
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretNotFoundException.cs` - Exception when secrets are not found
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretsOptions.cs` - Configuration options
- **DI & Integration**:
- `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/ServiceCollectionExtensions.cs` - DI registration for surface secrets
- `src/Scanner/StellaOps.Scanner.Worker/Options/ScannerStorageSurfaceSecretConfigurator.cs` - Worker-side secret configuration
- `src/Scanner/StellaOps.Scanner.WebService/Options/ScannerSurfaceSecretConfigurator.cs` - WebService-side secret configuration
- **Tests**:
- `src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/InlineSurfaceSecretProviderTests.cs` - Inline provider tests
- `src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/FileSurfaceSecretProviderTests.cs` - File provider tests
## E2E Test Plan
- [ ] Configure a composite provider chain (Kubernetes -> File -> Offline) and verify secrets are resolved from the first available provider
- [ ] Verify `KubernetesSurfaceSecretProvider` reads secrets from Kubernetes mounted volumes at expected paths
- [ ] Verify `AttestationSecret` typed handle correctly provides attestation signing key material
- [ ] Verify `RegistryAccessSecret` typed handle provides registry credentials for authenticated pulls
- [ ] Verify `AuditingSurfaceSecretProvider` logs all secret access for audit trail
- [ ] Verify `OfflineSurfaceSecretProvider` works in air-gapped environments without network access
---
## Verification
| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |