# Surface.Secrets Provider Chain

## Module

Scanner

## Status

VERIFIED

## Description

Pluggable secret provider chain for the Scanner. `CompositeSurfaceSecretProvider` queries a configured list of backends (Kubernetes mounted secrets, file-based secrets, inline/environment-variable values, and offline credential stores for air-gapped installs) in order and returns the first match. Resolved secrets are exposed through typed handles for attestation signing keys, CAS tokens, and container registry credentials, and any provider can be wrapped with caching and access auditing.

## Implementation Details

- **Provider Interface**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/ISurfaceSecretProvider.cs` - `ISurfaceSecretProvider` interface for pluggable secret providers
- **Provider Implementations**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/CompositeSurfaceSecretProvider.cs` - `CompositeSurfaceSecretProvider` chaining multiple providers with ordered fallback (first match wins)
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/KubernetesSurfaceSecretProvider.cs` - `KubernetesSurfaceSecretProvider` reading secrets from Kubernetes mounted volumes
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/FileSurfaceSecretProvider.cs` - `FileSurfaceSecretProvider` reading secrets from file system paths
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/InlineSurfaceSecretProvider.cs` - `InlineSurfaceSecretProvider` for inline/environment-variable secrets
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/InMemorySurfaceSecretProvider.cs` - In-memory provider for testing
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/OfflineSurfaceSecretProvider.cs` - `OfflineSurfaceSecretProvider` for air-gapped credential stores
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/AuditingSurfaceSecretProvider.cs` - `AuditingSurfaceSecretProvider` wrapping a provider with access auditing
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/Providers/CachingSurfaceSecretProvider.cs` - `CachingSurfaceSecretProvider` caching secret lookups
- **Typed Secret Handles**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/AttestationSecret.cs` - `AttestationSecret` typed handle for attestation signing keys
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/CasAccessSecret.cs` - `CasAccessSecret` typed handle for CAS (Content-Addressable Storage) tokens
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/RegistryAccessSecret.cs` - `RegistryAccessSecret` typed handle for container registry credentials
- **Request Model & Options**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretRequest.cs` - Request model for secret retrieval
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretHandle.cs` - Handle wrapping a resolved secret
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretNotFoundException.cs` - Exception thrown when no provider resolves a requested secret
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/SurfaceSecretsOptions.cs` - Configuration options
- **DI & Integration**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/ServiceCollectionExtensions.cs` - DI registration for surface secrets
  - `src/Scanner/StellaOps.Scanner.Worker/Options/ScannerStorageSurfaceSecretConfigurator.cs` - Worker-side secret configuration
  - `src/Scanner/StellaOps.Scanner.WebService/Options/ScannerSurfaceSecretConfigurator.cs` - WebService-side secret configuration
- **Tests**:
  - `src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/InlineSurfaceSecretProviderTests.cs` - Inline provider tests
  - `src/Scanner/__Tests/StellaOps.Scanner.Surface.Secrets.Tests/FileSurfaceSecretProviderTests.cs` - File provider tests

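
The chain semantics this page describes (the first provider holding a secret wins, the composite fails only after every backend has declined, auditing records access without the secret material), as an added example that is not the project's code: the `ISurfaceSecretProvider` contract, the `SurfaceSecretRequest`/`SurfaceSecretHandle` shapes, the `Resolve`/`TryResolve` method names and the `MapSurfaceSecretProvider` stand-in for the mounted-volume backends are assumptions modelled on the file names listed above, and the tenant and token values are constructed sample data.

```csharp
// Added illustration of the first-match-wins provider chain; not the
// StellaOps.Scanner.Surface.Secrets source. Shapes below are assumptions.
// Single-file C# program (top-level statements, .NET 6+).
using System;
using System.Collections.Generic;
using System.Text;

static byte[] B(string s) => Encoding.UTF8.GetBytes(s);

// Constructed sample backends standing in for Kubernetes -> File -> Offline.
// "acme/registry" is held by two of them, so chain order decides which wins.
var kubernetes = new MapSurfaceSecretProvider("kubernetes",
    new Dictionary<string, byte[]> { ["acme/registry"] = B("registry-token-from-k8s") });
var file = new MapSurfaceSecretProvider("file", new Dictionary<string, byte[]>
{
    ["acme/registry"] = B("registry-token-from-file"), // shadowed: kubernetes is earlier in the chain
    ["acme/cas"] = B("cas-token-from-file"),
});
var offline = new MapSurfaceSecretProvider("offline",
    new Dictionary<string, byte[]> { ["acme/attestation"] = B("signing-key-from-offline-store") });

// Wrap each backend (not just the composite) so the audit trail shows which one answered.
var auditLog = new List<string>();
var chain = new CompositeSurfaceSecretProvider(
    new AuditingSurfaceSecretProvider(kubernetes, auditLog.Add),
    new AuditingSurfaceSecretProvider(file, auditLog.Add),
    new AuditingSurfaceSecretProvider(offline, auditLog.Add));

foreach (var name in new[] { "registry", "cas", "attestation", "missing" })
{
    // The handle's ToString reports source and length only, never the bytes.
    try { Console.WriteLine(chain.Resolve(new SurfaceSecretRequest(name, "acme"))); }
    catch (SurfaceSecretNotFoundException e) { Console.WriteLine(e.Message); }
}
Console.WriteLine("--- audit trail (no secret material) ---");
foreach (var entry in auditLog) Console.WriteLine(entry);

// Assumed request shape: logical secret name plus the tenant asking for it.
public sealed record SurfaceSecretRequest(string SecretName, string Tenant);

// Assumed handle shape: resolved material plus the provider that supplied it.
public sealed record SurfaceSecretHandle(byte[] Material, string Source)
{
    public override string ToString() => $"SurfaceSecretHandle(source={Source}, {Material.Length} bytes)";
}

public sealed class SurfaceSecretNotFoundException : Exception
{
    public SurfaceSecretNotFoundException(SurfaceSecretRequest request)
        : base($"No provider resolved secret '{request.SecretName}' for tenant '{request.Tenant}'.") { }
}

// Assumed provider contract: null means "not held here, try the next provider".
public interface ISurfaceSecretProvider
{
    string Name { get; }
    SurfaceSecretHandle? TryResolve(SurfaceSecretRequest request);
}

// Stand-in for a mounted-secret backend: an in-memory map keyed "tenant/name".
public sealed class MapSurfaceSecretProvider : ISurfaceSecretProvider
{
    private readonly IReadOnlyDictionary<string, byte[]> _secrets;
    public MapSurfaceSecretProvider(string name, IReadOnlyDictionary<string, byte[]> secrets) { Name = name; _secrets = secrets; }
    public string Name { get; }
    public SurfaceSecretHandle? TryResolve(SurfaceSecretRequest request) =>
        _secrets.TryGetValue($"{request.Tenant}/{request.SecretName}", out var material) ? new SurfaceSecretHandle(material, Name) : null;
}

// First match wins; the not-found exception is raised only after every backend declined.
public sealed class CompositeSurfaceSecretProvider : ISurfaceSecretProvider
{
    private readonly IReadOnlyList<ISurfaceSecretProvider> _providers;
    public CompositeSurfaceSecretProvider(params ISurfaceSecretProvider[] providers) => _providers = providers;
    public string Name => "composite";
    public SurfaceSecretHandle? TryResolve(SurfaceSecretRequest request)
    {
        foreach (var provider in _providers)
        {
            var handle = provider.TryResolve(request);
            if (handle is not null) return handle;
        }
        return null;
    }
    public SurfaceSecretHandle Resolve(SurfaceSecretRequest request) =>
        TryResolve(request) ?? throw new SurfaceSecretNotFoundException(request);
}

// Audit wrapper: records tenant, secret name, provider and outcome, never the material.
public sealed class AuditingSurfaceSecretProvider : ISurfaceSecretProvider
{
    private readonly ISurfaceSecretProvider _inner;
    private readonly Action<string> _audit;
    public AuditingSurfaceSecretProvider(ISurfaceSecretProvider inner, Action<string> audit) { _inner = inner; _audit = audit; }
    public string Name => _inner.Name;
    public SurfaceSecretHandle? TryResolve(SurfaceSecretRequest request)
    {
        var handle = _inner.TryResolve(request);
        _audit($"secret-access tenant={request.Tenant} name={request.SecretName} provider={_inner.Name} result={(handle is null ? "miss" : "hit")}");
        return handle;
    }
}
```

Run it as a single-file program with `dotnet run`. The case worth noticing is `acme/registry`: it exists in both the kubernetes and file backends and resolves from kubernetes only because that provider is earlier in the chain. Reordering the chain silently changes which credential the scanner authenticates with, so the composite order is part of the security configuration and should be reviewed with it; the audit entries also make such a change visible after the fact, because they name the provider that answered.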
## E2E Test Plan

- [ ] Configure a composite provider chain (Kubernetes -> File -> Offline) and verify each secret resolves from the first provider in the chain that holds it, including a secret present in more than one provider
- [ ] Verify `KubernetesSurfaceSecretProvider` reads secrets from Kubernetes mounted volumes at the expected paths
- [ ] Verify `AttestationSecret` typed handle correctly provides attestation signing key material
- [ ] Verify `RegistryAccessSecret` typed handle provides registry credentials for authenticated pulls
- [ ] Verify `AuditingSurfaceSecretProvider` records every secret access (secret name, resolving provider, outcome) for the audit trail, and that no audit entry contains secret material
- [ ] Verify `CachingSurfaceSecretProvider` serves a repeated request for the same secret from cache without a second backend read
- [ ] Verify the composite chain throws `SurfaceSecretNotFoundException` when no configured provider resolves the request
- [ ] Verify `OfflineSurfaceSecretProvider` works in air-gapped environments without network access

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |