Integration Secrets Backend

SecretProvider is the seam for integration credential secret resolution.

Implemented:

  • LocalDevSecretProvider for local/dev/test only.
  • Deterministic non-production local://<tenant>/<purpose>/<key>/<version> references.
  • KubernetesSecretProvider for production-shaped Kubernetes Secret reads.
  • Canonical Kubernetes refs: k8s://namespace/secret-name/key or k8s://secret-name/key when the namespace is configured.
  • Tenant/purpose-aware Kubernetes Secret naming, for example oneprotect-acme-health-webhook-signing-dest-acme-generic-webhook.
  • External provider seam for future direct Vault or cloud-specific providers.
  • Worker resolves signing secrets at delivery time.
  • Missing or unavailable secrets fail delivery safely and persist an attempt.
  • Credential rotation updates metadata and audit without returning secret values.
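
As an added illustration, not code from the project, the Python sketch below parses the two reference formats listed above and walks the fail-safe delivery path: the secret is resolved at delivery time, and a missing or unavailable secret yields a failed attempt record that carries a reason but no secret value. The SecretRef dataclass, the in-memory LocalDevSecretProvider, the SecretUnavailable exception, the delivery record shape and the HMAC-SHA256 signing are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecretRef:
    scheme: str                # "local" or "k8s"
    namespace: Optional[str]   # k8s only
    name: str                  # "<tenant>/<purpose>" (local) or secret-name (k8s)
    key: str
    version: Optional[str]     # local only

def parse_ref(ref: str, default_namespace: Optional[str] = None) -> SecretRef:
    scheme, _, rest = ref.partition("://")
    parts = rest.split("/")
    if scheme == "local" and len(parts) == 4 and all(parts):
        tenant, purpose, key, version = parts  # local://<tenant>/<purpose>/<key>/<version>
        return SecretRef("local", None, f"{tenant}/{purpose}", key, version)
    if scheme == "k8s" and len(parts) == 3 and all(parts):
        ns, name, key = parts  # k8s://namespace/secret-name/key
        return SecretRef("k8s", ns, name, key, None)
    if scheme == "k8s" and len(parts) == 2 and all(parts) and default_namespace:
        name, key = parts  # k8s://secret-name/key, namespace taken from configuration
        return SecretRef("k8s", default_namespace, name, key, None)
    raise ValueError(f"unsupported or malformed secret ref: {ref}")

class SecretUnavailable(Exception):
    """Raised when a ref cannot be resolved; the message never carries a value."""

class LocalDevSecretProvider:
    """Hypothetical in-memory provider for local/dev/test only."""
    def __init__(self, store: dict):
        self._store = store  # {(name, key, version): secret_bytes}, constructed by the caller
    def resolve(self, ref: SecretRef) -> bytes:
        if ref.scheme != "local":
            raise SecretUnavailable(f"{ref.scheme} refs are not served by the dev provider")
        try:
            return self._store[(ref.name, ref.key, ref.version)]
        except KeyError:
            raise SecretUnavailable(f"no secret for {ref.name}/{ref.key}@{ref.version}") from None

def deliver(provider, ref_str: str, payload: bytes) -> dict:
    try:
        secret = provider.resolve(parse_ref(ref_str))
    except (ValueError, SecretUnavailable) as exc:
        # Fail safely: the attempt carries a reason, never secret material.
        return {"status": "failed", "ref": ref_str, "reason": str(exc)}
    sig = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return {"status": "signed", "ref": ref_str, "signature": sig}
```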

Planned:

  • External Secrets Operator, CSI, Vault Agent, or platform sync to populate Kubernetes Secrets.
  • Exact production RBAC resourceNames once tenant integration secret names are known.
  • Dual-secret rollover for receiver migration windows.
  • Receiver replay-window verification fixtures.

Source architecture note: docs/architecture/integration-secrets-backend.md.