Epic: Secrets Management #9

Open
opened 2026-03-29 23:17:42 +02:00 by claude · 0 comments
Overview

Platform-managed secrets with external vault integration from day 1. Customer Camel applications need connection credentials for external systems without hardcoding them in JARs.

Day 1 Requirements

  • Platform-native secret store (encrypted at rest in platform PostgreSQL or K8s Secrets)
  • External vault integration:
    • HashiCorp Vault
    • AWS Secrets Manager
    • Azure Key Vault
    • GCP Secret Manager
  • Secrets injected into Camel app containers as environment variables or mounted files
  • Secret rotation support (update secret → rolling restart of affected apps)
  • RBAC: only authorized team members can create/view/rotate secrets

Architecture

  • Secrets API in the management platform
  • Per-environment secret scoping (dev secrets ≠ prod secrets)
  • External vault sync: platform reads from customer's vault at deploy time or runtime
  • K8s External Secrets Operator for vault-to-K8s-secret synchronization
  • Audit logging of all secret access

Tenant Isolation

  • Secrets strictly scoped to tenant + environment
  • No cross-tenant secret access possible
  • Shared storage encrypted with per-tenant keys (envelope encryption)
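As an added illustration of the per-tenant envelope encryption listed above (example code, not part of this epic or the cameleer platform): each stored value gets its own data key (DEK), the DEK is wrapped with the tenant's key-encryption key (KEK), and the tenant/environment/name scope is bound into both AES-GCM layers as additional data, so a stored blob cannot be opened with another tenant's KEK or under another environment. The function names, the scope string format and the in-memory KEK are assumptions; in production the KEK would be fetched from the customer's vault or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// aesGCM builds AES-GCM; key sizes are fixed by the platform, so a wrong length is a bug.
func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}
// seal returns nonce || AES-GCM(key, plaintext, aad) under a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	g := aesGCM(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // Go 1.24+ documents that crypto/rand.Read never returns an error
	return g.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; it fails on a wrong key, a different scope (aad) or a tampered blob.
func open(key, blob, aad []byte) ([]byte, error) {
	g := aesGCM(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}
// Encrypt envelope-encrypts one secret: a fresh per-secret DEK is wrapped with the tenant's KEK
// (in production fetched from the customer's vault/KMS, never stored beside the data).
func Encrypt(kek []byte, tenant, env, name string, value []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	rand.Read(dek)
	aad := []byte(tenant + "/" + env + "/" + name) // scope bound into both layers: dev != prod
	return seal(kek, dek, aad), seal(dek, value, aad)
}
// Decrypt unwraps the DEK with the caller's tenant KEK and scope, then opens the value.
func Decrypt(kek []byte, tenant, env, name string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	aad := []byte(tenant + "/" + env + "/" + name)
	dek, err := open(kek, wrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %s: %w", aad, err)
	}
	return open(dek, ciphertext, aad)
}
```

Rotating a tenant's KEK only requires re-wrapping the small DEK blobs, not re-encrypting every secret value.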

Future

  • Secret versioning and rollback
  • Automatic credential rotation (database passwords, API keys)
  • Secret scanning in uploaded JARs (detect accidentally bundled credentials)
claude added the epic, secrets labels 2026-03-29 23:18:03 +02:00
Reference: cameleer/cameleer-saas#9