# Appendix A: Glossary and Indexes

## A.1 Term Definitions
| Term | Definition |
|---|---|
| AWS Secrets Manager | A managed AWS service that stores, retrieves, and rotates secrets with built-in encryption at rest via AWS KMS. Used as the sole secret store during the interim period. |
| AWS IAM | Amazon's identity and access management service. Provides authentication and authorization for access to AWS services including Secrets Manager. |
| AWS SDK | AWS Software Development Kit. A set of libraries for programmatic access to AWS services from application code. |
| AWS CloudTrail | AWS service that provides API call logging and monitoring for AWS resources, including Secrets Manager access auditing. |
| On-Premises Infrastructure | Locally hosted servers and virtual machines running application workloads without container orchestration. Used during the interim period before Kubernetes adoption. |
| ExternalSecret | A Kubernetes custom resource (external-secrets.io) that synchronizes secrets from external stores into Kubernetes Secrets. Used in Phase 1 and Phase 2 of migration. |
| External Secrets Operator (ESO) | A Kubernetes operator that reconciles ExternalSecret resources, pulling secrets from external stores and materializing them as Kubernetes Secrets. |
| GitOps | An operational framework where Git repositories serve as the source of truth for declarative infrastructure and application configuration. |
| HashiCorp Vault | A secrets management platform providing dynamic secrets, encryption, access control, and audit logging. The target secret store defined in RFC-SECOPS-0001. |
| IRSA (IAM Roles for Service Accounts) | An AWS EKS feature that associates Kubernetes service accounts with IAM roles, eliminating the need for long-lived access keys. |
| Interim Architecture | The temporary secret management system defined by this RFC, designed to be superseded by RFC-SECOPS-0001. |
| Invariant | A rule that MUST hold true at all times. Violation of an invariant invalidates the architecture. |
| PushSecret | A Kubernetes custom resource (external-secrets.io) that pushes secrets from Kubernetes to an external secret store. Used in Phase 2 for internal secret distribution. |
| Secret Config Module | A centralized application-level module responsible for all interactions with the secret store (AWS SDK calls during the interim period). |
| SecretStore / ClusterSecretStore | Kubernetes custom resources (external-secrets.io) that define connection parameters to an external secret store. |
| Secrets Inventory Manifest | A Git-tracked YAML file (secrets-inventory.yaml) that records metadata about all platform secrets without containing secret values. |
| Superseded | An RFC status indicating the document has been replaced by a newer RFC and is frozen. |
## A.2 Diagram Index
| Diagram | Section | Type | Description |
|---|---|---|---|
| System Overview | 3.1 | flowchart | High-level architecture showing Secrets Manager, on-premises VMs, and Git |
| Trust Boundaries | 3.3 | flowchart | Server-to-AWS and IAM-to-Secrets Manager trust boundaries |
| Secret Population Flow | 3.4.1 | sequenceDiagram | Operator populating secrets into Secrets Manager |
| Secret Consumption Flow | 3.4.2 | sequenceDiagram | Application retrieving secrets via SDK |
| Component Interaction | 4.3 | flowchart | Interaction between application, SDK, IAM, and Secrets Manager |
| Migration Phases | 5.1 | stateDiagram-v2 | Phase 0 → Phase 1 → Phase 2 state transitions |