fix(adr-023/024/025): restore Mermaid diagrams
Mermaid diagrams are useful for visualising the architecture and do not create any code/doc duplication problem. Restoring the 3 diagrams:
- ADR-023: Moderation flow (Client → API → Worker → AI → Dashboard)
- ADR-024: Monitoring stack (Services → Prometheus/Grafana → Alerting)
- ADR-025: Secrets architecture (Dev/Prod → Vault → Encryption)
Textual code (SQL, bash, Go, YAML) remains removed as requested.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@@ -30,15 +30,55 @@ Stratégie **secrets management + encryption at rest + HTTPS** avec stack self-h
### Architecture Secrets
**Environnements** :
- **Développement** : Fichier .env local (non versionné)
- **Production** : HashiCorp Vault (self-hosted)
```mermaid
graph TB
subgraph Dev["Environnement Dev"]
EnvFile[".env file<br/>(local uniquement)"]
end
**Flux** :
1. **Vault** stocke secrets sensibles (JWT signing key, DB credentials, Mangopay API key, encryption master key)
2. **Backend API** récupère secrets depuis Vault au démarrage
3. **Encryption layer** : AES-256-GCM pour PII, TLS 1.3 pour transport
4. **Stockage** : PostgreSQL (data encrypted at rest), Redis (TLS enabled)
subgraph Prod["Production"]
Vault["HashiCorp Vault<br/>(secrets storage)"]
API["Backend Go API"]
DB["PostgreSQL<br/>(encrypted at rest)"]
Redis["Redis<br/>(TLS enabled)"]
end
subgraph Encryption["Encryption Layer"]
AES["AES-256-GCM<br/>(PII encryption)"]
TLS["TLS 1.3<br/>(transport)"]
end
subgraph Secrets["Secrets Stockés"]
JWT["JWT Signing Key<br/>(RS256 private key)"]
DBCreds["DB Credentials<br/>(user/pass)"]
Mangopay["Mangopay API Key<br/>(sandbox + prod)"]
EncKey["Encryption Master Key<br/>(AES-256)"]
end
EnvFile -.->|dev only| API
Vault --> API
Vault --- JWT
Vault --- DBCreds
Vault --- Mangopay
Vault --- EncKey
API --> AES
API --> TLS
AES --> DB
TLS --> DB
TLS --> Redis
classDef devStyle fill:#fff3e0,stroke:#e65100
classDef prodStyle fill:#e3f2fd,stroke:#1565c0
classDef encStyle fill:#f3e5f5,stroke:#6a1b9a
classDef secretStyle fill:#ffebee,stroke:#c62828
class Dev,EnvFile devStyle
class Prod,Vault,API,DB,Redis prodStyle
class Encryption,AES,TLS encStyle
class Secrets,JWT,DBCreds,Mangopay,EncKey secretStyle
```
### Secrets Management avec Vault
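Review bot: the restored diagram blurs two different encryption mechanisms: `AES["AES-256-GCM<br/>(PII encryption)"]` is wired as `AES --> DB`, yet the target node is labelled `DB["PostgreSQL<br/>(encrypted at rest)"]` and step 4 of the "Flux" list says "data encrypted at rest". Field-level AES-GCM performed by the API and storage-level encryption of the PostgreSQL volume protect against different failure modes, so either split them into two nodes or make the DB label say which one the ADR actually commits to. In the same spirit, `Vault --- EncKey` and `Vault --> API` show the master key being handed to the API at startup but say nothing about how it is held in memory or rotated; a short note next to the diagram (or a `rotation` edge) would make the ADR self-contained on that point.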