Status: Draft

Sponsor User: Anylog/Edge Lake

Date of Submission: Apr 14, 2025

Submitted by: @Joe Pearson

Affiliation(s): IBM

<Please fill out the above fields, and the Overview, Design and User Experience sections below for an initial review of the proposed feature.>

Scope and Signoff: Agent, Agbot, and Exchange (small)

Overview

The Secrets Management functionality in Open Horizon is designed to generate a file containing secrets serialized into JSON objects. Some services expect bare secret values in the file with no adornment. Provide a configuration property that will trigger this behavior.

Design

Today, in a Service Definition file, secrets can be defined in the “deployment” property:

With the above example configuration, the deployed workload would have the three secrets serialized into JSON files available at the following paths in the container:

• /open-horizon-secrets/secret_user

• /open-horizon-secrets/secret_password

• /open-horizon-secrets/secret_db

And the contents of those files would be something like this:

{"key":"user","value":"jpearson"}

{"key":"password","value":"notapw"}

{"key":"db","value":"MYdatabase"}

We are proposing to add an optional key/value pair in each secret Array in the Service Definition that would allow overriding this behavior:

Resulting in the contents of the serialized secrets files being:

jpearson

notapw

MYdatabase

User Experience

<Describe which user roles are related to the problem AND the solution, e.g. admin, deployer, node owner, etc. If you need to define a new role in your design, make that very clear. Remember this is about what a user is thinking when interacting with the system before and after this design change. This section is not about a UI, it's more abstract than that. This section should explain all the aspects of the proposed feature that will surface to users.>

Command Line Interface

Booz: In the CLI, the secret related commands all "force" the user to CRUD secrets as name value pairs: Key and Value. This is why the mounted secret file contents are structured JSON. It would be interesting to understand if Vault supports any other kinds of secrets (besides the Key/Value secrets) that might also align with this design proposal. What I'm wondering is if we could support an additional Vault secret type that inherently works like a bare credential, without the need to extend the OH metadata with the "format" config option.

External Components

<Describe any new or changed interactions with components that are not the agent or the management hub.>

Affected Components

<List all of the internal components (agent, MMS, Exchange, etc) which need to be updated to support the proposed feature. Include a link to the github epic for this feature (and the epic should contain the github issues for each component).>

Security

<Describe any related security aspects of the solution. Think about security of components interacting with each other, users interacting with the system, components interacting with external systems, permissions of users or components>

APIs

<Describe and new/changed/deprecated APIs, including before and after snippets for clarity. Include which components or users will use the APIs.>

Build, Install, Packaging

<Describe any changes to the way any component of the system is built (e.g. agent packages, containers, etc), installed (operators, manual install, batch install, SDO), configured, and deployed (consider the hub and edge nodes).>

Documentation Notes

<Describe the aspects of documentation that will be new/changed/updated. Be sure to indicate if this is new or changed doc, the impacted artifacts (e.g. technical doc, website, etc) and links to the related doc issue(s) in github.>

Test

<Summarize new automated tests that need to be added in support of this feature, and describe any special test requirements that you can foresee.>