
Secrets Management in Open Horizon

Open Horizon provides a secure mechanism for managing sensitive information like authentication credentials, certificates, and encryption keys. This documentation guides you through all aspects of secrets management in Open Horizon.

What are secrets?

Secrets are sensitive pieces of information that your edge services need to function properly. They can be:

  • Authentication credentials (usernames and passwords)
  • API keys
  • Certificates
  • Encryption keys
  • Any other sensitive data

Why use secrets management?

Secrets management in Open Horizon provides several key benefits:

  • Security: Secrets are stored securely and only accessible to authorized services
  • Flexibility: Secrets can be updated without redeploying services
  • Organization: Secrets can be managed at organization or user level
  • Node-specific: Secrets can be specific to individual nodes
  • Audit: All secret operations are tracked and logged

Basic concepts

Secrets Manager

The Secrets Manager is a component of Open Horizon that securely stores and manages secrets. Compatible secrets backend providers include OpenBao and HashiCorp Vault.

Secret types

  • Organization-wide secrets: Accessible to all services and nodes in an organization
  • User private secrets: Only accessible to services and nodes owned by a specific user
  • Node-specific user private secrets: Specific to individual edge nodes registered to a specific user
  • Node-specific organization-wide secrets: Specific to individual edge nodes in an organization

Secret lifecycle

  1. Creation: Secrets are created by organization admins or users
  2. Binding: Secrets are bound to services in deployment patterns or policies
  3. Deployment: Secrets are securely deployed to edge nodes
  4. Usage: Services access secrets through mounted files
  5. Updates: Secrets can be updated without service redeployment
  6. Deletion: Secrets can be removed when no longer needed

Quick start

To get started with secrets management:

  1. Create a secret:
    hzn secretsmanager secret add --secretKey <key> --secretDetail <value> <secret-name>

  2. Add the secret to your service definition:
    "secrets": {
      "my_secret": { "description": "My secret description" }
    }

  3. Bind the secret in your deployment pattern or policy:
    "secretBinding": [
      {
        "serviceOrgid": "yourOrg",
        "serviceUrl": "yourService",
        "secrets": [
          {"my_secret": "your-secret-name"}
        ]
      }
    ]

  4. Access the secret in your service:
    cat /open-horizon-secrets/my_secret
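The quick start above, worked through in code as an added example (this is not code from the Open Horizon project). It does two things a practitioner wants around steps 2 to 4: a pre-publish check that every secret a service declares in its "secrets" map is actually supplied by a "secretBinding" entry for that service, and a reader for the file mounted under /open-horizon-secrets that re-parses the file when the agent updates it (lifecycle step 5: updates without redeployment). The layout of the mounted file as a JSON document with "key" and "value" fields is an assumption; verify it against your agent version. The secret files and values are constructed samples written to a temporary directory so the example runs offline.

```python
import json
import os
import tempfile

# Mount directory used in step 4 of the quick start.
SECRETS_DIR = "/open-horizon-secrets"

# The service definition fragment (step 2) and the pattern/policy binding
# (step 3) from the quick start, as Python data.
SERVICE_DEF = {"secrets": {"my_secret": {"description": "My secret description"}}}
SECRET_BINDING = [
    {
        "serviceOrgid": "yourOrg",
        "serviceUrl": "yourService",
        "secrets": [{"my_secret": "your-secret-name"}],
    }
]


def unbound_secrets(service_def, secret_binding, service_org, service_url):
    """Names of secrets the service declares that no binding for it supplies.

    Run this before publishing a pattern or policy: a declared secret with
    no binding cannot be delivered to the node.
    """
    declared = set(service_def.get("secrets", {}))
    bound = set()
    for binding in secret_binding:
        if (binding.get("serviceOrgid"), binding.get("serviceUrl")) != (service_org, service_url):
            continue
        for entry in binding.get("secrets", []):
            bound.update(entry)  # each entry maps service secret name -> stored secret name
    return sorted(declared - bound)


def write_secret_file(path, key, value):
    """Write a constructed secret file atomically (temp file + rename) with
    owner-only permissions, so a reader never sees a half-written document."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump({"key": key, "value": value}, fh)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


class SecretReader:
    """Reads one mounted secret and re-parses it only when the file changes.

    Secrets can be updated without redeploying the service, so the value must
    not be cached for the lifetime of the container.
    """

    def __init__(self, name, secrets_dir=SECRETS_DIR):
        self.path = os.path.join(secrets_dir, name)
        self._stamp = None
        self._value = None

    def value(self):
        """Return (key, value); re-reads the file when its mtime or size changes."""
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_size)
        if stamp != self._stamp:
            with open(self.path, encoding="utf-8") as fh:
                doc = json.load(fh)
            # Assumed layout of the mounted file: {"key": ..., "value": ...}.
            if not isinstance(doc, dict) or not {"key", "value"}.issubset(doc):
                raise ValueError("unexpected secret layout in " + self.path)
            self._stamp, self._value = stamp, (doc["key"], doc["value"])
        return self._value


def demo():
    """Exercise both helpers against constructed sample files; returns results."""
    results = {"unbound": unbound_secrets(SERVICE_DEF, SECRET_BINDING, "yourOrg", "yourService")}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "my_secret")
        write_secret_file(path, "api_key", "s3cr3t")  # constructed sample value
        reader = SecretReader("my_secret", secrets_dir=d)
        results["first"] = reader.value()
        write_secret_file(path, "api_key", "rotated-value-2")  # simulated update
        results["after_update"] = reader.value()
    return results


if __name__ == "__main__":
    r = demo()
    # Never log secret values; report only whether the checks passed.
    print("unbound secrets:", r["unbound"])
    print("update picked up without restart:", r["first"] != r["after_update"])
```

In a real service, construct `SecretReader("my_secret")` with the default directory and call `value()` each time the credential is needed rather than once at startup; the stat call is cheap and it is what lets a rotated secret take effect without a redeploy.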

Next steps
