Secret Management

Open

The secrets are held in: GitHub Secrets and Vault

The secrets are managed by:

The secrets are accessed from Iac …?

The management of secrets is complicated.  Below are some requirements for the solution.  If we can tick off all these, we’ll have a winner.

Must be able to manage:

-       carrier secrets

-       api keys

-       aais secrets

-       common secrets

-       cloud provider secrets

-       database secrets

-       hlf network secrets like certs

-       application secrets

-       distributed secrets

Must:

-       rotate passwords

-       be encrypted

-       permissioned so only visible to specific individuals or ci/cd

-       manageable - update / delete / create / view

-       auditable - know what changed and that no breaches have occurred

-       be accessible from IaC - terraform

-       be accessible from IaC - helm

-       be accessible during CI/CD

-       be cloud agnostic for use

-       be multi-cloud

-       have a health check of the system - at startup and intervals

-       provide logging and notifications of updates

-       exhibit CIA - confidentiality, integrity, access

-       have a user interface for managing the secrets

Options:

-       tools

o   vault

o   aws secrets manager

-        

Automation of Hyperleger Fabric Network Setup

Open

Use Blockchain Automation Framework (BAF)

BAF will be used to set up the network automatically.

BAF will run on a pod inside the kubernetes cluster so it has access to the required credentials and certificates that are stored in Vault.

The Vault instance is running inside the private cloud, so the automation cannot run from GitHub actions.        

User Authentication for Application Access

Open

User Authentication is Platform Specific or can it use Okta

The authentication of users must be cloud specific for access to applications because there is no generic authentication provider.

-       start with aws strategy - cognito

-       want to offload identiy to identity provider

-       can we use okta as the main identity management and link it to the underlying provider thus acting as a common api for the applications?

DA - Extraction Processing

Open

TBD

Open

In openIDL when a data call (or a stat reporting) is "consented to" by the carrier, the data must first be accessed from somewhere and then transformed into the result format and lastly converted into a report that the target party (usually a regulator) can access or be sent.

The transformation of the data from its "harmonized" state to the result state is called the "extraction", "extraction pattern" or "extraction process".

Since accessing the data can take multiple forms (see other architecture decision "Harmonized Data", there is some variability in this decision while that decision is undecided.  

We can assume that the data being accessed for the extraction is "harmonized", meaning for every execution of the extraction on a single node or multiple nodes for a single carrier or multiple carrier, the schema and semantics of the data are known and consistent.

Creation and Management of extractions can be organization specific.  For stat reporting, this is the stat-agent (such as AAIS), for data calls, it could be the regulator or a representative like the stat-agent.

In either option from the diagrams above, the extraction processor will access the data through an api instead of accessing a database directly.

It is proposed that graphQL be considered as the language used to access for extraction and summarization.  The extraction processor could apply some correlation to the data, like using an address to look up census data or similar.  This means the extraction is more than just a data access. 

See the diagram above for how this component may be architected.

DA - Harmonized Data Scope

Proposed

Proposal:

data format / schema will be standardized across nodes, for a given use case

The data available for extraction must be normalized for multiple extractions across multiple use cases across multiple members.

Is this one single model?

Is the data at rest in the same model as the data in motion?

DA - Harmonized Data Loading / Normalization

Proposed

Proposal:

If the HDS is at rest, the loading of that data is the responsibility of the member owner of the node.

If the HDS is an API, the maintenance of that API is the responsibility of the Technical Steering Committee and the mapping to other data sources is the responsibility of the member owner of the node.

1. Loading data will be via an API, IDM or ...? Will a direct SQL load be allowed?  This will use the ingestion model.

2. We should consider using graphQL as the extraction processing language or part of the extraction processing component to replace the current map reduce "extraction pattern"

DA - Harmonized Data Format Governance

Proposed

Proposal:

data schema, enumerations and the data dictionary will be standardized, and endorsed by the RRSC (and other groups per use case)

The Technical Steering Committee, Regulatory Reporting Steering Committee and the Data Model Steering Committee are all possible owners of this.

DA - Harmonized Data Store

Proposed

Proposal:

1. HDS can be persistent or transient. It's a member's decision. See next

2. HDS can be persistent and can be used by member's as a "warehouse on the edge" for sharing data via openIDL

3. Either way, the member is responsible for configuring the API that accesses the data.

The data available for extraction must be normalized for multiple extractions across multiple use cases across multiple members.

Is this one single model?

Is this one database?

Is this data at rest and/or available through an API

DA - Harmonized Data Access

Proposed

Proposal:

1. All access to "Harmonized Data" is through an API

2. Member is responsible for the quality of the data retrieved and for certifying that a "request" for the data is supported.

If we determine that a standing harmonized store is not required, then we must establish an API with a standardized payload format that can be used to access the data.

The member must "certify" that the data is available and quality in order to consent to a data extraction.

The consent and certification can be captured on the ledger.

The call to the API will come from the extraction processor. 

The extraction processor can run on the member node.

Can the extraction processor run on the Analytics Node?

If the extraction runs outside the member node, how does this work?  Can it call the API directly?  Must we use HLF to "transport" the data?

DA - Harmonized Datastore DBMS Implementation

Open

Proposal:

If the HDS is a physical db inside the node, then the HDS DBMS must support our chosen access language (graphQL?)

HDS will be a relational database. It cannot be a noSQL, graph, document DB etc.

technical implementation of a HDS is non-prescriptive i.e. it can be MySQL, MS SQL, Oracle etc.  

If data is at rest in the harmonized datastore, what is the technology?

Does it need to be a single dbms?

Should it be noSQL?

Can it just be an interface?

DA - Harmonized Data Model

Open

??

The data available for extraction must be normalized for multiple extractions across multiple use cases across multiple carriers.

The data must be produced by the carrier from their original sources.

Is this an ETL process?

What is the format of the load data?  Is it the schema of a standing HDS database or is it a messaging format?

Is there just one "in transit" model or are there different ones for different contexts?  Contexts might be the data call, the line of business, etc.

DA - Export Data Model

Open

Proposal:

The export data model is specific to each use case and must be specified in that data call / regulatory report

The extraction process results in an export of data in an agreed format.  The format of this must be defined as part of the specific data call or regulatory report.

Common UI Code Management

Open

Single Application Angular UI Variations will utilize angular libraries

The library will be a different kind of angular app located in the same super library as all apps that use it. This is the approach for the data-call-ui. (openidl-ui and openidl-carrier-ui)

For common / shared libraries we will use an npm registry.

Local Kubernetes Development

Open

Use Minikube for Local Kubernetes Runtime

There are multiple options for local kubernetes deployment.  We chose Minikube over Kind because of it's simplicity.

Infrastructure as Code

Open

Use a combination of solutions depending on application.

• Cloud

  • Terraform for Infrastructure Provisioning in the Cloud

  • GitHub actions for CI/CD and execution of Terraform

  • Ansible for Deploying ??

  • Helm for managing Kubernetes

  • Flux for provisioning and managing distributed nodes

• Local Reference

  • Bash scripts for provisioning local

Provide options for selection upon setup.

• Terraform Cloud

• Terraform Enterprise

• GitHub Actions

• Manual

All provisioning artifacts are managed in git

The customer will have a github / gitlab account that is private to them.

We may or may not have access to that repository.

To accept updates, the customer will accept a merge/pull request into their repository with our changes.

That update in git will automatically trigger the workflow.

The workflow may allow automatic provisioning or require an acceptance from the customer.

-       milestones

1. start with github actions, forked repos and manual execution

2. move to terraform cloud for aais node

target will have two options for node owners

• use terraform cloud

• use terraform on-prem (terraform enterprise)

Infrastructure as Code

Open

Use Terraform to provision cloud specific services

Infrastructure as Code

Open

Execute Terraform using GitHub actions

If possible use GitHub actions - see above for options
If there is some reason to use cloud specific
-       cost of implementation
-       complexity etc

Infrastructure as Code

Open

Use Flux v2 for Deployment of Kubernetes artifacts

This technology enables GitOps in build and deployment

Infrastructure as Code

Open

Use Helm Charts for Application and Network provisioning in Kubernetes

Helm is a very popular way to provision Kubernetes clusters

DevOps

Open

Publish Common Libs as images to NPM Registry in GitHub

Any common components should be packaged as images and published to the GitHub packages.

DevOps

Open

Images should be published in the GitHub packages container registry

Since we separate building of images from their deployment, we can build the images into the registry and then refer to that registry when deploying

Secrets Management

Open

secret management should be cloud agnostic

Notes
-       the secrets for the each cloud might be managed differently
-       hashicorp makes a popular opensource solution called vault
-       if cloud specific, we should have a layer that normalizes the access of secrets so the scripts / config files don’t need to change from cloud to cloud

Secret Management

Open

Secrets are applied during deployment, not in the image