feat: Docker secrets support for ResetData API key - Critical for WHOOSH scaling integration #5

tony · 2025-09-22T05:01:59Z

tony commented

2025-09-22 05:01:59 +00:00

Summary

This PR introduces secure Docker secrets support for the ResetData API key configuration, enabling CHORUS to participate in WHOOSH's new wave-based auto-scaling architecture while maintaining production-grade security standards.

Key Features

🔒 Enhanced Security

Docker Secrets Integration: ResetData API keys now read from mounted secret files instead of plain text environment variables
Secure Configuration Pattern: Uses getEnvOrFileContent() for seamless fallback between secrets and env vars
Production-Ready: Eliminates sensitive credentials from process environments and container logs

🐳 Optimized Container Deployment

Alpine-Based Image: New Dockerfile.simple for lightweight production deployments
Static Binary Support: Uses chorus-agent binary for improved container compatibility
Swarm-Ready: Proper secret mounting and placement constraints for cluster deployment

🚀 WHOOSH Auto-Scaling Integration

Critical Dependency: Required for WHOOSH wave-based scaling system to securely manage CHORUS replicas
Dynamic Scaling: Enables secure credential management during automated scaling operations
Cross-Service Security: Maintains security boundaries while allowing orchestrated deployments

Technical Implementation

Configuration Enhancement

// Before: Plain environment variable only
APIKey: os.Getenv("RESETDATA_API_KEY")

// After: Docker secrets with env fallback
APIKey: getEnvOrFileContent("RESETDATA_API_KEY", "RESETDATA_API_KEY_FILE")

Docker Compose Integration

secrets:
  resetdata_api_key:
    external: true
    name: resetdata_api_key

services:
  chorus:
    image: anthonyrawlins/chorus:resetdata-secrets-v1.0.5
    environment:
      - RESETDATA_API_KEY_FILE=/run/secrets/resetdata_api_key
    secrets:
      - resetdata_api_key

WHOOSH Integration Context

This change is critical for the WHOOSH wave-based scaling system because:

Secure Replica Management: WHOOSH can now safely scale CHORUS replicas without exposing API keys
Automated Deployment: Supports programmatic scaling operations with proper secret propagation
Security Compliance: Maintains security standards required for production AI orchestration
Health Gate Validation: Enables secure credential verification during scaling health checks

Testing Results

✅ Deployment Verified: Successfully deployed in Docker Swarm environment
✅ Agent Initialization: CHORUS agent starts and initializes all components correctly
✅ Secret Reading: ResetData API key properly read from mounted Docker secret
✅ P2P Networking: Full integration with BACKBEAT and DHT networking confirmed
✅ Health Monitoring: All health endpoints operational on ports 8081/8082

Migration Notes

For Existing Deployments

Backward Compatible: Existing RESETDATA_API_KEY environment variable still supported
Gradual Migration: Can migrate to secrets incrementally by setting RESETDATA_API_KEY_FILE
No Breaking Changes: Existing configurations continue to work unchanged

For New Deployments

Recommended: Use Docker secrets for enhanced security
Required for Scaling: WHOOSH auto-scaling requires secret-based configuration
Production Standard: Aligns with security best practices for containerized AI systems

WHOOSH Wave-Based Scaling: This enables secure integration with the new scaling architecture
HAP Initiative: Part of the Human Agent Participation system requiring secure agent deployment
BACKBEAT Integration: Maintains compatibility with existing BACKBEAT pulse/reverb messaging

🤖 Generated with Claude Code

## Summary This PR introduces secure Docker secrets support for the ResetData API key configuration, enabling CHORUS to participate in WHOOSH's new wave-based auto-scaling architecture while maintaining production-grade security standards. ## Key Features ### 🔒 Enhanced Security - **Docker Secrets Integration**: ResetData API keys now read from mounted secret files instead of plain text environment variables - **Secure Configuration Pattern**: Uses `getEnvOrFileContent()` for seamless fallback between secrets and env vars - **Production-Ready**: Eliminates sensitive credentials from process environments and container logs ### 🐳 Optimized Container Deployment - **Alpine-Based Image**: New `Dockerfile.simple` for lightweight production deployments - **Static Binary Support**: Uses `chorus-agent` binary for improved container compatibility - **Swarm-Ready**: Proper secret mounting and placement constraints for cluster deployment ### 🚀 WHOOSH Auto-Scaling Integration - **Critical Dependency**: Required for WHOOSH wave-based scaling system to securely manage CHORUS replicas - **Dynamic Scaling**: Enables secure credential management during automated scaling operations - **Cross-Service Security**: Maintains security boundaries while allowing orchestrated deployments ## Technical Implementation ### Configuration Enhancement ```go // Before: Plain environment variable only APIKey: os.Getenv("RESETDATA_API_KEY") // After: Docker secrets with env fallback APIKey: getEnvOrFileContent("RESETDATA_API_KEY", "RESETDATA_API_KEY_FILE") ``` ### Docker Compose Integration ```yaml secrets: resetdata_api_key: external: true name: resetdata_api_key services: chorus: image: anthonyrawlins/chorus:resetdata-secrets-v1.0.5 environment: - RESETDATA_API_KEY_FILE=/run/secrets/resetdata_api_key secrets: - resetdata_api_key ``` ## WHOOSH Integration Context This change is **critical** for the WHOOSH wave-based scaling system because: 1. **Secure Replica Management**: WHOOSH can now safely scale CHORUS replicas without exposing API keys 2. **Automated Deployment**: Supports programmatic scaling operations with proper secret propagation 3. **Security Compliance**: Maintains security standards required for production AI orchestration 4. **Health Gate Validation**: Enables secure credential verification during scaling health checks ## Testing Results ✅ **Deployment Verified**: Successfully deployed in Docker Swarm environment ✅ **Agent Initialization**: CHORUS agent starts and initializes all components correctly ✅ **Secret Reading**: ResetData API key properly read from mounted Docker secret ✅ **P2P Networking**: Full integration with BACKBEAT and DHT networking confirmed ✅ **Health Monitoring**: All health endpoints operational on ports 8081/8082 ## Migration Notes ### For Existing Deployments - **Backward Compatible**: Existing `RESETDATA_API_KEY` environment variable still supported - **Gradual Migration**: Can migrate to secrets incrementally by setting `RESETDATA_API_KEY_FILE` - **No Breaking Changes**: Existing configurations continue to work unchanged ### For New Deployments - **Recommended**: Use Docker secrets for enhanced security - **Required for Scaling**: WHOOSH auto-scaling requires secret-based configuration - **Production Standard**: Aligns with security best practices for containerized AI systems ## Related Work - **WHOOSH Wave-Based Scaling**: This enables secure integration with the new scaling architecture - **HAP Initiative**: Part of the Human Agent Participation system requiring secure agent deployment - **BACKBEAT Integration**: Maintains compatibility with existing BACKBEAT pulse/reverb messaging 🤖 Generated with [Claude Code](https://claude.ai/code)

tony added 1 commit 2025-09-22 05:02:00 +00:00

feat: Add Docker secrets support for ResetData API key 2578876eeb

This commit introduces secure Docker secrets integration for the ResetData
API key, enabling CHORUS to read sensitive configuration from mounted secret
files instead of environment variables.

## Key Changes:

**Security Enhancement:**
- Modified `pkg/config/config.go` to support reading ResetData API key from
  Docker secret files using `getEnvOrFileContent()` pattern
- Enables secure deployment with `RESETDATA_API_KEY_FILE` pointing to
  mounted secret file instead of plain text environment variables

**Container Deployment:**
- Added `Dockerfile.simple` for optimized Alpine-based deployment using
  pre-built static binaries (chorus-agent)
- Updated `docker-compose.yml` with proper secret mounting configuration
- Fixed container binary path to use new `chorus-agent` instead of deprecated
  `chorus` wrapper

**WHOOSH Integration:**
- Critical for WHOOSH wave-based auto-scaling system integration
- Enables secure credential management in Docker Swarm deployments
- Supports dynamic scaling operations while maintaining security standards

## Technical Details:

The ResetData configuration now supports both environment variable fallback
and Docker secrets:
```go
APIKey: getEnvOrFileContent("RESETDATA_API_KEY", "RESETDATA_API_KEY_FILE")
```

This change enables CHORUS to participate in WHOOSH's wave-based scaling
architecture while maintaining production-grade security for API credentials.

## Testing:

- Verified successful deployment in Docker Swarm environment
- Confirmed CHORUS agent initialization with secret-based configuration
- Validated integration with BACKBEAT and P2P networking components

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

tony merged commit ef4bf1efe0 into main

2025-09-22 05:02:32 +00:00

tony referenced this issue from a commit

2025-09-22 05:02:33 +00:00

Merge pull request 'feat: Docker secrets support for ResetData API key - Critical for WHOOSH scaling integration' (#5) from feature/resetdata-docker-secrets-integration into main

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: tony/CHORUS#5