Proposal: long-term conformation to other service building tool

[houshengbo]

Currently, if we configure other services to be used by openwhisk actions, we have to manually configure the credentials in openwhisk, which leads to some degree of inconvenience and security concerns.

To plan for the long term, openwhisk deploy can be integrated to other service building tool, for example, terraform, to resolve the above use case. When the user asks for a service to be used by openwhisk, service building tool can deploy the service, and openwhisk deploy tool can directly use the service during the deployment without passing sensitive data like credentials.

[mrutkows]

The consideration of handling credentials is very important; however, in general, the OpenWhisk platform and CLI have this issue as well (as does any service that performs deployments or orchestration). Terraform is one example of a deployment technology that would work for platform providers (perhaps like IBM), but that is not a general solution for the overall Apache project.

[mrutkows]

Another thought on this topic, is that we could describe how encrypted credentials (tokens) could be used (as we do today for openwhisk-catalog for connecting to other services). What metadata might we need (grammar changes, keys, etc.) in the specification to describe that could be used be a Provider of OpenWhisk (to decrypt)?