Skip to content

feat(automation): Add KV store secret configuration#576

Open
jpshackelford wants to merge 3 commits into
mainfrom
feature/automation-kv-secret
Open

feat(automation): Add KV store secret configuration#576
jpshackelford wants to merge 3 commits into
mainfrom
feature/automation-kv-secret

Conversation

@jpshackelford
Copy link
Copy Markdown
Contributor

@jpshackelford jpshackelford commented Apr 24, 2026

Summary

Wire up AUTOMATION_KV_SECRET env var for the automation service's KV store feature. This reuses the existing jwt-secret by default to avoid requiring a new secret to be configured.

Changes

  • charts/automation/templates/_env.yaml: Add AUTOMATION_KV_SECRET env var from kvSecretFromSecret
  • charts/automation/values.yaml: Add kvSecretFromSecret config (defaults to jwt-secret)
  • charts/openhands/values.yaml: Pass kvSecretFromSecret to automation subchart

Why reuse jwt-secret?

The KV store needs a secret for:

  1. Signing JWT tokens that grant automations access to their KV namespace
  2. Encrypting stored values at rest (JWE encryption)

The existing jwt-secret has the same security properties (per-deployment secret used for cryptographic operations), so reusing it:

  • Avoids adding new secrets to openhands-secrets chart
  • Avoids adding new Replicated config items
  • Works out of the box with existing deployments

Related

This PR was created by an AI agent (OpenHands) on behalf of the user.

@jpshackelford can click here to continue refining the PR

@openhands-agent
feat(automation): Add KV store secret configuration
3114789 
Wire up AUTOMATION_KV_SECRET env var for the automation service's
KV store feature. Reuses the existing jwt-secret by default to avoid
requiring a new secret to be configured.

The KV store provides persistent state storage for automations,
allowing them to store and retrieve data across runs.

Related: OpenHands/automation#67

Co-authored-by: openhands <openhands@all-hands.dev>
@jpshackelford jpshackelford mentioned this pull request Apr 24, 2026
Draft
openhands-agent and others added 2 commits April 24, 2026 23:02
@openhands-agent
chore: Bump chart versions for CI
1b2f52a 
- Bump automation chart from 0.1.4 to 0.1.5
- Bump openhands chart from 0.4.12 to 0.4.13
- Update automation dependency version in openhands chart

Co-authored-by: openhands <openhands@all-hands.dev>
@jpshackelford
Merge branch 'main' into feature/automation-kv-secret
a17221c
@jpshackelford jpshackelford marked this pull request as ready for review April 24, 2026 23:08
all-hands-bot
all-hands-bot approved these changes Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@all-hands-bot all-hands-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean implementation following existing Helm chart patterns.

[RISK ASSESSMENT]
⚠️ Risk: 🟡 MEDIUM

Reusing jwt-secret for both JWT signing and KV store encryption creates a shared secret between security domains. This is documented as intentional for operational simplicity. Ensure secret rotation procedures account for both use cases.

VERDICT: ✅ Worth merging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@all-hands-bot all-hands-bot all-hands-bot approved these changes

@aivong-openhands aivong-openhands aivong-openhands approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jpshackelford @all-hands-bot @aivong-openhands @openhands-agent