docs(secrets): complete secrets management guide with new-service setup procedure #43
andrest50 wants to merge 16 commits into
Conversation
…V2-1783)

Adds the lfx-v2-secrets AI skill and expands the secrets-management.md Step 6 TODO into seven concise steps (6-12) covering the full one-time setup for a new LFX V2 service:

- Step 6: IAM role registration in lfx-v2-opentofu (IRSA, tag-scoped Secrets Manager policy, account IDs for dev/staging/prod)
- Step 7-9: ServiceAccount, SecretStore, and ExternalSecret Helm templates with both tag-discovery (recommended) and explicit-data patterns documented
- Step 10: values.yaml defaults and the three ESO render gates
- Step 11: per-environment lfx-v2-argocd values with IRSA role ARNs
- Step 12: local development config (ESO disabled, manual K8s Secret)

Jira: https://linuxfoundation.atlassian.net/browse/LFXV2-1783
Generated with [Claude Code](https://claude.ai/code)
Signed-off-by: Andres Tobon <andrest2455@gmail.com>
Walkthrough: Adds a detailed Steps 1–12 "New service setup" flow to
Changes: AWS Secrets Manager Documentation
Actionable comments posted: 2
Inline comments:
In `@lfx_one/skills/lfx-v2-secrets/SKILL.md`:
- Around line 76-83: The fenced code block containing "Service: invite-service
(short: invite)" is missing a language specifier and surrounding blank lines
which triggers markdownlint errors MD040 and MD031; update the block by adding
an explicit language (e.g., "text") after the opening triple backticks and
ensure there is a blank line before and after the fenced block so the example
block validates correctly.
- Around line 151-156: Add a blank line between the "**Tips**:" header and the
following list inside the blockquote so the list is separated from the header
(fixes MD032); update the block that contains the "**Tips**:" header and the
subsequent dash-list (the quoted list with entries like "Each secret..." and
"The `path` convention...") by inserting a single empty line after "**Tips**:".
Files selected for processing (2): `lfx_one/secrets-management.md`, `lfx_one/skills/lfx-v2-secrets/SKILL.md`
Pull request overview
This PR expands LFX V2 secrets documentation by adding a dedicated AI skill for ESO+IRSA setup and by replacing the previous Step 6 TODO in secrets-management.md with an end-to-end, multi-repo new-service setup flow.
Changes:
- Added a new `lfx-v2-secrets` skill documenting ESO + IRSA secrets wiring for new services and for adding secrets to existing services.
- Expanded `secrets-management.md` with detailed Steps 6–12 covering OpenTofu IRSA role registration, service chart templates/values, Argo CD per-environment values, and local development guidance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 21 comments.
| File | Description |
|---|---|
| lfx_one/skills/lfx-v2-secrets/SKILL.md | New skill doc covering ESO+IRSA architecture and step-by-step setup workflows. |
| lfx_one/secrets-management.md | Replaces Step 6 TODO with detailed, ordered Steps 6–12 for new-service secrets setup. |
- Add `text` language specifier to fenced example block (MD040)
- Add blank line before example block (MD031)
- Add blank line after **Tips**: header inside blockquote (MD032)

Jira: https://linuxfoundation.atlassian.net/browse/LFXV2-1783
Generated with [Claude Code](https://claude.ai/code)
Signed-off-by: Andres Tobon <andrest2455@gmail.com>
Addressed the two CodeRabbit findings in `SKILL.md`:
Both files now pass `markdownlint` locally. CI should be green on the new commit.
Address review comments from copilot-pull-request-reviewer, coderabbitai:
- SKILL.md Step 2: add service_account_roles: top-level wrapper to both
template and example blocks for consistency with secrets-management.md
and the actual iam-service-accounts-definitions.yaml schema
(per copilot-pull-request-reviewer)
- SKILL.md Step 4 serviceaccount.yaml: add {{- if .Values.serviceAccount.create }}
guard; replace non-existent include helpers with inline {{ .Chart.Name }}
and {{ .Values.serviceAccount.name | default .Chart.Name }}; add namespace
and app label to match real service chart pattern
(per copilot-pull-request-reviewer)
- SKILL.md Step 4 secretstore.yaml: update apiVersion from v1beta1 to v1;
replace include helpers with direct Chart.Name references; add namespace
(per copilot-pull-request-reviewer, coderabbitai)
- SKILL.md Step 4 externalsecret.yaml: update apiVersion from v1beta1 to v1;
replace include helpers with direct Chart.Name references; add
{{- if .Values.externalSecretsOperator.externalSecret.data }} guard to
prevent rendering empty data block; update data item shape to
.secretKey/.remoteRef.key/.remoteRef.property matching real chart pattern;
add deletionPolicy: Retain and namespace
(per copilot-pull-request-reviewer)
- SKILL.md values.yaml example: update data: shape to show .secretKey /
.remoteRef.key / .remoteRef.property structure
Resolves 21 review threads (threads 1-2 were fixed in previous commit).
Jira: https://linuxfoundation.atlassian.net/browse/LFXV2-1783
Generated with [Claude Code](https://claude.ai/code)
Signed-off-by: Andres Tobon <andrest2455@gmail.com>
Review Feedback Addressed

Commits: 0b7429a (prior), d8b20e9 (this iteration)

Changes Made (d8b20e9): All changes are in
Fixed in Prior Commit (0b7429a)
Threads Resolved: 23 of 23 unresolved threads addressed and resolved.
Rearrange step-by-step procedure so first-time infrastructure setup (Steps 1-7: IAM role, ServiceAccount, SecretStore, ExternalSecret, values.yaml, argocd values, local dev) comes before per-secret steps (Steps 8-12: 1Password, YAML config, PR, deploy, consume in K8s).

Add a prominent callout at the top of the procedure: services already wired can skip directly to Step 8.

Update AWS Secrets Manager tag format throughout from the legacy service: <name> to the current service-<name>: enabled convention. This format allows a single secret to carry tags for multiple consuming services simultaneously. Updates affect:
- Service Tag Integration section (description + role name example)
- Mermaid architecture diagram (ASM and ExternalSecret labels)
- ExternalSecret tag-discovery template (new format listed first)
- Configuration Example (destinations.aws_secretsmanager.tags)
- Configuration Breakdown (tags field description)

Fix outdated role name example (k8s-secret-access-pcc -> lfx-v2-pcc).
Fix cross-references from step renumbering throughout prose.
Fix prose typo: "and the in the corresponding" -> "and in the".

Jira: https://linuxfoundation.atlassian.net/browse/LFXV2-1783
Generated with [Claude Code](https://claude.ai/code)
Signed-off-by: Andres Tobon <andrest2455@gmail.com>
Actionable comments posted: 1
Inline comments:
In `@lfx_one/secrets-management.md`:
- Around line 602-604: The product name casing is inconsistent: change the
lowercase "argocd" in the sentence that mentions "extending the
`externalSecretsOperator.externalSecret.data` list in the argocd values
(explicit data)" to the proper "ArgoCD" so it matches the rest of the document
and maintains consistent capitalization.
Files selected for processing (1): `lfx_one/secrets-management.md`
Address review comments from copilot-pull-request-reviewer:
- SKILL.md: replace envs: with environments: in all lfx-secrets-management
YAML examples (Mode 1 template, Mode 1 example, Mode 2 template, and
tips text) to match the schema documented in secrets-management.md
- SKILL.md: replace fields: <scalar> with json_fields: [list] in all three
onepassword source blocks (Mode 1 template, Mode 1 example, Mode 2
template) to match the actual lfx-secrets-management schema
- SKILL.md: fix argocd values externalSecret.data item shape from
{key, path} to {secretKey, remoteRef: {key}} in both the Mode 1
global values example and the Mode 2 values example, aligning with
the ExternalSecret template that ranges over these items
- SKILL.md: update Mode 2 deployment secretKeyRef name from hard-coded
{{ .Chart.Name }} to {{ .Values.app.jwtSecretName | default .Chart.Name }}
for consistency with Mode 1's values-driven approach
- secrets-management.md: clarify that serviceAccount.create defaults to
true (SA always created) while global.awsRegion and
externalSecretsOperator.enabled default to off; the prior wording
"all default to off" was misleading
Resolves 11 review threads.
Jira: https://linuxfoundation.atlassian.net/browse/LFXV2-1783
Generated with [Claude Code](https://claude.ai/code)
Signed-off-by: Andres Tobon <andrest2455@gmail.com>
Review Feedback Addressed

Commit: 3d33acd

Changes Made:
`lfx_one/skills/lfx-v2-secrets/SKILL.md` (per copilot-pull-request-reviewer):
`lfx_one/secrets-management.md` (per copilot-pull-request-reviewer):
Threads Resolved: 11 of 11 unresolved threads addressed and resolved.
…istency

Address review comments from coderabbitai, copilot-pull-request-reviewer:
- secrets-management.md: fix ArgoCD casing in prose (was lowercase argocd) (per coderabbitai)
- secrets-management.md mermaid diagram: update SA role labels from k8s-secret-access-pcc to lfx-v2-pcc and ExternalSecret filter labels from Filters by service: pcc to Filters by service-pcc: enabled to match the updated tag and IRSA naming conventions throughout the document (per copilot-pull-request-reviewer)
- SKILL.md Mode 1 template: add destinations.aws_secretsmanager.tags (service-<service>: enabled), accounts mapping (dev/staging/prod), and fix regions from scalar to list form — required for IRSA tag-scoped access and consistent with the secrets-management.md Configuration Example (per copilot-pull-request-reviewer)
- SKILL.md Mode 1 invite-service example: same additions as template (per copilot-pull-request-reviewer)
- SKILL.md Mode 2 template: same additions as Mode 1 template (per copilot-pull-request-reviewer)
- SKILL.md verification checklist: fix fields: reference to json_fields: (per copilot-pull-request-reviewer)
- SKILL.md eso_service_tag note: correct the description — eso_service_tag scopes the IAM role's Secrets Manager access policy and must match the service-* AWS tag; it is not read by lfx-secrets-management directly (per copilot-pull-request-reviewer)

Resolves 7 review threads.

Jira: https://linuxfoundation.atlassian.net/browse/LFXV2-1783
Generated with [Claude Code](https://claude.ai/code)
Signed-off-by: Andres Tobon <andrest2455@gmail.com>
Review Feedback Addressed

Commit: ca698e2

Changes Made:
`lfx_one/secrets-management.md`:
`lfx_one/skills/lfx-v2-secrets/SKILL.md`:
Threads Resolved: 7 of 7 unresolved threads addressed and resolved.
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
| ## Step-by-Step Process | ||
|
|
||
| ### 1. Add Secret to 1Password | ||
| > **Already set up?** If your service already has an IAM role, ServiceAccount, SecretStore, and | ||
| > ExternalSecret configured, **skip to [Step 4](#4-add-secret-to-1password)** to add a new secret. |
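Review bot: the callout sends already-wired services to `[Step 4](#4-add-secret-to-1password)`, but the heading visible in this context is `### 1. Add Secret to 1Password`, and the commit message and PR description say existing services skip to Step 8. Settle on one numbering, confirm the heading the anchor points at actually renders as `4. Add Secret to 1Password` (otherwise the link is dead), and update the PR description to match.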
| - **External Secrets Operator**: Automatically discovers and merges secrets into Kubernetes | ||
| - **IRSA Authentication**: Secure role assumption without storing credentials | ||
| - **10-minute Refresh**: Secrets are automatically refreshed every 10 minutes | ||
| - **Event-Based Refresh**: An AWS Lambda listens for tagged secret updates/creations for automatic refreshing of External Secrets Operator |
| subgraph "Dev External Secrets" | ||
| SS1["pcc-secret-store<br/>🏪 SecretStore<br/>🔗 Uses IRSA"] | ||
| ES1["pcc-secrets<br/>📊 ExternalSecret<br/>🏷️ Filters by service: pcc<br/>⏱️ Refreshes every 10m"] | ||
| ES1["pcc-secrets<br/>📊 ExternalSecret<br/>🏷️ Filters by service-pcc: enabled<br/>⏱️ Refreshes every 10m"] |
| 3. **Deployment**: GitHub Actions deploy secrets to AWS Secrets Manager with appropriate tags | ||
| 4. **Discovery**: External Secrets Operator uses IRSA to authenticate and discover tagged secrets | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed every 10 minutes | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed upon event |
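Review bot: the Synchronization step now reads "refreshed upon event", but the features list in the same file still advertises "10-minute Refresh: Secrets are automatically refreshed every 10 minutes" and the mermaid ExternalSecret label still says "Refreshes every 10m". If the 10-minute interval remains the periodic baseline and the Lambda only triggers an earlier sync, say so once and make the three statements agree; otherwise a reader cannot tell how stale a rotated secret can be.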
| apiVersion: external-secrets.io/v1 | ||
| kind: ExternalSecret | ||
| metadata: | ||
| name: lfx-v2-myresource-service | ||
| namespace: lfx-v2-myresource-service |
| production: LFX V2 - Production | ||
| item: LiteLLM LFXv2 Key | ||
| json_fields: | ||
| fields: |
| - **Environments**: List of environments where this secret should be deployed | ||
| - **Source**: 1Password configuration with vault mappings and item details | ||
| - **source.onepassword.json_fields**: Specifies which fields from the 1Password item to include in the secret | ||
| - **source.onepassword.fields**: Specifies which fields from the 1Password item to include in the secret |
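Review bot: this renames the breakdown entry from `source.onepassword.json_fields` to `source.onepassword.fields`, and the Configuration Example above makes the same `json_fields:` to `fields:` change, yet an earlier commit in this PR changed SKILL.md the other way ("replace fields: <scalar> with json_fields: [list] ... to match the actual lfx-secrets-management schema") and the PR description still lists `json_fields:` as the schema key. Only one of these can be what lfx-secrets-management accepts; verify against the tool and use that key in both documents, or the example fails validation for the first person who copies it.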
| serviceAccount: | ||
| annotations: | ||
| eks.amazonaws.com/role-arn: arn:aws:iam::788942260905:role/lfx-v2-myresource-service | ||
| automountServiceAccountToken: true |
|
|
||
| ### 1Password Item Field Names | ||
|
|
||
| The `fields` configuration when using 1Password as a source determins the name of the secret value |
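Review bot: "determins" should be "determines" in the new sentence.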
| `lfx-v2-pcc` service account uses role `arn:aws:iam::788942260905:role/lfx-v2-pcc` in dev to only | ||
| access secrets tagged `"aws:ResourceTag/service-pcc": "enabled"` | ||
| 2. **Auto-Discovery**: The External Secrets Operator automatically finds and merges all secrets with the | ||
| service tag into a single Kubernetes Secret. Then, the approriate Secret Store is annotated for sync. |
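Review bot: "approriate" should be "appropriate" in the Auto-Discovery item.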
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
| - **Tag-Based Access**: Services only access secrets tagged with their service name | ||
| - **External Secrets Operator**: Automatically discovers and merges secrets into Kubernetes | ||
| - **IRSA Authentication**: Secure role assumption without storing credentials | ||
| - **10-minute Refresh**: Secrets are automatically refreshed every 10 minutes | ||
| - **Event-Based Refresh**: An AWS Lambda listens for tagged secret updates/creations for automatic refreshing of External Secrets Operator |
| 1. **Source**: Secrets are stored in environment-specific 1Password vaults | ||
| 2. **Configuration**: YAML files define the secret mapping and deployment rules | ||
| 3. **Deployment**: GitHub Actions deploy secrets to AWS Secrets Manager with appropriate tags | ||
| 4. **Discovery**: External Secrets Operator uses IRSA to authenticate and discover tagged secrets | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed every 10 minutes | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed upon event | ||
| 6. **Consumption**: Applications reference the service account and secret to access environment variables |
| `lfx-v2-pcc` service account uses role `arn:aws:iam::788942260905:role/lfx-v2-pcc` in dev to only | ||
| access secrets tagged `"aws:ResourceTag/service-pcc": "enabled"` | ||
| 2. **Auto-Discovery**: The External Secrets Operator automatically finds and merges all secrets with the | ||
| service tag into a single Kubernetes Secret. Then, the approriate Secret Store is annotated for sync. |
|
|
||
| ### 1Password Item Field Names | ||
|
|
||
| The `fields` configuration when using 1Password as a source determins the name of the secret value |
| serviceAccount: | ||
| annotations: | ||
| eks.amazonaws.com/role-arn: arn:aws:iam::788942260905:role/lfx-v2-myresource-service | ||
| automountServiceAccountToken: true |
| decodingStrategy: None | ||
| tags: | ||
| service-lfx-v2-myresource-service: enabled | ||
| rewrite: |
| decodingStrategy: None | ||
| tags: | ||
| service-lfx-v2-myresource-service: enabled | ||
| rewrite: |
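Review bot: both the old and the new ExternalSecret examples filter on the tag key `service-lfx-v2-myresource-service`, while the prose elsewhere in this file tells authors to tag secrets `service-myresource: enabled` and the OpenTofu policy grants access for `service-myresource = enabled`. The ExternalSecret discovers nothing unless its filter key is exactly the key the secret carries and the IAM condition allows, so pick one form for `<name>` (with or without the `lfx-v2-` prefix and `-service` suffix) and use it in all three places.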
| By default, the namespace, service account name, and service tag are the same as the top level | ||
| entry of the service account role. In the case above, when this PR is merged and applied by CI, | ||
| OpenTofu creates per environment: | ||
|
|
||
| - An IAM role `lfx-v2-myresource-service` with an OIDC trust policy bound to | ||
| `system:serviceaccount:myresource-service:lfx-v2-myresource-service` | ||
| - Tag-scoped `secretsmanager:GetSecretValue` policies granting access to secrets tagged either |
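Review bot: the OIDC trust subject is `system:serviceaccount:myresource-service:lfx-v2-myresource-service` (namespace `myresource-service`), but the ExternalSecret example in this file sets `namespace: lfx-v2-myresource-service`. IRSA matches the full subject string, so with these values the token exchange is denied and the SecretStore never authenticates; align the namespace, and since the text says namespace and service account default to the top-level entry name, show which value that default actually produces.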
| The `annotations` block is empty by default and is populated per environment in `lfx-v2-argocd` | ||
| with the IRSA role ARN (shown below). | ||
|
|
||
| ### Register the service account: |
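Review bot: `### Register the service account:` ends with a colon, which markdownlint's MD026 rejects by default; drop the colon so the file keeps passing the lint run referenced earlier in this PR.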
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
| - **Centralized Management**: All secrets are managed through a single repository | ||
| - **Environment Isolation**: Separate vaults and AWS accounts for dev, staging, and production | ||
| - **Automated Deployment**: Secrets are deployed using GitHub Actions or local tooling | ||
| - **Automated Deployment**: Secrets are deployed using GitHub Actions | ||
| - **Security**: Secrets never leave secure storage systems during transit |
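Review bot: the Automated Deployment bullet drops "or local tooling", yet the file still shows a local `make audit-aws ACCOUNTS="lfx-development"` invocation further down. If deployment is now CI-only and local runs are limited to auditing, state that distinction next to the make target so nobody deploys from a workstation with personal credentials.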
| - **Tag-Based Access**: Services only access secrets tagged with their service name | ||
| - **External Secrets Operator**: Automatically discovers and merges secrets into Kubernetes | ||
| - **IRSA Authentication**: Secure role assumption without storing credentials | ||
| - **10-minute Refresh**: Secrets are automatically refreshed every 10 minutes | ||
| - **Event-Based Refresh**: An AWS Lambda listens for tagged secret updates/creations for automatic | ||
| refreshing of External Secrets Operator |
| 1. **Source**: Secrets are stored in environment-specific 1Password vaults | ||
| 2. **Configuration**: YAML files define the secret mapping and deployment rules | ||
| 3. **Deployment**: GitHub Actions deploy secrets to AWS Secrets Manager with appropriate tags | ||
| 4. **Discovery**: External Secrets Operator uses IRSA to authenticate and discover tagged secrets | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed every 10 minutes | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed upon event via Lambda | ||
| 6. **Consumption**: Applications reference the service account and secret to access environment variables |
| The steps below are split into two phases: | ||
|
|
||
| - **First-time setup (Steps 1–3):** One-time infrastructure wiring for a new service across three | ||
| repositories. Do this once per service. | ||
| - **Adding a secret (Steps 4–8):** Repeat these steps each time you need to add a new secret to | ||
| the service. |
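Review bot: this summary says first-time setup is Steps 1–3 and adding a secret is Steps 4–8, but the commit message and PR description describe Steps 1–7 and 8–12 with a skip-to-Step-8 callout. Reconcile the counts here with the headings actually present after the renumbering.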
| By default, the namespace, service account name, and service tag are the same as the top level | ||
| entry of the service account role. In the case above, when this PR is merged and applied by CI, | ||
| OpenTofu creates per environment: | ||
|
|
||
| - An IAM role `lfx-v2-myresource-service` with an OIDC trust policy bound to | ||
| `system:serviceaccount:myresource-service:lfx-v2-myresource-service` |
| serviceAccount: | ||
| annotations: | ||
| eks.amazonaws.com/role-arn: arn:aws:iam::788942260905:role/lfx-v2-myresource-service | ||
| automountServiceAccountToken: true | ||
| ``` |
| directory. See the [Configuration Example](#configuration-example) for the full schema. | ||
|
|
||
| The key field to note is `destinations.aws_secretsmanager.tags` — use `service-<name>: enabled` | ||
| format (e.g., `service-myresource: enabled`) to tag the secret for each service the secret needs | ||
| to be deployed into. |
| - Tag-scoped `secretsmanager:GetSecretValue` policies granting access to secrets tagged either | ||
| `service-myresource = enabled` or `service = myresource` | ||
|
|
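Review bot: the IAM policy grants `secretsmanager:GetSecretValue` on secrets tagged either `service-myresource = enabled` or the legacy `service = myresource`. Keeping the legacy condition is reasonable during migration, but it means a secret tagged only the old way is still readable by this role; mark the legacy condition as temporary and add a step to remove it once every secret carries the `service-<name>: enabled` tag, so the role's scope shrinks to the documented convention.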
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| tags: | ||
| service-lfx-v2-myresource-service: enabled |
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| tags: | ||
| service-lfx-v2-myresource-service: enabled |
| - **Event-Based Refresh**: An AWS Lambda listens for tagged secret updates/creations for automatic | ||
| refreshing of External Secrets Operator |
| 3. **Deployment**: GitHub Actions deploy secrets to AWS Secrets Manager with appropriate tags | ||
| 4. **Discovery**: External Secrets Operator uses IRSA to authenticate and discover tagged secrets | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed every 10 minutes | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed upon event via Lambda |
| make audit-aws ACCOUNTS="lfx-development" | ||
| ``` | ||
|
|
||
| ## Best Practices |
| - **First-time setup (Steps 1–3):** One-time infrastructure wiring for a new service across three | ||
| repositories. Do this once per service. | ||
| - **Adding a secret (Steps 4–8):** Repeat these steps each time you need to add a new secret to | ||
| the service. |
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
| - **Event-Based Refresh**: An AWS Lambda listens for tagged secret updates/creations for automatic | ||
| refreshing of External Secrets Operator |
| 4. **Discovery**: External Secrets Operator uses IRSA to authenticate and discover tagged secrets | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed every 10 minutes | ||
| 5. **Synchronization**: Secrets are merged into Kubernetes secrets and refreshed upon event via Lambda | ||
| 6. **Consumption**: Applications reference the service account and secret to access environment variables |
| In the [lfx-v2-argocd](https://github.com/linuxfoundation/lfx-v2-argocd) repository, in | ||
| **`values/dev/lfx-v2-myresource-service.yaml`** (repeat for staging and prod with the | ||
| matching account ID) — set the AWS region and the IRSA role ARN: |
| data: | ||
| - secretKey: username | ||
| remoteRef: | ||
| key: /cloudops/lfx-v2/myresource-username |
| envs: [development, staging, production] | ||
| source: | ||
| onepassword: | ||
| vaults: | ||
| development: LFX V2 - Development | ||
| staging: LFX V2 - Staging | ||
| production: LFX V2 - Production | ||
| item: LiteLLM LFXv2 Key | ||
| json_fields: | ||
| fields: |
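Review bot: this Configuration Example uses `envs: [development, staging, production]`, while an earlier commit in this PR replaced `envs:` with `environments:` in SKILL.md specifically "to match the schema documented in secrets-management.md", and the PR description lists `environments:` as the schema key; the same `json_fields:` versus `fields:` question applies to the last two lines. The two files now disagree again; check the keys lfx-secrets-management actually reads and use them in both.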
Summary

This PR completes the LFX V2 secrets management documentation in two ways:

- `lfx_one/secrets-management.md`: fills in the Step 6 TODO placeholder and restructures the full step-by-step procedure into 12 clear, ordered steps
- `lfx_one/skills/lfx-v2-secrets/SKILL.md`: adds a new AI skill providing complete secrets setup guidance for Claude Code

What changed in `secrets-management.md`

Step reordering — Infrastructure setup now comes first (Steps 1–7), so the one-time wiring is done before adding any secrets. Per-secret work follows as Steps 8–12. A prominent callout at the top lets existing services skip directly to Step 8.

- … `lfx-v2-opentofu`)
- `serviceaccount.yaml` Helm template
- `secretstore.yaml` Helm template
- `externalsecret.yaml` — tag-discovery (recommended) and explicit-data patterns
- `values.yaml` defaults and document the three ESO render gates

Tag format updated throughout from the legacy `service: pcc` to `service-pcc: enabled`. This convention allows a single secret to carry tags for multiple consuming services simultaneously. Updated in: mermaid diagram, Service Tag Integration section, Configuration Example, Configuration Breakdown.

Other fixes: outdated role name examples (`k8s-secret-access-pcc` → `lfx-v2-pcc`), mermaid ExternalSecret filter labels, ArgoCD casing in prose, clarified default values wording for `serviceAccount.create`.

What the `lfx-v2-secrets` skill covers

The AI skill provides end-to-end guidance in two modes:

- … `lfx-v2-opentofu`, service Helm chart, and `lfx-v2-argocd` — IRSA role, ServiceAccount/SecretStore/ExternalSecret templates, values defaults, per-env ArgoCD values, local dev config, and lfx-secrets-management YAML

All YAML examples are grounded in the real `lfx-v2-email-service` and `lfx-v2-invite-service` implementations and match the `lfx-secrets-management` schema (`environments:`, `json_fields:`, `service-*: enabled` tags, `accounts` mapping, `regions` as list).

Ticket

N/A

🤖 Generated with Claude Code
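The three-repo wiring the PR describes (IRSA trust subject in lfx-v2-opentofu, tag filter in the service chart's ExternalSecret, tags in the lfx-secrets-management YAML) only works when the namespace, service account name and `service-<name>` tag key agree everywhere. The following added example, which is not part of the PR or any LFX repository, encodes those invariants as a pre-merge check; the dict shapes (`trust_subject`, `allowed_tag_conditions`, `find_tags`) are this example's own assumption, and the values are constructed from the PR's `myresource-service` snippets.

```python
"""Cross-repo consistency check for an LFX V2 service's ESO + IRSA wiring.

Added example; the input dicts are hand-built from the YAML fragments shown in
the PR. In real use they would be loaded from the three repositories' files.
"""
import re

SUBJECT_RE = re.compile(r"^system:serviceaccount:(?P<ns>[^:]+):(?P<sa>[^:]+)$")
TAG_PREFIX = "aws:ResourceTag/"  # prefix IAM uses for resource-tag condition keys

# lfx-v2-opentofu: one service-account role entry (shape is an assumption).
IAM_ROLE = {
    "name": "lfx-v2-myresource-service",
    "trust_subject": "system:serviceaccount:myresource-service:lfx-v2-myresource-service",
    "allowed_tag_conditions": {
        "aws:ResourceTag/service-myresource": "enabled",  # current convention
        "aws:ResourceTag/service": "myresource",          # legacy convention
    },
}
# Service chart: the rendered ExternalSecret (tag-discovery pattern).
EXTERNAL_SECRET = {
    "metadata": {"name": "lfx-v2-myresource-service", "namespace": "lfx-v2-myresource-service"},
    "serviceAccount": "lfx-v2-myresource-service",
    "find_tags": {"service-lfx-v2-myresource-service": "enabled"},
}
# lfx-secrets-management: destinations.aws_secretsmanager.tags of one secret.
SECRET_TAGS = {"service-myresource": "enabled"}

# The same inputs with every name aligned, for comparison.
CORRECTED_IAM_ROLE = {
    "name": "lfx-v2-myresource-service",
    "trust_subject": "system:serviceaccount:lfx-v2-myresource-service:lfx-v2-myresource-service",
    "allowed_tag_conditions": {"aws:ResourceTag/service-myresource": "enabled"},
}
CORRECTED_EXTERNAL_SECRET = {
    "metadata": {"name": "lfx-v2-myresource-service", "namespace": "lfx-v2-myresource-service"},
    "serviceAccount": "lfx-v2-myresource-service",
    "find_tags": {"service-myresource": "enabled"},
}


def check_wiring(iam_role, external_secret, secret_tags):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    match = SUBJECT_RE.match(iam_role["trust_subject"])
    if not match:
        return [f"malformed IRSA trust subject: {iam_role['trust_subject']}"]
    ns, sa = match.group("ns"), match.group("sa")
    es_ns = external_secret["metadata"]["namespace"]
    es_sa = external_secret["serviceAccount"]
    # 1. IRSA compares the whole subject string, so namespace and SA must both match.
    if (ns, sa) != (es_ns, es_sa):
        findings.append(f"IRSA trust is for {ns}/{sa} but the chart runs as {es_ns}/{es_sa}: "
                        "AssumeRoleWithWebIdentity would be denied")
    # Strip the IAM condition-key prefix so tag keys compare directly.
    allowed = {k[len(TAG_PREFIX):] if k.startswith(TAG_PREFIX) else k: v
               for k, v in iam_role["allowed_tag_conditions"].items()}
    for key, value in external_secret["find_tags"].items():
        # 2. The filter key must be one the role is actually allowed to read.
        if allowed.get(key) != value:
            findings.append(f"ExternalSecret filters on {key}={value} but the IAM policy "
                            f"only allows {sorted(allowed.items())}")
        # 3. The secret must carry exactly that tag or discovery returns nothing.
        if secret_tags.get(key) != value:
            findings.append(f"secret is tagged {secret_tags}; it would not be discovered "
                            f"by filter {key}={value}")
    # 4. A legacy `service = <name>` condition widens the role beyond the documented tag.
    if "service" in allowed:
        findings.append(f"legacy tag condition service={allowed['service']} still granted; "
                        "remove it once all secrets carry service-<name>: enabled")
    return findings


if __name__ == "__main__":
    for finding in check_wiring(IAM_ROLE, EXTERNAL_SECRET, SECRET_TAGS):
        print("FINDING:", finding)
    print("corrected:", check_wiring(CORRECTED_IAM_ROLE, CORRECTED_EXTERNAL_SECRET, SECRET_TAGS))
```

Run against the PR's snippets it reports the namespace mismatch, the tag-key mismatch on both the IAM and secret side, and the lingering legacy condition; the corrected inputs produce no findings.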