feat: secrets management skill #60
Open
agaetep wants to merge 13 commits into
Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
Contributor
Pull request overview
Adds a new lfx-v2-secrets skill documenting the standard workflow for managing LFX V2 microservice secrets via External Secrets Operator (ESO) + IRSA on AWS, covering both full initial setup and incremental secret additions.
Changes:
- Introduces a new `lfx-v2-secrets/SKILL.md` with two operational modes (new service vs. existing service).
- Documents end-to-end steps spanning `lfx-v2-opentofu`, `lfx-secrets-management`, service Helm chart changes, and `lfx-v2-argocd`.
- Provides templates, verification checklists, and common troubleshooting workflows.
| annotations: | ||
| {{- toYaml . | nindent 4 }} | ||
| {{- end }} | ||
| automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default true }} |
|
|
||
| Ask the user to collect: | ||
|
|
||
| 1. **Service name** — fully qualified name (e.g., `lfx-v2-invite-service`, `lfx-v2-email-service`) |
| |------|-------| | ||
| | AWS Region | `us-west-2` | | ||
| | K8s Secret name | `lfx-v2-<service>-secrets` (e.g., `lfx-v2-invite-service-secrets`) | | ||
| | SecretStore name | `{{ .Chart.Name }}` | |
| conversionStrategy: Default | ||
| decodingStrategy: None | ||
| tags: | ||
| service-lfx-v2-<service>: enabled |
| > | ||
| > - Each secret in the lfx-secrets-management source becomes a separate AWS SM path entry | ||
| > - The `path` convention is `cloud/<service-short-name>/<secret-group>` | ||
| > - Use the `environments` list to sync to all three environments in parallel |
detjensrobert previously approved these changes Jun 5, 2026
Comment on lines +158 to +169
| > **Important**: All secrets must be stored as JSON in AWS SM, even single-field ones. | ||
| > Two equivalent ways to express this: | ||
| > | ||
| > ```yaml | ||
| > # implicit JSON (list form) | ||
| > fields: | ||
| > - <field_name> | ||
| > | ||
| > # explicit JSON (scalar + flag) | ||
| > fields: <field_name> | ||
| > store_as_json: true | ||
| > ``` |
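Review bot: the "Important" box states the JSON-only rule but not why it holds, and the thread below shows the first reader assumed it was an AWS Secrets Manager restriction. State the mechanism in the box itself: the ExternalSecret pulls these secrets through `dataFrom`, and a bare string value has no key for ESO to place into the generated Secret, so the sync errors. Naming which `dataFrom` form the chart uses also lets a maintainer re-check the constraint when ESO is upgraded. The two forms are only "equivalent" if the list form produces the same single-key JSON object as `fields: <field_name>` plus `store_as_json: true`; showing the resulting AWS SM value once (`{"<field_name>": "..."}`) lets readers verify what they wrote.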
Is this a new requirement from AWS SM? I don't remember this being a restriction for previous secrets.
Author
This is a Kubernetes ESO requirement, based on how we use `dataFrom` to pull secrets into a single secret store. A single string without a key causes errors in the secret store pull.
| whenever someone says "set up secrets", "wire up ESO", "add a secret to this service", | ||
| "IRSA configuration", "External Secrets for V2", or any mention of AWS Secrets Manager | ||
| integration with Kubernetes for LFX V2 services. | ||
| allowed-tools: Bash, Read, Glob, Grep, AskUserQuestion, WebFetch |
Comment on lines +313 to +314
| automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default true }} | ||
| {{- end }} |
Comment on lines +377 to +378
| tags: | ||
| service-lfx-v2-<service>: enabled |
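Review bot: `service-lfx-v2-<service>: enabled` is the discovery selector, so any principal with `secretsmanager:TagResource` in the account can make an arbitrary secret appear in this service's Kubernetes Secret; what bounds that is the IRSA role, not the ExternalSecret. The lfx-v2-opentofu step should therefore scope `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` on the role with a `secretsmanager:ResourceTag/service-lfx-v2-<service>` equals `enabled` condition (`secretsmanager:ListSecrets` still needs resource `*`), so the tag is enforced by IAM as well as by the selector.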
Comment on lines +386 to +388
| > **Tag-based discovery**: ESO finds and merges all AWS SM secrets tagged | ||
| > `service-lfx-v2-<service>: enabled` into a single Kubernetes Secret named | ||
| > `lfx-v2-<service>-secrets`. No manual `data` list is needed — new secrets are picked up |
| |------|-------| | ||
| | AWS Region | `us-west-2` | | ||
| | K8s Secret name | `lfx-v2-<service>-secrets` (e.g., `lfx-v2-invite-service-secrets`) | | ||
| | SecretStore name | `{{ .Chart.Name }}` | |
|
|
||
| Then ask the user to collect: | ||
|
|
||
| 1. **Service name** — fully qualified name (e.g., `lfx-v2-invite-service`, `lfx-v2-email-service`) |
| | IAM account — staging | `844790888233` | | ||
| | IAM account — prod | `372256339901` | | ||
| | IRSA role ARN pattern | `arn:aws:iam::<account-id>:role/lfx-v2-<service>` | | ||
| | AWS SM path pattern | `cloud/<3rd-party-service>/<name_or_identifier>` | |
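Review bot: the fixed-values table gives IAM account IDs for staging and prod only, while the secret entries on this page sync to `[development, staging, production]`; either add the development account so the `arn:aws:iam::<account-id>:role/lfx-v2-<service>` pattern can be filled in for all three environments, or state that development has no IRSA role and relies on the local `environment` injection path.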
| ```yaml | ||
| <Secret Name>: | ||
| tags: [auth0, <service_tag>] | ||
| envs: [development, staging, production] |
Comment on lines +1 to +5
| --- | ||
| name: lfx-v2-secrets | ||
| description: > | ||
| Guide an agent through wiring up secrets for LFX V2 microservices using External Secrets | ||
| Operator (ESO) + IRSA. Supports two modes: (1) full setup for new services touching |
| whenever someone says "set up secrets", "wire up ESO", "add a secret to this service", | ||
| "IRSA configuration", "External Secrets for V2", or any mention of AWS Secrets Manager | ||
| integration with Kubernetes for LFX V2 services. | ||
| allowed-tools: Bash, Read, Glob, Grep, AskUserQuestion, WebFetch |
Comment on lines +1 to +12
| --- | ||
| name: lfx-v2-secrets | ||
| description: > | ||
| Guide an agent through wiring up secrets for LFX V2 microservices using External Secrets | ||
| Operator (ESO) + IRSA. Supports two modes: (1) full setup for new services touching | ||
| lfx-v2-opentofu, lfx-secrets-management, the service Helm chart, and lfx-v2-argocd; | ||
| (2) adding secrets to existing services already configured with ESO. Use this skill | ||
| whenever someone says "set up secrets", "wire up ESO", "add a secret to this service", | ||
| "IRSA configuration", "External Secrets for V2", or any mention of AWS Secrets Manager | ||
| integration with Kubernetes for LFX V2 services. | ||
| allowed-tools: Bash, Read, Glob, Grep, AskUserQuestion, WebFetch | ||
| --- |
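Review bot: `allowed-tools` grants `Bash` and `WebFetch` to a workflow that handles credentials, but nothing in the description tells the agent not to print secret values into the conversation (the output of `aws secretsmanager get-secret-value`, or the base64-decoded `data` of the generated Secret). Add an explicit rule that syncs are verified by ExternalSecret status and key names only, and that a value, if the agent ever has to write one, is passed from a file (`--secret-string file://...`) rather than inline on a command line where it lands in shell history.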
Comment on lines +185 to +189
| <Secret Name>: | ||
| tags: [lfx_v2, <service_tag>, <type_tag>] | ||
| environments: [development, staging, production] | ||
| source: | ||
| onepassword: |
Comment on lines +221 to +224
| - aws_secretsmanager: | ||
| tags: | ||
| service: pcc | ||
| path: cloud/supabase/api_key |
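Review bot: this example tags the secret `service: pcc`, but the ExternalSecret selects on `service-lfx-v2-<service>: enabled` (see the tags block at +377-378), so anyone copying this entry gets a secret in AWS SM that ESO never discovers. Use the `service-lfx-v2-<service>: enabled` tag here and, since `pcc` is not one of the LFX V2 service names the skill uses, an example such as `lfx-v2-invite-service`.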
Comment on lines +314 to +324
| metadata: | ||
| name: {{ .Values.serviceAccount.name | default .Chart.Name }} | ||
| namespace: {{ .Release.Namespace }} | ||
| labels: | ||
| app: {{ .Chart.Name }} | ||
| {{- with .Values.serviceAccount.annotations }} | ||
| annotations: | ||
| {{- toYaml . | nindent 4 }} | ||
| {{- end }} | ||
| automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default true }} | ||
| {{- end }} |
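Review bot: `{{ .Values.serviceAccount.automountServiceAccountToken | default true }}` can never render `false`: Sprig's `default` treats a boolean `false` as empty and substitutes the default, so an operator who sets `automountServiceAccountToken: false` in values silently gets `true`. Put the default in `values.yaml` and render the value directly, or use `hasKey` on `.Values.serviceAccount` to tell unset apart from false. Separately, IRSA does not depend on this field: the EKS pod identity webhook injects its own projected token volume from the `eks.amazonaws.com/role-arn` annotation, so the Kubernetes API token only needs mounting if the service itself calls the API server, and a `false` default keeps a compromised pod from reaching the API with the ServiceAccount's credentials.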
Comment on lines +387 to +389
| tags: | ||
| service-lfx-v2-<service>: enabled | ||
| rewrite: |
Comment on lines +396 to +399
| > **Tag-based discovery**: ESO finds and merges all AWS SM secrets tagged | ||
| > `service-lfx-v2-<service>: enabled` into a single Kubernetes Secret named | ||
| > `lfx-v2-<service>-secrets`. No manual `data` list is needed — new secrets are picked up | ||
| > automatically after the next sync. |
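Review bot: "No manual `data` list is needed" needs two caveats in the same box. Keys in `lfx-v2-<service>-secrets` come from the AWS SM secret names, and names like `cloud/supabase/api_key` contain `/`, which is not a valid Secret data key, so the `rewrite` block at +387-389 is required rather than optional; show the exact mapping it produces. And two tagged secrets whose rewritten names coincide silently overwrite each other in the merged Secret, so adding a secret can change the value a running pod reads without any error in the ExternalSecret status; tell readers to check the key list (`kubectl get secret lfx-v2-<service>-secrets -o json | jq '.data | keys'`) after each addition.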
| 2. ESO's **SecretStore** uses that ServiceAccount's JWT token to authenticate to AWS | ||
| 3. ESO watches **ExternalSecret** manifests and syncs matching secrets from AWS SM into K8s Secrets | ||
| 4. Application deployments reference the K8s Secret via environment variable or volume mount | ||
| 5. Local development skips ESO entirely and injects secret values directly via `environment` in values |
|
|
||
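Review bot: step 5 says local development injects secret values directly via `environment` in values; the skill should say where those values live and that they must never be committed with real credentials (a gitignored local override, not the chart's shared `values.yaml`), since the same Helm chart is what lfx-v2-argocd deploys to the real environments.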
| Then ask the user to collect: | ||
|
|
||
| 1. **Service name** — fully qualified name (e.g., `lfx-v2-invite-service`, `lfx-v2-email-service`) |
| **1Password example:** | ||
|
|
||
| ```text | ||
| Service: lfx-v2-invite-service |
| `auth0` (client_secret, simpler M2M or BFF clients): | ||
|
|
||
| ```text | ||
| Service: lfx-v2-invite-service |
| `auth0_jwt` (JWT private key, standard for LFX V2 microservices): | ||
|
|
||
| ```text | ||
| Service: lfx-v2-invite-service |
Comment on lines +229 to +231
| > - Each secret in the lfx-secrets-management source becomes a separate AWS SM path entry | ||
| > - The `path` convention is `cloud/<service-short-name>/<secret-group>` | ||
| > - Use the `envs` list to sync to all three environments in parallel |
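Review bot: this note says to use the `envs` list, but the entry template at +185-189 on this page names the key `environments` (`environments: [development, staging, production]`); lfx-secrets-management accepts only one spelling, so pick the real one and use it in both places.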
| > | ||
| > - Each secret becomes a separate AWS SM path entry | ||
| > - The `path` must include the service name: `<3rd-party-service>/<service>` (e.g., `atlassian/lfx-v2-committee-service`) | ||
| > - The `tags` list must include the service tag (`eso_service_tag` from Step 2a) so the secret is identifiable by service |
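Review bot: the path rule here, `<3rd-party-service>/<service>` (e.g. `atlassian/lfx-v2-committee-service`), drops the `cloud/` prefix that every other path on the page carries (`cloud/supabase/api_key`, `cloud/<3rd-party-service>/<name_or_identifier>`); say whether `cloud/` is prepended automatically or must be written, otherwise the ESO `rewrite` rules will be built against the wrong names.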
Comment on lines +323 to +325
| In the [lfx-secrets-management](https://github.com/linuxfoundation/lfx-secrets-management) repo, | ||
| add an entry for each secret to `secrets/lfx/<service>.yml` — one file per LFX V2 service. | ||
| If the file doesn't exist yet, create it. If it already exists, append the new entry. |
Adds a new Claude Code skill `lfx-v2-secrets/SKILL.md` that guides an agent through wiring up secrets for LFX V2 services using External Secrets Operator + IRSA on AWS.
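The flow the skill describes, as one added illustrative composition that is not taken from the PR's SKILL.md or from the LFX charts: a ServiceAccount carrying the IRSA role annotation, a SecretStore that authenticates to AWS with that ServiceAccount's projected token, and an ExternalSecret that discovers secrets by the `service-lfx-v2-<service>: enabled` tag and rewrites AWS SM names into valid Secret keys. The service name `lfx-v2-invite-service`, the namespace `lfx`, the `refreshInterval`, the rewrite rules and the ESO API version `external-secrets.io/v1beta1` are assumptions; the role ARN follows the page's `arn:aws:iam::<account-id>:role/lfx-v2-<service>` pattern with the staging account from the fixed-values table.

```yaml
# Added example, not the project's chart. Names, namespace and API version are assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: lfx-v2-invite-service
  namespace: lfx
  annotations:
    # IRSA: the EKS pod identity webhook injects a projected web-identity token
    # for this role into every pod that uses the ServiceAccount.
    eks.amazonaws.com/role-arn: arn:aws:iam::844790888233:role/lfx-v2-invite-service
# The IRSA token volume is injected independently of this field, so the
# Kubernetes API token is only mounted if the service itself talks to the API server.
automountServiceAccountToken: false
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: lfx-v2-invite-service
  namespace: lfx
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-west-2
      auth:
        jwt:
          # ESO requests a token for this ServiceAccount and exchanges it
          # with STS for the role named in the annotation above.
          serviceAccountRef:
            name: lfx-v2-invite-service
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: lfx-v2-invite-service
  namespace: lfx
spec:
  refreshInterval: 1h            # assumed; bounds how long a new tagged secret waits
  secretStoreRef:
    kind: SecretStore
    name: lfx-v2-invite-service
  target:
    name: lfx-v2-invite-service-secrets
    creationPolicy: Owner
  dataFrom:
    - find:
        # Tag-based discovery: every AWS SM secret carrying this tag is merged
        # into the target Secret; no per-secret data list is maintained.
        tags:
          service-lfx-v2-invite-service: enabled
        conversionStrategy: Default
        decodingStrategy: None
      rewrite:
        # AWS SM names such as cloud/supabase/api_key contain '/', which is not
        # a valid Secret data key. Assumed mapping: cloud/supabase/api_key -> supabase_api_key
        - regexp:
            source: "^cloud/(.*)$"
            target: "$1"
        - regexp:
            source: "/"
            target: "_"
```

The IAM side is what actually limits the blast radius of tag-based discovery: the role's policy should allow `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` only where `secretsmanager:ResourceTag/service-lfx-v2-invite-service` equals `enabled`, with `secretsmanager:ListSecrets` on `*` because listing is not resource-scoped. Before relying on the result, confirm on a test secret what each key holds (`kubectl get secret lfx-v2-invite-service-secrets -o json | jq '.data | keys'`) and whether the value is the whole JSON document the page requires or is expanded per field, since that decides how the service has to read it.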