fix(platform): DSPX-2933 align KAS root key env var with Viper config path

[jp-ayyappan]

Summary

The Helm deployment template currently injects the KAS root key secret as the environment variable {PREFIX}_KAS_ROOT_KEY (e.g. DSP_KAS_ROOT_KEY). However, Viper maps the YAML config path services.kas.root_key to the env var {PREFIX}_SERVICES_KAS_ROOT_KEY — the SERVICES_KAS_ segment was missing.

This PR updates:

• charts/platform/templates/deployment.yaml — changes _KAS_ROOT_KEY → _SERVICES_KAS_ROOT_KEY
• tests/chart_platform_template_test.go — updates the unit test assertion from OPENTDF_KAS_ROOT_KEY → OPENTDF_SERVICES_KAS_ROOT_KEY

This aligns the chart with the documentation updated in virtru-corp/data-security-platform#2826, which documents DSP_SERVICES_KAS_ROOT_KEY as the correct env var.

⚠️ Breaking Change Note

Deployments that rely on the chart's auto-injected root_key_secret env var will see the variable name change from {PREFIX}_KAS_ROOT_KEY to {PREFIX}_SERVICES_KAS_ROOT_KEY. Existing extraEnv overrides that already set DSP_SERVICES_KAS_ROOT_KEY are unaffected. Deployments using the old chart-injected variable should verify their KAS pods pick up the root key correctly after upgrading.

Test plan

• Verify Test_KeyManagement_Enabled_With_RootKeySecret_Expect_EnvVar_Set passes with the updated assertion
• Deploy to a dev cluster and confirm KAS starts successfully with key management enabled

Summary by CodeRabbit

• Chores
  • Renamed the Kas root key environment variable to the services-prefixed form (OPENTDF_SERVICES_KAS_ROOT_KEY) for consistency.
• Documentation
  • Updated chart README and values comments to document the injected services-prefixed root key and clarify it’s generated as a random 32-byte hex value (openssl rand 32 -hex).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 47852daa-8c9e-4a3f-958c-fa3bb48801e9

📥 Commits

Reviewing files that changed from the base of the PR and between b67ea38 and 8633d5a.

📒 Files selected for processing (2)

• charts/platform/README.md
• charts/platform/values.yaml

✅ Files skipped from review due to trivial changes (1)

• charts/platform/README.md

🚧 Files skipped from review as they are similar to previous changes (1)

• charts/platform/values.yaml

---

📝 Walkthrough

Walkthrough

The PR renames the KAS root key environment variable from _KAS_ROOT_KEY to _SERVICES_KAS_ROOT_KEY in the Helm deployment template, updates the corresponding unit test, and adjusts values.yaml and README documentation to reference the new injected env-var name.

Changes

KAS root key env rename

Layer / File(s)	Summary
Deployment template charts/platform/templates/deployment.yaml	Env var name changed from _KAS_ROOT_KEY to _SERVICES_KAS_ROOT_KEY within the kas config preview key management block.
Unit test assertion tests/chart_platform_template_test.go	Test Test_KeyManagement_Enabled_With_RootKeySecret_Expect_EnvVar_Set updated to assert OPENTDF_SERVICES_KAS_ROOT_KEY instead of OPENTDF_KAS_ROOT_KEY.
Values comment charts/platform/values.yaml	Comment/example for services.kas.config.root_key updated to state the generated root key is injected as {PREFIX}_SERVICES_KAS_ROOT_KEY and shows the openssl rand 32 -hex example.
Chart README charts/platform/README.md	services.kas.root_key_secret description updated to mention the {PREFIX}_SERVICES_KAS_ROOT_KEY env-var injection and the generated-root-key mechanism.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• elizabethhealy

Poem

"A rabbit nibbles at a line,
Renames a key to fit the sign,
Tests wake up and nod in tune,
Docs and charts hum the new rune,
A tiny hop — the change is fine." 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: aligning the KAS root key environment variable name with Viper's configuration path mapping, supported by all four modified files and the PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DSPX-2933-a7k3m9x2p1

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request renames the KAS root key environment variable from _KAS_ROOT_KEY to _SERVICES_KAS_ROOT_KEY in the Helm chart deployment template and updates the corresponding test case to reflect this change. I have no feedback to provide.

[jp-ayyappan]

Related PR

This chart fix is a companion to virtru-corp/data-security-platform#2826, which updated the admin guide documentation to reference DSP_SERVICES_KAS_ROOT_KEY as the correct environment variable. That doc PR did not update the underlying Helm chart template, which still generated the incorrect {PREFIX}_KAS_ROOT_KEY.

The bug affects both upstream OpenTDF and DSP — the Viper config path services.kas.root_key is identical in both opentdf/platform and virtru-corp/data-security-platform.

[jp-ayyappan]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@charts/platform/values.yaml`:
- Line 482: The README table breaks because the comment line containing "openssl
rand 32 -hex | kubectl create secret generic kas-root-key
--from-file=root_key=/dev/stdin" includes an unescaped pipe; edit the comment in
charts/platform/values.yaml and escape the pipe by replacing "|" with "\|" so
helm-docs emits a literal pipe in the generated Markdown (preserving the rest of
the line exactly) to prevent the table column split.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: efea1f80-2cd5-4fbb-84a9-ff9146cf323b

📥 Commits

Reviewing files that changed from the base of the PR and between b7bce13 and b67ea38.

📒 Files selected for processing (2)

• charts/platform/README.md
• charts/platform/values.yaml