feat: implement enterprise secrets management with AWS Secrets Manager

- Add ExternalSecret for auth secrets (SESSION_SECRET, GitHub OAuth) via AWS Secrets Manager - Separate user-configurable provider API keys into dedicated K8s Secret - Update deployment to use three-layer configuration model: * ConfigMap: non-sensitive public settings * ExternalSecret → Secret: infrastructure auth secrets from AWS * Secret: user-configurable provider API keys managed via UI - Add comprehensive documentation for AWS Secrets Manager setup - Include K8s deployment architecture guide with troubleshooting commands - Enable secure, auditable, and rotatable secrets management for production This follows enterprise security best practices with proper separation of concerns between infrastructure and user secrets.
2025-06-26 18:26:38 +00:00 · 2025-05-31 16:21:18 -04:00 · 2025-05-31 16:21:18 -04:00 · db9a2c9292
commit db9a2c9292
parent b1af370120
3 changed files with 65 additions and 20 deletions
--- a/k8s/backup/secret.yaml
+++ b/k8s/backup/secret.yaml
@ -2,29 +2,34 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: buildify-secrets
+  name: buildify-user-provider-secrets
  namespace: buildify
 type: Opaque
 data:
-  # These are placeholders. In a real environment, replace with actual base64-encoded values
-  # or use a secret management solution like Sealed Secrets, Vault, or AWS Secrets Manager
+  # User-configurable API keys for various LLM providers
+  # These keys can be set through the application frontend by users
+  # and are NOT managed by AWS Secrets Manager
+  #
+  # Authentication secrets (SESSION_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET)
+  # are managed separately through AWS Secrets Manager via ExternalSecret
+  #
+  # These are placeholders. In production, they will be populated by user input
+  # through the application settings UI.
  # Example: echo -n "your-api-key" | base64
+  
+  # LLM Provider API Keys - User Configurable
  GROQ_API_KEY: ""
  OPENAI_API_KEY: ""
  ANTHROPIC_API_KEY: ""
  GOOGLE_GENERATIVE_AI_API_KEY: ""
  TOGETHER_API_KEY: ""
  AWS_BEDROCK_CONFIG: ""
+  BAYER_MGA_API_KEY: ""
+  MISTRAL_API_KEY: ""
+  COHERE_API_KEY: ""
+  PERPLEXITY_API_KEY: ""
+  XAI_API_KEY: ""
  
-  # Session secret for secure cookie encryption and authentication
-  # CRITICAL: Generate a strong random value for production environments
-  # Command: echo -n $(openssl rand -hex 32) | base64
-  # Different secrets should be used per environment (dev, staging, prod)
-  # Rotate this secret periodically (every 3-6 months) for security best practices
-  SESSION_SECRET: ""
-  
-  # GitHub OAuth secrets for authentication
-  # Create these at: https://github.com/settings/developers
-  # Make sure the callback URL is set to: https://buildify.phexhub-np.int.bayer.com/auth/callback
-  GITHUB_CLIENT_ID: ""
-  GITHUB_CLIENT_SECRET: ""
+  # Note: This secret only contains user-configurable provider API keys
+  # Infrastructure-level authentication secrets are stored in AWS Secrets Manager
+  # and injected via the buildify-auth-secrets ExternalSecret
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@ -38,12 +38,21 @@ spec:
              cpu: "1500m"
              memory: "1.5Gi"
          envFrom:
-            -
-              configMapRef:
+            # Non-sensitive configuration (public settings)
+            - configMapRef:
                name: buildify-config
-            -
-              secretRef:
-                name: buildify-secrets
+            
+            # Authentication secrets from AWS Secrets Manager via ExternalSecret
+            # Contains: SESSION_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET
+            # These are infrastructure-level secrets managed by DevOps
+            - secretRef:
+                name: buildify-auth-secrets
+            
+            # User-configurable API keys for LLM providers
+            # These are set through the application UI and can vary per user
+            # Contains: OPENAI_API_KEY, ANTHROPIC_API_KEY, BAYER_MGA_API_KEY, etc.
+            - secretRef:
+                name: buildify-user-provider-secrets
          livenessProbe:
            httpGet:
              path: /
--- a/k8s/external-secret.yaml
+++ b/k8s/external-secret.yaml
@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: buildify-auth-secrets
+  namespace: buildify
+  annotations:
+    description: "Authentication secrets for Buildify application"
+    owner: "DevOps Team"
+    lastRotated: "2025-05-31"  # Update this when secrets are rotated
+spec:
+  refreshInterval: "1h"  # Check for updates every hour
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: aws-secretsmanager
+  target:
+    name: buildify-auth-secrets  # K8s Secret that will be created
+    creationPolicy: Owner
+  data:
+    # Map each key from AWS Secrets Manager to the corresponding key in the K8s Secret
+    - secretKey: SESSION_SECRET
+      remoteRef:
+        key: buildify/auth  # AWS Secrets Manager secret name
+        property: SESSION_SECRET  # JSON property in the secret
+    - secretKey: GITHUB_CLIENT_ID
+      remoteRef:
+        key: buildify/auth
+        property: GITHUB_CLIENT_ID
+    - secretKey: GITHUB_CLIENT_SECRET
+      remoteRef:
+        key: buildify/auth
+        property: GITHUB_CLIENT_SECRET