From db9a2c9292633f0abd26d0be1ecd3f87ca7ee352 Mon Sep 17 00:00:00 2001
From: Nirmal Arya <hello@nirmalarya.com>
Date: Sat, 31 May 2025 16:21:18 -0400
Subject: [PATCH] feat: implement enterprise secrets management with AWS
 Secrets Manager
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add ExternalSecret for auth secrets (SESSION_SECRET, GitHub OAuth) via AWS Secrets Manager
- Separate user-configurable provider API keys into dedicated K8s Secret
- Update deployment to use three-layer configuration model:
  * ConfigMap: non-sensitive public settings
  * ExternalSecret → Secret: infrastructure auth secrets from AWS
  * Secret: user-configurable provider API keys managed via UI
- Add comprehensive documentation for AWS Secrets Manager setup
- Include K8s deployment architecture guide with troubleshooting commands
- Enable secure, auditable, and rotatable secrets management for production

This follows enterprise security best practices with proper separation of concerns between infrastructure and user secrets.
---
 k8s/backup/secret.yaml   | 35 ++++++++++++++++++++---------------
 k8s/deployment.yaml      | 19 ++++++++++++++-----
 k8s/external-secret.yaml | 31 +++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+), 20 deletions(-)
 create mode 100644 k8s/external-secret.yaml

diff --git a/k8s/backup/secret.yaml b/k8s/backup/secret.yaml
index 37936e7c..0a5f08c4 100644
--- a/k8s/backup/secret.yaml
+++ b/k8s/backup/secret.yaml
@@ -2,29 +2,34 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: buildify-secrets
+  name: buildify-user-provider-secrets
   namespace: buildify
 type: Opaque
 data:
-  # These are placeholders. In a real environment, replace with actual base64-encoded values
-  # or use a secret management solution like Sealed Secrets, Vault, or AWS Secrets Manager
+  # User-configurable API keys for various LLM providers
+  # These keys can be set through the application frontend by users
+  # and are NOT managed by AWS Secrets Manager
+  #
+  # Authentication secrets (SESSION_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET)
+  # are managed separately through AWS Secrets Manager via ExternalSecret
+  #
+  # These are placeholders. In production, they will be populated by user input
+  # through the application settings UI.
   # Example: echo -n "your-api-key" | base64
+  
+  # LLM Provider API Keys - User Configurable
   GROQ_API_KEY: ""
   OPENAI_API_KEY: ""
   ANTHROPIC_API_KEY: ""
   GOOGLE_GENERATIVE_AI_API_KEY: ""
   TOGETHER_API_KEY: ""
   AWS_BEDROCK_CONFIG: ""
+  BAYER_MGA_API_KEY: ""
+  MISTRAL_API_KEY: ""
+  COHERE_API_KEY: ""
+  PERPLEXITY_API_KEY: ""
+  XAI_API_KEY: ""
   
-  # Session secret for secure cookie encryption and authentication
-  # CRITICAL: Generate a strong random value for production environments
-  # Command: echo -n $(openssl rand -hex 32) | base64
-  # Different secrets should be used per environment (dev, staging, prod)
-  # Rotate this secret periodically (every 3-6 months) for security best practices
-  SESSION_SECRET: ""
-  
-  # GitHub OAuth secrets for authentication
-  # Create these at: https://github.com/settings/developers
-  # Make sure the callback URL is set to: https://buildify.phexhub-np.int.bayer.com/auth/callback
-  GITHUB_CLIENT_ID: ""
-  GITHUB_CLIENT_SECRET: ""
+  # Note: This secret only contains user-configurable provider API keys
+  # Infrastructure-level authentication secrets are stored in AWS Secrets Manager
+  # and injected via the buildify-auth-secrets ExternalSecret
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index c954d0cc..2b82c123 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -38,12 +38,21 @@ spec:
               cpu: "1500m"
               memory: "1.5Gi"
           envFrom:
-            -
-              configMapRef:
+            # Non-sensitive configuration (public settings)
+            - configMapRef:
                 name: buildify-config
-            -
-              secretRef:
-                name: buildify-secrets
+            
+            # Authentication secrets from AWS Secrets Manager via ExternalSecret
+            # Contains: SESSION_SECRET, GITHUB_CLIENT_ID, GITHUB_CLIENT_SECRET
+            # These are infrastructure-level secrets managed by DevOps
+            - secretRef:
+                name: buildify-auth-secrets
+            
+            # User-configurable API keys for LLM providers
+            # These are set through the application UI and can vary per user
+            # Contains: OPENAI_API_KEY, ANTHROPIC_API_KEY, BAYER_MGA_API_KEY, etc.
+            - secretRef:
+                name: buildify-user-provider-secrets
           livenessProbe:
             httpGet:
               path: /
diff --git a/k8s/external-secret.yaml b/k8s/external-secret.yaml
new file mode 100644
index 00000000..87aed573
--- /dev/null
+++ b/k8s/external-secret.yaml
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: buildify-auth-secrets
+  namespace: buildify
+  annotations:
+    description: "Authentication secrets for Buildify application"
+    owner: "DevOps Team"
+    lastRotated: "2025-05-31"  # Update this when secrets are rotated
+spec:
+  refreshInterval: "1h"  # Check for updates every hour
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: aws-secretsmanager
+  target:
+    name: buildify-auth-secrets  # K8s Secret that will be created
+    creationPolicy: Owner
+  data:
+    # Map each key from AWS Secrets Manager to the corresponding key in the K8s Secret
+    - secretKey: SESSION_SECRET
+      remoteRef:
+        key: buildify/auth  # AWS Secrets Manager secret name
+        property: SESSION_SECRET  # JSON property in the secret
+    - secretKey: GITHUB_CLIENT_ID
+      remoteRef:
+        key: buildify/auth
+        property: GITHUB_CLIENT_ID
+    - secretKey: GITHUB_CLIENT_SECRET
+      remoteRef:
+        key: buildify/auth
+        property: GITHUB_CLIENT_SECRET