Adding Voice Agent support to installation scripts

[connerhughes-dg]

No description provided.

[entelligence-ai-pr-reviews]

EntelligenceAI PR Summary

Introduces full Voice Agent (VOICE_AGENT) deployment type support to the Kubernetes/AWS EKS self-hosted wizard, alongside existing STT and TTS modes.

• config.py: Adds LLM provider secret ref field mapping, Aura-2 UUID defaults, engine replica keys, new top-level config keys, and extract_llm_provider_api_keys() / extended strip_secrets() utilities
• kubernetes_aws.py: Implements three-tier LLM API key resolution (in-memory → env var → config file) via _resolve_llm_provider_secrets / _create_llm_provider_secrets; dry-run now writes my-values.yaml
• kubernetes_aws_workflow.py: Conditionally renders agent block, Aura-2 TTS block, per-pool engine replica dict, forced cluster-autoscaler.enabled: false, and third-party credential secret refs based on deployment type
• wizard.py: Adds four new wizard prompt helpers for VA defaults, Aura-2 per-language config, engine/agent replica counts, and LLM provider K8s secret refs; gates prompts on is_voice_agent flag
• summary.py: Adds VOICE_AGENT-specific summary rows for agent replicas, Aura-2 status, and LLM providers
• README.md / kubernetes/aws/README.md: Full documentation update covering new wizard steps, Helm values differences, UUID refresh, and env var precedence
• tests/test_kubernetes_aws_workflow.py: 11 new tests covering end-to-end VOICE_AGENT workflow, secret resolution hierarchy, and sanitization

---

Confidence Score: 3/5 - Review Recommended

Likely safe but review recommended — this PR introduces solid Voice Agent deployment support with a three-tier LLM API key resolution mechanism, but two medium-impact gaps deserve attention before merging. Specifically, _third_party_credentials in kubernetes_aws_workflow.py omits LLM provider secrets from its external-mode warning, meaning users relying on that code path may misconfigure their Helm values with missing K8s secret references. Additionally, edit_field in wizard.py bypasses the full Voice Agent setup sequence (_apply_voice_agent_defaults, _ask_aura2, _ask_engine_agent_replicas, _ask_third_party_credentials) that run_eks_wizard correctly invokes, creating an inconsistent user experience and potentially leaving Voice Agent configs in a partially-initialized state.

Key Findings:

• edit_field in wizard.py (lines 455+) does not call the Voice Agent setup helpers (_apply_voice_agent_defaults, _ask_aura2, _ask_engine_agent_replicas, _ask_third_party_credentials) that run_eks_wizard invokes, so a user switching to VOICE_AGENT deployment type via the edit path will receive an incomplete configuration without the Aura-2 defaults and third-party credentials being properly populated.
• _third_party_credentials in kubernetes_aws_workflow.py (lines 319-326) maps all config['third_party_credentials'] entries into Helm values as named K8s secret references, but the external-mode warning does not mention LLM provider secrets, leaving operators unaware they must also create those K8s secrets for the Voice Agent Helm chart to render correctly.
• The missing in-memory notification for LLM API keys (parallel to the existing env-var hint at lines 100–105) is a low-severity UX gap but could lead to silent re-run failures where standard secret warnings are shown but LLM key warnings are not, making debugging harder in non-interactive deployments.
• The core three-tier resolution logic (_resolve_llm_provider_sec...) and config.py additions (extract_llm_provider_api_keys, strip_secrets extensions) appear well-structured and follow established patterns in the codebase, which is a positive sign for maintainability.

Files requiring special attention

• src/deepgram_self_hosted/wizard.py
• src/deepgram_self_hosted/providers/kubernetes_aws.py

[entelligence-ai-pr-reviews]

⚠️ Major: edit_field VOICE_AGENT path skips all Voice Agent setup helpers — wizard.py:run_eks_wizard (lines 143-172) calls _apply_voice_agent_defaults, _ask_aura2, _ask_engine_agent_replicas, and _ask_third_party_credentials when deployment type is VOICE_AGENT. wizard.py:edit_field (lines 455-458) only calls _annotated_select when the user changes deployment.type to VOICE_AGENT through the summary-screen edit menu — none of the Voice Agent helpers are invoked. Control returns to kubernetes_aws.py:_summary_loop, which immediately calls render_summary → summary.py:_other_table (line 85), which detects VOICE_AGENT and displays Agent replica, Aura-2, and LLM-provider rows with silent defaults. If the user then deploys, kubernetes_aws_workflow.py:render_values emits agent.enabled: True with 1-replica defaults, no aura2 block, and no thirdPartyCredentials, resulting in an incomplete, possibly broken Voice Agent Helm release with no user warning.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In `wizard.py:edit_field`, after updating `deployment.type` to VOICE_AGENT (lines 455-458), call `_apply_voice_agent_defaults(config)`, `_ask_aura2(config)`, `_ask_engine_agent_replicas(config)`, and `_ask_third_party_credentials(config)` to mirror the main wizard flow. Alternatively, when changing away from VOICE_AGENT, reset `aura2.enabled` and `third_party_credentials`.

[entelligence-ai-pr-reviews]

🔧 Nit: Add in-memory notification for LLM API keys parallel to standard secrets notice — setup() prints a warning (lines 100–105) telling users which env vars to set for non-interactive re-runs when standard secrets are held in memory, but no equivalent message is printed when llm_api_keys_in_memory is non-empty. Users who complete the Voice Agent wizard with mode=create won't know to set DG_OPENAI_API_KEY etc. until they hit the deploy-time ValueError on a re-run.

🤖 AI Agent Prompt for Cursor/Windsurf

📋 Copy this prompt to your AI coding assistant (Cursor, Windsurf, etc.) to get help fixing this issue

In `src/deepgram_self_hosted/providers/kubernetes_aws.py`, after line 105 (the closing of the `if secrets_in_memory:` block), add a parallel notification for LLM API keys:

```python
if llm_api_keys_in_memory:
    console.print(
        "[yellow]LLM provider API keys kept in memory only; not written to disk.[/yellow] "
        "For non-interactive re-runs, set "
        f"{', '.join(LLM_PROVIDER_ENV_VARS[p] for p in llm_api_keys_in_memory if p in LLM_PROVIDER_ENV_VARS)}."
    )

This mirrors the existing block at lines 100–105 that warns about standard secrets.

</details>
<!-- ai_prompt_end -->

[entelligence-ai-pr-reviews]

File: src/deepgram_self_hosted/providers/kubernetes_aws.py (Lines 238-242)

⚠️ Major: External-mode warning omits LLM provider secrets required by rendered Helm values — kubernetes_aws_workflow.py:_third_party_credentials (lines 319-326) maps every entry in config['third_party_credentials'] into global.thirdPartyCredentials inside the Helm values YAML, referencing named K8s secrets. When secrets_mode == 'external', kubernetes_aws.py:_run_native_setup (lines 238-242) skips _create_llm_provider_secrets entirely and prints a warning that only mentions dg-regcred and dg-self-hosted-api-key. A VOICE_AGENT deployment with third-party credentials configured will reference K8s secrets (e.g. openai-api-key) that are never created and never mentioned in any warning, leading to a silent Helm deploy failure when the agent pods start.

---

Note: This comment was posted as a general PR comment because the specific line could not be resolved in the diff.