[LFXV2-1318]: Create lfx-mcp secretstore#38

Merged
agaetep merged 9 commits into main from agaete/secrets
Mar 30, 2026
Conversation

@agaetep
Contributor

@agaetep agaetep commented Mar 24, 2026

This PR creates an lfx-mcp service account for the lfx-mcp-secrets secret store defined as a custom resource in the lfx-v2-argocd repository. It does not cut over the current secrets to pull from the new secretstore; that will be in another PR.

Signed-off-by: Antonia Gaete <agaete@linuxfoundation.org>
Copilot AI review requested due to automatic review settings March 24, 2026 14:46

@claude claude bot left a comment

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review.

Tip: disable this comment in your organization's Code Review settings.

Contributor

Copilot AI left a comment

Pull request overview

This PR adds Helm chart configuration and templates to support External Secrets Operator (ESO) integration for lfx-mcp, including creating a dedicated Kubernetes ServiceAccount and defining a SecretStore/ExternalSecret to sync credentials from AWS Secrets Manager.

Changes:

  • Add serviceAccount and externalSecretsOperator configuration to values.yaml.
  • Add a ServiceAccount template for lfx-mcp.
  • Add ESO SecretStore and ExternalSecret templates to materialize Kubernetes Secrets from AWS Secrets Manager.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 7 comments.

Reviewed files:

  • charts/lfx-mcp/values.yaml: Adds values for service account + ESO secret mapping defaults.
  • charts/lfx-mcp/templates/serviceaccount.yaml: Creates a chart-managed ServiceAccount.
  • charts/lfx-mcp/templates/secretstore.yaml: Adds a namespaced SecretStore using AWS Secrets Manager + SA JWT auth.
  • charts/lfx-mcp/templates/externalsecret.yaml: Adds an ExternalSecret to sync remote values into a Kubernetes Secret.

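An added example (not the chart's own templates) of how the pieces the review describes fit together: a namespaced SecretStore that authenticates to AWS Secrets Manager with the chart's ServiceAccount token, an ExternalSecret that materializes a Kubernetes Secret from it, and the Deployment's serviceAccountName wiring that the follow-up commit notes was missing. The region, the remote secret path, the image and the DATABASE_URL key are placeholders, and the lfx-mcp ServiceAccount is assumed to exist (from serviceaccount.yaml) and to carry the IRSA role annotation ESO needs.

```yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: lfx-mcp-secrets
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1                # placeholder region
      auth:
        jwt:
          serviceAccountRef:
            name: lfx-mcp              # chart-managed SA; ESO exchanges its token (IRSA) for the AWS role
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: lfx-mcp
spec:
  secretStoreRef:
    name: lfx-mcp-secrets              # the SecretStore above (same namespace)
  target:
    name: lfx-mcp                      # Kubernetes Secret that ESO creates and keeps in sync
  data:
    - secretKey: DATABASE_URL          # key inside the Kubernetes Secret (placeholder)
      remoteRef:
        key: placeholder/lfx-mcp       # Secrets Manager secret name (placeholder)
        property: database_url         # JSON field inside that secret (placeholder)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: lfx-mcp
spec:
  selector:
    matchLabels:
      app: lfx-mcp
  template:
    metadata:
      labels:
        app: lfx-mcp
    spec:
      serviceAccountName: lfx-mcp      # without this line pods run as the namespace's "default" SA
      containers:
        - name: lfx-mcp
          image: PLACEHOLDER/lfx-mcp:latest
          envFrom:
            - secretRef:
                name: lfx-mcp          # consume the synced Secret as environment variables
```

With the SecretStore and Deployment in the same chart, a `helm template` diff that shows the ServiceAccount but no `serviceAccountName` in the pod spec is the quickest way to catch the mismatch the follow-up commit fixed.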
@emsearcy
Contributor

I understand that we'd need logic to create or specify a service account (that seems like a "normal" Helm thing); however: I'd like to see if we can keep these open source repos "agnostic" of LF infrastructure (like ESO configuration and references to our AWS secrets manager paths).

If we were deploying an off-the-shelf Helm chart (like Heimdall), it would certainly also require references to secrets. But how those secrets are themselves managed is (IMO) outside the scope of the Helm chart for the "software distribution".

agaetep and others added 2 commits March 24, 2026 16:20
@agaetep
Contributor Author

agaetep commented Mar 24, 2026

> I understand that we'd need logic to create or specify a service account (that seems like a "normal" Helm thing); however: I'd like to see if we can keep these open source repos "agnostic" of LF infrastructure (like ESO configuration and references to our AWS secrets manager paths).
>
> If we were deploying an off-the-shelf Helm chart (like Heimdall), it would certainly also require references to secrets. But how those secrets are themselves managed is (IMO) outside the scope of the Helm chart for the "software distribution".

That makes sense. If I'm understanding the setup correctly, right now the only way we pull secrets from AWS is through these service accounts. Are you proposing more of a direct secrets management approach, from lfx-secrets-management straight to a Kubernetes secret?

agaetep and others added 3 commits March 26, 2026 09:26
@agaetep agaetep merged commit f76eb29 into main Mar 30, 2026
7 checks passed
@agaetep agaetep deleted the agaete/secrets branch March 30, 2026 17:46
emsearcy added a commit that referenced this pull request Mar 30, 2026
The service account template was added in PR #38 but the deployment
template was never updated to reference it, so pods were still using
the default service account.

🤖 Generated with [GitHub Copilot](https://github.com/features/copilot) (via Zed)

Signed-off-by: Eric Searcy <eric@linuxfoundation.org>