Skip to content

refactor: Migrate to .env-based secret management #34

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jeremyeder merged 3 commits into from
Dec 20, 2025
Merged

refactor: Migrate to .env-based secret management #34

jeremyeder merged 3 commits into from
Dec 20, 2025

Conversation

@jeremyeder
Copy link
Owner

@jeremyeder jeremyeder commented Dec 20, 2025

Summary

  • Migrate from tracked secrets.yaml to gitignored .env file for API key storage
  • Use Kustomize secretGenerator to create K8s secrets from .env
  • Prevents accidental commit of Anthropic API keys to git history
  • Updates all documentation to reflect new workflow

Changes

Configuration

  • kustomization.yaml: Remove secrets.yaml from resources, add secretGenerator config
  • .gitignore: Add overlays/*/secrets.yaml pattern
  • secrets.yaml: Removed from git tracking (deleted)
  • secrets.yaml.example: New template with placeholders for reference
  • .env: Gitignored file for real API keys (not committed)

Documentation

  • PHASE1.md: Updated "Configure API Key" section and troubleshooting
  • README.md: Updated deployment instructions

Benefits

Security:

  • ✅ API keys never committed to git (.env gitignored)
  • ✅ Git history clean (secrets.yaml removed from tracking)
  • ✅ Template files only have placeholders

Usability:

  • ✅ Clear workflow: cp .env.example .env → edit → deploy
  • ✅ Consistent with platform patterns (frontend, backend use same approach)
  • ✅ Easy to add new secrets (just add to .env)
  • ✅ Kustomize handles secret generation automatically

Test Plan

  • Created .env file from template
  • Deployed with make phase1-deploy (successful)
  • Verified secrets created: litellm-secrets-kbbf2mgmg5
  • Verified API key present in secret (base64 decoded)
  • Health checks passed
  • Chatting works in UI (no API key errors)
  • Confirmed .env is gitignored (git status clean)

Migration Guide

For existing deployments:

cd components/open-webui-llm/overlays/phase1-kind
cp .env.example .env
# Edit .env with your Anthropic API key
make phase1-deploy

🤖 Generated with Claude Code

jeremyeder and others added 3 commits December 20, 2025 15:00
@jeremyeder @claude
feat: Update LiteLLM to v1.80.10.rc.5 and Open WebUI to v0.6.41
1114ef9 
Replace rolling tags (main-latest, main) with specific versions for reproducibility and to enable new features. Increases LiteLLM memory limits to support v1.80's Agent Gateway and MCP features.

Changes:
- LiteLLM: main-latest → v1.80.10.rc.5 (Agent Gateway, MCP support, 50% memory leak reduction)
- Open WebUI: main → v0.6.41 (rate limiting, group channels, folders)
- LiteLLM memory: 512Mi/2Gi → 1Gi/3Gi (supports new features and Phase 2 Claude service)

These versions are fully compatible with Phase 2 migration plan (OAuth, Claude service, OpenShift Routes).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@jeremyeder @claude
refactor: Replace vteam.local with ambient.local
84ba1c5 
Updates all hostname references from vteam.local to ambient.local to align with Ambient Code Platform branding.

Changes:
- Ingress hostname: vteam.local → ambient.local
- Documentation (README.md, PHASE1.md)
- Makefile help text and deployment messages

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@jeremyeder
refactor: migrate to .env-based secret management
899e883 
- Use Kustomize secretGenerator to create secrets from .env file
- Remove secrets.yaml from git tracking (add to .gitignore)
- Add secrets.yaml.example for reference
- Update documentation to use .env workflow
- Prevents accidental commit of API keys to git history
@jeremyeder jeremyeder merged commit 57583bd into feature/openwebui-litellm-deployment Dec 20, 2025
2 of 3 checks passed
@github-actions
Copy link

github-actions bot commented Dec 20, 2025
edited
Loading

Claude Code Review

Summary

This PR migrates Open WebUI + LiteLLM secret management from tracked secrets.yaml to gitignored .env files with Kustomize secretGenerator. The approach is security-focused and aligns with platform patterns. However, there are critical blockers and several important issues to address before merge.

Issues by Severity

🚫 Blocker Issues

1. Missing .env.example File

The PR documentation and commit message reference:

cp .env.example .env

But .env.example is NOT included in the PR. Users cannot complete the setup without this template file.

Location: components/open-webui-llm/overlays/phase1-kind/.env.example

Required content (based on kustomization.yaml secretGenerator):

# Anthropic API Key (required)
ANTHROPIC_API_KEY=sk-ant-YOUR-KEY-HERE

# LiteLLM Master Key (can use default for dev)
LITELLM_MASTER_KEY=sk-litellm-dev-master-key

# Open WebUI Configuration
WEBUI_AUTH=false
OPENAI_API_BASE_URL=http://litellm-service:4000/v1
OPENAI_API_KEY=sk-litellm-dev-master-key

Action: Add components/open-webui-llm/overlays/phase1-kind/.env.example to the PR.

2. Inconsistent Secret Key Names in kustomization.yaml

The secretGenerator creates secrets from .env, but the secret key names don't match what the deployments expect.

Problem:

  • Kustomize secretGenerator with envs: [.env] creates secrets with keys exactly as they appear in .env
  • But openwebui-secrets expects key OPENAI_API_KEY
  • The .env file would need OPENAI_API_KEY=... for this to work

Current config:

secretGenerator:
- name: openwebui-secrets
  namespace: openwebui
  envs:
  - .env

Issues:

  1. litellm-secrets needs: ANTHROPIC_API_KEY, LITELLM_MASTER_KEY
  2. openwebui-secrets needs: OPENAI_API_KEY

All keys must be present in the same .env file, which means you're sharing the .env across both secrets. This works, but only if the .env contains ALL keys:

# Required for litellm-secrets
ANTHROPIC_API_KEY=sk-ant-xxx
LITELLM_MASTER_KEY=sk-litellm-dev-master-key

# Required for openwebui-secrets  
OPENAI_API_KEY=sk-litellm-dev-master-key

Action: Ensure .env.example includes ALL required keys (currently missing OPENAI_API_KEY).

🔴 Critical Issues

3. Deprecated secrets.yaml.example Has Misleading Comment

secrets.yaml.example:1-9:

# DEPRECATED: Use .env file instead (see .env.example)
# This file is kept for reference only
#
# To configure secrets:
# 1. Copy .env.example to .env
# 2. Fill in your actual API keys
# 3. Deploy with: make phase1-deploy

Problem: References .env.example which doesn't exist (see blocker #1).

Action: Update comment after adding .env.example.

4. Documentation References Non-Existent vteam.local Domain

Multiple files were updated to change vteam.localambient.local, but this appears to be unrelated to the secret management refactor.

Changed files:

  • Makefile (lines 23, 26, 42, 43)
  • README.md (lines 48, 49, 116, 118, 129, 211, 231)
  • docs/PHASE1.md (lines 109, 114, 238, 250, 255)
  • overlays/phase1-kind/ingress.yaml (line 15)

Issue: This is scope creep - the PR title says "Migrate to .env-based secret management", but includes a hostname rename.

According to CLAUDE.md Section "Documentation Standards":

"Default to improving existing documentation rather than creating new files."

According to Git Workflow standards:

"Branch verification: Always check current branch before file modifications"

Recommendation:

  • If hostname change is intentional and related, update PR title/description to reflect this
  • If unintentional, revert hostname changes and create separate PR
  • Current state mixes two unrelated changes, making review harder

5. Missing WEBUI_AUTH and OPENAI_API_BASE_URL in Secret References

The documentation in docs/PHASE1.md:54-61 shows a .env example with:

LITELLM_MASTER_KEY=sk-litellm-dev-master-key
WEBUI_AUTH=false
OPENAI_API_BASE_URL=http://litellm-service:4000/v1

But these keys aren't referenced in the original secrets.yaml that was deleted.

Question: Are WEBUI_AUTH and OPENAI_API_BASE_URL actually needed in secrets? Or are they environment variables set elsewhere?

Action: Clarify which keys belong in secrets vs. ConfigMap/Deployment env vars.

🟡 Major Issues

6. Memory Limits Increased Without Justification

base/litellm/deployment.yaml:52-55:

requests:
  memory: 1Gi  # Was 512Mi
limits:
  memory: 3Gi  # Was 2Gi

Issue: This is unrelated to secret management and not mentioned in PR description.

According to CLAUDE.md "Doing tasks" section:

"Avoid over-engineering. Only make changes that are directly requested or clearly necessary."

Action: Either:

  1. Document why memory increase is needed in PR description
  2. Move to separate PR
  3. Revert if not essential to this refactor

7. Image Tags Pinned Without Explanation

kustomization.yaml:40-43:

images:
- name: ghcr.io/berriai/litellm
  newTag: v1.80.10.rc.5  # Was main-latest
- name: ghcr.io/open-webui/open-webui
  newTag: v0.6.41  # Was main

Issue: Tag pinning is a breaking change and unrelated to secret management.

Consequences:

  • Users won't get latest updates
  • Requires manual tag updates for security patches

Action: Either:

  1. Justify in PR description (e.g., "for reproducibility in testing")
  2. Revert to main-latest/main
  3. Move to separate PR

🔵 Minor Issues

8. Gitignore Pattern May Be Too Broad

.gitignore:6-7:

# Secrets manifests (use secretGenerator with .env instead)
overlays/*/secrets.yaml

Pattern: overlays/*/secrets.yaml

Potential Issue: This ignores secrets.yaml in ALL overlay directories. If a future overlay needs a tracked secrets.yaml (e.g., for non-sensitive config), this pattern prevents it.

Recommendation: Consider more specific pattern:

overlays/phase1-kind/secrets.yaml
# Or document that secrets.yaml is NEVER tracked

9. Makefile Help Text Still References Old Secrets File

Makefile:20:

@echo "  2. API key configured (edit: overlays/phase1-kind/secrets.yaml)"

Issue: References secrets.yaml which no longer exists.

Should be:

@echo "  2. API key configured (edit: overlays/phase1-kind/.env)"

10. No Validation for .env File Existence

The Makefile deploys without checking if .env exists:

phase1-deploy:
	kubectl kustomize overlays/phase1-kind | kubectl apply -f -

Risk: If user forgets to create .env, Kustomize will fail with cryptic error.

Recommendation: Add validation:

phase1-deploy:
	@if [ \! -f overlays/phase1-kind/.env ]; then \
		echo "❌ Error: overlays/phase1-kind/.env not found"; \
		echo "Run: cp overlays/phase1-kind/.env.example overlays/phase1-kind/.env"; \
		exit 1; \
	fi
	kubectl kustomize overlays/phase1-kind | kubectl apply -f -

Positive Highlights

Security improvement - API keys no longer tracked in git
Follows platform patterns - Consistent with backend/frontend .env usage
Good documentation - Updated README.md and PHASE1.md comprehensively
Proper gitignore - .env and generated secrets excluded
Kustomize integration - Clean use of secretGenerator
Test verification - PR description shows thorough testing

Recommendations

Prioritized Action Items

Before Merge (Blockers):

  1. ✅ Add overlays/phase1-kind/.env.example with all required keys
  2. ✅ Verify .env.example contains: ANTHROPIC_API_KEY, LITELLM_MASTER_KEY, OPENAI_API_KEY
  3. ⚠️ Clarify scope: Is hostname change (vteam.localambient.local) intentional?
  4. ⚠️ Clarify scope: Is memory increase intentional? If yes, document why.
  5. ⚠️ Clarify scope: Is image tag pinning intentional? If yes, document why.

After Addressing Blockers:
6. Fix Makefile help text (line 20) to reference .env not secrets.yaml
7. Add .env existence check to Makefile phase1-deploy target
8. Update secrets.yaml.example comment to reference correct .env.example path

Nice-to-Have:
9. Consider more specific gitignore pattern for secrets.yaml
10. Add comment explaining why OPENAI_API_KEY uses same value as LITELLM_MASTER_KEY

Overall Assessment

Concept: ✅ Excellent - Security-focused, follows platform standards
Execution: ⚠️ Needs work - Missing critical .env.example file, scope creep
Documentation: ✅ Good - Comprehensive updates (once .env.example exists)
Testing: ✅ Verified - PR author tested thoroughly

Recommendation: Request Changes - Address blocker issues before merge.

🤖 Generated with Claude Code

🔍 View AI decision process (logs available for 90 days)

📋 View memory system files loaded (click to expand)

What Amber Loaded for Code Review

Amber automatically loaded these repository standards from the memory system:

  1. CLAUDE.md - Master project instructions, development standards
  2. backend-development.md - Go backend, K8s integration patterns
  3. frontend-development.md - NextJS, Shadcn UI, React Query patterns
  4. security-standards.md - Auth, RBAC, token handling
  5. k8s-client-usage.md - User token vs service account patterns
  6. error-handling.md - Consistent error patterns
  7. react-query-usage.md - Data fetching patterns

Impact: This review used your repository's specific code quality standards, security patterns, and best practices from the memory system (PRs ambient-code#359, ambient-code#360) - not just generic code review guidelines.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jeremyeder