Skip to content

fix(sluice): use virtual key for deploy smoke#135

Merged
JustAGhosT merged 1 commit into
devfrom
fix/deploy-smoke-vkey
Jul 14, 2026
Merged

fix(sluice): use virtual key for deploy smoke#135
JustAGhosT merged 1 commit into
devfrom
fix/deploy-smoke-vkey

Conversation

@JustAGhosT

@JustAGhosT JustAGhosT commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Summary

  • use the dashboard playground LiteLLM virtual key for deploy smoke tests instead of the master gateway key
  • configure the Entra dashboard BFF to inject the dashboard virtual key from Key Vault
  • document the split between Terraform's AIGATEWAY_KEY and user-facing virtual-key smoke traffic

Verification

  • terraform -chdir=infra/env/prod fmt -check -recursive
  • terraform -chdir=infra/env/prod validate
  • pnpm exec prettier --check .github/workflows/deploy-environment.yaml docs/CI_CD.md
  • live smoke with Key Vault vkey-dashboard-playground: /v1/models=200, /v1/embeddings=200

Note: local dashboard pnpm install is blocked by Windows ACL errors under dashboard/node_modules, so dashboard vitest/next build were not rerun for this workflow/Terraform-only follow-up.

Summary by CodeRabbit

  • New Features

    • Deployment smoke tests now use the environment’s virtual gateway key from Key Vault.
    • Entra-authenticated dashboard deployments can forward a designated virtual gateway key.
  • Bug Fixes

    • Improved gateway key selection for Entra deployments, with fallback support when no virtual key is configured.
  • Documentation

    • Clarified the distinction between virtual gateway keys used for smoke tests and the master key used for infrastructure configuration.

Copilot AI review requested due to automatic review settings July 14, 2026 17:15
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The dashboard Terraform module can resolve an Entra gateway proxy key from Key Vault, production configures vkey-dashboard-playground, and deployment smoke tests retrieve and use that virtual key instead of AIGATEWAY_KEY.

Changes

Gateway proxy key authentication

Layer / File(s) Summary
Terraform gateway key resolution
infra/modules/dashboard_aca/variables.tf, infra/modules/dashboard_aca/main.tf
The module supports an optional Key Vault secret name, resolves its versionless ID with a fallback, validates Entra configuration, and wires the resolved key into the container app.
Production dashboard wiring
infra/env/prod/main.tf
The production dashboard module receives vkey-dashboard-playground as the gateway proxy key secret name.
Smoke test key retrieval
.github/workflows/deploy-environment.yaml, docs/CI_CD.md
The workflow retrieves and validates the Key Vault virtual key for smoke tests, and the documentation distinguishes it from AIGATEWAY_KEY.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested reviewers: copilot

Sequence Diagram(s)

sequenceDiagram
  participant DeployWorkflow
  participant AzureKeyVault
  participant GatewaySmokeTest
  DeployWorkflow->>AzureKeyVault: Read vkey-dashboard-playground
  AzureKeyVault-->>DeployWorkflow: Return virtual key
  DeployWorkflow->>GatewaySmokeTest: Pass validated smoke_key output
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: switching deploy smoke tests to a virtual key.
Description check ✅ Passed Covers summary and verification well; only non-critical template sections like Deployment Notes and Risk/Rollback are missing.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/deploy-smoke-vkey

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates Sluice’s deploy smoke tests and dashboard Entra “BFF” configuration to use a LiteLLM virtual key (user-facing traffic) rather than the master gateway key (Terraform/runtime configuration), and documents the distinction to reduce operational confusion.

Changes:

  • Switch GitHub Actions deploy smoke tests to fetch vkey-dashboard-playground from the environment Key Vault and use it for gateway smoke calls.
  • Extend the dashboard_aca Terraform module to optionally source the BFF’s gateway proxy key by Key Vault secret name (virtual key), falling back to the existing versionless secret ID.
  • Document the separation between AIGATEWAY_KEY (master key) and smoke traffic virtual keys in docs/CI_CD.md.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
infra/modules/dashboard_aca/variables.tf Adds gateway_proxy_key_secret_name and repositions gateway_key_versionless_id as a fallback, clarifying Entra/Key Vault requirements.
infra/modules/dashboard_aca/main.tf Reads the configured virtual-key secret (by name) and injects its versionless ID into the dashboard Container App secret when in Entra mode.
infra/env/prod/main.tf Wires prod dashboard Entra config to use vkey-dashboard-playground as the gateway proxy key.
docs/CI_CD.md Documents that deploy smoke tests use the Key Vault virtual key while AIGATEWAY_KEY remains the master key for Terraform/runtime config.
.github/workflows/deploy-environment.yaml Fetches vkey-dashboard-playground from Key Vault and passes it to the smoke-test composite action instead of secrets.AIGATEWAY_KEY.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +309 to +311
set -euo pipefail
KV_NAME=$(printf 'pvc-%s-%s-kv' "${TF_VAR_env}" "${TF_VAR_projname}" | tr '[:upper:]_' '[:lower:]-' | cut -c1-24)
KEY=$(az keyvault secret show --vault-name "${KV_NAME}" --name vkey-dashboard-playground --query value -o tsv)

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@infra/modules/dashboard_aca/main.tf`:
- Around line 19-20: Update the gateway_proxy_key_secret_id expression to
determine whether the conditional data source exists by checking the length of
data.azurerm_key_vault_secret.gateway_proxy_key, rather than
gateway_proxy_key_secret_name. Preserve the existing fallback to
var.gateway_key_versionless_id when the data source array is empty.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c53d63be-1ee5-4213-aa1f-cb0e5285a28c

📥 Commits

Reviewing files that changed from the base of the PR and between 87294b1 and a0f4abe.

📒 Files selected for processing (5)
  • .github/workflows/deploy-environment.yaml
  • docs/CI_CD.md
  • infra/env/prod/main.tf
  • infra/modules/dashboard_aca/main.tf
  • infra/modules/dashboard_aca/variables.tf

Comment on lines +19 to +20
gateway_proxy_key_secret_name = trimspace(var.gateway_proxy_key_secret_name)
gateway_proxy_key_secret_id = local.gateway_proxy_key_secret_name != "" ? data.azurerm_key_vault_secret.gateway_proxy_key[0].versionless_id : var.gateway_key_versionless_id

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Fix "Index out of bounds" evaluation error.

When a secret name is provided but auth_mode is not "entra", the ternary condition local.gateway_proxy_key_secret_name != "" will evaluate to true. This causes Terraform to evaluate data.azurerm_key_vault_secret.gateway_proxy_key[0]. Since local.use_entra is false, the data source count is 0, causing an immediate "Index out of bounds" failure during plan/apply.

Check the length of the conditionally created data source array instead.

🐛 Proposed fix
   gateway_proxy_key_secret_name = trimspace(var.gateway_proxy_key_secret_name)
-  gateway_proxy_key_secret_id = local.gateway_proxy_key_secret_name != "" ? data.azurerm_key_vault_secret.gateway_proxy_key[0].versionless_id : var.gateway_key_versionless_id
+  gateway_proxy_key_secret_id = length(data.azurerm_key_vault_secret.gateway_proxy_key) > 0 ? data.azurerm_key_vault_secret.gateway_proxy_key[0].versionless_id : var.gateway_key_versionless_id
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
gateway_proxy_key_secret_name = trimspace(var.gateway_proxy_key_secret_name)
gateway_proxy_key_secret_id = local.gateway_proxy_key_secret_name != "" ? data.azurerm_key_vault_secret.gateway_proxy_key[0].versionless_id : var.gateway_key_versionless_id
gateway_proxy_key_secret_name = trimspace(var.gateway_proxy_key_secret_name)
gateway_proxy_key_secret_id = length(data.azurerm_key_vault_secret.gateway_proxy_key) > 0 ? data.azurerm_key_vault_secret.gateway_proxy_key[0].versionless_id : var.gateway_key_versionless_id
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@infra/modules/dashboard_aca/main.tf` around lines 19 - 20, Update the
gateway_proxy_key_secret_id expression to determine whether the conditional data
source exists by checking the length of
data.azurerm_key_vault_secret.gateway_proxy_key, rather than
gateway_proxy_key_secret_name. Preserve the existing fallback to
var.gateway_key_versionless_id when the data source array is empty.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a0f4abe868

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread infra/env/prod/main.tf
entra_client_id = var.entra_client_id
key_vault_id = module.sluice.key_vault_id
gateway_key_versionless_id = module.sluice.gateway_key_versionless_id
gateway_proxy_key_secret_name = "vkey-dashboard-playground"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Preserve admin credentials for the dashboard proxy

When prod runs in the default Entra mode, this wires the BFF's LITELLM_GATEWAY_KEY to the dashboard-playground virtual key instead of the master key. The dashboard admin page is restricted to dashboard.admin but its key explorer calls /key/list through dashboard/hooks/use-keys.ts; LiteLLM documents the master key as the Proxy Admin key (https://docs.litellm.ai/docs/proxy/virtual_keys), while the generated dashboard-playground key in scripts/keys.yaml only has model/budget limits. As a result, signed-in admins will no longer be able to list/manage gateway keys through the Entra dashboard and will fall back to seeing only that virtual key or a permission error. Keep the admin BFF path on the master/admin credential, or split playground/smoke traffic onto the virtual key separately.

Useful? React with 👍 / 👎.

@JustAGhosT
JustAGhosT merged commit 938b66f into dev Jul 14, 2026
2 checks passed
@JustAGhosT
JustAGhosT deleted the fix/deploy-smoke-vkey branch July 14, 2026 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants