feat: add SecretsConfig proto for encrypted env vars

[Flo4604]

What does this PR do?

This adds a new protobuf so we can snapshot the env vars.

it's a protobuf so we can maybe in the future extend it if we want too with other information e.g who created / edited it last whatever.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

Not at all.

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Ran make fmt on /go directory
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1f4644b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
dashboard	Error			Dec 9, 2025 4:14pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
engineering	Ignored	Preview		Dec 9, 2025 4:14pm

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

Adds a new protobuf definition file for control-plane secrets management. Introduces the SecretsConfig message with a single map field to store encrypted secret key-value pairs, representing environment variables snapshotted at deployment time.

Changes

Cohort / File(s)	Change Summary
Protobuf Secrets Data Model go/proto/ctrl/v1/secrets.proto	New file. Defines SecretsConfig message in ctrl.v1 package with map<string, string> secrets field for storing encrypted environment variables.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

• Simple protobuf message definition with minimal logic
• Single new file with straightforward data structure (one map field)
• No control flow or complex interactions to review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/env-vars-secrets-proto

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 14cf21b and 1f4644b.

⛔ Files ignored due to path filters (2)

• apps/dashboard/gen/proto/ctrl/v1/secrets_pb.ts is excluded by !**/gen/**
• go/gen/proto/ctrl/v1/secrets.pb.go is excluded by !**/*.pb.go, !**/gen/**

📒 Files selected for processing (1)

• go/proto/ctrl/v1/secrets.proto (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Flo4604]

• fix golint issues #4477
• feat: better env var injection #4468
• remove gw from k8s manifest, add agent fix ctrl vault for certs #4463
• feat: add customer-workload service account for pod isolation #4455
• feat: inject env vars into pod spec via Krane #4454
• feat: decrypt env vars in CTRL workflow before passing to Krane #4453
• feat: dashboard UI for environment variables management #4452
• feat: add SecretsConfig proto for encrypted env vars #4451 👈 (View in Graphite)
• feat: add environment variables db schema and queries #4450
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[Flo4604]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.