feat: decrypt env vars in CTRL workflow before passing to Krane

[Flo4604]

What does this PR do?

This stores the current environment variables of the environment we are deploying into a snapshot for our deployments table.

It also decrypts the variables when deploying and passes them into krane.
(doesnt compile because protobuf is changed in the next pr.)

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

Test in the last branch of the stack.

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Ran make fmt on /go directory
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

[changeset-bot]

⚠️ No Changeset found

Latest commit: a75e1b4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
dashboard	Error			Dec 9, 2025 4:16pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
engineering	Ignored	Preview		Dec 9, 2025 4:16pm

[coderabbitai]

Caution

Review failed

The pull request is closed.

📝 Walkthrough

Walkthrough

This PR adds vault integration for managing deployment secrets. It wires the vault service into deployment and certificate services, captures deployment environment variables as encrypted secrets during creation, and decrypts them during execution using the vault service.

Changes

Cohort / File(s)	Summary
Vault service initialization & wiring go/apps/ctrl/run.go, go/apps/ctrl/workflows/deploy/service.go	Added vault service field to Workflow struct and wired vaultSvc into DeploymentServiceServer and CertificateServiceServer configurations.
Secrets capture & encryption go/apps/ctrl/services/deployment/create_deployment.go	Implemented environment variable capture, SecretsConfig map construction, protobuf JSON marshaling, and storage of encrypted secrets blob with deployment insertion.
Secrets decryption & integration go/apps/ctrl/workflows/deploy/deploy_handler.go	Added SecretsConfig unmarshaling, Vault-based secret decryption per workspace, and integration of decrypted environment variables into Krane deployment requests.

Sequence Diagram

sequenceDiagram
    participant Client
    participant DeploymentService as Deployment Service
    participant Vault
    participant Database
    participant DeployHandler as Deploy Handler
    participant Krane

    Client->>DeploymentService: Create deployment (env vars)
    activate DeploymentService
    DeploymentService->>DeploymentService: Build SecretsConfig map
    DeploymentService->>DeploymentService: Marshal to protobuf JSON
    DeploymentService->>Database: Insert deployment + SecretsConfig blob
    Database-->>DeploymentService: Deployment created
    deactivate DeploymentService
    
    rect rgba(100, 200, 150, 0.3)
    Note over DeployHandler,Krane: Deployment execution phase
    DeployHandler->>Database: Fetch deployment + SecretsConfig
    Database-->>DeployHandler: Deployment with encrypted secrets
    DeployHandler->>DeployHandler: Unmarshal SecretsConfig (protobuf)
    
    loop For each secret
        DeployHandler->>Vault: Decrypt secret (workspace keyring)
        Vault-->>DeployHandler: Decrypted value
    end
    
    DeployHandler->>Krane: Create deployment (EnvVars map)
    Krane-->>DeployHandler: Deployment request processed
    end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• go/apps/ctrl/services/deployment/create_deployment.go: Verify environment variable capture, protobuf JSON marshaling correctness, and error handling for fetch/marshal operations
• go/apps/ctrl/workflows/deploy/deploy_handler.go: Review decryption logic, error propagation during unmarshal/decrypt, and null-safety checks for vault service
• go/apps/ctrl/run.go and go/apps/ctrl/workflows/deploy/service.go: Confirm vault service wiring is consistent across all service configurations

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/env-vars-ctrl-decryption

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b358cbf and a75e1b4.

📒 Files selected for processing (4)

• go/apps/ctrl/run.go (1 hunks)
• go/apps/ctrl/services/deployment/create_deployment.go (3 hunks)
• go/apps/ctrl/workflows/deploy/deploy_handler.go (3 hunks)
• go/apps/ctrl/workflows/deploy/service.go (4 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Flo4604]

• fix golint issues #4477
• feat: better env var injection #4468
• remove gw from k8s manifest, add agent fix ctrl vault for certs #4463
• feat: add customer-workload service account for pod isolation #4455
• feat: inject env vars into pod spec via Krane #4454
• feat: decrypt env vars in CTRL workflow before passing to Krane #4453 👈 (View in Graphite)
• feat: dashboard UI for environment variables management #4452
• feat: add SecretsConfig proto for encrypted env vars #4451
• feat: add environment variables db schema and queries #4450
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.