feat(Playbook): Secret parameter

* KMS connections

Author: adityathebe

common/src/components/Fields.jsx

@@ -118,6 +118,89 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
     return a.field.localeCompare(b.field)
   }
 
+  // Common AWS connection fields
+  const awsFields = [
+    {
+      field: oss ? null : "connection",
+      description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`",
+      scheme: "Connection",
+    },
+    {
+      field: "accessKey",
+      description: "Access Key ID",
+      scheme: "EnvVar"
+    },
+    {
+      field: "secretKey",
+      description: "Secret Access Key",
+      scheme: "EnvVar"
+    },
+    {
+      field: "region",
+      description: "The AWS region",
+      scheme: "string"
+    },
+    {
+      field: "endpoint",
+      scheme: "string",
+      description: "Custom AWS Endpoint to use",
+    },
+    {
+      field: "skipTLSVerify",
+      description: "Skip TLS verify when connecting to AWS",
+      scheme: 'bool'
+    }
+  ]
+
+  // Common GCP connection fields
+  const gcpFields = [
+    {
+      field: oss ? null : 'connection',
+      description:
+        'The connection url to use, mutually exclusive with `credentials`',
+      scheme: 'Connection'
+    },
+    {
+      field: 'credentials',
+      description: 'The credentials to use for authentication',
+      scheme: 'EnvVar'
+    },
+    {
+      field: 'endpoint',
+      description: 'Custom GCP Endpoint to use',
+      scheme: 'string'
+    },
+    {
+      field: 'skipTLSVerify',
+      description: 'Skip TLS verification when connecting to GCP',
+      scheme: 'bool'
+    }
+  ]
+
+  // Common Azure connection fields
+  const azureFields = [
+    {
+      field: oss ? null : "connection",
+      description: "The connection url to use, mutually exclusive with `tenantId`, `clientId`, and `clientSecret`",
+      scheme: "Connection",
+    },
+    {
+      field: "tenantId",
+      description: "The Azure Active Directory tenant ID",
+      required: true
+    },
+    {
+      field: "clientId",
+      description: "The Azure client/application ID",
+      scheme: "EnvVar"
+    },
+    {
+      field: "clientSecret",
+      description: "The Azure client/application secret",
+      scheme: "EnvVar"
+    }
+  ]
+
   if (connection == "url") {
     rows = rows.concat([
       {
@@ -200,62 +283,9 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
       }
     ])
   } else if (connection == "aws") {
-    rows = rows.concat([
-      {
-        field: oss ? null : "connection",
-        description: "The connection url to use, mutually exclusive with `accessKey` and `secretKey`",
-        scheme: "Connection",
-      },
-      {
-        field: "accessKey",
-        description: "Access Key ID",
-        scheme: "EnvVar"
-      },
-      {
-        field: "secretKey",
-        description: "Secret Access Key",
-        scheme: "EnvVar"
-      },
-      {
-        field: "region",
-        description: "The AWS region",
-        scheme: "string"
-      },
-      {
-        field: "endpoint",
-        scheme: "string",
-        description: "Custom AWS Endpoint to use",
-      },
-      {
-        field: "skipTLSVerify",
-        description: "Skip TLS verify when connecting to AWS",
-        scheme: 'bool'
-      }
-    ])
+    rows = rows.concat(awsFields)
   } else if (connection == "gcp") {
-    rows = rows.concat([
-      {
-        field: oss ? null : 'connection',
-        description:
-          'The connection url to use, mutually exclusive with `credentials`',
-        scheme: 'Connection'
-      },
-      {
-        field: 'credentials',
-        description: 'The credentials to use for authentication',
-        scheme: 'EnvVar'
-      },
-      {
-        field: 'endpoint',
-        description: 'Custom GCP Endpoint to use',
-        scheme: 'string'
-      },
-      {
-        field: 'skipTLSVerify',
-        description: 'Skip TLS verification when connecting to GCP',
-        scheme: 'bool'
-      }
-    ])
+    rows = rows.concat(gcpFields)
   } else if (connection == "sftp") {
     rows = rows.concat([
       {
@@ -347,34 +377,7 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
         scheme: "[CNRM](/reference/connections/kubernetes/#cnrm-connection)",
       }])
   } else if (connection == "azure") {
-    rows = rows.concat([
-      {
-        field: oss ? null : "connection",
-        description: "The connection url to use, mutually exclusive with `tenantId`, `subscriptionId`, `clientId`, and `clientSecret`",
-        scheme: "Connection",
-      },
-      {
-        field: "tenantId",
-        description: "The Azure Active Directory tenant ID",
-        required: true
-      },
-      {
-        field: "subscriptionId",
-        description: "The Azure subscription ID",
-        required: true,
-        scheme: "EnvVar"
-      },
-      {
-        field: "clientId",
-        description: "The Azure client/application ID",
-        scheme: "EnvVar"
-      },
-      {
-        field: "clientSecret",
-        description: "The Azure client/application secret",
-        scheme: "EnvVar"
-      }
-    ])
+    rows = rows.concat(azureFields)
   } else if (connection == "openai") {
     rows = rows.concat([
       {
@@ -618,6 +621,33 @@ export default function Fields({ common = [], rows = [], oneOf, anyOf, connectio
   } else if (connection == "prometheus") {
     // Prometheus extends HTTP connection, so HTTP fields will be included
     rows = rows.concat([])
+  } else if (connection == "aws_kms") {
+    rows = rows.concat(awsFields.concat([
+      {
+        field: "keyID",
+        description: "KMS key ID, alias, or ARN. Can include region specification for aliases (e.g., alias/ExampleAlias?region=us-east-1)",
+        scheme: "string",
+        required: true
+      }
+    ]))
+  } else if (connection == "gcp_kms") {
+    rows = rows.concat(gcpFields.concat([
+      {
+        field: "keyID",
+        description: "KMS key resource path in the format: projects/PROJECT/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY",
+        scheme: "string",
+        required: true
+      }
+    ]))
+  } else if (connection == "azure_key_vault") {
+    rows = rows.concat(azureFields.concat([
+      {
+        field: "keyID",
+        description: "Key Vault key URL in the format: https://vault-name.vault.azure.net/keys/key-name",
+        scheme: "string",
+        required: true
+      }
+    ]))
   }
 
   rows = rows.concat(common.filter(row => row.required)).filter(i => i.field != null)

mission-control-chart

@@ -0,0 +1,43 @@
+---
+title: Sensitive Data
+sidebar_custom_props:
+  icon: material-symbols-light:security
+---
+
+Sensitive data includes passwords, API keys, tokens, and other confidential information that requires protection from unauthorized access or exposure. Mission Control provides comprehensive protection for sensitive data throughout the entire playbook lifecycle.
+
+## Secret Parameters
+
+Use `secret` type parameters to handle sensitive data in playbooks:
+
+```yaml
+parameters:
+  - name: database_password
+    type: secret
+    label: "Database Password"
+    description: "Password for database connection"
+    required: true
+```
+
+## KMS Connection
+
+:::info
+Your Mission Control instance **must** have a KMS connection configured to use secret parameters. 
+:::
+
+Configure this using the `--secret-keeper-connection` flag:
+
+```bash
+mission-control serve --secret-keeper-connection "connection://default/my-kms-key"
+```
+
+or in the helm chart:
+
+```yaml
+kmsConnection: "connection://default/my-kms-key"
+```
+
+Supported connection types:
+- AWS KMS
+- Azure Key Vault  
+- GCP KMS

mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx

@@ -12,6 +12,7 @@ import Container  from './_properties_container.mdx'
 | otel.serviceName                             | Defaults to `mission-control`                      |
 | properties.incidents.disable                 | Defaults to `{}`                                   |
 | properties.logs.disable                      | Defaults to `true`                                 |
+| kmsConnection | Provide the KMS connection string to use for secret parameters. See [KMS connection documentation](/reference/connections/KMS/) for details. | |
 | replicas                                     | Defaults to `1`                                    |
 | resources.limits.cpu                         | Defaults to `500m`                                 |
 | resources.limits.memory                      | Defaults to `1024Mi`                               |

mission-control/docs/installation/_properties_mission_control.mdx

@@ -0,0 +1,15 @@
+---
+title: AWS KMS
+sidebar_custom_props:
+  icon: aws
+---
+
+<!-- Source: modules/duty/connection/awskms.go:12#AWSKMS -->
+
+<Fields connection="aws_kms"/>
+
+## Example
+
+```yaml title="awskms.yaml" file=<rootDir>/modules/mission-control/fixtures/connections/awskms.yaml
+
+```

mission-control/docs/reference/connections/KMS/aws-kms.mdx

@@ -0,0 +1,33 @@
+---
+title: Azure Key Vault
+sidebar_custom_props:
+  icon: azure
+---
+
+<!-- Source: modules/duty/connection/azurekeyvault.go:14#AzureKeyVault -->
+
+<Fields connection="azure_key_vault"/>
+
+## Example
+
+```yaml title="azure-key-vault-connection.yaml"
+apiVersion: v1
+kind: Connection
+metadata:
+  name: azure-key-vault-connection
+spec:
+  type: azure_key_vault
+  clientID:
+    valueFrom:
+      secretKeyRef:
+        name: azure-credentials
+        key: AZURE_CLIENT_ID
+  clientSecret:
+    valueFrom:
+      secretKeyRef:
+        name: azure-credentials
+        key: AZURE_CLIENT_SECRET
+  tenantID: your-tenant-id
+  properties:
+    keyID: https://your-vault.vault.azure.net/keys/mission-control-key
+```

mission-control/docs/reference/connections/KMS/azure-key-vault.mdx

@@ -0,0 +1,15 @@
+---
+title: GCP KMS
+sidebar_custom_props:
+  icon: gcp
+---
+
+<!-- Source: modules/duty/connection/gcpkms.go:12#GCPKMS -->
+
+<Fields connection="gcp_kms"/>
+
+## Example
+
+```yaml title="gcpkms.yaml" file=<rootDir>/modules/mission-control/fixtures/connections/gcpkms.yaml
+
+```

mission-control/docs/reference/connections/KMS/gcp-kms.mdx

@@ -0,0 +1,9 @@
+---
+title: KMS
+sidebar_custom_props:
+  icon: material-symbols-light:security
+---
+
+import DocCardList from '@theme/DocCardList';
+
+<DocCardList />

mission-control/docs/reference/connections/KMS/index.mdx

@@ -0,0 +1,11 @@
+---
+title: Notifications
+sidebar_position: 2
+
+sidebar_custom_props:
+  icon: ix:alarm-bell
+---
+
+import DocCardList from '@theme/DocCardList';
+
+<DocCardList />