DOC-2043 Document AI gateway cloud secret store integration#520

Open
micheleRP wants to merge 11 commits into main from
DOC-2043-Document-AI-gateway-cloud-secret-store-integration

@micheleRP micheleRP commented Mar 11, 2026

Description

Document integration between AI Gateway and the Secrets Store in Redpanda Cloud. Provider API keys added through the Gateway UI are now automatically stored in the Secrets Store, labeled "managed-by:aigateway".

  • New how-to page covering secret lifecycle, viewing, and rotation
  • Update setup guide and AI Hub config to reference Secrets Store
  • Add secret scopes table to the security secrets page
  • Add nav entry under AI Gateway > For Administrators

Resolves https://redpandadata.atlassian.net/browse/DOC-2043
Review deadline:

Page previews

AI Gateway Secret Management
Secrets

Checks

  • New feature
  • Content gap
  • Support Follow-up
  • Small fix (typos, links, copyedits, etc)

netlify bot commented Mar 11, 2026

Deploy Preview for rp-cloud ready!

Name Link
🔨 Latest commit 33b4254
🔍 Latest deploy log https://app.netlify.com/projects/rp-cloud/deploys/69b1c9b43196d20008fc2997
😎 Deploy Preview https://deploy-preview-520--rp-cloud.netlify.app

coderabbitai bot commented Mar 11, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a4cb1fc3-e69f-4d87-a46f-c65dca925ebd

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This pull request adds documentation for AI Gateway Secret Management. The changes include a new navigation entry under the Administrators section, a comprehensive new documentation page explaining how provider API keys are stored in the Secrets Store with labeling and zero-downtime rotation workflows, updates to existing setup and configuration documentation to reference secret storage practices, and a new table documenting different secret scopes (AI Gateway, MCP Server, AI Agent, Cluster, Redpanda Connect) in the main Secrets documentation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • PR #490: Modifies modules/ROOT/nav.adoc to update documentation navigation structure
  • PR #510: Modifies the same AI Gateway documentation files (setup-guide.adoc and configure-ai-hub.adoc) with related content changes

Suggested reviewers

  • paulohtb6
  • kbatuigas
  • weeco
  • Feediver1
🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately describes the main change: documenting the integration between AI Gateway and the Secrets Store in Redpanda Cloud.
Description check | ✅ Passed | The description is well-structured and comprehensive, covering what was changed, why, and providing page previews and issue references as required by the template.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


micheleRP and others added 3 commits March 10, 2026 19:26
- Use correct UI flow for adding API keys (Providers > Configuration > Add Configuration)
- Label is managed-by:aigateway, not "managed by AI gateway"
- Secrets are editable in the Secrets Store (value, scopes, tags)
- Add "Edit AI Gateway secrets" section
- Remove hardcoded Security nav path for Secrets Store
- Remove AWS/GCP Secret Manager parenthetical from AI Hub config

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add AI Agent scope
- Rename "Redpanda Cluster" to "Cluster"
- Reorder scopes to match UI: AI Gateway, MCP Server, AI Agent, Cluster, Redpanda Connect

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@micheleRP micheleRP marked this pull request as ready for review March 11, 2026 01:51
@micheleRP micheleRP requested a review from a team as a code owner March 11, 2026 01:51

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc (1)

223-268: ⚠️ Potential issue | 🟠 Major

Use the global Providers flow here, not per-gateway Settings.

This section still documents Settings → Providers → Configure/Edit, but Line 225 says the credentials are workspace-shared, and the rest of this PR moves key management to Agentic → AI Gateway → Providers → Configuration → Add Configuration. As written, readers will look in the wrong place for both add/edit and rotation steps.

📝 Proposed doc update
 === Manage provider credentials

 AI Hub gateways require provider credentials to route requests. Credentials are automatically stored in the xref:security:secrets.adoc[Secrets Store] and shared across all gateways in your workspace. For details on how AI Gateway manages secrets, see xref:ai-agents:ai-gateway/admin/secret-management.adoc[].

 === Add OpenAI credentials

-. Navigate to *Settings* → *Providers*.
-. Select *OpenAI*.
-. Click *Configure* (or *Edit* if already configured).
+. Navigate to *Agentic* → *AI Gateway* → *Providers*.
+. Select *OpenAI*.
+. Click *Configuration* → *Add Configuration*.

 ...

 === Add Anthropic credentials

-. Navigate to *Settings* → *Providers*.
-. Select *Anthropic*.
-. Click *Configure* (or *Edit* if already configured).
+. Navigate to *Agentic* → *AI Gateway* → *Providers*.
+. Select *Anthropic*.
+. Click *Configuration* → *Add Configuration*.

 ...

 === Credential rotation

 To rotate credentials without downtime:

-. Add a new API key to the provider configuration (don't delete the old one yet).
+. In *Agentic* → *AI Gateway* → *Providers*, open the provider's *Configuration* tab and add a new API key (don't delete the old one yet).
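
Review bot: The replacement step 3 under "Add OpenAI credentials" and "Add Anthropic credentials" drops the "(or *Edit* if already configured)" branch, so a reader whose provider already has a configuration is left without an instruction for changing an existing key. Suggest keeping an edit path next to *Configuration* → *Add Configuration*. In "Credential rotation" only the first step is changed; check that the unchanged steps after it point at the same Providers screen and still end with removing the old key.
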
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc` around lines 223 -
268, The documentation incorrectly instructs users to go to "Settings →
Providers → Configure/Edit"; update the "Manage provider credentials", "Add
OpenAI credentials", "Add Anthropic credentials", and "Credential rotation"
steps to use the global Providers flow instead: replace all occurrences of
"Settings → Providers → Configure/Edit" and related per-gateway phrasing with
the new navigation "Agentic → AI Gateway → Providers → Configuration → Add
Configuration" (and "Edit" where applicable), and adjust rotation steps to
reference managing keys via the Providers Configuration screen so readers are
directed to the workspace-shared provider configuration UI.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc`:
- Around line 15-20: Update the backing-store description sentence that
currently reads "Secrets are backed by the LLM provider's secret manager and
never leave the data plane." to refer to the Redpanda Cloud data plane’s backing
secret store instead (e.g., "Secrets are stored in the Redpanda Cloud data
plane's backing secret store and never leave the data plane.") so it doesn't
imply storage by OpenAI/Anthropic/Google; adjust the wording wherever the same
phrase appears in the secret-management.adoc content to maintain consistency
with the security docs.
- Line 24: Update the TIP sentence to accurately state that while the Provider
Configuration UI (Agentic → AI Gateway → Providers → select a provider →
Configuration) can create/delete provider API keys and update a secret's value,
edits to scopes or tags must be performed in the Secrets Store only; change the
existing TIP text (the TIP line about creating/deleting keys and updating secret
value/scopes/tags) to explicitly restrict scope/tag edits to the Secrets Store
and retain the guidance for creating/deleting keys and updating secret values
via the provider UI.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 190319c0-1345-47e2-bea0-0395dddeadb8

📥 Commits

Reviewing files that changed from the base of the PR and between ae09675 and 2b8f891.

📒 Files selected for processing (5)
  • modules/ROOT/nav.adoc
  • modules/ai-agents/pages/ai-gateway/admin/secret-management.adoc
  • modules/ai-agents/pages/ai-gateway/admin/setup-guide.adoc
  • modules/ai-agents/partials/ai-hub/configure-ai-hub.adoc
  • modules/security/pages/secrets.adoc

micheleRP and others added 2 commits March 10, 2026 19:54
Link to the secrets page instead of duplicating the scopes table.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@micheleRP micheleRP requested a review from alenkacz March 11, 2026 02:02

@alenkacz alenkacz left a comment

Thanks, left some comments and questions


. Click *Save*.

== Rotate provider API keys

I am not sure if this works like this or not. Where is this coming from?

. Verify the new key works by sending a test request through the gateway.
. Remove the old API key.

Each provider configuration supports multiple API keys. AI Gateway automatically load-balances across them, which allows zero-downtime rotation. For more details, see the credential rotation steps in xref:ai-gateway/admin/setup-guide.adoc[].
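
Review bot: The step "Verify the new key works by sending a test request through the gateway" cannot confirm the new key if, as the paragraph after it says, the gateway load-balances across all configured keys, because the test request may be served with the old key. Suggest describing a check that exercises the new key specifically, or qualifying the load-balancing claim. The steps should also say whether "Remove the old API key" needs to be followed by revoking that key at the provider.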

I am not sure this happens automatically, I would have to test it. It depends on how your routing/backends are set up

You can do this load balancing, but I am not sure it happens automatically for all gateways 🤔

== Manage provider credentials

AI Hub gateways require provider credentials to route requests. Credentials are stored encrypted and shared across all gateways in your workspace.
AI Hub gateways require provider credentials to route requests. Credentials are automatically stored in the xref:security:secrets.adoc[Secrets Store] and shared across all gateways in your workspace. For details on how AI Gateway manages secrets, see xref:ai-agents:ai-gateway/admin/secret-management.adoc[].
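
Review bot: The rewritten sentence under "Manage provider credentials" no longer says that credentials are "stored encrypted"; the new wording only says they are stored in the Secrets Store. Suggest keeping the encryption statement in this sentence, or confirming that the linked xref:security:secrets.adoc page states it, so the change does not read as a weaker guarantee.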

Oh wow, what is this? AI Hub does not even exist right now 🤔

Contributor Author

AI Hub content is a WIP, initial stuff from Camilo when we thought it might make it in Package 1. It's in a partial: none of the files in the partials folder render in our docs.

| Scope | Description | Management

| AI Gateway
| Provider API keys for LLM providers (OpenAI, Anthropic, Google AI). Labeled `managed-by:aigateway` in the Secrets Store.

It could also be MCP server secrets. Let's just say it's secrets to which the AI gateway has access.

Contributor Author

How's this: Secrets used by the AI Gateway for authentication and integration.

Contributor Author

@micheleRP micheleRP Mar 11, 2026

I'm going to remove the Secrets scope table for now. Denis showed me a much more detailed table of secret scopes coming soon.


include::ai-agents:partial$adp-la.adoc[]

When you add a provider API key through the AI Gateway configuration UI, the key is automatically stored in the xref:security:secrets.adoc[Secrets Store].
Contributor

When and why would you need to use this--what is the benefit? Need a brief "benefit of using this" statement.

You can also edit AI Gateway secrets directly in the Secrets Store. The secret ID cannot be changed, but you can update the secret value, scopes, and tags.

TIP: To create or delete provider API keys, use the AI Gateway provider configuration UI (*Agentic* → *AI Gateway* → *Providers* → select a provider → *Configuration*). To update an existing secret's value, scopes, or tags, go to the Secrets Store.
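
Review bot: The paragraph that allows updating "the secret value, scopes, and tags" in the Secrets Store does not say what happens to a `managed-by:aigateway` secret when its scopes or tags are changed outside the gateway UI. Suggest stating whether removing the AI Gateway scope or the label breaks the provider configuration, and whether adding other scopes makes the provider key readable by other components.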

Contributor

Are there any prereqs or limitations?

micheleRP and others added 4 commits March 11, 2026 13:52
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com>
secrets managed through Redpanda Console never leave their corresponding
data plane account or network. They stay securely stored in AWS Secrets Manager or
GCP Secret Manager.

Contributor

Where is the source for the first paragraph in this file? Wondering why you italicized the terms there rather than making them glossterms? dynamic secrets, static secrets
