feat(Playbook): Secret parameter #424

Merged: moshloop merged 7 commits into main from feat/sensitive-playbook-parameter on Feb 19, 2026

adityathebe (Member) commented Aug 26, 2025

  • KMS connections

resolves: #423

Summary by CodeRabbit

  • New Features

    • Added Key Management Service (KMS) support for AWS KMS, Azure Key Vault, and GCP KMS.
    • Introduced secret parameters in playbooks for handling encrypted sensitive data.
  • Documentation

    • Added KMS connection reference documentation for all three supported providers.
    • Published guide for sensitive data handling in playbooks.
    • Updated installation guides with KMS setup and configuration instructions.

adityathebe requested a review from Copilot on August 26, 2025 13:37

Copilot AI left a comment

Pull Request Overview

This PR introduces secret parameter support for playbooks with KMS encryption capabilities. It adds the ability to handle sensitive data like passwords and API keys securely by integrating with cloud KMS services.

Key changes:

  • Added new secret parameter type for playbooks with KMS encryption
  • Added documentation for AWS KMS, Azure Key Vault, and GCP KMS connections
  • Updated submodule references across multiple mission-control components

Reviewed Changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| `mission-control/docs/reference/playbooks/parameters.mdx` | Added documentation for the new secret parameter type |
| `mission-control/docs/reference/connections/KMS/*.mdx` | Created documentation pages for AWS KMS, Azure Key Vault, and GCP KMS connections |
| `mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx` | Added comprehensive guide on handling sensitive data in playbooks |
| `mission-control/docs/installation/_properties_mission_control.mdx` | Added kmsConnection configuration property |
| `common/src/components/Fields.jsx` | Added field definitions for KMS connection types |
| `modules/*` | Updated submodule commits to incorporate KMS functionality |

or in the helm chart:

```yaml
kmsConnection: "connection://default/my-kms-key"
```

Can we update the setup guides for AWS/GCP for the creation of this key and connection, and the updates to the IAM binding needed?

This is also, I think, a post-setup task, as it requires the ability to create the connection first.

coderabbitai bot commented Feb 17, 2026

Walkthrough

This PR introduces KMS (Key Management Service) integration to support encrypted secret parameters in playbooks. Changes include refactoring shared field definitions for cloud provider connections (AWS, GCP, Azure), adding three new KMS connection types, and providing comprehensive documentation for KMS setup, configuration, and usage across AWS, GCP, and Azure platforms.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| **Component Field Definitions**: `common/src/components/Fields.jsx` | Consolidated AWS, GCP, and Azure connection field definitions into shared reusable arrays (awsFields, gcpFields, azureFields). Added three new KMS connection variants (aws_kms, gcp_kms, azure_key_vault) with keyID field appended to each shared field set. |
| **KMS Connection Reference Documentation**: `mission-control/docs/reference/connections/KMS/*` | Added four new documentation pages: index.mdx (KMS overview), aws-kms.mdx, gcp-kms.mdx, and azure-key-vault.mdx, each referencing their respective connection implementations and providing YAML fixture examples. |
| **Installation & Configuration Guides**: `mission-control/docs/installation/_aws_iam.mdx`, `mission-control/docs/installation/_gke_iam.mdx` | Enhanced AWS and GCP IAM documentation with new sections detailing optional KMS setup, including step-by-step instructions for creating KMS keys, policies, workload identity bindings, and Helm configuration references. |
| **Feature & Playbook Documentation**: `mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx`, `mission-control/docs/reference/playbooks/parameters.mdx`, `mission-control/docs/reference/connections/_properties_mission_control.mdx` | Introduced new documentation for handling encrypted sensitive data in playbooks, added secret parameter type definition, and documented the kmsConnection configuration property. |
| **Connection Reference & Navigation**: `mission-control/docs/reference/connections/index.mdx`, `mission-control/docs/reference/connections/Notifications/index.mdx` | Updated connections index to include new "Key Management" category with links to KMS documentation. Added new Notifications reference index page with notification channel links. |
| **Infrastructure & Administrative**: `modules/mission-control`, `styles/ignore/words-with-suggestions.txt` | Updated mission-control submodule pointer to latest commit. Extended spell-check ignore list with kmsConnection, serviceAccount, and Ollama entries. |

Suggested reviewers

  • moshloop

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'feat(Playbook): Secret parameter' clearly summarizes the main feature being introduced—a secret parameter capability for playbooks. |
| Linked Issues check | ✅ Passed | The pull request comprehensively addresses the linked issue #423 by implementing KMS connections and secret parameter functionality across code and documentation. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to implementing secret parameters and KMS connections, with no unrelated or out-of-scope modifications detected. |

coderabbitai bot left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@common/src/components/Fields.jsx`:
- Around line 188-191: The tenantId field object (field: "tenantId") is missing
its scheme property so the docs render an empty "Scheme" column; update the
tenantId entry in Fields.jsx to include the appropriate scheme (e.g., "string"
or "EnvVar") to match the other shared fields—choose "EnvVar" if it should map
to an environment variable or "string" for a plain string, and add scheme:
"<chosen>" to the tenantId object.

In `@mission-control/docs/guide/playbooks/concepts/sensitive-data.mdx`:
- Around line 13-15: The documentation references a missing fixture via the
fenced code block titled "http-secret-parameter.yaml" using the file= directive;
either add a new fixture file named http-secret-parameter.yaml with a
representative example (matching the intended YAML shown in the docs) into the
fixtures/playbooks directory, or update the fenced code block's file= value to
point to an existing fixture file or inline the YAML content directly in the
MDX; ensure the filename in the code block and the file= directive match the
actual fixture name so the build will include the example.

In `@mission-control/docs/installation/_gke_iam.mdx`:
- Around line 178-183: The snippet uses undefined variables PROJECT_NUMBER and
KSA_NAME; update the docs so the variables are set or iterate over service
accounts: either add explicit export lines for PROJECT_NUMBER and
KSA_NAME/NAMESPACE before the gcloud command (e.g., export PROJECT_NUMBER and
export NAMESPACE) or replace the single gcloud invocation with a loop over the
three KSA names ("mission-control-sa", "canary-checker-sa", "config-db-sa") to
run the gcloud projects add-iam-policy-binding command for each KSA_NAME; ensure
references to PROJECT_ID, PROJECT_NUMBER, NAMESPACE, and KSA_NAME in the command
match the variables you export or iterate.
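
The fix suggested for `_gke_iam.mdx` above, sketched as an added example that is not code from this PR or from the project's docs: it prints one binding command per service account and refuses to emit anything while a required variable is unset. The role, the Workload Identity principal format and the function names are assumptions; only the three service account names and the `gcloud projects add-iam-policy-binding` command come from the review comment.

```shell
# Service accounts named in the review comment.
KSA_NAMES="mission-control-sa canary-checker-sa config-db-sa"
# Assumed role for encrypt/decrypt with a Cloud KMS key (not taken from the PR).
KMS_ROLE="roles/cloudkms.cryptoKeyEncrypterDecrypter"

# Return non-zero, naming each culprit, if any listed variable is unset or empty.
require_vars() {
  rv_missing=0
  for rv_name in "$@"; do
    eval "rv_val=\${$rv_name:-}"
    if [ -z "$rv_val" ]; then
      echo "error: $rv_name is not set" >&2
      rv_missing=1
    fi
  done
  return "$rv_missing"
}

# Print (do not execute) one IAM binding command per Kubernetes service account.
# An empty PROJECT_NUMBER or NAMESPACE would otherwise yield a malformed principal.
binding_commands() {
  require_vars PROJECT_ID PROJECT_NUMBER NAMESPACE || return 1
  for bc_ksa in $KSA_NAMES; do
    # Assumed principal format for Workload Identity Federation for GKE.
    bc_member="principal://iam.googleapis.com/projects/${PROJECT_NUMBER}/locations/global/workloadIdentityPools/${PROJECT_ID}.svc.id.goog/subject/ns/${NAMESPACE}/sa/${bc_ksa}"
    printf 'gcloud projects add-iam-policy-binding %s --member=%s --role=%s\n' \
      "$PROJECT_ID" "$bc_member" "$KMS_ROLE"
  done
}
```

Export `PROJECT_ID`, `PROJECT_NUMBER` and `NAMESPACE`, call `binding_commands`, and review the printed commands before running them. A project-level binding grants the role on every key in the project; binding on the single key is the narrower grant.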

moshloop (Member) commented

@copilot fix merge conflicts using the latest modules

Copilot AI (Contributor) commented Feb 19, 2026

@moshloop I've opened a new pull request, #489, to work on those changes. Once the pull request is ready, I'll request review from you.

moshloop merged commit dcaf994 into main on Feb 19, 2026
15 checks passed
moshloop deleted the feat/sensitive-playbook-parameter branch on February 19, 2026 08:12