2 changes: 1 addition & 1 deletion infrastructure/.gitignore
Expand Up @@ -4,7 +4,7 @@
**/.backend.hcl
**/kubeconfig.yaml
**/*.lock.*

**/values.prod.auto.yaml
auth

.DS_Store
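Review bot: The `**/values.prod.auto.yaml` entry matches only that exact file name, so an override written under a different name through the `--output` option of `generate-rag-setup-prod-values.sh` would not be ignored and could be committed by accident. Add a comment above the entry saying it is the generated rag-setup production override, and consider widening the pattern (for example `**/values.*.auto.yaml`) so other generated overrides are covered too.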
44 changes: 43 additions & 1 deletion infrastructure/README.md
Expand Up @@ -598,7 +598,49 @@ For deployment of the *NGINX Ingress Controller* and a cert-manager, the followi

[base-setup](server-setup/base-setup/Chart.yaml)

The email in the [cert-issuer template](server-setup/base-setup/templates/cert-issuer.yaml) should be changed from `<replace@me.com>` to a real email address.
Set a real ACME email for cert-manager via the deploy script (`--issuer-email`) or via `base-setup` value `certIssuer.email`.

For deploying RAG together with External Secrets Operator integration, use the wrapper chart:

[rag-setup](server-setup/rag-setup/Chart.yaml)

`rag-setup` defaults are production-oriented and reference ESO-managed secrets.
Its `rag` dependency is resolved from the published GitHub Pages chart repo (`https://stackitcloud.github.io/rag-template`) with a pinned chart version.

Notes:
- Local development with Tilt is unchanged: Tilt deploys `infrastructure/rag` directly, so External Secrets Operator from `rag-setup` is not deployed by default.
- Fastest production path (one command after you prepared `seed-secrets/terraform.tfvars` with app/API values in `rag_secrets`):
- Before running, ensure `infrastructure/terraform/terraform.tfvars` includes at least `project_id`, `dns_name`, and `rag_cluster_name`.

```bash
./infrastructure/scripts/deploy-rag-prod.sh \
--issuer-email you@example.com \
--auto-approve
```

- The script performs all steps:
- Terraform backend bootstrap (if needed) and infra apply
- seed-secrets apply (with Terraform-derived overrides for PostgreSQL/Redis/S3 and STACKIT model-serving keys, plus auto-generated app secrets when placeholders are present)
- generation of `server-setup/rag-setup/values.prod.auto.yaml`
- deployment of `base-setup` and `rag-setup`

- `STACKIT_CERT_MANAGER_SA_JSON` is not generated by Terraform in this flow. Provide it in `seed-secrets/terraform.tfvars`.

- Manual fallback: generate the rag values override directly from Terraform outputs:

```bash
cd infrastructure/terraform
./scripts/generate-rag-setup-prod-values.sh \
--output ../server-setup/rag-setup/values.prod.auto.yaml
```

- Manual fallback: deploy rag-setup with:

```bash
helm upgrade --install rag-setup infrastructure/server-setup/rag-setup \
-f infrastructure/server-setup/rag-setup/values.yaml \
-f infrastructure/server-setup/rag-setup/values.prod.auto.yaml
```

## 3. Contributing

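Review bot: The "Fastest production path" example passes `--auto-approve`, but the Notes never say what that flag skips, and the same command covers both the infra apply and the seed-secrets apply. Document what is auto-approved and show the invocation without the flag as the default for a first production run. Because `seed-secrets/terraform.tfvars` carries `rag_secrets` and `STACKIT_CERT_MANAGER_SA_JSON`, the Notes should also state that this file must not be committed. Two smaller points in the same list: the "Before running, ensure ..." bullet sits between the "Fastest production path ...:" lead-in and its command block, so it should move above that bullet; and the first manual fallback block does `cd infrastructure/terraform` while the `helm upgrade --install` block uses repo-root paths (`infrastructure/server-setup/rag-setup`), so say which directory each command is run from.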