# Add secrets to Keeper
At Workleap, most pipeline secrets are centralized in Keeper to simplify management and ensure smooth rotation when values expire. This guide explains how to add a new secret to Keeper so it can be securely used in a Chromatic pipeline.
To add a new pipeline secret to Keeper, follow these steps 👇
## Create the secrets in Keeper
- To access production secrets in Keeper, request PIM access to the Keeper production group associated with your product or pipeline.
- Go to Keeper Secret Manager.
- Create the secrets in the folder associated with your product or pipeline.
- Configure the Slack channel for expiration alerts (it's a field in Keeper).
- Note down the UIDs of the secrets generated by Keeper.

Use dashes (`-`), not underscores (`_`), in the secret names: Azure Key Vault does not support underscores.
## Update Terraform

- Open a PR in the production Terraform repository.
- Add the secret declarations, with their Keeper UIDs, in the `pipeline-secrets` module.
## Apply Terraform changes

- Once the PR is merged, trigger a run in Terraform Cloud:
  - Production: workspace `wl-prod-foundation`
## Create the ADO variable group

A variable group cannot be hybrid (reference a key vault and have hardcoded variables).

Create a new variable group or use an existing one.

If a new variable group is created:

- Toggle the **Link secrets from an Azure key vault as variables** switch.
- Set a value for **Azure subscription** and **Key vault name**.
- Add new variables to the group by selecting the secrets created earlier in Terraform.
## Update the ADO pipeline

- Modify the pipelines to:
  - Reference the variable group created in the previous steps (or an existing one).
  - Use the variables of the secrets added in the previous steps.
`chromatic.yml`:

```yaml
variables:
  - group: Chromatic-kv
pool: workleap
steps:
  - task: CmdLine@2
    displayName: Chromatic
    inputs:
      script: pnpm dlx @workleap/chromado
    env:
      CHROMATIC_PROJECT_TOKEN: $(CHROMATIC-PROJECT-TOKEN-WL-NAVBAR)
      CHROMATIC_PULL_REQUEST_COMMENT_ACCESS_TOKEN: $(PULL-REQUEST-COMMENT-ACCESS-TOKEN)
      CHROMATIC_DEBUG: true
```
Ensure the pipeline runs on private agents (mandatory to access the key vault).
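Two checks worth automating around the steps above, as an added example that is not part of the original guide, the `pipeline-secrets` module or the `@workleap/chromado` tool: `keeper_name_ok` applies the Azure Key Vault naming rule behind the "dashes, not underscores" note (letters, digits and dashes only, 1 to 127 characters), so a bad name is caught before the Terraform PR rather than at `terraform apply`; `require_env` is a preflight step for the pipeline that confirms the variable-group secrets actually reached the job as environment variables, echoing only the variable names so a misconfigured group fails fast without leaking values into the log. The function names and the sample names under `main` are constructed for this example.

```shell
#!/usr/bin/env sh
# Added helper script (not part of the original guide or of the chromado project).
# keeper_name_ok: validate a secret name against Azure Key Vault rules.
# require_env:    verify that named environment variables are set and non-empty,
#                 printing only their names, never their values.

# Azure Key Vault secret names must match ^[A-Za-z0-9-]{1,127}$.
# Returns 0 when the name is valid, 1 otherwise.
keeper_name_ok() {
  name="$1"
  # Reject empty names and names longer than 127 characters.
  [ -n "$name" ] && [ "${#name}" -le 127 ] || return 1
  # Delete every allowed character; anything left over (e.g. '_') is illegal.
  leftover=$(printf '%s' "$name" | tr -d 'A-Za-z0-9-')
  [ -z "$leftover" ]
}

# For each variable name given, check it is set and non-empty in the environment.
# Returns the number of missing variables (0 means every secret arrived).
require_env() {
  missing=0
  for var in "$@"; do
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      # Name only: the value must never be written to pipeline output.
      echo "missing pipeline secret: $var" >&2
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Constructed demo: the first two names follow the guide, the third uses underscores.
main() {
  for n in CHROMATIC-PROJECT-TOKEN-WL-NAVBAR PULL-REQUEST-COMMENT-ACCESS-TOKEN CHROMATIC_PROJECT_TOKEN; do
    if keeper_name_ok "$n"; then
      echo "ok:      $n"
    else
      echo "invalid: $n (Key Vault allows letters, digits and dashes only)"
    fi
  done
  # In the pipeline these come from the linked variable group; here they are unset,
  # so the preflight reports what is missing and returns the count.
  require_env CHROMATIC_PROJECT_TOKEN CHROMATIC_PULL_REQUEST_COMMENT_ACCESS_TOKEN \
    || echo "preflight: $? secret(s) missing"
}

main
```

In the pipeline, `require_env CHROMATIC_PROJECT_TOKEN CHROMATIC_PULL_REQUEST_COMMENT_ACCESS_TOKEN || exit 1` as the first script step turns a wrong variable-group name or a missing key vault link into an immediate, readable failure instead of an opaque error from the Chromatic step.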
## Key points to remember

- ✅ Always use dashes (`-`) in names
- ✅ Configure the correct Slack channel for alerts
- ✅ A Terraform PR is mandatory for each new secret
- ✅ Pipelines must run on private agents to access the Key Vault
- ✅ A variable group cannot be hybrid (reference a key vault and have hardcoded variables)