linuxfoundation · andrest50 · Nov 19, 2025 · Nov 14, 2025 · Nov 15, 2025 · Nov 17, 2025
diff --git a/README.md b/README.md
@@ -39,16 +39,15 @@ export OPENFGA_STORE_ID="your-store-id-here"
 
 #### Authentication Tokens
 
-Generate impersonated Heimdall JWTs for service calls using the provided helper script:
+A Heimdall JWT secret is needed to use the `!jwt` macro in playbooks. If you
+export it as an environmental variable, you can pass it to the mock data tool
+as a command line argument. No `export` step is needed as this is used only
+to populate arguments to the mock data tool shell invocation.
 
 ```bash
-PROJECTS_TOKEN="$(./scripts/mock-heimdall-jwt.sh lfx-v2-project-service "clients@m2m_helper")"
-COMMITTEES_TOKEN="$(./scripts/mock-heimdall-jwt.sh lfx-v2-committee-service "clients@m2m_helper")"
-export PROJECTS_TOKEN COMMITTEES_TOKEN
+JWT_RSA_SECRET="$(kubectl get secret/heimdall-signer-cert -n lfx -o json | jq -r '.data["signer.pem"]' | base64 --decode)"
 ```
 
-*Note: in the future we may replace this with a YAML `!jwt` macro, and pass in the just the signing key as an environment variable.*
-
 ## Usage
 
 ### Running Mock Data Generation
@@ -58,14 +57,16 @@ Use uv to run the mock data tool (uv will automatically manage Python versions a
 ```bash
 # Test the script (uv will create the virtual environment automatically).
 uv run lfx-v2-mockdata --help
+
 # Load some data!
-uv run lfx-v2-mockdata -t playbooks/projects/{root_project_access,base_projects,extra_projects} playbooks/committees/base_committees
+uv run lfx-v2-mockdata --jwt-rsa-secret "$JWT_RSA_SECRET" -t playbooks/projects/{root_project_access,base_projects,extra_projects} playbooks/committees/base_committees
 ```
 
 **Important Notes:**
 - **Order matters!** Playbook directories run in the order specified on the command line.
 - Within each directory, playbooks execute in alphabetical order.
 - Dependencies between playbooks should be considered when organizing execution order. Multiple passes are made to allow `!ref` calls to be resolved, but the right order will improve performance and help avoid max-retry errors.
+- The `!jwt` macro will attempt to detect the JWKS key ID from the endpoint at `http://lfx-platform-heimdall.lfx.svc.cluster.local:4457/.well-known/jwks`. If this URL is not accessible from the execution environment, you must pass an explicit JWT key ID using the `--jwt-key-id` argument.
 
 ### Wiping Existing Data
 

diff --git a/playbooks/committees/base_committees/buf_committees.yaml b/playbooks/committees/base_committees/buf_committees.yaml
@@ -14,7 +14,7 @@ buf_committees:
     url: {{ environ.COMMITTEES_URL | default("http://lfx-v2-committee-service.lfx.svc.cluster.local:8080/committees") }}
     method: POST
     headers:
-      Authorization: Bearer {{ environ.COMMITTEES_TOKEN | default("-") }}
+      Authorization: !jwt bearer=true,aud=lfx-v2-committee-service,principal=clients@m2m_helper
   steps:
     - json:
         name: Governing Board
@@ -60,9 +60,9 @@ buf_board_members:
     url: !sub "{{ environ.COMMITTEES_URL | default('http://lfx-v2-committee-service.lfx.svc.cluster.local:8080/committees') }}/${ buf_committees.steps[?json.name == 'Governing Board']._response.uid | [0] }/members?v=1"
     method: POST
     headers:
-      Authorization: Bearer {{ environ.COMMITTEES_TOKEN | default("-") }}
+      Authorization: !jwt bearer=true,aud=lfx-v2-committee-service,principal=clients@m2m_helper
   steps:
-    {% for i in range(1) %}
+    {% for i in range(8) %}
     - json:
         appointed_by: Membership Entitlement
         email: {{ fake.ascii_company_email() }}
@@ -71,17 +71,19 @@ buf_board_members:
         organization:
           name: {{ fake.company() }}
           website: {{ fake.url() }}
-        {% if i == 0 %}
         role:
+          {% if i == 0 %}
           name: Chair
-        {% endif %}
+          {% else %}
+          name: None
+          {% endif %}
         status: Active
         voting:
           {% set start_date = fake.date_this_year() %}
           # 365 days later
           {% set end_date = start_date + timedelta(days=365) %}
-          start_date: "{{ start_date.isoformat().replace('+00:00', 'Z') }}"
-          end_date: "{{ end_date.isoformat().replace('+00:00', 'Z') }}"
+          start_date: "{{ start_date.isoformat() }}"
+          end_date: "{{ end_date.isoformat() }}"
           status: {{ [
             "Alternate Voting Rep",
             "Voting Rep",

diff --git a/playbooks/projects/base_projects/1_tlf.yaml b/playbooks/projects/base_projects/1_tlf.yaml
@@ -7,7 +7,7 @@ base_projects:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: Bearer {{ environ.PROJECTS_TOKEN | default("-") }}
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
   steps:
     - json:
         slug: tlf

diff --git a/playbooks/projects/base_projects/2_incorporated.yaml b/playbooks/projects/base_projects/2_incorporated.yaml
@@ -10,27 +10,27 @@ extra_incorporated:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: Bearer {{ environ.PROJECTS_TOKEN | default("-") }}
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
   steps:
     {% for outer in range(12) %}
-    {% set project_name = generate_name(style='capital') %}
+    {% set project_name = fake.catch_phrase().title() %}
     {% set outer_stage = ["Active", "Formation - Engaged"] | random %}
     - json:
         slug: extra_inc_{{ outer }}
         name: &extra_inc_{{ outer }}_name
           {{ project_name + ([" Foundation", " Project", ""] | random) }}
         description: >-
           {{ project_name }}
-          {{ lorem.get_sentence().lower() }}
-          {{ lorem.get_sentence() }}
+          {{ fake.sentence().lower() }}
+          {{ fake.sentence() }}
         public: {{ outer_stage == "Active" }}
         parent_uid: !ref "root_project.steps[0]._response"
         legal_entity_name: *extra_inc_{{ outer }}_name
         legal_entity_type: Incorporated Entity
         repository_url: https://example.com/extra_inc_{{ outer }}
         stage: {{ outer_stage }}
     {% for inner in range([0, 0, 1, 2] | random) %}
-    {% set inner_project_name = generate_name(style='capital') %}
+    {% set inner_project_name = fake.catch_phrase().title() %}
     {% set inner_stage = ["Active", "Formation - Engaged"] | random %}
     - json:
         slug: extra_inc_{{ outer }}_{{ inner }}

diff --git a/playbooks/projects/base_projects/3_umbrellas.yaml b/playbooks/projects/base_projects/3_umbrellas.yaml
@@ -7,7 +7,7 @@ sample_umbrella_buf:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: Bearer {{ environ.PROJECTS_TOKEN | default("-") }}
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
   steps:
     - json:
         slug: buf
@@ -26,14 +26,14 @@ sample_umbrella_buf:
         stage: Active
         website_url: https://buf-foundation.example/
     {% for buf_child in range(25) %}
-    {% set buf_child_name = generate_name(style='capital') %}
+    {% set buf_child_name = fake.catch_phrase().title() %}
     - json:
         slug: {{ buf_child_name | lower | replace(" ", "-") }}
         name: {{ buf_child_name }} Project
         description: >-
           {{ buf_child_name }}
-          {{ lorem.get_sentence().lower() }}
-          {{ lorem.get_sentence() }}
+          {{ fake.sentence().lower() }}
+          {{ fake.sentence() }}
         public: true
         # Children's parent is the umbrella; legal parent is Linux Foundation.
         parent_uid: !ref "sample_umbrella_buf.steps[0]._response.uid"
@@ -69,14 +69,14 @@ sample_umbrella_iubp:
         repository_url: https://example.com/iubp-consortium
         website_url: https://iubp.example/
     {% for iubp_child in range(15) %}
-    {% set iubp_child_name = generate_name(style='capital') %}
+    {% set iubp_child_name = fake.catch_phrase().title() %}
     - json:
         slug: {{ iubp_child_name | lower | replace(" ", "-") }}
         name: {{ iubp_child_name }} Project
         description: >-
           {{ iubp_child_name }}
-          {{ lorem.get_sentence().lower() }}
-          {{ lorem.get_sentence() }}
+          {{ fake.sentence().lower() }}
+          {{ fake.sentence() }}
         public: true
         # Of course, despite looking like valid Series LLC names, these are of
         # course FAKE and for testing only.

diff --git a/playbooks/projects/extra_projects/n_depth.yaml b/playbooks/projects/extra_projects/n_depth.yaml
@@ -15,29 +15,29 @@ n_depth:
     url: {{ environ.PROJECTS_URL | default("http://lfx-v2-project-service.lfx.svc.cluster.local:8080/projects") }}
     method: POST
     headers:
-      Authorization: Bearer {{ environ.PROJECTS_TOKEN | default("-") }}
+      Authorization: !jwt bearer=true,aud=lfx-v2-project-service,principal=clients@m2m_helper
   steps:
-    {% set project_name = generate_name(style='capital') %}
+    {% set project_name = fake.catch_phrase().title() %}
     - json:
         slug: depth_test_0
         name: {{ project_name + " Foundation" }}
         description: >-
           {{ project_name }}
-          {{ lorem.get_sentence().lower() }}
-          {{ lorem.get_sentence() }}
+          {{ fake.sentence().lower() }}
+          {{ fake.sentence() }}
         public: true
         parent_uid: !ref "n_depth_tlf_lookup.steps[0]._response"
         legal_parent_uid: !ref "n_depth_tlf_lookup.steps[0]._response"
         stage: Active
     {% for depth in range(1, 15) %}
-    {% set project_name = generate_name(style='capital') %}
+    {% set project_name = fake.catch_phrase().title() %}
     - json:
         slug: depth_test_{{ depth }}
         name: {{ project_name + " Project" }}
         description: >-
           {{ project_name }}
-          {{ lorem.get_sentence().lower() }}
-          {{ lorem.get_sentence() }}
+          {{ fake.sentence().lower() }}
+          {{ fake.sentence() }}
         public: true
         parent_uid: !ref "n_depth.steps[?json.slug == 'depth_test_{{ depth - 1 }}']._response.uid | [0]"
         legal_parent_uid: !ref "n_depth_tlf_lookup.steps[0]._response"

diff --git a/playbooks/projects/recreate_root_project/root.yaml b/playbooks/projects/recreate_root_project/root.yaml
@@ -12,7 +12,7 @@ recreate_root_project_slug:
     key: slug/ROOT
   steps:
     - raw: &root_project_uid
-        "{{ environ.PROJECTS_ROOT_UID | default(uuid()) }}"
+        "{{ environ.PROJECTS_ROOT_UID | default(fake.uuid4()) }}"
 
 recreate_root_project:
   type: nats-kv-put