ROB-2395: docs for secrets sinks config

[nherment]

• More prominent docs for key sinks
• Basic link to secret management for all other sinks

[coderabbitai]

Walkthrough

Adds guidance and example snippets across sink documentation showing how to load secrets into environment variables (Kubernetes Secrets -> runner.additional_env_vars) and reference them in sink configs via {{ env.VAR_NAME }}; plus a general tip in the sinks index.

Changes

Cohort / File(s)	Summary
Sink docs — add secret/env guidance docs/configuration/sinks/DataDog.rst, docs/configuration/sinks/Opsgenie.rst, docs/configuration/sinks/PagerDuty.rst, docs/configuration/sinks/ms-teams.rst, docs/configuration/sinks/RobustaUI.rst, docs/configuration/sinks/ServiceNow.rst, docs/configuration/sinks/VictorOps.rst, docs/configuration/sinks/YandexMessenger.rst, docs/configuration/sinks/discord.rst, docs/configuration/sinks/google_chat.rst, docs/configuration/sinks/jira.rst, docs/configuration/sinks/kafka.rst, docs/configuration/sinks/mail.rst, docs/configuration/sinks/mattermost.rst, docs/configuration/sinks/pushover.rst, docs/configuration/sinks/rocketchat.rst, docs/configuration/sinks/telegram.rst, docs/configuration/sinks/webex.rst, docs/configuration/sinks/webhook.rst, docs/configuration/sinks/zulip.rst	Inserted notes/admonitions and example YAML snippets demonstrating securing API keys, tokens, webhook URLs, and credentials via Kubernetes Secrets -> runner.additional_env_vars and using {{ env.VARIABLE_NAME }} in sink configurations. Changes are documentation-only and additive.
Slack docs — directive + example docs/configuration/sinks/slack.rst	Replaced a warning with a tip and added an example showing loading SLACK_API_KEY from a Kubernetes Secret into runner.additional_env_vars and referencing it in the Slack sink. Documentation-only change.
Sinks index — global tip docs/configuration/sinks/index.rst	Added a tip advising use of Kubernetes Secrets with {{ env.VARIABLE_NAME }} syntax to secure API keys/tokens across sink configs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Mostly homogeneous, additive documentation updates across many sink files.
• Review focus:
  • Consistency of {{ env.VAR_NAME }} examples and variable names.
  • Correct references/links to "Managing Secrets".
  • Slack directive replacement for tone/accuracy.

Suggested reviewers

• arikalon1
• aantn

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No description was provided by the author, making it impossible to assess whether a description relates to the changeset.	Add a pull request description explaining the purpose of the documentation updates and how they help users secure their sink configurations.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: documentation updates for secrets management in sink configurations across multiple files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch rob-2395_improved_secret_docs_for_sinks

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

docs/configuration/sinks/DataDog.rst (2)

38-44: Clarify Kubernetes Secret prerequisite in documentation.

The example references a Kubernetes Secret named robusta-secrets with key datadog_key. Consider adding a brief note about whether users should create this secret manually or if it's automatically provisioned, to reduce setup confusion.

Consider adding a comment or preceding note like:

+Before using environment variables, ensure your Kubernetes Secret exists:
+
+.. code-block:: bash
+
+   kubectl create secret generic robusta-secrets --from-literal=datadog_key=<your-api-key>
+
 .. code-block:: yaml
 
    runner:

Alternatively, reference the prerequisites in the :ref:Managing Secrets`` section that users are directed to read.

---

36-49: Template syntax is consistent, but documentation sections are incomplete.

The {{ env.DATADOG_API_KEY }} syntax is correct and consistently applied across all sinks (DataDog, Opsgenie, PagerDuty, ms-teams, slack). However, PagerDuty, ms-teams, and slack are missing "Using Environment Variables for API Keys" documentation sections, while DataDog and Opsgenie include them. For consistency, add similar explanatory sections to the missing sinks showing how to load API keys from Kubernetes Secrets using environment variables.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8419c1c and 8d52191.

📒 Files selected for processing (6)

• docs/configuration/sinks/DataDog.rst (1 hunks)
• docs/configuration/sinks/Opsgenie.rst (1 hunks)
• docs/configuration/sinks/PagerDuty.rst (1 hunks)
• docs/configuration/sinks/index.rst (1 hunks)
• docs/configuration/sinks/ms-teams.rst (1 hunks)
• docs/configuration/sinks/slack.rst (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: run_tests
• GitHub Check: run_tests
• GitHub Check: Deploy docs

🔇 Additional comments (6)

docs/configuration/sinks/Opsgenie.rst (2)

62-83: Documentation addition follows security best practices.

The new "Using Environment Variables for API Keys" section appropriately demonstrates secure credential management by:

• Loading secrets from Kubernetes Secret resources (Lines 71-75)
• Referencing environment variables in sink configuration via template syntax (Line 80)
• Cross-linking to centralized security documentation (Line 83)

The YAML structure and formatting are consistent with the existing documentation style. This aligns well with the security guidance pattern described in the PR objectives.

---

62-83: No action required—all verification checks passed.

The documentation addition correctly demonstrates secure credential management using Kubernetes Secrets. The :ref:Managing Secrets`` cross-reference resolves properly, the template syntax {{ env.OPSGENIE_API_KEY }} is correct, and the YAML structure is consistent with patterns used in DataDog, PagerDuty, MS Teams, and Slack sink documentation.

docs/configuration/sinks/ms-teams.rst (1)

27-47: Template syntax and cross-reference verified—documentation follows established patterns.

The new section is well-placed and provides practical guidance for securing webhook URLs using Kubernetes Secrets. The YAML structure follows Kubernetes best practices, and the documentation flow is intuitive.

Verification confirms:

• The template syntax {{ env.MSTEAMS_WEBHOOK }} is officially supported and documented in docs/setup-robusta/configuration-secrets.rst
• The cross-reference target :ref:Managing Secrets`` exists and is established across multiple sink documentation files (Slack, PagerDuty, OpsGenie, DataDog)
• This pattern is applied consistently throughout the sink documentation as noted in the documentation index

The code is ready to merge.

docs/configuration/sinks/PagerDuty.rst (1)

62-82: Template syntax, reference link, and secret naming conventions verified as consistent.

The documentation is well-structured and follows established patterns across the other sink documentation updates. Verification confirms:

• Template syntax ({{ env.PAGERDUTY_KEY }}) is the correct Robusta templating pattern, used consistently across all sinks (DataDog, OpsGenie, MS Teams, Slack, and PagerDuty)
• Reference link (:ref:Managing Secrets``) resolves correctly to docs/setup-robusta/configuration-secrets.rst and is referenced consistently throughout the documentation
• Secret naming (robusta-secrets as secret name, pagerduty_key as key) is consistent with DataDog, OpsGenie, and MS Teams documentation updates (Slack uses a sink-specific secret name, which appears intentional)

The security guidance is appropriate and aligns with best practices demonstrated in the parallel documentation updates for other sinks.

docs/configuration/sinks/index.rst (1)

16-19: No action needed. The cross-reference :ref:Managing Secrets`` is valid and points to the section heading in docs/setup-robusta/configuration-secrets.rst. Sphinx automatically creates reference targets from section headings, and this target is already used consistently across multiple files in the documentation (Opsgenie.rst, ms-teams.rst, DataDog.rst, PagerDuty.rst, slack.rst, and others), confirming it is properly defined and accessible.

docs/configuration/sinks/slack.rst (1)

44-66: Excellent documentation for secure credential handling.

The tip section provides clear, actionable guidance on loading Slack API keys from Kubernetes Secrets. The YAML example correctly demonstrates the standard pattern using secretKeyRef to load credentials from a Secret into an environment variable, then referencing it via template syntax in the sink config. This is a solid security best practice.

The cross-reference to "Managing Secrets" is sufficient—that section contains a complete step-by-step walkthrough including the exact kubectl create secret generic command for creating Kubernetes Secrets, the Helm values pattern with secretKeyRef, and documentation of the {{ env.VARIABLE_NAME }} template syntax. The template syntax used here is consistent across all other sink configurations in the codebase.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docs/configuration/sinks/RobustaUI.rst (1)

43-47: Note placement could be enhanced for emphasis.

The security note is well-positioned after the basic setup. However, consider whether it should be integrated into the initial setup instructions (lines 32-42) rather than as an afterthought, to emphasize security as part of standard configuration from the start.

If you want to make security guidance more prominent, consider restructuring the setup section to include a security subsection immediately after the code block, or merge the note into the main setup instructions directly.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d52191 and a83367f.

📒 Files selected for processing (16)

• docs/configuration/sinks/RobustaUI.rst (1 hunks)
• docs/configuration/sinks/ServiceNow.rst (1 hunks)
• docs/configuration/sinks/VictorOps.rst (1 hunks)
• docs/configuration/sinks/YandexMessenger.rst (1 hunks)
• docs/configuration/sinks/discord.rst (1 hunks)
• docs/configuration/sinks/google_chat.rst (1 hunks)
• docs/configuration/sinks/jira.rst (1 hunks)
• docs/configuration/sinks/kafka.rst (1 hunks)
• docs/configuration/sinks/mail.rst (1 hunks)
• docs/configuration/sinks/mattermost.rst (1 hunks)
• docs/configuration/sinks/pushover.rst (1 hunks)
• docs/configuration/sinks/rocketchat.rst (1 hunks)
• docs/configuration/sinks/telegram.rst (1 hunks)
• docs/configuration/sinks/webex.rst (1 hunks)
• docs/configuration/sinks/webhook.rst (1 hunks)
• docs/configuration/sinks/zulip.rst (1 hunks)

✅ Files skipped from review due to trivial changes (7)

• docs/configuration/sinks/pushover.rst
• docs/configuration/sinks/mattermost.rst
• docs/configuration/sinks/google_chat.rst
• docs/configuration/sinks/webhook.rst
• docs/configuration/sinks/discord.rst
• docs/configuration/sinks/ServiceNow.rst
• docs/configuration/sinks/webex.rst

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: run_tests
• GitHub Check: run_tests
• GitHub Check: Deploy docs

🔇 Additional comments (7)

docs/configuration/sinks/VictorOps.rst (1)

28-30: The cross-reference to :ref:Managing Secrets`` is valid and properly anchored in docs/setup-robusta/configuration-secrets.rst. The reference pattern is applied consistently across all sink configuration files in the documentation, confirming this is an intentional, coordinated documentation update.

docs/configuration/sinks/telegram.rst (1)

56-58: Reference target verified and correct.

The :ref:Managing Secrets`` reference exists in docs/setup-robusta/configuration-secrets.rst and resolves correctly. The referenced section documents Kubernetes Secrets handling with the `{{ env.VARIABLE_NAME }}` syntax. This change follows the established pattern used consistently across other sink documentation files and requires no changes.

docs/configuration/sinks/rocketchat.rst (1)

69-71: No issues found. The :ref:Managing Secrets`` cross-reference is valid and properly defined in docs/configuration-secrets.rst. The security guidance is consistent with the pattern applied across other sink documentation files.

docs/configuration/sinks/YandexMessenger.rst (1)

62-64: Good addition—reference target confirmed.

The note provides helpful security guidance in an appropriate location. The reStructuredText syntax is correct, and the :ref:Managing Secrets`` cross-reference resolves to the section defined in docs/setup-robusta/configuration-secrets.rst. This change follows the established pattern used consistently across other sink documentation (Slack, Telegram, Discord, Jira, etc.).

docs/configuration/sinks/kafka.rst (1)

43-45: Note placement and consistency look good.

The admonition follows the existing pattern in the file and provides actionable guidance on secrets management, aligning with the PR's objective to add documentation on securing sink credentials via Kubernetes Secrets and environment variables.

docs/configuration/sinks/mail.rst (1)

195-199: Both cross-references are valid and properly defined in the documentation.

The :ref:Managing Secrets reference points to `docs/setup-robusta/configuration-secrets.rst` and is used consistently across 27+ other sink documentation files. The `:ref:`Helm Upgrade <Simple Upgrade> reference is also valid and defined in docs/setup-robusta/upgrade.rst.

The placement of line 195 is intentional and follows the established documentation pattern used in 40+ locations. This sequence—troubleshooting issues, then applying a Helm upgrade, then securing credentials—is standard throughout the codebase and appropriate for this section.

docs/configuration/sinks/zulip.rst (1)

57-59: The cross-reference is valid and the implementation is consistent with other sink documentation.

The :ref:Managing Secrets`` target exists in docs/setup-robusta/configuration-secrets.rst and this reference pattern is used consistently across all sink documentation files (webhook.rst, telegram.rst, discord.rst, and 15+ others). The note-only approach without embedded examples follows the standard documentation pattern for most sinks, with detailed guidance provided on the centralized "Managing Secrets" page.