From f2c45577dab85a0ea9b9a72daeca8a43c69f13d3 Mon Sep 17 00:00:00 2001
From: Jp Ayyappan <108297634+jp-ayyappan@users.noreply.github.com>
Date: Wed, 6 May 2026 09:33:29 -0400
Subject: [PATCH 1/3] fix(platform): DSPX-2933 align KAS root key env var with Viper config path

Update the deployment template to use DSP_SERVICES_KAS_ROOT_KEY instead of DSP_KAS_ROOT_KEY. The Viper config path is services.kas.root_key, so the correct environment variable override is DSP_SERVICES_KAS_ROOT_KEY. Also update the corresponding unit test assertion.

Co-authored-by: CoopAgent
---
 charts/platform/templates/deployment.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/charts/platform/templates/deployment.yaml b/charts/platform/templates/deployment.yaml
index 22a2a14e..6823c491 100644
--- a/charts/platform/templates/deployment.yaml
+++ b/charts/platform/templates/deployment.yaml
@@ -91,7 +91,7 @@ spec:
 key: {{ .Values.sdk_config.existingSecret.key }}
 {{- end }}
 {{- if and (or (contains "all" .Values.mode) (contains "kas" .Values.mode)) .Values.services.kas.config.preview.key_management }}
- - name: {{include "platform.envVarPrefix" .}}_KAS_ROOT_KEY
+ - name: {{include "platform.envVarPrefix" .}}_SERVICES_KAS_ROOT_KEY
 valueFrom:
 secretKeyRef:
 name: {{ .Values.services.kas.root_key_secret.name }}

From b7bce13f95a27c29c49836f53685f1f754fe3cfa Mon Sep 17 00:00:00 2001
From: Jp Ayyappan <108297634+jp-ayyappan@users.noreply.github.com>
Date: Wed, 6 May 2026 09:34:20 -0400
Subject: [PATCH 2/3] test(platform): DSPX-2933 update unit test for renamed KAS root key env var

Co-authored-by: CoopAgent
---
 tests/chart_platform_template_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/chart_platform_template_test.go b/tests/chart_platform_template_test.go
index 4ca0bde1..83b65bd4 100644
--- a/tests/chart_platform_template_test.go
+++ b/tests/chart_platform_template_test.go
@@ -944,7 +944,7 @@ func (s *PlatformChartTemplateSuite) Test_KeyManagement_Enabled_With_RootKeySecr
 envVarFound := false
 for _, container := range deployment.Spec.Template.Spec.Containers {
 for _, envVar := range container.Env {
- if envVar.Name == "OPENTDF_KAS_ROOT_KEY" {
+ if envVar.Name == "OPENTDF_SERVICES_KAS_ROOT_KEY" {
 s.Require().Equal("my-root-key-secret", envVar.ValueFrom.SecretKeyRef.Name)
 s.Require().Equal("my-root-key", envVar.ValueFrom.SecretKeyRef.Key)
 envVarFound = true

From b67ea38079450f00cca082041f9c6f7568c31ba8 Mon Sep 17 00:00:00 2001
From: jp-ayyappan
Date: Wed, 6 May 2026 09:51:25 -0400
Subject: [PATCH 3/3] docs(platform): document SERVICES_KAS_ROOT_KEY env var for root_key_secret

Update the root_key_secret comment to reference the correct injected env var name {PREFIX}_SERVICES_KAS_ROOT_KEY and regenerate README via helm-docs.

Co-Authored-By: Claude Sonnet 4.6 (1M context)
---
 charts/platform/README.md | 2 +-
 charts/platform/values.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/charts/platform/README.md b/charts/platform/README.md
index 9f9db6b2..6042126e 100644
--- a/charts/platform/README.md
+++ b/charts/platform/README.md
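Review bot: In tests/chart_platform_template_test.go, the loop in the `Test_KeyManagement_Enabled_With_RootKeySecr…` hunk only looks for the new name, so a template that still rendered the old `OPENTDF_KAS_ROOT_KEY` next to it would pass. Adding `s.Require().NotEqual("OPENTDF_KAS_ROOT_KEY", envVar.Name)` inside the inner loop would pin the rename so the name Viper does not read cannot return unnoticed. The matched branch also dereferences `envVar.ValueFrom.SecretKeyRef` directly. Putting `s.Require().NotNil(envVar.ValueFrom)` and `s.Require().NotNil(envVar.ValueFrom.SecretKeyRef)` before the two `Equal` calls would turn a nil-pointer panic into a readable failure if the root key were ever rendered as a literal value instead of a secret reference. The function starts and ends outside the hunk, so whether `envVarFound` is asserted after the loop is not visible here.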
@@ -214,7 +214,7 @@ Download the [keycloak_data.yaml](https://raw.githubusercontent.com/opentdf/plat
 | services.kas.config.registered_kas_uri | string | `nil` | Used by key management, if present. |
 | services.kas.privateKeysSecret | string | `"kas-private-keys"` | KAS secret containing keys @deprecated Use `private_keys_secret` instead. This value will be removed in a future release. |
 | services.kas.private_keys_secret | string | `""` | KAS secret containing keys kas-private.pem , kas-cert.pem , kas-ec-private.pem , kas-ec-cert.pem |
-| services.kas.root_key_secret | object | `{"key":"root_key","name":"kas-root-key"}` | Key needed when key_management feature is enabled (openssl rand 32 -hex) openssl rand 32 -hex | kubectl create secret generic kas-root-key --from-file=root_key=/dev/stdin |
+| services.kas.root_key_secret | object | `{"key":"root_key","name":"kas-root-key"}` | Key needed when key_management feature is enabled. Injected as `{PREFIX}_SERVICES_KAS_ROOT_KEY` env var (openssl rand 32 -hex) openssl rand 32 -hex | kubectl create secret generic kas-root-key --from-file=root_key=/dev/stdin |
 | tolerations | list | `[]` | Tolerations to apply to the pod (https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |
 | trace.enabled | bool | `false` | Enable distributed tracing |
 | trace.provider.file.compress | string | `nil` | Enable compression of trace files |
diff --git a/charts/platform/values.yaml b/charts/platform/values.yaml
index 9ecc79a1..f6ff50ca 100644
--- a/charts/platform/values.yaml
+++ b/charts/platform/values.yaml
@@ -478,7 +478,7 @@ services:
 alg: ec:secp256r1
 - kid: r1
 alg: rsa:2048
- # -- Key needed when key_management feature is enabled (openssl rand 32 -hex)
+ # -- Key needed when key_management feature is enabled. Injected as `{PREFIX}_SERVICES_KAS_ROOT_KEY` env var (openssl rand 32 -hex)
 # openssl rand 32 -hex | kubectl create secret generic kas-root-key --from-file=root_key=/dev/stdin
 root_key_secret:
 name: kas-root-key