LUKS keyscript being ignored ... asks for password

Try the option "initramfs" in your /etc/crypttab (according to https://unix.stackexchange.com/a/447676/356711). Your /etc/crypttab would then look like this:

# UUID is not required here since the path to the LV won't change
secure      /dev/vg0/secure       none      luks,keyscript=/lib/cryptsetup/scripts/insecure,initramfs

Please note that it might be a problem that your root fs is in an LVM container. This issue is also mentioned in the article linked above: "But this currently only works (reliably) if the root device is not in an LVM." Fortunately, it seems that a workaround is provided.

My system looks like this:

$ lsblk
NAME                          MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda                             8:0    0 931.5G  0 disk
└─sda1                          8:1    0 931.5G  0 part
  └─md1                         9:1    0 931.4G  0 raid1
    └─md1_crypt               253:3    0 931.4G  0 crypt
      └─raid_crypt_vg-data_lv 253:4    0 931.4G  0 lvm   /raid
sdb                             8:16   0 931.5G  0 disk
└─sdb1                          8:17   0 931.5G  0 part
  └─md1                         9:1    0 931.4G  0 raid1
    └─md1_crypt               253:3    0 931.4G  0 crypt
      └─raid_crypt_vg-data_lv 253:4    0 931.4G  0 lvm   /raid
sdc                             8:32   0 465.8G  0 disk
├─sdc1                          8:33   0   953M  0 part  /boot
└─sdc2                          8:34   0 464.8G  0 part
  └─sdc2_crypt                253:0    0 464.8G  0 crypt
    ├─system_crypt_vg-data_lv 253:1    0   447G  0 lvm   /
    └─system_crypt_vg-swap_lv 253:2    0  17.8G  0 lvm   [SWAP]

... and the following /etc/crypttab does the decryption magic with a keyscript (!) in Ubuntu 18.04.2 LTS:

$ cat /etc/crypttab
# <target name> <source device>                           <key file> <options>
sdc2_crypt      UUID=[...]                                none       luks,discard,keyscript=/etc/decryptkeydevice/decryptkeydevice_keyscript.sh
md1_crypt       /dev/md1                                  none       luks,discard,keyscript=/etc/decryptkeydevice/decryptkeydevice_keyscript.sh,initramfs

Note that the decryption of sdc2_crypt with the provided keyscript works without the initramfs option (because it contains the root fs and is thus "automatically" considered in the initramfs boot phase). md1_crypt was only decrypted already during the initramfs boot phase (and thus with the keyscript according to the crypttab entry) after I added the initramfs option. The later decryption of md1_crypt during the systemd boot phase does not work with a keyscript given in crypttab because the "systemd cryptsetup" does not support the option keyscript, see https://github.com/systemd/systemd/pull/3007.