@Tharsanan1 Tharsanan1 commented Jan 5, 2026

…roller auth

Purpose

$subject

Summary by CodeRabbit

  • Configuration Changes
    • Updated gateway controller authentication to use secret-based password management
    • Removed hardcoded admin password from default gateway configuration
    • Controller deployment now sources additional environment variables from configured secrets

coderabbitai bot commented Jan 5, 2026

Walkthrough

Admin password management is restructured across Helm charts. The hardcoded gateway controller password is removed from inline configuration, moved to a Kubernetes Secret resource that is created conditionally, and injected into the deployment via environment variables using the extraEnvFrom mechanism.

Changes

Cohort / File(s): Summary

  • Kubernetes Secret Template (kubernetes/helm/gateway-helm-chart/templates/gateway/controller/secret.yaml): New template file that creates a Kubernetes Secret resource containing the gateway controller's admin password when the adminPassword value is set. Secret uses Opaque type and maps the password to GATEWAY_GATEWAY__CONTROLLER_AUTH_BASIC_USERS_0_PASSWORD environment variable.
  • Deployment Template Changes (kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml): Modified extraEnvFrom rendering to use tpl(toYaml .) for dynamic template evaluation instead of direct rendering, enabling runtime variable interpolation within the envFrom configuration block.
  • Helm Values Configuration (kubernetes/helm/gateway-helm-chart/values.yaml, kubernetes/helm/operator-helm-chart/values.yaml): Added gateway.controller.auth.adminPassword field ("admin"); changed gateway.config.gateway_controller.auth.basic.users[0].password from "admin" to empty string; added gateway.controller.deployment.extraEnvFrom with secretRef pointing to the controller-auth secret.
  • CI/CD Workflow Configuration (.github/workflows/operator-integration-test.yml): Inline password value changed from "admin" to empty string, aligning with the new secret-based password delivery approach.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes


🐰 A secret was born, tucked safe away,
No passwords plain in sight today,
With extraEnvFrom, they gently flow,
Into controllers, secure and low. 🔐

Pre-merge checks

❌ Failed checks (1 warning)
  • Description check (⚠️ Warning)
    Explanation: The description is largely incomplete, missing critical sections like Goals, Approach, User stories, Documentation, Testing, Security checks, and Test environment.
    Resolution: Complete the PR description template by filling in Goals, Approach, User stories, Documentation, Automation tests, Security checks, and Test environment sections.
✅ Passed checks (2 passed)
  • Title check (✅ Passed): The title clearly summarizes the main change: updating admin password handling and adding a secret for controller auth, which aligns with the file changes.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Fix all issues with AI Agents 🤖
In @kubernetes/helm/gateway-helm-chart/templates/gateway/controller/secret.yaml:
- Around line 1-11: The Secret creation is conditional on
.Values.gateway.controller.auth.adminPassword in the Secret template (template
generating name via include "gateway-operator.fullname"), but the Deployment's
extraEnvFrom unconditionally references that secret which will break if
adminPassword is empty; update the Deployment template where extraEnvFrom is
rendered (the block that iterates over extraEnvFrom and emits secretRef with tpl
.secretRef.name) to either add optional: true to the secretRef entries or wrap
the entire extraEnvFrom block in the same condition
(.Values.gateway.controller.auth.adminPassword) so the secret is only referenced
when created; ensure you update the envFrom rendering logic that handles
.secretRef to include optional: true or to be guarded by the adminPassword
check.
🧹 Nitpick comments (1)
kubernetes/helm/gateway-helm-chart/values.yaml (1)

408-410: Verify default extraEnvFrom doesn't cause issues when customizing.

The default extraEnvFrom includes the controller-auth secretRef. If users want to add their own extraEnvFrom entries while keeping the secret injection, they need to include both. Consider documenting this behavior, or providing a separate dedicated field for the auth secret reference to avoid accidental override.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a5dbad4 and e53a176.

📒 Files selected for processing (5)
  • .github/workflows/operator-integration-test.yml
  • kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
  • kubernetes/helm/gateway-helm-chart/templates/gateway/controller/secret.yaml
  • kubernetes/helm/gateway-helm-chart/values.yaml
  • kubernetes/helm/operator-helm-chart/values.yaml
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: tharindu1st
Repo: wso2/api-platform PR: 514
File: gateway/gateway-controller/config/config.yaml:0-0
Timestamp: 2025-12-19T06:57:38.504Z
Learning: In gateway/gateway-controller/config/config.yaml, the default admin user with plaintext password "admin" is intentionally provided for testing purposes only and must be changed to secure hashed passwords for production deployments.

Applied to files:

  • kubernetes/helm/gateway-helm-chart/templates/gateway/controller/secret.yaml
  • .github/workflows/operator-integration-test.yml
  • kubernetes/helm/operator-helm-chart/values.yaml
  • kubernetes/helm/gateway-helm-chart/values.yaml
🪛 YAMLlint (1.37.1)
kubernetes/helm/gateway-helm-chart/templates/gateway/controller/secret.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🔇 Additional comments (6)
kubernetes/helm/operator-helm-chart/values.yaml (2)

371-372: Acknowledge default password for testing purposes.

The default adminPassword: "admin" aligns with the documented testing convention. Based on learnings, this default is intentionally provided for testing and must be changed to a secure hashed password for production deployments. Consider adding a comment here to make this explicit for users.


463-468: extraEnvFrom configuration looks good with tpl templating.

The secretRef uses a Helm template expression that will be evaluated via tpl in the deployment template. This correctly enables dynamic secret name resolution.

.github/workflows/operator-integration-test.yml (1)

286-288: Test configuration correctly mirrors helm chart changes.

The integration test ConfigMap properly reflects the new password handling pattern: empty password in config (line 286), adminPassword field for secret creation (lines 594-595), and extraEnvFrom for secret injection (lines 686-688).

Also applies to: 594-595, 686-688

kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml (1)

95-98: Good use of tpl for dynamic template evaluation.

Using tpl (toYaml .) $ correctly enables Helm template expressions (like {{ include "gateway-operator.fullname" . }}) within the extraEnvFrom values to be evaluated. The root context $ is properly passed to ensure template functions have access to the full chart context.

kubernetes/helm/gateway-helm-chart/values.yaml (2)

31-33: Password field cleared as expected.

The password is now set to empty string in the config, with the actual value to be injected via the GATEWAY_GATEWAY__CONTROLLER_AUTH_BASIC_USERS_0_PASSWORD environment variable from the controller-auth secret.


313-314: Default admin password for testing.

Based on learnings, this default "admin" password is intentionally provided for testing purposes. Users must change this to a secure value (preferably hashed) for production deployments.

Comment on lines +1 to +11
{{- if .Values.gateway.controller.auth.adminPassword }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gateway-operator.fullname" . }}-controller-auth
labels:
{{- include "gateway-operator.componentLabels" (list . "controller" (dict)) | nindent 4 }}
type: Opaque
stringData:
GATEWAY_GATEWAY__CONTROLLER_AUTH_BASIC_USERS_0_PASSWORD: {{ .Values.gateway.controller.auth.adminPassword | quote }}
{{- end }}
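
Review bot: The key on line 10 hardcodes USERS_0, so this Secret only ever overrides the first entry of gateway.config.gateway_controller.auth.basic.users; if a deployment reorders or prepends entries in that list, the admin password is applied to a different account without any error. Add a template comment (and a matching note next to adminPassword in values.yaml) stating that the Secret is bound to users[0], and note that the guard on line 1 skips the Secret for any empty adminPassword, leaving the empty password from the config in effect.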

⚠️ Potential issue | 🟠 Major

Potential deployment failure when adminPassword is empty or unset.

The Secret is created conditionally ({{- if .Values.gateway.controller.auth.adminPassword }}), but extraEnvFrom in values.yaml unconditionally references this secret. If a user sets adminPassword to empty or removes it, the deployment will fail because Kubernetes cannot find the referenced secret.

Consider one of these fixes:

  1. Make the secretRef optional in the deployment template
  2. Also make extraEnvFrom conditional on adminPassword in the deployment template
  3. Document that adminPassword must be set (even if to a custom value)
🔎 Proposed fix: Make secretRef optional

In deployment.yaml, modify the envFrom rendering to add optional: true:

{{- with $deployment.extraEnvFrom }}
envFrom:
  {{- range . }}
  {{- if .secretRef }}
  - secretRef:
      name: {{ tpl .secretRef.name $ }}
      optional: true
  {{- else }}
  - {{- tpl (toYaml .) $ | nindent 12 }}
  {{- end }}
  {{- end }}
{{- end }}

Alternatively, wrap the extraEnvFrom block with the same condition:

+{{- if .Values.gateway.controller.auth.adminPassword }}
 {{- with $deployment.extraEnvFrom }}
 envFrom:
   {{- tpl (toYaml .) $ | nindent 12 }}
 {{- end }}
+{{- end }}
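
Review bot: The added guard wraps the whole `with $deployment.extraEnvFrom` block, so clearing adminPassword drops every envFrom entry, including unrelated ConfigMap or Secret sources a user added to extraEnvFrom. Scope the condition to the controller-auth secretRef only, for example by rendering that one reference from a dedicated value under the adminPassword check and leaving the extraEnvFrom block unconditional.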

Note: The YAMLlint syntax error is a false positive—Helm template syntax {{- is valid and will be processed correctly.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In @kubernetes/helm/gateway-helm-chart/templates/gateway/controller/secret.yaml
around lines 1-11, The Secret creation is conditional on
.Values.gateway.controller.auth.adminPassword in the Secret template (template
generating name via include "gateway-operator.fullname"), but the Deployment's
extraEnvFrom unconditionally references that secret which will break if
adminPassword is empty; update the Deployment template where extraEnvFrom is
rendered (the block that iterates over extraEnvFrom and emits secretRef with tpl
.secretRef.name) to either add optional: true to the secretRef entries or wrap
the entire extraEnvFrom block in the same condition
(.Values.gateway.controller.auth.adminPassword) so the secret is only referenced
when created; ensure you update the envFrom rendering logic that handles
.secretRef to include optional: true or to be guarded by the adminPassword
check.
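
The failure mode flagged in this review (a Deployment envFrom entry naming a Secret that the chart skipped) can be caught before install by checking the rendered manifests. The sketch below is an added example, not code from the PR or the project; it assumes the render is already parsed into dicts, and the release name "gw" and the sample_render helper are constructed for illustration. Secrets created outside the chart are not visible to it.

```python
WORKLOADS = ("Deployment", "StatefulSet", "DaemonSet")


def dangling_secret_refs(manifests):
    """Return (workload, secret, severity) for envFrom secretRefs with no Secret in the render."""
    secrets = {m["metadata"]["name"] for m in manifests if m.get("kind") == "Secret"}
    findings = []
    for m in manifests:
        if m.get("kind") not in WORKLOADS:
            continue
        pod = m["spec"]["template"]["spec"]
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            for src in c.get("envFrom", []):
                ref = src.get("secretRef")
                if not ref or ref["name"] in secrets:
                    continue
                # Non-optional: the container cannot start (CreateContainerConfigError).
                # Optional: the pod starts without the variable, so the empty
                # password from the config is left in place.
                severity = "warn-missing-optional" if ref.get("optional") else "error-missing"
                findings.append((m["metadata"]["name"], ref["name"], severity))
    return findings


def sample_render(admin_password, optional=False):
    """Constructed stand-in for parsed `helm template` output (release name "gw" is made up)."""
    ref = {"name": "gw-controller-auth"}
    if optional:
        ref["optional"] = True
    docs = [{
        "kind": "Deployment",
        "metadata": {"name": "gw-controller"},
        "spec": {"template": {"spec": {"containers": [
            {"name": "controller", "envFrom": [{"secretRef": ref}]}]}}},
    }]
    if admin_password:  # mirrors the `if` guard at the top of secret.yaml
        docs.append({
            "kind": "Secret",
            "metadata": {"name": "gw-controller-auth"},
            "stringData": {
                "GATEWAY_GATEWAY__CONTROLLER_AUTH_BASIC_USERS_0_PASSWORD": admin_password},
        })
    return docs


if __name__ == "__main__":
    for pw, opt in (("admin", False), ("", False), ("", True)):
        print(repr(pw), opt, dangling_secret_refs(sample_render(pw, opt)))
```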
