7 changes: 6 additions & 1 deletion .github/workflows/operator-integration-test.yml
Expand Up @@ -283,7 +283,7 @@ jobs:
# password_hashed: true
# roles: ["developer", "viewer"]
- username: "admin"
password: "admin"
password: ""
password_hashed: false
roles: ["admin"]
# Server configuration
Expand Down Expand Up @@ -591,6 +591,8 @@ jobs:
labels: {}

controller:
auth:
adminPassword: "admin"
image:
repository: localhost/gateway-controller
tag: test
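Review bot: `adminPassword: "admin"` under `controller.auth` is the same value the chart's values.yaml files set as their default, so this test cannot tell whether the workflow's override reached the controller or the chart default did. Use a distinct test-only value here so that a passing login proves the Secret-to-environment path works end to end.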
Expand Down Expand Up @@ -681,6 +683,9 @@ jobs:
replicaCount: 1
volumeMountPath: /app/data
extraEnv: []
extraEnvFrom:
- secretRef:
name: '{{ include "gateway-operator.fullname" . }}-controller-auth'
env:
xdsServerAddress: ""
extraVolumeMounts: []
Expand Up @@ -92,10 +92,10 @@ spec:
{{- range $deployment.extraEnv }}
- {{- toYaml . | nindent 14 }}
{{- end }}
{{- with $deployment.extraEnvFrom }}
{{- with $deployment.extraEnvFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
{{- end }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
ports:
- name: rest
containerPort: {{ $controller.service.ports.rest }}
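Review bot: On the `envFrom` body, `tpl (toYaml .) $` now evaluates every `extraEnvFrom` entry as a template, not only the chart's own `-controller-auth` reference, so any user-supplied string containing `{{` is rendered (or fails to render) at install time. The `extraEnv` loop directly above still uses plain `toYaml`, so the two keys now behave differently. Either document in values.yaml that `extraEnvFrom` strings are templated, or apply `tpl` only to the `name` field of each entry.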
@@ -0,0 +1,11 @@
{{- if .Values.gateway.controller.auth.adminPassword }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "gateway-operator.fullname" . }}-controller-auth
labels:
{{- include "gateway-operator.componentLabels" (list . "controller" (dict)) | nindent 4 }}
type: Opaque
stringData:
GATEWAY_GATEWAY__CONTROLLER_AUTH_BASIC_USERS_0_PASSWORD: {{ .Values.gateway.controller.auth.adminPassword | quote }}
{{- end }}
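Review bot: The `stringData` key `GATEWAY_GATEWAY__CONTROLLER_AUTH_BASIC_USERS_0_PASSWORD` hard-codes index 0, so by its name the password targets whichever entry is first in the `users` list; if someone reorders or prepends to that list, `adminPassword` ends up on a different account. State next to the `users` list in values.yaml that the first entry must be the admin user. Separately, the value is read in clear text from `.Values`, which means it is also stored with the Helm release; consider accepting the name of an existing Secret as an alternative to `adminPassword`.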
Comment on lines +1 to +11
Contributor

⚠️ Potential issue | 🟠 Major

Potential deployment failure when adminPassword is empty or unset.

The Secret is created conditionally ({{- if .Values.gateway.controller.auth.adminPassword }}), but extraEnvFrom in values.yaml unconditionally references this secret. If a user sets adminPassword to empty or removes it, the deployment will fail because Kubernetes cannot find the referenced secret.

Consider one of these fixes:

  1. Make the secretRef optional in the deployment template
  2. Also make extraEnvFrom conditional on adminPassword in the deployment template
  3. Document that adminPassword must be set (even if to a custom value)
🔎 Proposed fix: Make secretRef optional

In deployment.yaml, modify the envFrom rendering to add optional: true:

{{- with $deployment.extraEnvFrom }}
envFrom:
  {{- range . }}
  {{- if .secretRef }}
  - secretRef:
      name: {{ tpl .secretRef.name $ }}
      optional: true
  {{- else }}
  - {{- tpl (toYaml .) $ | nindent 12 }}
  {{- end }}
  {{- end }}
{{- end }}

Alternatively, wrap the extraEnvFrom block with the same condition:

+{{- if .Values.gateway.controller.auth.adminPassword }}
 {{- with $deployment.extraEnvFrom }}
 envFrom:
   {{- tpl (toYaml .) $ | nindent 12 }}
 {{- end }}
+{{- end }}

Note: The YAMLlint syntax error is a false positive—Helm template syntax {{- is valid and will be processed correctly.

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 YAMLlint (1.37.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents
In @kubernetes/helm/gateway-helm-chart/templates/gateway/controller/secret.yaml
around lines 1-11, The Secret creation is conditional on
.Values.gateway.controller.auth.adminPassword in the Secret template (template
generating name via include "gateway-operator.fullname"), but the Deployment's
extraEnvFrom unconditionally references that secret which will break if
adminPassword is empty; update the Deployment template where extraEnvFrom is
rendered (the block that iterates over extraEnvFrom and emits secretRef with tpl
.secretRef.name) to either add optional: true to the secretRef entries or wrap
the entire extraEnvFrom block in the same condition
(.Values.gateway.controller.auth.adminPassword) so the secret is only referenced
when created; ensure you update the envFrom rendering logic that handles
.secretRef to include optional: true or to be guarded by the adminPassword
check.

8 changes: 6 additions & 2 deletions kubernetes/helm/gateway-helm-chart/values.yaml
Expand Up @@ -28,7 +28,7 @@ gateway:
enabled: true
users:
- username: "admin"
password: "admin"
password: ""
password_hashed: false
roles: ["admin"]
idp:
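Review bot: `password: ""` together with `password_hashed: false` leaves the admin entry with an empty plain-text password whenever the override from the `-controller-auth` Secret is not injected, for example when `adminPassword` is blank and the Secret template renders nothing. Confirm that the controller refuses to start, or refuses the login, when this field is empty, and record that behaviour in a comment beside this line.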
Expand Down Expand Up @@ -310,6 +310,8 @@ gateway:
labels: {}

controller:
auth:
adminPassword: "admin"
image:
repository: ghcr.io/wso2/api-platform/gateway-controller
tag: "0.2.0"
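Review bot: `adminPassword: "admin"` keeps the well-known admin/admin credential as the chart default; the password moves from the `users` list into a Secret, but an install with no overrides still accepts the same login. Default this key to an empty string and fail the render when it is unset (Helm's `required`), or generate a random value when none is supplied, so that a default install does not ship a guessable admin password.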
Expand Down Expand Up @@ -403,7 +405,9 @@ gateway:
# extraEnvFrom:
# - secretRef:
# name: my-secret
extraEnvFrom: []
extraEnvFrom:
- secretRef:
name: '{{ include "gateway-operator.fullname" . }}-controller-auth'
env:
xdsServerAddress: ""
extraVolumeMounts: []
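Review bot: Putting the chart's own `-controller-auth` secretRef into the user-facing `extraEnvFrom` default means it disappears as soon as a user sets `extraEnvFrom` to their own list, because Helm replaces list values instead of merging them; the controller is then left with only the empty `password: ""` from the `users` entry. Render this secretRef directly in the deployment template and keep `extraEnvFrom: []` for user additions.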
10 changes: 9 additions & 1 deletion kubernetes/helm/operator-helm-chart/values.yaml
Expand Up @@ -94,7 +94,7 @@ gateway:
enabled: true
users:
- username: "admin"
password: "admin"
password: ""
password_hashed: false
roles: ["admin"]
# Server configuration
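Review bot: `password: ""` carries no comment explaining where the admin password now comes from, and someone reading this block alone will assume an empty password is intended. Add a comment pointing to `gateway.controller.auth.adminPassword` and to the environment variable that overrides this field.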
Expand Down Expand Up @@ -368,6 +368,8 @@ gateway:
labels: {}

controller:
auth:
adminPassword: "admin"
image:
repository: ghcr.io/wso2/api-platform/gateway-controller
tag: "0.2.0"
Expand Down Expand Up @@ -458,6 +460,12 @@ gateway:
replicaCount: 1
volumeMountPath: /app/data
extraEnv: []
# extraEnvFrom:
# - secretRef:
# name: my-secret
extraEnvFrom:
- secretRef:
name: '{{ include "gateway-operator.fullname" . }}-controller-auth'
env:
xdsServerAddress: ""
extraVolumeMounts: []
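Review bot: The commented example (`# extraEnvFrom:` through `# name: my-secret`) is added directly above a live `extraEnvFrom` that already has an entry, so it shows nothing the real value does not and suggests that replacing the list is safe. Replace it with a comment saying the `-controller-auth` entry must be kept when further sources are added.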