Merged
Conversation
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughReplaces AI/Observability gateway artifacts with an API Platform Gateway: adds gateway setup/stop scripts and Makefile targets, refactors port-forwarding to platform/gateway/grouped modes, renames chart/values/templates/resources from AI/obs to api-platform, updates OTEL targets, UI labels, docs, and quick-start flows. Changes
Sequence DiagramsequenceDiagram
participant Setup as Setup Script
participant AM as Agent Manager
participant Helm as Helm
participant Kube as Kubernetes API
participant OTEL as OTEL RestApi
Setup->>AM: GET /healthz (poll up to ~60s)
alt Agent Manager healthy
Setup->>Helm: helm upgrade --install api-platform-default-default (values)
Helm->>Kube: create/update APIGateway & resources
Helm->>Kube: wait for apigateway/* Programmed
Kube->>Helm: Programmed (ok) / timeout (warn)
Setup->>Kube: kubectl apply amp-otel-collector-tracing-rest-api
Kube->>OTEL: program RestApi
Kube->>Setup: RestApi Programmed or timeout (warn)
else timeout
Setup-->>Setup: exit 1
end
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Poem
🚥 Pre-merge checks | ✅ 3 | ❌ 2❌ Failed checks (2 warnings)
✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 9
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
deployments/scripts/setup-openchoreo.sh (1)
365-390:⚠️ Potential issue | 🟠 MajorScope RBAC verbs to least privilege instead of wildcard
*.
verbs: ["*"]forrestapis,apigateways, andbackendsgrants unnecessary cluster-wide mutation power tocluster-agent-dataplane. Please narrow this to required verbs.🔒 Suggested RBAC tightening
rules: - apiGroups: ["gateway.api-platform.wso2.com"] resources: ["restapis", "apigateways"] - verbs: ["*"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: ["gateway.kgateway.dev"] resources: ["backends"] - verbs: ["*"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@deployments/scripts/setup-openchoreo.sh` around lines 365 - 390, Replace the wildcard verbs in the ClusterRole named wso2-api-platform-gateway-module: update the rules for resources "restapis" and "apigateways" (apiGroup "gateway.api-platform.wso2.com") and "backends" (apiGroup "gateway.kgateway.dev") to use least-privilege verb lists instead of ["*"]; for example, restrict read-only operations to ["get","list","watch"] and scope mutation verbs to only those actually required (e.g., ["create","update","patch","delete"] as needed) so that the ServiceAccount cluster-agent-dataplane in namespace openchoreo-data-plane only receives the minimal necessary permissions.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In
`@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/_helpers.tpl`:
- Around line 56-61: The template define
"wso2-amp-gateway-extension.apiGatewayName" can emit mixed/upper-case components
(.Values.agentManager.orgName and .Values.gateway.environment) which may violate
DNS-1123; update the printf pipeline to apply the lower filter to those
components (and ensure the final result is lowercased) before
truncation/trimSuffix so the generated name always uses lowercase characters
while preserving the existing fallback on .Values.gateway.name.
- Around line 75-102: The templates "wso2-amp-gateway-extension.idpClientIdEnv"
and "wso2-amp-gateway-extension.idpClientSecretEnv" currently reference
.Values.agentManager.idp.existingSecretClientIdKey and
.Values.agentManager.idp.existingSecretClientSecretKey without validation;
update the secretKeyRef.key usages to wrap those values with the Helm required
function (e.g. required "message"
.Values.agentManager.idp.existingSecretClientIdKey) when
.Values.agentManager.idp.existingSecret is true so Helm fails with a clear error
if the key is unset, and provide a descriptive error string for each required
call to indicate which key is missing.
In
`@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-config.yaml`:
- Line 34: The template currently hardcodes insecure_skip_verify: true in
gateway-config.yaml which disables TLS verification; change the template to not
hardcode this value and instead read a values key (e.g.,
apiGateway.controlPlane.tls.insecureSkipVerify) so operators can set it; update
gateway-config.yaml to use the chart value for insecure_skip_verify and add
insecureSkipVerify: false as the default in values.yaml under
apiGateway.controlPlane.tls to preserve secure defaults.
In `@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yaml`:
- Around line 26-34: Remove the plaintext default by clearing the hardcoded
idp.clientSecret value and rely on idp.existingSecret (and
idp.existingSecretClientIdKey / idp.existingSecretClientSecretKey) for
production; update the values under the idp section so clientSecret is empty and
add a comment indicating that existingSecret should be used instead of shipping
a default secret (referencing idp.clientSecret, idp.existingSecret,
idp.existingSecretClientIdKey, idp.existingSecretClientSecretKey).
In `@deployments/scripts/port-forward.sh`:
- Around line 58-64: The summary block later still advertises the old
"Observability Gateway" link; update that banner to reference "API Platform
Gateway" and its new ports (HTTP 22893 and HTTPS 22894) so the printed URLs
match the port-forward commands that target
svc/api-platform-default-default-gateway-gateway-runtime; find the
summary/summary-printing section that mentions "Observability Gateway" and
replace the label and port numbers/URLs accordingly (ensure both HTTP and HTTPS
entries match 22893 and 22894).
In `@deployments/scripts/setup-gateway.sh`:
- Around line 45-49: The script currently prints a success message immediately
after launching kubectl port-forward into the background (using
PORT_FORWARD_PID) without verifying it started correctly; modify the block that
runs kubectl port-forward to capture its PID (PORT_FORWARD_PID), wait a short
period, then check that the process is still running and that kubectl did not
exit with an error (e.g., test the PID with kill -0 or check the process exists
and/or inspect the command's exit status), and if the check fails, print an
error and exit non‑zero; ensure the success echo ("✅ Port-forward established")
only runs when the liveness check of PORT_FORWARD_PID confirms the port-forward
is alive.
- Around line 53-55: The kubectl readiness check is waiting for the wrong
RestApi resource name; update the kubectl wait invocation that currently targets
"restapi/traces-api-secure" to wait on
"restapi/amp-otel-collector-tracing-rest-api" (the resource created by the otel
manifest) and adjust the corresponding success message to match that resource
name so the script recognizes the actual programmed API.
In `@deployments/values/otel-collector-rest-api.yaml`:
- Around line 4-7: The deployment manifest renamed the RestApi to
amp-otel-collector-tracing-rest-api but the bootstrap script still waits on
restapi/traces-api-secure; update deployments/scripts/setup-gateway.sh so its
wait/ready check targets the new RestApi name
(amp-otel-collector-tracing-rest-api) instead of restapi/traces-api-secure,
ensuring any kubectl/oc wait or resource polling logic references the new
resource identifier and namespace openchoreo-data-plane.
In `@Makefile`:
- Around line 50-60: The post-setup printed "Next steps" order is reversed
causing users to run make port-forward before the gateway exists; update the
Makefile echo block so the recommended sequence shows "1. make setup-gateway"
first and "2. make port-forward" second (refer to the echo lines that print "📊
Next steps — install the API Platform Gateway:" and the two following echo lines
listing "make port-forward" and "make setup-gateway") so users run setup-gateway
before port-forward.
---
Outside diff comments:
In `@deployments/scripts/setup-openchoreo.sh`:
- Around line 365-390: Replace the wildcard verbs in the ClusterRole named
wso2-api-platform-gateway-module: update the rules for resources "restapis" and
"apigateways" (apiGroup "gateway.api-platform.wso2.com") and "backends"
(apiGroup "gateway.kgateway.dev") to use least-privilege verb lists instead of
["*"]; for example, restrict read-only operations to ["get","list","watch"] and
scope mutation verbs to only those actually required (e.g.,
["create","update","patch","delete"] as needed) so that the ServiceAccount
cluster-agent-dataplane in namespace openchoreo-data-plane only receives the
minimal necessary permissions.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 8fd95062-fe0b-4522-a27f-138b51508a98
📒 Files selected for processing (18)
Makefileagent-manager-service/config/config_loader.godeployments/helm-charts/wso2-agent-manager/values.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/Chart.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/_helpers.tpldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-bootstrap-job.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-config.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-cr.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/values-dev.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yamldeployments/helm-charts/wso2-amp-platform-resources-extension/templates/component-traits/api-management-trait.yamldeployments/helm-charts/wso2-amp-platform-resources-extension/values.yamldeployments/quick-start/install.shdeployments/scripts/port-forward.shdeployments/scripts/setup-gateway.shdeployments/scripts/setup-openchoreo.shdeployments/values/obs-gateway.yamldeployments/values/otel-collector-rest-api.yaml
💤 Files with no reviewable changes (1)
- deployments/values/obs-gateway.yaml
AnoshanJ
changed the title
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
deployments/quick-start/install-helpers.sh (1)
371-371:⚠️ Potential issue | 🟡 MinorMissing
log_infofallback function.The script defines fallback implementations for
log_error(line 68) andlog_warning(line 74) but not forlog_info. If the sourcing script doesn't providelog_info, this line will fail with "command not found".Proposed fix — add fallback for log_info
if ! declare -f log_warning >/dev/null 2>&1; then log_warning() { echo "WARNING: $1" >&2 } fi + +if ! declare -f log_info >/dev/null 2>&1; then + log_info() { + echo "INFO: $1" + } +fi🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@deployments/quick-start/install-helpers.sh` at line 371, The script calls log_info but lacks a fallback; add a default no-op or stdout wrapper function named log_info analogous to the existing log_error and log_warning fallbacks so the script won't fail when the caller doesn't provide log_info; locate the existing fallback definitions for log_error and log_warning and implement the same pattern for log_info (same function name: log_info) to ensure safe logging calls.
🧹 Nitpick comments (2)
console/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsx (1)
342-349: Normalize gateway type once and reuse the derived flag.The inline
toUpperCase()check is duplicated in this component (and also inViewGateway). DeriveisAIGatewayonce to reduce repetition and prevent divergence.Proposed local cleanup
+ const isAIGateway = gateway.gatewayType.toUpperCase() === "AI"; return ( <ListingTable.Row key={gateway.uuid} @@ <ListingTable.Cell align="center"> <Chip - label={gateway.gatewayType?.toUpperCase() === "AI" ? "AI" : "Regular"} + label={isAIGateway ? "AI" : "Regular"} size="small" variant="outlined" - color={gateway.gatewayType?.toUpperCase() === "AI" ? "info" : "default"} + color={isAIGateway ? "info" : "default"} /> </ListingTable.Cell>🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@console/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsx` around lines 342 - 349, Derive a single normalized flag (e.g., const isAIGateway = (gateway.gatewayType || "").toUpperCase() === "AI") near the top of the component and use that flag for both the label and color props instead of repeating gateway.gatewayType?.toUpperCase() inline; update the ListingTable.Cell/Chip usage here and mirror the same refactor in ViewGateway to reuse isAIGateway so behavior stays consistent and duplication is removed.console/workspaces/pages/gateways/src/AddAIGateway.Organization.tsx (1)
123-126: Drop local mutationonErrorto keep error UX centralized.This local
onErroronly logs to console and can conflict with global React Query error handling patterns used across the app.Proposed simplification
createGateway( { params: { orgName: orgId ?? "" }, body: payload, }, { onSuccess: (data) => { const viewPath = generatePath( absoluteRouteMap.children.org.children.gateways.children.view.path, { orgId: orgId ?? "", gatewayId: data.uuid } ); navigate(viewPath); }, - onError: (e: unknown) => { - // eslint-disable-next-line no-console - console.error("Failed to create gateway:", e); - }, } );Based on learnings: In TSX React components that use React Query, implement global error handling for mutations via QueryClient cache callbacks and remove per-mutation
onErrorhandlers for consistency.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@console/workspaces/pages/gateways/src/AddAIGateway.Organization.tsx` around lines 123 - 126, Remove the local mutation onError handler in AddAIGateway.Organization.tsx (the inline onError: (e: unknown) => console.error(...) block) so the mutation no longer logs to console; rely on the app's global React Query error handling (e.g., QueryClient/QueryCache onError callbacks or setDefaultOptions) instead, and ensure no other per-mutation error side-effects remain in the createGateway mutation or its surrounding handler code.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@console/workspaces/libs/types/src/api/gateways.ts`:
- Line 21: GatewayType currently allows lowercase values ("ai"/"regular") that
don't match the backend enum; update the type definition for GatewayType to only
the backend-allowed string literals ("AI" and "REGULAR") so compile-time checks
prevent sending invalid values; locate the GatewayType alias in this file and
remove the lowercase alternatives, then run type checks to ensure callers are
updated to use "AI" or "REGULAR".
---
Outside diff comments:
In `@deployments/quick-start/install-helpers.sh`:
- Line 371: The script calls log_info but lacks a fallback; add a default no-op
or stdout wrapper function named log_info analogous to the existing log_error
and log_warning fallbacks so the script won't fail when the caller doesn't
provide log_info; locate the existing fallback definitions for log_error and
log_warning and implement the same pattern for log_info (same function name:
log_info) to ensure safe logging calls.
---
Nitpick comments:
In `@console/workspaces/pages/gateways/src/AddAIGateway.Organization.tsx`:
- Around line 123-126: Remove the local mutation onError handler in
AddAIGateway.Organization.tsx (the inline onError: (e: unknown) =>
console.error(...) block) so the mutation no longer logs to console; rely on the
app's global React Query error handling (e.g., QueryClient/QueryCache onError
callbacks or setDefaultOptions) instead, and ensure no other per-mutation error
side-effects remain in the createGateway mutation or its surrounding handler
code.
In `@console/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsx`:
- Around line 342-349: Derive a single normalized flag (e.g., const isAIGateway
= (gateway.gatewayType || "").toUpperCase() === "AI") near the top of the
component and use that flag for both the label and color props instead of
repeating gateway.gatewayType?.toUpperCase() inline; update the
ListingTable.Cell/Chip usage here and mirror the same refactor in ViewGateway to
reuse isAIGateway so behavior stays consistent and duplication is removed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 7b46ef22-523e-4dd3-a131-60f173780fde
📒 Files selected for processing (17)
.github/release-config.jsonconsole/workspaces/libs/types/src/api/gateways.tsconsole/workspaces/pages/gateways/src/AddAIGateway.Organization.tsxconsole/workspaces/pages/gateways/src/Gateways.Organization.tsxconsole/workspaces/pages/gateways/src/index.tsconsole/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsxconsole/workspaces/pages/gateways/src/subComponents/AddAIGatewayForm.tsxconsole/workspaces/pages/gateways/src/subComponents/EditGatewayDrawer.tsxconsole/workspaces/pages/gateways/src/subComponents/ViewGateway.tsxdeployments/docker-compose.ymldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-cr.yamldeployments/quick-start/install-helpers.shdeployments/quick-start/install.shdeployments/scripts/port-forward.shdocumentation/docs/getting-started/_partials/_amp-installation.mdxdocumentation/docs/getting-started/on-k3d.mdxdocumentation/docs/getting-started/on-your-environment.mdx
✅ Files skipped from review due to trivial changes (7)
- console/workspaces/pages/gateways/src/Gateways.Organization.tsx
- .github/release-config.json
- console/workspaces/pages/gateways/src/subComponents/AddAIGatewayForm.tsx
- deployments/docker-compose.yml
- console/workspaces/pages/gateways/src/subComponents/EditGatewayDrawer.tsx
- deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-cr.yaml
- console/workspaces/pages/gateways/src/index.ts
🚧 Files skipped from review as they are similar to previous changes (1)
- deployments/quick-start/install.sh
Contributor
There was a problem hiding this comment.
Actionable comments posted: 5
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
console/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsx (1)
421-434:⚠️ Potential issue | 🟡 MinorDerive paginator visibility from
rowsPerPage.Hardcoding
5here means the pagination control can stay visible even when all rows fit on the page after the user changes the page size.Suggested fix
- {filteredGateways.length > 5 && ( + {filteredGateways.length > rowsPerPage && (🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@console/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsx` around lines 421 - 434, The pagination visibility check is hardcoded to 5; change the conditional so the TablePagination is rendered only when filteredGateways.length > rowsPerPage (i.e., derive visibility from the rowsPerPage state), e.g. replace "filteredGateways.length > 5" with "filteredGateways.length > rowsPerPage" around the TablePagination component; keep the existing handlers (onPageChange, onRowsPerPageChange) and state refs (page, rowsPerPage, setPage, setRowsPerPage, filteredGateways) intact.
♻️ Duplicate comments (1)
deployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yaml (1)
29-34:⚠️ Potential issue | 🟠 MajorRemove plaintext default
clientSecretfrom base values.Line 29 currently ships a concrete secret value. Keep this empty in defaults and rely on
existingSecretkeys.🔒 Suggested fix
idp: tokenUrl: "http://amp-thunder-extension-service.amp-thunder.svc.cluster.local:8090/oauth2/token" clientId: "amp-api-client" - clientSecret: "amp-api-client-secret" # Prefer existingSecret; only set this for local/dev use + clientSecret: ""🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yaml` around lines 29 - 34, The base values currently set a plaintext default for clientSecret; remove that concrete value by leaving clientSecret empty (""), update the inline comment to explain defaults should rely on existingSecret and the existingSecretClientIdKey/existingSecretClientSecretKey keys, and ensure clientId/clientSecret are ignored when existingSecret is provided; change the clientSecret entry (symbol: clientSecret) to an empty default and keep existingSecret, existingSecretClientIdKey, and existingSecretClientSecretKey as the recommended production configuration.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yaml`:
- Around line 140-146: The base chart enables insecure TLS verification for JWKS
by setting skipTlsVerify: true under the ThunderKeyManager -> jwks -> remote
block; change that default to skipTlsVerify: false (or remove the key) in the
values.yaml and move any skipTlsVerify: true setting into values-dev.yaml so
only development overrides use insecure verification; update references around
the ThunderKeyManager jwks.remote.uri and any other jwks blocks to ensure
production uses strict TLS verification.
In `@deployments/scripts/port-forward.sh`:
- Around line 63-68: The start_forward function currently spawns kubectl
port-forward and immediately writes its PID to PID_FILE which can record dead
processes; change start_forward to capture the background PID (from $!), wait a
short interval, then verify the process is still running (e.g., kill -0 PID or
check /proc/PID) and only append the PID to PID_FILE if the process is alive; if
the process died, capture and log the kubectl exit output/exit code and do not
persist the PID. Ensure the checks reference start_forward, the captured PID
variable, and PID_FILE so stale PIDs are never recorded.
- Around line 34-39: Quote the CLUSTER_CONTEXT variable in both kubectl
invocations to prevent word-splitting/globbing: update the kubectl cluster-info
--context $CLUSTER_CONTEXT and kubectl config use-context $CLUSTER_CONTEXT calls
to use "$CLUSTER_CONTEXT" so the shell passes the context string intact.
In `@deployments/scripts/setup-gateway.sh`:
- Around line 16-19: The health-check URL for Agent Manager is hardcoded in the
until/curl loop; make it configurable by introducing an environment variable
(e.g., AGENT_MANAGER_HEALTH_URL) with a sensible default (such as
"http://localhost:9000/healthz"), set or exported at the top of the script, and
replace the literal URL in the until curl command with that variable (while
leaving ELAPSED and MAX_WAIT logic unchanged) so the script will honor custom
port mappings or external deployments.
In `@deployments/scripts/stop-port-forward.sh`:
- Around line 13-14: The current check uses kill -0 on $PID which only verifies
the PID exists; update the if-condition that references PID, kill -0, and KILLED
to also verify the process command belongs to kubectl port-forward (e.g., use ps
-p "$PID" -o args= or pgrep -f with the PID) and only perform kill "$PID" and
increment KILLED when the command string matches "kubectl port-forward"; ensure
the check is quoted and portable (fallback to different ps flags if needed) so a
stale PID for an unrelated process isn't terminated.
---
Outside diff comments:
In `@console/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsx`:
- Around line 421-434: The pagination visibility check is hardcoded to 5; change
the conditional so the TablePagination is rendered only when
filteredGateways.length > rowsPerPage (i.e., derive visibility from the
rowsPerPage state), e.g. replace "filteredGateways.length > 5" with
"filteredGateways.length > rowsPerPage" around the TablePagination component;
keep the existing handlers (onPageChange, onRowsPerPageChange) and state refs
(page, rowsPerPage, setPage, setRowsPerPage, filteredGateways) intact.
---
Duplicate comments:
In `@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yaml`:
- Around line 29-34: The base values currently set a plaintext default for
clientSecret; remove that concrete value by leaving clientSecret empty (""),
update the inline comment to explain defaults should rely on existingSecret and
the existingSecretClientIdKey/existingSecretClientSecretKey keys, and ensure
clientId/clientSecret are ignored when existingSecret is provided; change the
clientSecret entry (symbol: clientSecret) to an empty default and keep
existingSecret, existingSecretClientIdKey, and existingSecretClientSecretKey as
the recommended production configuration.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 10faf561-ad50-46bb-94ea-eb0290e42360
📒 Files selected for processing (9)
Makefileconsole/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsxdeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/_helpers.tpldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-config.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/values-dev.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yamldeployments/scripts/port-forward.shdeployments/scripts/setup-gateway.shdeployments/scripts/stop-port-forward.sh
🚧 Files skipped from review as they are similar to previous changes (2)
- Makefile
- deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/_helpers.tpl
Contributor
There was a problem hiding this comment.
Actionable comments posted: 6
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-bootstrap-job.yaml (1)
230-238:⚠️ Potential issue | 🟠 Major | 🏗️ Heavy liftThe idempotency check only looks at the first 100 gateways.
If an org has more than 100 gateways, an existing gateway beyond that first page is missed here and the job can try to register a duplicate or fail the upgrade path. This needs pagination or a name-filtered lookup before deciding the gateway is absent.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-bootstrap-job.yaml` around lines 230 - 238, The current lookup only inspects the first page (LIST_RESPONSE) and can miss gateways beyond 100; update the logic that produces LIST_RESPONSE (the calls to http_get against "${AMP_API_URL}/orgs/${ORG_NAME}/gateways?limit=100") to either (a) paginate and aggregate all pages before extracting GATEWAY_ID (loop on offset/page, appending each response), or (b) use the API's name filter if available (call the gateways endpoint with a name query param) so the grep-based extraction for GATEWAY_ID using GATEWAY_NAME reliably finds existing gateways; ensure the final aggregated response is stored in the same LIST_RESPONSE variable and then run the existing grep/cut pipeline against that full result.
♻️ Duplicate comments (1)
deployments/scripts/port-forward.sh (1)
56-60:⚠️ Potential issue | 🟠 Major | ⚡ Quick winVerify each
kubectl port-forwardstays alive before advertising the endpoint.
start_forwardnow backgroundskubectl port-forwardand the script immediately prints the endpoint list. If a Service is missing or a local port is already bound,kubectlexits instantly and--backgroundstill reports success.Suggested fix
start_forward() { local desc="$1"; shift + local log_file pf_pid echo " $desc" - kubectl port-forward "$@" > /dev/null 2>&1 & + log_file=$(mktemp) + kubectl port-forward "$@" >"$log_file" 2>&1 & + pf_pid=$! + sleep 1 + if ! kill -0 "$pf_pid" 2>/dev/null; then + cat "$log_file" >&2 + rm -f "$log_file" + return 1 + fi + rm -f "$log_file" }🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@deployments/scripts/port-forward.sh` around lines 56 - 60, The start_forward function currently backgrounds kubectl port-forward and immediately prints endpoints; modify it to capture the backgrounded process PID after launching kubectl port-forward (from start_forward), wait a short configurable timeout, then verify the process is still running and that the local port is listening (e.g., simple connect check) before advertising the endpoint; if the PID has exited or the port is not bound, surface an error and do not list that endpoint (or retry/fail), ensuring any failure includes the kubectl exit output so the caller can debug.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@console/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsx`:
- Line 73: The component AIGatewaysTable currently calls useListGateways({
orgName: orgId }) which fetches all gateways client-side and causes scalability
issues; update AIGatewaysTable to pass pagination and filter params (e.g.,
limit, offset, and search/type filters) into useListGateways so the hook calls
listGateways with those query params instead of fetching everything, wire the
table pagination controls and search input to update limit/offset (and any
filter keys) and ensure useListGateways forwards them to listGateways so the API
performs paging/filtering server-side.
In
`@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-config.yaml`:
- Around line 45-47: The chart now exposes the gateway on listener_port: 22893
and https_port: 22894, but the local k3d load‑balancer mappings and the
quick-start preflight still reserve the old host ports (8084/8243); update those
host-facing mappings to 22893 and 22894 respectively. Locate the k3d
load‑balancer configuration and change any references mapping
host:8084->service:22893 and host:8243->service:22894, and update the
quick-start port preflight checks/values to reserve 22893 and 22894 instead of
8084/8243; also apply the same change in the other template block that mirrors
these ports (the block corresponding to the lines referenced in the review).
In `@deployments/quick-start/install.sh`:
- Around line 1452-1459: The script currently applies the OTEL RestApi manifest
(RESTAPI_FILE) then exits without verifying readiness; update the block that
applies RESTAPI_FILE to wait for the RestApi resource named
restapi/amp-otel-collector-tracing-rest-api to reach condition Programmed (use
kubectl wait with a sensible timeout) after a successful kubectl apply,
mirroring the behavior in deployments/scripts/setup-gateway.sh, and only call
log_success once the wait completes (otherwise call log_warning/error on timeout
or failure).
In `@deployments/scripts/setup-gateway.sh`:
- Around line 30-37: The Helm invocation in setup-gateway.sh is passing
docker-compose hostnames (agent-manager-service) to the chart via --set
agentManager.apiUrl and --set apiGateway.controlPlane.host which are not
resolvable from the Kubernetes bootstrap Job; update the script so the values
passed to the helm upgrade command use the actual in-cluster Agent Manager
service DNS (e.g., replace "agent-manager-service" with the cluster service name
used by Agent Manager such as "amp-api" or the real Service name and correct
ports), or alternatively implement a network bridge/ExternalName Service that
maps the docker-compose host (used when checking localhost:9000) into the
cluster before running helm upgrade; modify setup-gateway.sh around the helm
upgrade invocation to use the chosen fix and ensure agentManager.apiUrl and
apiGateway.controlPlane.host point to the reachable in-cluster addresses.
In `@deployments/scripts/setup-openchoreo.sh`:
- Around line 395-399: Update the post-install banner text in
setup-openchoreo.sh: change the echo lines that reference "setup-platform.sh"
(the strings "Gateway chart will be installed by setup-platform.sh" and any
related guidance) to point to the new script "setup-gateway.sh" so operators are
directed to the correct next step; ensure both the short banner ("9️⃣ API
Resources...") and the explanatory echo are updated to mention setup-gateway.sh.
In `@documentation/docs/getting-started/on-your-environment.mdx`:
- Around line 980-981: Remove the stale "AI Gateway" row from the access table
so only the new "API Platform Gateway" entry remains; specifically delete the
table row containing the "**AI Gateway** | http://localhost:8084" entry and
ensure the table now only lists "**API Platform Gateway** |
http://localhost:22893/otel" (update any surrounding punctuation/spacing if
needed).
---
Outside diff comments:
In
`@deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-bootstrap-job.yaml`:
- Around line 230-238: The current lookup only inspects the first page
(LIST_RESPONSE) and can miss gateways beyond 100; update the logic that produces
LIST_RESPONSE (the calls to http_get against
"${AMP_API_URL}/orgs/${ORG_NAME}/gateways?limit=100") to either (a) paginate and
aggregate all pages before extracting GATEWAY_ID (loop on offset/page, appending
each response), or (b) use the API's name filter if available (call the gateways
endpoint with a name query param) so the grep-based extraction for GATEWAY_ID
using GATEWAY_NAME reliably finds existing gateways; ensure the final aggregated
response is stored in the same LIST_RESPONSE variable and then run the existing
grep/cut pipeline against that full result.
---
Duplicate comments:
In `@deployments/scripts/port-forward.sh`:
- Around line 56-60: The start_forward function currently backgrounds kubectl
port-forward and immediately prints endpoints; modify it to capture the
backgrounded process PID after launching kubectl port-forward (from
start_forward), wait a short configurable timeout, then verify the process is
still running and that the local port is listening (e.g., simple connect check)
before advertising the endpoint; if the PID has exited or the port is not bound,
surface an error and do not list that endpoint (or retry/fail), ensuring any
failure includes the kubectl exit output so the caller can debug.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 56f2bc0a-c01d-471c-beee-fe947056ad69
📒 Files selected for processing (34)
.github/release-config.jsonMakefileagent-manager-service/config/config_loader.goconsole/workspaces/pages/gateways/src/AddAIGateway.Organization.tsxconsole/workspaces/pages/gateways/src/Gateways.Organization.tsxconsole/workspaces/pages/gateways/src/index.tsconsole/workspaces/pages/gateways/src/subComponents/AIGatewaysTable.tsxconsole/workspaces/pages/gateways/src/subComponents/AddAIGatewayForm.tsxconsole/workspaces/pages/gateways/src/subComponents/EditGatewayDrawer.tsxconsole/workspaces/pages/gateways/src/subComponents/ViewGateway.tsxdeployments/docker-compose.ymldeployments/helm-charts/wso2-agent-manager/values.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/Chart.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/_helpers.tpldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-bootstrap-job.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-config.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/gateway-cr.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/values-dev.yamldeployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yamldeployments/helm-charts/wso2-amp-platform-resources-extension/templates/component-traits/api-management-trait.yamldeployments/helm-charts/wso2-amp-platform-resources-extension/values.yamldeployments/quick-start/install-helpers.shdeployments/quick-start/install.shdeployments/scripts/port-forward.shdeployments/scripts/setup-colima.shdeployments/scripts/setup-gateway.shdeployments/scripts/setup-openchoreo.shdeployments/scripts/stop-port-forward.shdeployments/values/api-platform-operator-full-config.yamldeployments/values/obs-gateway.yamldeployments/values/otel-collector-rest-api.yamldocumentation/docs/getting-started/_partials/_amp-installation.mdxdocumentation/docs/getting-started/on-k3d.mdxdocumentation/docs/getting-started/on-your-environment.mdx
💤 Files with no reviewable changes (2)
- deployments/values/obs-gateway.yaml
- deployments/values/api-platform-operator-full-config.yaml
✅ Files skipped from review due to trivial changes (13)
- console/workspaces/pages/gateways/src/Gateways.Organization.tsx
- .github/release-config.json
- console/workspaces/pages/gateways/src/subComponents/AddAIGatewayForm.tsx
- deployments/helm-charts/wso2-amp-platform-resources-extension/values.yaml
- deployments/scripts/setup-colima.sh
- agent-manager-service/config/config_loader.go
- console/workspaces/pages/gateways/src/AddAIGateway.Organization.tsx
- console/workspaces/pages/gateways/src/subComponents/EditGatewayDrawer.tsx
- deployments/helm-charts/wso2-amp-api-platform-gateway-extension/Chart.yaml
- deployments/values/otel-collector-rest-api.yaml
- deployments/helm-charts/wso2-agent-manager/values.yaml
- console/workspaces/pages/gateways/src/index.ts
- deployments/helm-charts/wso2-amp-api-platform-gateway-extension/values-dev.yaml
🚧 Files skipped from review as they are similar to previous changes (8)
- deployments/scripts/stop-port-forward.sh
- deployments/helm-charts/wso2-amp-platform-resources-extension/templates/component-traits/api-management-trait.yaml
- console/workspaces/pages/gateways/src/subComponents/ViewGateway.tsx
- documentation/docs/getting-started/on-k3d.mdx
- deployments/helm-charts/wso2-amp-api-platform-gateway-extension/values.yaml
- documentation/docs/getting-started/_partials/_amp-installation.mdx
- deployments/helm-charts/wso2-amp-api-platform-gateway-extension/templates/_helpers.tpl
- Makefile
AnoshanJ
force-pushed
the
feat/unify-gw
branch
4 times, most recently
from
22cfe3f to
ba4dd28
Compare
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
…tions Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
…yaml Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
This reverts commit 4e9dcf3. Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
Signed-off-by: Anoshan Jayahanthan <101160077+AnoshanJ@users.noreply.github.com>
AnoshanJ
force-pushed
the
feat/unify-gw
branch
2 times, most recently
from
7f4390b to
78dc5ba
Compare
menakaj
approved these changes
May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Purpose
The platform used two separate gateways (obs-gateway for trace ingestion/ingress and wso2-amp-ai-gateway-extension for AI gateway registration). This PR streamlines the both gw installation and management.
Goals
obs-gatewayandwso2-amp-ai-gateway-extensionwith a newwso2-amp-api-platform-gateway-extensionHelm chart that serves as the single API Platform Gateway for both ingress (agent traffic) and egress (AI APIs)values.yamland rendered viagateway-config.yamltemplate, eliminating the need for separate ConfigMap filesapi-managementtrait template now uses Helm-templatedgateway.backendHost/gateway.backendPortvalues instead of a hardcodedobs-gatewayservice nameregulartype gateways alongsideaitypeobs-gateway.yaml,api-platform-operator-full-config.yaml,api-platform-operator-local-config.yaml, and the oldwso2-amp-ai-gateway-extensionchartaApproach
User stories
Release note
Documentation
Training
Certification
Marketing
Automation tests
Security checks
Samples
Related PRs
Migrations (if applicable)
Test environment
Learning
Summary by CodeRabbit
New Features
Chores
Documentation