Adding k8s templates related to gateway to apim sync mode#1784

Merged
CrowleyRajapakse merged 1 commit into wso2:main from CrowleyRajapakse:apim-dpcp-sync
Apr 28, 2026

Conversation

@CrowleyRajapakse
Contributor

Purpose

Adding k8s templates related to gateway to apim sync mode

@coderabbitai
Contributor

coderabbitai Bot commented Apr 27, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 7747516 and 08e4f1e.

📒 Files selected for processing (6)
  • kubernetes/gateway-operator/config/gateway_values.yaml
  • kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-config.yaml
  • kubernetes/helm/gateway-helm-chart/values.yaml
  • kubernetes/helm/operator-helm-chart/values.yaml
  • kubernetes/helm/resources/apim-apigateway-restapi-operator-demo/01-gateway-values-configmap.yaml
  • kubernetes/helm/resources/apim-gateway-api-operator-demo/01-gateway-values-configmap.yaml
📝 Walkthrough

This pull request adds new Helm values and template output to configure gateway controller control-plane connectivity and APIM OAuth2 credentials. It introduces gateway.config.controller.server.controlplane fields for TLS verification, reconnect/backoff timings, polling interval, deployment push enablement, sync batching, and gateway_name. It also adds OAuth2 credential fields (apim_oauth2_client_id, apim_oauth2_client_secret, apim_oauth2_username, apim_oauth2_password) for client-credentials and resource-owner-password flows. Separately, a new gateway.immutable_gateway/gatewayRuntime.immutable_gateway section (enabled flag and artifacts_dir) is added to surface immutable/static API artifact handling. Changes appear in operator and gateway Helm chart values, gateway template rendering, and demo ConfigMaps.

Sequence Diagram(s)

sequenceDiagram
  participant GatewayPod as Gateway Pod
  participant GatewayController as Gateway Controller
  participant APIMAuth as APIM OAuth2
  participant ControlPlane as Control Plane API

  GatewayController->>APIMAuth: Request token (client-credentials or ROPC)
  APIMAuth-->>GatewayController: Access token
  GatewayController->>ControlPlane: Establish control-plane connection (TLS, reconnect/backoff)
  ControlPlane-->>GatewayController: Connection acknowledged
  GatewayController->>ControlPlane: Poll for updates (polling_interval)
  ControlPlane-->>GatewayController: Update events
  GatewayController->>GatewayPod: Push deployments (if deployment_push_enabled)
  GatewayPod-->>GatewayController: Ack
  Note over GatewayPod,GatewayController: If immutable_gateway.enabled -> mount artifacts from artifacts_dir
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Description check (⚠️ Warning): The PR description is incomplete. It provides only a minimal purpose statement but lacks goals, approach, user stories, documentation, testing details, security checks, samples, and test environment information required by the template. Resolution: expand the description to include all template sections: goals explaining what functionality is added, approach details, user stories, documentation links or N/A justification, unit/integration test details, security verification checklist completion, and test environment specifications.

✅ Passed checks (4 passed)
  • Title check (✅ Passed): The title accurately reflects the main change: adding Kubernetes templates for gateway-to-APIM synchronization mode, which is confirmed by the file summaries showing new Helm values and templates for control-plane connectivity.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-config.yaml`:
- Around line 52-55: The ConfigMap template is embedding sensitive values
apim_oauth2_client_secret and apim_oauth2_password directly into
gateway-config.toml; remove those two keys from the ConfigMap and instead read
them from a Kubernetes Secret (e.g., create a Secret with keys
apim_oauth2_client_secret and apim_oauth2_password) and wire them into the
gateway pod via secretKeyRef or by mounting the secret as a file so the gateway
reads them at runtime; keep non-sensitive fields like apim_oauth2_client_id and
apim_oauth2_username in the ConfigMap and update the Deployment/StatefulSet
template to inject the secret values into the process environment or file path
the app expects.

In
`@kubernetes/helm/resources/apim-gateway-api-operator-demo/01-gateway-values-configmap.yaml`:
- Around line 22-23: The values apim_oauth2_username and apim_oauth2_password
currently contain hardcoded credentials; replace their literal "admin" values
with empty placeholders (e.g., "") and update templating to read from a
Kubernetes Secret at deploy time so credentials are injected via Secret
overrides rather than committed in 01-gateway-values-configmap.yaml; ensure any
Helm templates or values consumers (apim_oauth2_username, apim_oauth2_password)
are adjusted to fall back to the Secret or fail-fast if left empty.

📥 Commits

Reviewing files that changed from the base of the PR and between b3399f4 and 88f2d73.

Comment on lines +52 to +55
apim_oauth2_client_id = {{ $gc.controlplane.apim_oauth2_client_id | quote }}
apim_oauth2_client_secret = {{ $gc.controlplane.apim_oauth2_client_secret | quote }}
apim_oauth2_username = {{ $gc.controlplane.apim_oauth2_username | quote }}
apim_oauth2_password = {{ $gc.controlplane.apim_oauth2_password | quote }}

⚠️ Potential issue | 🟠 Major

Move OAuth2 secret material out of ConfigMap data.

Line 53 and Line 55 render secret values directly into config.toml inside a ConfigMap. Please source apim_oauth2_client_secret and apim_oauth2_password from a Kubernetes Secret (or secret-backed env/file) and keep only non-sensitive fields in this ConfigMap.


Comment on lines +22 to +23
apim_oauth2_username: "admin"
apim_oauth2_password: "admin"

⚠️ Potential issue | 🟠 Major

Avoid committed default credentials in demo values.

Line 22 and Line 23 hardcode admin/admin. Use empty placeholders and provide credentials via Secret-based overrides during deployment.

Suggested change
-            apim_oauth2_username: "admin"
-            apim_oauth2_password: "admin"
+            apim_oauth2_username: ""
+            apim_oauth2_password: ""
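Review bot: blanking the two values removes the committed credentials but adds no guard in the consumer: with `apim_oauth2_username: ""` and `apim_oauth2_password: ""` the gateway-config template commented above still renders both with `| quote`, so a deployment that forgets the Secret override starts with empty ROPC credentials and only fails at token-request time. Pair this change with a render-time check (Helm's `required`, or `fail` when the username is set but no Secret reference is given) so the fail-fast behaviour the prompt asks for actually exists in the chart.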

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@kubernetes/helm/operator-helm-chart/values.yaml`:
- Around line 196-202: The values file currently exposes credentials via
apim_oauth2_client_secret and apim_oauth2_password; change these two scalar
fields into SecretRef objects (e.g., apim_oauth2_client_secret: { secretName:
"", key: "" } and apim_oauth2_password: { secretName: "", key: "" }) alongside
the existing apim_oauth2_client_id and apim_oauth2_username, and update the
chart templates that consume apim_oauth2_client_secret and apim_oauth2_password
to use Kubernetes Secret-backed env vars (valueFrom.secretKeyRef or
envFrom.secretRef) instead of rendering the raw values so secrets are sourced
from Secret resources rather than stored inline in values.yaml.

📥 Commits

Reviewing files that changed from the base of the PR and between 88f2d73 and 7747516.

✅ Files skipped from review due to trivial changes (2)
  • kubernetes/helm/resources/apim-apigateway-restapi-operator-demo/01-gateway-values-configmap.yaml
  • kubernetes/helm/gateway-helm-chart/values.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-config.yaml
  • kubernetes/helm/resources/apim-gateway-api-operator-demo/01-gateway-values-configmap.yaml

Comment on lines +196 to +202
# OAuth2 Option 1: Client Credentials flow
apim_oauth2_client_id: ""
apim_oauth2_client_secret: ""

# OAuth2 Option 2: Resource Owner Password Credentials flow
apim_oauth2_username: ""
apim_oauth2_password: ""

⚠️ Potential issue | 🟠 Major

Move APIM OAuth2 secret inputs to Secret references instead of inline values.

Line 198 and Line 202 introduce direct credential value fields (apim_oauth2_client_secret, apim_oauth2_password). Please switch to SecretRef-style inputs (secretName/key) and render them from Secret-backed env vars to avoid storing sensitive values in chart values/config outputs.

Suggested schema direction
             apim_oauth2_client_id: ""
-            apim_oauth2_client_secret: ""
+            apim_oauth2_client_secret: "" # deprecated fallback
+            apim_oauth2_client_secret_from:
+              secretName: ""
+              key: client-secret

             # OAuth2 Option 2: Resource Owner Password Credentials flow
             apim_oauth2_username: ""
-            apim_oauth2_password: ""
+            apim_oauth2_password: "" # deprecated fallback
+            apim_oauth2_password_from:
+              secretName: ""
+              key: password
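Review bot: the new `apim_oauth2_client_secret_from` and `apim_oauth2_password_from` objects have no consumer in this PR; `gateway-config.yaml` still renders `$gc.controlplane.apim_oauth2_client_secret` and `apim_oauth2_password` into the ConfigMap TOML (the lines 52-55 commented above), so a user who populates the `_from` reference will find it silently ignored until that template and the Deployment are changed to read the Secret via `valueFrom.secretKeyRef`. Keeping the scalar as a "deprecated fallback" also leaves precedence undefined when both are set; the template should prefer the Secret reference and `fail` if both are populated, and the values comment should state the deprecation.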

As per coding guidelines, "Provide concise, actionable feedback focused on correctness and best practices... Use neutral, high-level language and validate safety without exposing sensitive context."

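The wiring both reviews ask for, as an added example rather than code from this PR or the wso2 chart: non-sensitive fields stay in the ConfigMap TOML, the two secrets enter the pod only as secretKeyRef env vars, and rendering fails if a flow's client id or username is set without a Secret reference. Assumed: the values path named in the walkthrough, the `_from` objects from the suggested schema, and the resource names, image value path, env var names and mount path (the gateway binary would have to read those env vars for this to work).

```yaml
{{- $cp := .Values.gateway.config.controller.server.controlplane }}
{{- $secretRef := $cp.apim_oauth2_client_secret_from | default (dict) }}
{{- $pwRef := $cp.apim_oauth2_password_from | default (dict) }}
{{- /* Added example (not chart code): fail at render time, not at token-request time, if a flow is selected without its Secret */ -}}
{{- if and $cp.apim_oauth2_client_id (not $secretRef.secretName) }}{{ fail "apim_oauth2_client_secret_from.secretName is required when apim_oauth2_client_id is set" }}{{ end }}
{{- if and $cp.apim_oauth2_username (not $pwRef.secretName) }}{{ fail "apim_oauth2_password_from.secretName is required when apim_oauth2_username is set" }}{{ end }}
---
apiVersion: v1
kind: ConfigMap                      # holds only the non-sensitive control-plane fields
metadata:
  name: gateway-config               # resource name assumed
data:
  config.toml: |
    apim_oauth2_client_id = {{ $cp.apim_oauth2_client_id | quote }}
    apim_oauth2_username = {{ $cp.apim_oauth2_username | quote }}
---
apiVersion: apps/v1
kind: Deployment                     # secret material reaches the pod only via secretKeyRef
metadata:
  name: gateway                      # resource name assumed
spec:
  selector:
    matchLabels:
      app: gateway
  template:
    metadata:
      labels:
        app: gateway
    spec:
      containers:
        - name: gateway
          image: {{ .Values.gateway.image | quote }}   # image value path assumed
          env:
            {{- if $secretRef.secretName }}
            - name: APIM_OAUTH2_CLIENT_SECRET          # env var name assumed
              valueFrom:
                secretKeyRef:
                  name: {{ $secretRef.secretName | quote }}
                  key: {{ $secretRef.key | default "client-secret" | quote }}
            {{- end }}
            {{- if $pwRef.secretName }}
            - name: APIM_OAUTH2_PASSWORD               # env var name assumed
              valueFrom:
                secretKeyRef:
                  name: {{ $pwRef.secretName | quote }}
                  key: {{ $pwRef.key | default "password" | quote }}
            {{- end }}
          volumeMounts:
            - name: config
              mountPath: /etc/gateway                  # mount path assumed
      volumes:
        - name: config
          configMap:
            name: gateway-config
```

With this layout `kubectl get configmap gateway-config -o yaml` never shows credential material, and a values file that sets `apim_oauth2_username` without `apim_oauth2_password_from.secretName` is rejected by `helm template` before anything reaches the cluster.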

apim_oauth2_client_id: ""
apim_oauth2_client_secret: ""
# OAuth2 Option 2: Resource Owner Password Credentials flow
apim_oauth2_username: "admin"
Contributor


Can we remove these default values?

Contributor Author


Fixed

@CrowleyRajapakse CrowleyRajapakse merged commit fa2a9a7 into wso2:main Apr 28, 2026
3 checks passed