Conversation

@Tharsanan1 Tharsanan1 commented Jan 5, 2026

Purpose

Fixes: #627

Summary by CodeRabbit

  • New Features

    • Gateways now support authentication via Kubernetes Secrets using a new authSecretRef field
    • User credentials stored in a Secret under users.yaml enable basic authentication for gateways
    • Secret-based authentication is preferred; if absent or invalid, the operator falls back to ConfigMap-based auth
  • Tests

    • Added tests for Secret-based auth retrieval and fallback behavior

coderabbitai bot commented Jan 5, 2026

Walkthrough

Adds optional authSecretRef to Gateway CRD and operator logic to load Basic Auth users from a referenced Kubernetes Secret (users.yaml), preferring the Secret over the existing ConfigMap-based auth; includes API, CRD, controller, helper, tests, and CI workflow updates.

Changes

API & DeepCopy
  • Files: kubernetes/gateway-operator/api/v1alpha1/gateway_types.go, kubernetes/gateway-operator/api/v1alpha1/zz_generated.deepcopy.go
  • Summary: Adds AuthSecretRef *corev1.LocalObjectReference to GatewaySpec with JSON tag authSecretRef,omitempty; generates nil-safe deepcopy handling for the new field.
CRD Manifests
  • Files: kubernetes/gateway-operator/config/crd/bases/gateway.api-platform.wso2.com_gateways.yaml, kubernetes/helm/operator-helm-chart/crds/gateway.api-platform.wso2.com_gateways.yaml
  • Summary: Extends Gateway CRD schema with authSecretRef (atomic object with name string) and description indicating precedence over configRef.
Auth Helper & Tests
  • Files: kubernetes/gateway-operator/internal/auth/auth_helper.go, kubernetes/gateway-operator/internal/auth/auth_helper_test.go
  • Summary: New GetAuthConfigFromSecret(ctx, k8sClient, gateway) reads referenced Secret, parses users.yaml into AuthSettings (enables basic auth); unit test using fake client validates parsing and users extraction.
Controller Integration
  • Files: kubernetes/gateway-operator/internal/controller/restapi_controller.go
  • Summary: addAuthToRequest now attempts Secret-based auth first (via GetAuthConfigFromSecret), falling back to GetDeploymentConfigFromGateway (ConfigMap) only if Secret is absent/invalid.
Integration Test Workflow
  • Files: .github/workflows/operator-integration-test.yml
  • Summary: CI workflow creates test-gateway-auth Secret(s) containing users.yaml and updates Gateway resources to reference it via authSecretRef for integration tests.

Sequence Diagram

sequenceDiagram
    participant Client as Client (HTTP)
    participant Controller as REST API Controller
    participant Auth as Auth Helper
    participant Secret as Kubernetes Secret
    participant ConfigMap as ConfigMap (Fallback)

    Client->>Controller: Incoming request
    activate Controller
    Controller->>Auth: addAuthToRequest(gateway)
    activate Auth

    rect rgb(220,240,220)
    Note over Auth,Secret: Step 1 — Try Secret-based auth
    Auth->>Secret: Fetch Secret referenced by authSecretRef
    alt Secret found & `users.yaml` valid
        Secret-->>Auth: users.yaml -> AuthSettings (Basic enabled)
    else Secret missing/invalid
        Secret-->>Auth: error / no users
    end
    end

    alt No valid AuthSettings from Secret
        rect rgb(255,245,220)
        Note over Auth,ConfigMap: Step 2 — Fallback to ConfigMap
        Auth->>ConfigMap: GetDeploymentConfigFromGateway(configRef)
        ConfigMap-->>Auth: AuthSettings (if present)
        end
    end

    Auth->>Controller: Authorization header / AuthSettings
    deactivate Auth
    Controller->>Client: Forwarded request with auth
    deactivate Controller

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I nibble through secrets snug and tight,
I bring safe users into the light.
Gateways now check the vault first, then roam,
Falling back softly if none are at home.
A hop, a guard, authentication done.

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%. Resolution: You can run @coderabbitai generate docstrings to improve docstring coverage.
  • Description check: ⚠️ Warning. The PR description is minimal and lacks required sections. Only Purpose and a CodeRabbit summary are provided; Goals, Approach, User stories, Documentation, Automation tests, Security checks, Samples, Related PRs, and Test environment sections are missing or incomplete. Resolution: Add comprehensive sections covering Goals, Approach with technical details, User stories, Documentation impact, Automation test coverage, Security checks, Samples, Related PRs, and Test environment details to meet the repository's PR description template requirements.
✅ Passed checks (3 passed)
  • Title check: ✅ Passed. The pull request title directly summarizes the main change: adding support for loading basic auth credentials from Kubernetes Secrets, which is the primary objective of the changeset.
  • Linked Issues check: ✅ Passed. The code changes fully implement all requirements from issue #627: adding authSecretRef field to Gateway CRD, reading users.yaml from Secret, establishing Secret precedence over ConfigMap, and integrating Secret-based auth throughout the controller logic.
  • Out of Scope Changes check: ✅ Passed. All code changes are directly aligned with issue #627 objectives. CRD updates, auth helper functions, controller modifications, workflow file updates, and generated code changes all serve the core goal of Secret-based auth configuration.
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
kubernetes/gateway-operator/internal/auth/auth_helper_test.go (1)

80-129: LGTM! Test correctly validates Secret-based auth retrieval.

The test properly sets up the scheme, creates a Secret with users.yaml, and validates that GetAuthConfigFromSecret returns the expected authentication settings.

Optional: Consider adding error-case tests

While the happy path is well-covered, consider adding tests for error scenarios to improve coverage:

  • Missing Secret (AuthSecretRef points to non-existent Secret)
  • Missing users.yaml key in Secret
  • Invalid YAML in users.yaml

These would verify the error handling paths in GetAuthConfigFromSecret.

kubernetes/gateway-operator/internal/auth/auth_helper.go (1)

132-134: Clarify or remove the misleading stringData comment.

The comment mentions "Fallback to stringData if not in Data (though client normally consolidates them)" but doesn't implement a fallback. This comment is misleading because when reading Secrets via controller-runtime or client-go, the Data field always contains the consolidated values—stringData is only used for input during Secret creation/updates and is never returned by the API.

🔎 Proposed fix to remove the misleading comment
 	// Look for users.yaml key
 	usersYAML, ok := secret.Data["users.yaml"]
 	if !ok {
-		// Fallback to stringData if not in Data (though client normally consolidates them)
-		// But in controller-runtime Struct Data contains byte slices
 		return nil, fmt.Errorf("secret %s/%s does not contain 'users.yaml' key", gateway.Namespace, gateway.Spec.AuthSecretRef.Name)
 	}
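Review bot: the `if !ok` guard on `usersYAML, ok := secret.Data["users.yaml"]` only catches an absent key; a key that is present with an empty value passes it and goes on to YAML parsing. Consider `if !ok || len(usersYAML) == 0 {` so an empty users.yaml is reported with the same "does not contain 'users.yaml' key" error and the controller takes its ConfigMap fallback, which also gives the error-case tests suggested above a third concrete input to cover.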
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between a5dbad4 and 57dd163.

⛔ Files ignored due to path filters (2)
  • go.work is excluded by !**/*.work
  • go.work.sum is excluded by !**/*.sum
📒 Files selected for processing (7)
  • .github/workflows/operator-integration-test.yml
  • kubernetes/gateway-operator/api/v1alpha1/gateway_types.go
  • kubernetes/gateway-operator/api/v1alpha1/zz_generated.deepcopy.go
  • kubernetes/gateway-operator/config/crd/bases/gateway.api-platform.wso2.com_gateways.yaml
  • kubernetes/gateway-operator/internal/auth/auth_helper.go
  • kubernetes/gateway-operator/internal/auth/auth_helper_test.go
  • kubernetes/gateway-operator/internal/controller/restapi_controller.go
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-12-19T06:57:38.504Z
Learnt from: tharindu1st
Repo: wso2/api-platform PR: 514
File: gateway/gateway-controller/config/config.yaml:0-0
Timestamp: 2025-12-19T06:57:38.504Z
Learning: In gateway/gateway-controller/config/config.yaml, the default admin user with plaintext password "admin" is intentionally provided for testing purposes only and must be changed to secure hashed passwords for production deployments.

Applied to files:

  • .github/workflows/operator-integration-test.yml
🧬 Code graph analysis (3)
kubernetes/gateway-operator/internal/auth/auth_helper_test.go (3)
kubernetes/gateway-operator/api/v1alpha1/groupversion_info.go (1)
  • AddToScheme (35-35)
kubernetes/gateway-operator/api/v1alpha1/gateway_types.go (2)
  • Gateway (266-272)
  • GatewaySpec (101-134)
kubernetes/gateway-operator/internal/auth/auth_helper.go (1)
  • GetAuthConfigFromSecret (114-153)
kubernetes/gateway-operator/internal/auth/auth_helper.go (1)
kubernetes/gateway-operator/api/v1alpha1/gateway_types.go (1)
  • Gateway (266-272)
kubernetes/gateway-operator/internal/controller/restapi_controller.go (1)
kubernetes/gateway-operator/internal/auth/auth_helper.go (3)
  • AuthSettings (54-57)
  • GetAuthConfigFromSecret (114-153)
  • GetDeploymentConfigFromGateway (80-109)
🔇 Additional comments (7)
kubernetes/gateway-operator/api/v1alpha1/zz_generated.deepcopy.go (1)

250-254: LGTM! Auto-generated deepcopy follows the correct pattern.

The nil-safe deepcopy for AuthSecretRef correctly mirrors the existing ConfigRef pattern and is properly generated by controller-gen.

.github/workflows/operator-integration-test.yml (2)

836-850: LGTM! Secret-based authentication properly configured for integration tests.

The Secret structure correctly provides users.yaml with admin credentials, and the Gateway CR properly references it via authSecretRef.

Based on learnings, the plaintext admin credentials are intentionally used for testing purposes.

Also applies to: 865-866


1266-1280: LGTM! Scoped-test namespace correctly includes Secret-based auth.

The Secret and Gateway configuration for the scoped-test namespace mirrors the default namespace setup, ensuring consistent test coverage.

Also applies to: 1294-1295

kubernetes/gateway-operator/api/v1alpha1/gateway_types.go (1)

128-133: LGTM! AuthSecretRef field properly defined.

The new optional field is correctly typed, documented, and follows the existing ConfigRef pattern. The documentation clearly states the precedence behavior.

kubernetes/gateway-operator/internal/controller/restapi_controller.go (1)

877-897: LGTM! Secret-first fallback logic correctly implements precedence.

The authentication retrieval properly implements the two-tier fallback:

  1. Attempts GetAuthConfigFromSecret (Secret-based via AuthSecretRef)
  2. Falls back to GetDeploymentConfigFromGateway (ConfigMap-based via ConfigRef) if Secret is absent or fails
  3. Uses default credentials if both fail

The error handling appropriately logs warnings while continuing to fallback options, ensuring the gateway remains operational even with configuration issues.

kubernetes/gateway-operator/internal/auth/auth_helper.go (1)

111-153: LGTM!

The implementation correctly retrieves and parses authentication configuration from the referenced Secret. The function appropriately:

  • Returns nil when no AuthSecretRef is specified
  • Fetches the Secret with proper error handling
  • Validates the presence of the required users.yaml key
  • Parses the YAML into the expected user structure
  • Constructs AuthSettings with Basic authentication enabled
kubernetes/gateway-operator/config/crd/bases/gateway.api-platform.wso2.com_gateways.yaml (1)

106-122: LGTM!

The authSecretRef field definition follows Kubernetes conventions for referencing Secrets. The schema correctly:

  • Makes the field optional to maintain backward compatibility
  • Documents the expected users.yaml key and precedence over ConfigRef
  • Uses the standard LocalObjectReference structure
  • Applies the x-kubernetes-map-type: atomic marker appropriately

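As an added example (not the operator's own code), the Secret-first, ConfigMap-fallback retrieval this review describes, with the error paths the nitpick lists (missing Secret, missing users.yaml key, invalid content) and the present-but-empty key all returning errors so the caller falls back. AuthSettings, SecretGetter, ResolveAuth and the flat "username: password" layout of users.yaml are assumptions, since the operator's real struct, client and file schema are not shown on the page.

```go
package main
import (
	"errors"
	"fmt"
	"strings"
)

// AuthSettings and SecretGetter are assumed stand-ins for the operator's struct and its Kubernetes client.
type AuthSettings struct {
	BasicEnabled bool
	Users        map[string]string // username -> password; hashed in production, plaintext only in tests
}
type SecretGetter func(ns, name string) (map[string][]byte, bool) // returns the Secret's Data and whether it exists
// AuthFromSecret mirrors GetAuthConfigFromSecret; ref is the Gateway's authSecretRef name ("" when unset). users.yaml is assumed to be a flat "username: password" mapping, parsed line by line to avoid a YAML dependency.
func AuthFromSecret(ns, ref string, get SecretGetter) (*AuthSettings, error) {
	if ref == "" {
		return nil, nil // no authSecretRef on the Gateway: nothing to load, caller falls back
	}
	data, found := get(ns, ref)
	if !found {
		return nil, fmt.Errorf("secret %s/%s not found", ns, ref)
	}
	raw, ok := data["users.yaml"]
	if !ok || len(raw) == 0 { // a present-but-empty key takes the same path as a missing one
		return nil, fmt.Errorf("secret %s/%s does not contain 'users.yaml' key", ns, ref)
	}
	users := map[string]string{}
	for n, line := range strings.Split(string(raw), "\n") {
		if line = strings.TrimSpace(line); line == "" || line[0] == '#' {
			continue
		}
		k, v, ok := strings.Cut(line, ":")
		if k, v = strings.TrimSpace(k), strings.Trim(strings.TrimSpace(v), `"'`); !ok || k == "" || v == "" {
			return nil, fmt.Errorf("users.yaml line %d: expected 'username: password'", n+1)
		}
		users[k] = v
	}
	if len(users) == 0 { // comments only: refuse rather than enable Basic auth with no users
		return nil, errors.New("users.yaml defines no users")
	}
	return &AuthSettings{BasicEnabled: true, Users: users}, nil
}
// ResolveAuth is the controller's precedence: Secret, then the caller's ConfigMap settings, then nil (default credentials).
func ResolveAuth(ns, ref string, get SecretGetter, fromConfigMap func() *AuthSettings) *AuthSettings {
	if s, err := AuthFromSecret(ns, ref, get); err == nil && s != nil {
		return s
	}
	return fromConfigMap()
}
```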
Successfully merging this pull request may close these issues:
Support loading Basic Auth credentials from Kubernetes Secrets