
feat(gateway-helm-chart): add wso2.subscription.imagePullSecret #2017

Merged: renuka-fernando merged 2 commits into wso2:main from renuka-fernando:fix-2016-helm-subscription on May 26, 2026

Conversation

@renuka-fernando (Contributor)

Purpose

The gateway helm chart has no shorthand for switching from the public GHCR images to the WSO2 private registry. Users with a WSO2 Subscription must override every component's image.repository and wire a docker-registry Secret name into both per-component imagePullSecrets slots — three coordinated edits scattered across values.yaml.

Fixes #2016

Goals

Add a single field, wso2.subscription.imagePullSecret, that activates WSO2 subscription mode end-to-end when set: pulls authenticate against registry.wso2.com and default images are sourced from the WSO2 private registry.

Approach

  • Add wso2.subscription.imagePullSecret to values.yaml (empty by default).
  • Add two helpers in _helpers.tpl:
    • gateway-operator.componentImage — rewrites repositories matching the upstream prefix ghcr.io/wso2/api-platform/ to registry.wso2.com/wso2-api-platform/ when subscription is on. Explicit overrides (e.g. myco.internal/custom-runtime) pass through untouched.
    • gateway-operator.componentImagePullSecretsBlock — renders the imagePullSecrets: YAML block, merging the subscription secret + global .Values.imagePullSecrets + per-component imagePullSecrets, additively.
  • Both controller/deployment.yaml and gateway-runtime/deployment.yaml call the helpers for the image: line and the pull-secrets block.
  • Credentials are intentionally not accepted in values — users create the docker-registry Secret out-of-band (one kubectl create secret docker-registry command, or sealed-secrets / external-secrets for GitOps). This keeps subscription credentials out of Helm release state.
  • Default behavior (subscription empty) is unchanged: chart renders identically and pulls from ghcr.io/wso2/api-platform/* with no imagePullSecrets block.

User stories

As a WSO2 Subscription customer deploying the gateway helm chart, I want a single field that switches images and authenticates pulls against the WSO2 private registry, so I don't have to override every image.repository and wire imagePullSecrets in multiple places.

Documentation

N/A — values.yaml carries inline usage docs for the new field, including the kubectl create secret docker-registry command. No external doc impact.

Automation tests

  • Unit tests

    N/A — chart change; no unit-testable code paths.

  • Integration tests

    Verified locally on a Colima k8s cluster:

    • helm lint + helm template + kubectl apply --dry-run=client clean.
    • Default install (subscription empty): helm install → both pods Running, images at ghcr.io/wso2/api-platform/*, no imagePullSecrets. POST /rest-apis → 201; GET https://localhost:8443/hello-helm/ → HTTP/2 200 with sample-service echo body.
    • Subscription install (--set wso2.subscription.imagePullSecret=wso2-fake-creds): both pod specs show images rewritten to registry.wso2.com/wso2-api-platform/* and imagePullSecrets: [{"name":"wso2-fake-creds"}]. kubelet attempted the pull against https://registry.wso2.com/v2/... and got 401 Unauthorized (expected — fake creds). The 401 proves the secret was used for authentication; an anonymous pull would error differently.
    • Render matrix: defaults, subscription on, subscription + explicit repo override (override wins), subscription + per-component pull secret (additive), subscription + global pull secret (additive) — all render correctly via helm template --set.

Security checks

Samples

N/A — usage example is inline in values.yaml (the kubectl create secret docker-registry command for creating the referenced Secret).

Related PRs

N/A

Test environment

  • helm v3.18.3
  • kubectl v1.32.3 / Colima k8s (1 node)
  • cert-manager installed on the cluster (chart renders Certificate + Issuer)

Adds a one-knob shorthand for switching the gateway helm chart from the
public GHCR images to the WSO2 private registry. Setting
`wso2.subscription.imagePullSecret` to the name of a docker-registry
Secret causes the chart to:

  1. Inject that secret into every component's imagePullSecrets,
     additively with the existing global and per-component lists.
  2. Rewrite each component's image.repository whose value still starts
     with `ghcr.io/wso2/api-platform/` to
     `registry.wso2.com/wso2-api-platform/`. Explicit overrides pass
     through untouched.

Credentials are intentionally not accepted in values.yaml — users create
the docker-registry Secret out-of-band, keeping subscription credentials
out of Helm release state.

Default behavior is unchanged when the field is empty.

Fixes wso2#2016
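The two helpers described in the Approach section and the first commit message, as an added illustrative `_helpers.tpl` fragment with a deployment call site; this is not the chart's own code, it applies the exact-default gate the review asked for, and the `component`/`defaultRepository` context keys, the `.Values.gatewayRuntime` values path, the default repository string and the `uniq` de-duplication are assumptions of this example.

```yaml
{{/*
Added example, not the chart's own helpers. Context is a dict:
  root              - top-level template context ($)
  component         - the component's values map (image.repository, image.tag, imagePullSecrets)
  defaultRepository - this component's canonical default repository (caller-supplied, assumed)
Rewrite only when the subscription secret is set AND the repository still equals the
chart default, so any explicit override passes through verbatim.
*/}}
{{- define "gateway-operator.componentImage" -}}
{{- $sub := .root.Values.wso2.subscription.imagePullSecret | default "" -}}
{{- $repo := .component.image.repository -}}
{{- $defaultPrefix := "ghcr.io/wso2/api-platform/" -}}
{{- $subPrefix := "registry.wso2.com/wso2-api-platform/" -}}
{{- if and (ne $sub "") (eq $repo .defaultRepository) (hasPrefix $defaultPrefix $repo) -}}
{{- $repo = printf "%s%s" $subPrefix (trimPrefix $defaultPrefix $repo) -}}
{{- end -}}
{{- printf "%s:%s" $repo (.component.image.tag | default .root.Chart.AppVersion | toString) -}}
{{- end -}}

{{/*
Unindented imagePullSecrets: block merging, in order, the subscription secret, the
chart-global .Values.imagePullSecrets and the component's own imagePullSecrets.
Emits nothing when no secret applies; uniq is an extra guard added in this example.
*/}}
{{- define "gateway-operator.componentImagePullSecretsBlock" -}}
{{- $sub := .root.Values.wso2.subscription.imagePullSecret | default "" -}}
{{- $names := list -}}
{{- if ne $sub "" -}}{{- $names = append $names $sub -}}{{- end -}}
{{- range .root.Values.imagePullSecrets -}}{{- $names = append $names .name -}}{{- end -}}
{{- range .component.imagePullSecrets -}}{{- $names = append $names .name -}}{{- end -}}
{{- $names = uniq $names -}}
{{- if $names -}}
imagePullSecrets:
{{- range $names }}
  - name: {{ . | quote }}
{{- end }}
{{- end -}}
{{- end -}}

{{/* Call site in a deployment template; .Values.gatewayRuntime and the default
     repository string are assumed for this example. */}}
spec:
  template:
    spec:
      {{- with include "gateway-operator.componentImagePullSecretsBlock" (dict "root" $ "component" .Values.gatewayRuntime) }}
      {{- . | nindent 6 }}
      {{- end }}
      containers:
        - name: gateway-runtime
          image: {{ include "gateway-operator.componentImage" (dict "root" $ "component" .Values.gatewayRuntime "defaultRepository" "ghcr.io/wso2/api-platform/gateway-runtime") }}
```

The referenced Secret is created out of band, e.g. `kubectl create secret docker-registry <name> --docker-server=registry.wso2.com --docker-username=... --docker-password=...`, so no credential enters values.yaml or Helm release state.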
@coderabbitai (Contributor)

coderabbitai Bot commented May 25, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between af767b3 and 290dc91.

📒 Files selected for processing (3)
  • kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
  • kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
  • kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml

📝 Walkthrough

This pull request adds a single values field, wso2.subscription.imagePullSecret, to the gateway Helm chart to enable optional WSO2 subscription image-pull behavior and to merge a subscription imagePullSecret into component imagePullSecrets.

Key changes:

  • New Helm helpers (templates/_helpers.tpl)
    • gateway-operator.componentImage — formats image repository:tag and, only when wso2.subscription.imagePullSecret is set and the component repository exactly matches the chart’s canonical default, rewrites the repository from ghcr.io/wso2/api-platform/* to registry.wso2.com/wso2-api-platform/*. Explicit user overrides are preserved unchanged.
    • gateway-operator.componentImagePullSecretsBlock — emits an unindented imagePullSecrets: YAML block that merges the optional subscription secret with chart-global and per-component imagePullSecrets; emits nothing if no secrets apply.
  • Updated templates
    • controller/deployment.yaml — uses the new helpers for the controller image and imagePullSecrets rendering.
    • gateway-runtime/deployment.yaml — uses the new helpers for the runtime image and imagePullSecrets rendering.
  • values.yaml
    • Adds wso2.subscription.imagePullSecret (string, default empty) to reference a docker-registry Secret in the release namespace.

Behavior:

  • When wso2.subscription.imagePullSecret is set to a secret name, default chart component image repositories are rewritten to the private WSO2 registry and the named secret is injected additively into each component’s imagePullSecrets.
  • When the field is empty, default behavior is unchanged (images stay at ghcr.io and no subscription imagePullSecrets are added).
  • Credentials are not accepted in values.yaml; users must create the docker-registry Secret externally.

Additional note:

  • Rewrite logic was tightened to only remap repositories that exactly equal the chart default, preventing accidental remapping of explicit overrides (including SHA-pinned or custom registries).

Walkthrough

This pull request implements a single wso2.subscription.imagePullSecret configuration value for the gateway Helm chart to simplify WSO2 subscription deployments. When configured, this value automatically injects the named docker-registry Secret into all component imagePullSecrets and rewrites component image repositories from the default ghcr.io/wso2/api-platform/ prefix to registry.wso2.com/wso2-api-platform/. Custom repository overrides are preserved. Two new Helm helpers encapsulate this logic, and both gateway controller and runtime Deployment templates refactor to use these helpers instead of inlining secret concatenation and image formatting.

Pre-merge checks: 5 passed

  • Title check (Passed): The title accurately summarizes the primary change: adding the wso2.subscription.imagePullSecret field to the gateway Helm chart.
  • Description check (Passed): The description comprehensively covers all template sections with clear purpose, goals, approach, user stories, documentation, testing, security checks, and test environment details.
  • Linked Issues check (Passed): The PR implementation fully addresses issue #2016 requirements: the wso2.subscription.imagePullSecret field injects secrets additively via componentImagePullSecretsBlock, rewrites default repositories via componentImage while preserving explicit overrides, and keeps credentials external.
  • Out of Scope Changes check (Passed): All changes are scoped to gateway Helm chart templates and values to implement wso2.subscription.imagePullSecret functionality; no unrelated modifications are present.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl`, around lines 71-83: The current rewrite triggers for any repository that has the GHCR default prefix; change it to only rewrite when the repo exactly matches the chart's component default. In the define "gateway-operator.componentImage", compute a $componentDefault (e.g. set $componentDefault to printf "%s%s" $defaultPrefix (trimPrefix $defaultPrefix $repo)) and replace the condition (hasPrefix $defaultPrefix $repo) with an equality check (eq $repo $componentDefault) while keeping the subscription check (ne $sub "") so explicit user overrides with the same prefix are no longer rewritten.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between ef223a9 and af767b3.

📒 Files selected for processing (4)
  • kubernetes/helm/gateway-helm-chart/templates/_helpers.tpl
  • kubernetes/helm/gateway-helm-chart/templates/gateway/controller/deployment.yaml
  • kubernetes/helm/gateway-helm-chart/templates/gateway/gateway-runtime/deployment.yaml
  • kubernetes/helm/gateway-helm-chart/values.yaml

Previously the subscription rewrite triggered for any repository value
starting with `ghcr.io/wso2/api-platform/`, which silently re-mapped
explicit overrides such as SHA-pinned or canary references that happen
to keep the WSO2 namespace prefix (e.g. `gateway-controller-canary`).

Tighten the gate from a prefix check to an exact-default match by
passing each component's canonical default repository through a new
`defaultRepository` parameter on the `componentImage` helper. Rewriting
now happens only when the user has not overridden `image.repository`;
any explicit value — including ones still under the WSO2 GHCR namespace
— passes through verbatim.

Addresses CodeRabbit review feedback on wso2#2017.
@renuka-fernando renuka-fernando merged commit ee1f68b into wso2:main May 26, 2026
3 checks passed

Development

Successfully merging this pull request may close these issues.

Add wso2.subscription.imagePullSecret to gateway helm chart
