feat: add imagePullSecrets.name to reference existing registry secrets

[AqeelMuhammad]

Summary

• Adds optional imagePullSecrets.name field to all chart values.yaml files (control-plane, traffic-manager, gateway, key-manager, all-in-one) and their default_values.yaml counterparts
• When imagePullSecrets.name is set, the chart uses the named pre-existing secret directly instead of creating a new kubernetes.io/dockerconfigjson Secret from credentials
• When imagePullSecrets.name is empty (default), existing credential-based behaviour is preserved — fully backward compatible

Motivation

Customers deploying APIM Helm charts in environments with centrally-managed image pull secrets (e.g. via Sealed Secrets, Vault, or corporate CI/CD pipelines) currently have no way to reference an existing secret by name. They must either supply raw credentials in values.yaml or modify chart source directly.

This change adds the missing name field alongside the existing username/password fields, making both workflows available without breaking any existing deployment.

Note: a related PR (#202) was previously open for main; this PR supersedes it with a complete implementation covering all charts, deployment templates, secret templates, and resource pattern default values files.

Files changed

• distributed/*/values.yaml — added imagePullSecrets.name: ""
• distributed/*/templates/secrets/wso2am-secret-docker-registry.yaml — skip secret creation when name is set
• distributed/*/templates/*/deployment.yaml — reference named secret when name is set
• all-in-one/values.yaml, all-in-one/default_values.yaml, all-in-one/templates/... — same changes
• resources/am-pattern-*/default_*_values.yaml (16 files) — added imagePullSecrets.name: ""

Test plan

• helm lint passes on all 5 charts
• helm template with imagePullSecrets.enabled=true,name=my-secret shows imagePullSecrets: [{name: my-secret}] and no registry auth Secret rendered
• helm template with imagePullSecrets.enabled=true,username=u,password=p still renders the registry auth Secret and references it (backward compat)
• helm template with imagePullSecrets.enabled=false renders no imagePullSecrets field (unchanged)

🤖 Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@AqeelMuhammad, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 39 minutes and 31 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 946106ec-55ff-45b8-a9db-5279ebeb8666

📥 Commits

Reviewing files that changed from the base of the PR and between 96f6a51 and f0b2a0f.

📒 Files selected for processing (21)

• all-in-one/README.md
• all-in-one/default_openshift_values.yaml
• all-in-one/default_values.yaml
• distributed/control-plane/README.md
• distributed/gateway/README.md
• distributed/key-manager/README.md
• distributed/traffic-manager/README.md
• resources/am-pattern-0-all-in-one/default_values.yaml
• resources/am-pattern-1-all-in-one-HA/default_values.yaml
• resources/am-pattern-2-all-in-one_GW/default_gw_values.yaml
• resources/am-pattern-2-all-in-one_GW/default_values.yaml
• resources/am-pattern-3-ACP_TM_GW/default_acp_values.yaml
• resources/am-pattern-3-ACP_TM_GW/default_gw_values.yaml
• resources/am-pattern-3-ACP_TM_GW/default_tm_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_acp_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_gw_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_km_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_tm_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_gw_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_km_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_values.yaml

📝 Walkthrough

Walkthrough

This pull request extends WSO2 API Manager Helm charts to support referencing existing Kubernetes image pull secrets by name. A new imagePullSecrets.name configuration field is added across all chart values files. Deployment templates are updated to use the provided secret name when set, or fall back to the chart-generated default. Docker registry secret creation is now conditional: it only renders when image pull secrets are enabled and no custom secret name is specified. Changes apply consistently to the all-in-one, distributed (control-plane, gateway, key-manager, traffic-manager), and resource pattern Helm charts.

Suggested reviewers

• kavindasr
• RakhithaRR

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description provides clear motivation, files changed, and a concrete test plan, but is incomplete against the template: missing Purpose/Goals sections, related issues links, Release notes, Documentation links, Training, Certification, Marketing, Automation tests, Security checks, Samples, Migrations, and Test environment details.	Complete the PR description using the template: add Purpose section with issue links, Goals section outlining solutions, explicit Release notes, Documentation impact assessment, and fill in remaining template sections (Training, Certification, Marketing, Automation tests, Security checks, Test environment).

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main feature: adding an optional imagePullSecrets.name field to enable referencing existing registry secrets, which aligns with the comprehensive changes across all charts and templates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

resources/am-pattern-4-ACP_TM_GW_KM/default_km_values.yaml (1)

338-338: ⚡ Quick win

Add documentation comment for the new imagePullSecrets.name field across all values files.

The new name field is added consistently across all five values files but lacks an explanatory comment. Users need to understand that this field references an existing pre-created Kubernetes image pull secret by name, and that setting it will skip creation of a new secret from the username and password fields. Adding a brief comment will clarify the field's purpose and usage.

💬 Proposed fix: add documentation comment

In each of the five files, update the imagePullSecrets block as follows:

imagePullSecrets:
  enabled: false
+ # -- Name of the existing Kubernetes image pull secret to reference.
+ # If set, the chart will use this secret instead of creating one from username/password.
  name: ""
  username: ""
  password: ""

This change should be applied identically in:

• resources/am-pattern-4-ACP_TM_GW_KM/default_km_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_tm_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_gw_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_km_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_values.yaml

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@resources/am-pattern-4-ACP_TM_GW_KM/default_km_values.yaml` at line 338, Add
a brief documentation comment above the imagePullSecrets.name field in the
imagePullSecrets block to explain that "name" should reference an existing
pre-created Kubernetes image pull secret and that setting it causes the chart to
use that secret instead of creating one from
imagePullSecrets.username/imagePullSecrets.password; update the imagePullSecrets
block (the imagePullSecrets.name field) identically across all values files
where it was added so users see the same explanatory note.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@resources/am-pattern-1-all-in-one-HA/default_values.yaml`:
- Line 713: Add an inline YAML comment immediately above the
imagePullSecrets.name field explaining that imagePullSecrets.name references the
name of an existing image pull secret in the target namespace and, if set, the
chart will not create a new secret from username/password credentials (the chart
will use the provided secret instead); apply this same comment to the
imagePullSecrets.name entry in all values files where the field was added so
users understand its purpose and behavior.

---

Nitpick comments:
In `@resources/am-pattern-4-ACP_TM_GW_KM/default_km_values.yaml`:
- Line 338: Add a brief documentation comment above the imagePullSecrets.name
field in the imagePullSecrets block to explain that "name" should reference an
existing pre-created Kubernetes image pull secret and that setting it causes the
chart to use that secret instead of creating one from
imagePullSecrets.username/imagePullSecrets.password; update the imagePullSecrets
block (the imagePullSecrets.name field) identically across all values files
where it was added so users see the same explanatory note.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5bf2d31-4c36-4381-864e-1444e4663580

📥 Commits

Reviewing files that changed from the base of the PR and between d4b89db and 96f6a51.

📒 Files selected for processing (34)

• all-in-one/default_openshift_values.yaml
• all-in-one/default_values.yaml
• all-in-one/templates/am/instance-1/wso2am-deployment.yaml
• all-in-one/templates/am/instance-2/wso2am-deployment.yaml
• all-in-one/templates/secrets/wso2am-secret-docker-registry.yaml
• all-in-one/values.yaml
• distributed/control-plane/templates/control-plane/instance-1/wso2am-cp-deployment.yaml
• distributed/control-plane/templates/control-plane/instance-2/wso2am-cp-deployment.yaml
• distributed/control-plane/templates/secrets/wso2am-secret-docker-registry.yaml
• distributed/control-plane/values.yaml
• distributed/gateway/templates/gateway/wso2am-gateway-deployment.yaml
• distributed/gateway/templates/secrets/wso2am-secret-docker-registry.yaml
• distributed/gateway/values.yaml
• distributed/key-manager/templates/key-manager/wso2am-km-deployment.yaml
• distributed/key-manager/templates/secrets/wso2am-secret-docker-registry.yaml
• distributed/key-manager/values.yaml
• distributed/traffic-manager/templates/secrets/wso2am-secret-docker-registry.yaml
• distributed/traffic-manager/templates/traffic-manager/instance-1/wso2am-tm-deployment.yaml
• distributed/traffic-manager/templates/traffic-manager/instance-2/wso2am-tm-deployment.yaml
• distributed/traffic-manager/values.yaml
• resources/am-pattern-0-all-in-one/default_values.yaml
• resources/am-pattern-1-all-in-one-HA/default_values.yaml
• resources/am-pattern-2-all-in-one_GW/default_gw_values.yaml
• resources/am-pattern-2-all-in-one_GW/default_values.yaml
• resources/am-pattern-3-ACP_TM_GW/default_acp_values.yaml
• resources/am-pattern-3-ACP_TM_GW/default_gw_values.yaml
• resources/am-pattern-3-ACP_TM_GW/default_tm_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_acp_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_gw_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_km_values.yaml
• resources/am-pattern-4-ACP_TM_GW_KM/default_tm_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_gw_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_km_values.yaml
• resources/am-pattern-5-all-in-one_GW_KM/default_values.yaml