fix: use random secrets instead of default values for thunder secrets #624
mevan-karu wants to merge 1 commit into
📝 Walkthrough
Docs remove hardcoded passwords and show retrieving generated credentials from the
Changes: Dynamic Credentials and Installation Pattern Updates
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed (1 warning)
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
docs/ai/mcp-servers.mdx (1)
Line 177: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win. Fix step numbering and cross-reference text.
After adding secret retrieval as Step 1, this section should be renumbered to keep instructions consistent:
- Line 177 should be Step 3 (not Step 2).
- Line 308 should point to the token request step (currently Step 2), not Step 1.
Also applies to: 307-309
docs/getting-started/try-it-out/on-k3d-locally.mdx (1)
Lines 690-693: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win. Broken reference to removed password field.
Line 693 references `defaultCredentials.password`, but this field was removed from the `defaultCredentials` export in `docs/_constants.mdx`. This will cause a runtime error when rendering the page.
The login section should be updated to match the pattern used in `quick-start-guide.mdx` (lines 136-144) and `on-your-environment.mdx` (lines 647-656), which show the password retrieval command instead of referencing the removed constant.
🔧 Proposed fix
-| Username | Password | -| ------------------------------------------ | ------------------------------------------ | -| <code>{defaultCredentials.username}</code> | <code>{defaultCredentials.password}</code> | +| Username | Password | +| -------- | -------- | +| <code>{defaultCredentials.username}</code> | Randomly generated. See retrieval command below. | + +Retrieve your admin password: + +```bash +kubectl get secret openchoreo-initial-credentials -n thunder \ + -o jsonpath='{.data.admin-password}' | base64 -d +```🤖 Prompt for AI Agents
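Review bot: the jsonpath key in this suggested fix, `{.data.admin-password}`, does not match the key `{.data.thunder-console-admin-password}` used in the quick-start-guide.mdx snippet quoted later in this review. With a key that does not exist in the Secret, `kubectl -o jsonpath` prints nothing, so `base64 -d` yields an empty password rather than an error and the reader gets no signal that the command is wrong. Confirm the actual data key of the `openchoreo-initial-credentials` Secret and use the same key and the same decode command (`base64 -d` here, `openssl base64 -d -A` there) in every guide.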
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/platform-engineer-guide/identity-configuration.mdx`:
- Around line 48-51: Update the warning block to remove the hard-coded
`admin`/`admin` example and state that Thunder deploys with randomized
credentials; instruct operators to retrieve the current credentials from the
Thunder Kubernetes Secret (referencing the cluster secret for Thunder) and
rotate them for production, and replace any literal credentials in the text with
a placeholder like <THUNDER_ADMIN_CREDENTIALS> and a short note on how to fetch
them (e.g., kubectl get secret ... -o jsonpath) and configure a production
identity provider for the Thunder admin portal.
---
Outside diff comments:
In `@docs/ai/mcp-servers.mdx`:
- Line 177: Update the step numbering and cross-references in the docs: change
the heading text "**Step 2: Configure Your AI Agent**" to "**Step 3: Configure
Your AI Agent**" to reflect the new secret retrieval step, and update the
cross-reference that currently points to "Step 1" (the token request
link/mention) so it points to "Step 2" (the token request step) — search for the
token request reference around the paragraph that mentions the configure step
and adjust the referenced step numbers accordingly.
In `@docs/getting-started/try-it-out/on-k3d-locally.mdx`:
- Around line 690-693: The page references a removed field
defaultCredentials.password which will throw at render time; update the login
table to keep defaultCredentials.username for the Username cell but replace the
Password cell with the runtime retrieval command shown in other guides (use the
kubectl get secret openchoreo-initial-credentials -n thunder ... | base64 -d
pattern) instead of defaultCredentials.password so the doc matches
quick-start-guide.mdx and on-your-environment.mdx; ensure the Username cell
still uses <code>{defaultCredentials.username}</code> and the Password cell
shows the retrieval command in a code block (no reference to
defaultCredentials.password).
📒 Files selected for processing (6)
- docs/_constants.mdx
- docs/ai/mcp-servers.mdx
- docs/getting-started/quick-start-guide.mdx
- docs/getting-started/try-it-out/on-k3d-locally.mdx
- docs/getting-started/try-it-out/on-your-environment.mdx
- docs/platform-engineer-guide/identity-configuration.mdx
4f87302 to 9513e84
Actionable comments posted: 1
🧹 Nitpick comments (4)
docs/getting-started/try-it-out/on-your-environment.mdx (2)
Lines 650-659: 💤 Low value. Consider adding a security tip about credential management.
The password retrieval instructions clearly state the password is randomly generated, but consider adding a reminder to change the password or delete the `openchoreo-initial-credentials` secret after initial login, similar to quick-start-guide.mdx lines 142-144.
Lines 352-354: 💤 Low value. Consider adding a security tip about credential rotation.
The password retrieval command is correct, but consider adding a note to change the password after initial login for production-oriented environments, similar to the guidance in quick-start-guide.mdx.
docs/platform-engineer-guide/identity-configuration.mdx (1)
Lines 45-51: 💤 Low value. Consider explicitly stating that credentials are randomly generated.
The password retrieval instructions are correct, but the note at lines 53-55 doesn't explicitly mention that Thunder admin credentials are now randomly generated during installation (unlike the old hardcoded `admin`/`admin`). Adding this detail would make the security improvement clearer to readers.
Suggested clarification
:::note
-The default Thunder deployment is intended for development and testing. For production deployments, configure your own OAuth2/OIDC-compliant identity provider as described in the next section.
+Thunder admin credentials are randomly generated during installation. The default Thunder deployment is intended for development and testing. For production deployments, configure your own OAuth2/OIDC-compliant identity provider as described in the next section.
:::
docs/getting-started/quick-start-guide.mdx (1)
Lines 314-322: 💤 Low value. Consider adding a security tip about credential management.
The password retrieval instructions are clear, but unlike the quick-start guide, this file doesn't remind users to change the password or delete the secret after initial login. Consider adding a tip similar to quick-start-guide.mdx lines 142-144.
Suggested addition
kubectl get secret openchoreo-initial-credentials -n thunder \
  -o jsonpath='{.data.thunder-console-admin-password}' | openssl base64 -d -A
+:::tip
+After logging in, change your password or delete theopenchoreo-initial-credentialssecret.
+:::For details on what the bootstrap configured, see the On Your Environment guide.
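Review bot: the added `:::tip` offers "change your password or delete the openchoreo-initial-credentials secret" as alternatives, but deleting the Secret only removes the copy stored in Kubernetes; it does not change the admin password that was bootstrapped from it, which stays valid until it is changed in Thunder. Suggest wording the tip as "change the password, then delete the secret". Also note the hunk's closing `:::` line has the following sentence ("For details on what the bootstrap configured, ...") run onto it, so the tip block needs a line break before that sentence to render as its own block.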
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/getting-started/try-it-out/on-k3d-locally.mdx`:
- Around line 226-231: The doc references a non-existent script path
install/prerequisites/thunder/generate-thunder-secrets.sh; verify whether that
script has been committed on the branch referenced by ${versions.githubRef} and
correct the path/name in docs (or add/commit the script) so the curl URL is
valid, or update the docs to show the actual secret generation flow (e.g., point
readers to install/k3d/common/values-thunder.yaml and provide the
Helm/values-based steps instead); ensure the documentation line calling
generate-thunder-secrets.sh or its replacement matches the real repository
artifact or the documented Helm commands.
Nitpick comments:
In `@docs/getting-started/quick-start-guide.mdx`:
- Around line 314-322: Add a short security tip immediately after the password
retrieval snippet in quick-start-guide.mdx (near the "Docker Resource
Constraints" section) reminding users to change the default password or delete
the openchoreo-initial-credentials secret after first login; include the secret
name `openchoreo-initial-credentials` and a concise recommendation to either
change the admin password or delete that secret (use the :::tip block style
consistent with the other quick-start guide).
In `@docs/getting-started/try-it-out/on-your-environment.mdx`:
- Around line 650-659: Add a short security tip immediately after the password
retrieval block reminding users to change the randomly generated admin password
after first login and to remove or rotate the Kubernetes secret
(openchoreo-initial-credentials) once it's no longer needed; reference the
displayed username token ({defaultCredentials.username}) and the
existing kubectl command so readers know which secret to delete or rotate and
consider linking or mirroring the guidance used in quick-start-guide.mdx (lines
about changing/deleting initial credentials).
- Around line 352-354: Add a brief security tip immediately after the
Username/Password table advising operators that the `admin` password obtained
via the `openchoreo-initial-credentials` secret should be changed after first
login in production; reference the same credential rotation guidance in
quick-start-guide.mdx (or link to it) and suggest rotating the credential and
storing the new password in a secure secrets store.
In `@docs/platform-engineer-guide/identity-configuration.mdx`:
- Around line 45-51: The note that starts with "The default Thunder deployment
is intended for development and testing." does not explicitly state that admin
credentials are randomly generated; update that note by prepending a clear
sentence such as "Thunder admin credentials are randomly generated during
installation." so the note reads with the new sentence followed by the existing
guidance about development vs production and OAuth2/OIDC identity providers;
modify the documentation block containing that note to include this exact
clarification.
📥 Commits
Reviewing files that changed from the base of the PR and between a75942ceaf9a23943eb3d857046af3607634b537 and 9513e8462329159aaa700804465deeb69541e013.
💤 Files with no reviewable changes (1)
- docs/_constants.mdx
✅ Files skipped from review due to trivial changes (1)
- docs/ai/mcp-servers.mdx
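The review above keeps circling one flow: generate a random initial admin credential, store it in the `openchoreo-initial-credentials` Secret in the `thunder` namespace, and have the docs read it back with `kubectl get secret ... -o jsonpath=... | base64 -d`. The script below is an added example, not code from this PR or from the openchoreo project, that exercises that flow offline in POSIX shell with no cluster. It assumes the Secret name, namespace and `admin-password` data key quoted in the review; the manifest text, the password generator and the small denylist of default passwords are constructed here.

```bash
#!/bin/sh
# Added example, not code from the openchoreo PR: the "random initial credential"
# pattern the review discusses, exercised offline without a cluster. The Secret
# name, namespace and data key follow the docs quoted in the review; the manifest
# text, the generator and the denylist are constructed here.
set -eu

# Generate an admin password from 24 bytes of OS entropy (32 base64 characters).
gen_password() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Guard against the defaults the PR is removing: refuse to emit a manifest whose
# password is a well-known default or too short. Returns 0 if acceptable.
# (Constructed denylist; extend it for your environment.)
is_acceptable_password() {
  case "$1" in
    ""|admin|password|changeme) return 1 ;;
  esac
  [ "${#1}" -ge 16 ]
}

# Build the Secret manifest the docs later read back. Kubernetes stores `data`
# values base64-encoded, which is why retrieval ends in `base64 -d`.
make_secret_manifest() {
  pw="$1"
  is_acceptable_password "$pw" || { echo "refusing default or short password" >&2; return 1; }
  enc=$(printf '%s' "$pw" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: openchoreo-initial-credentials\n  namespace: thunder\ndata:\n  admin-password: %s\n' "$enc"
}

# Retrieval half: what
#   kubectl get secret openchoreo-initial-credentials -n thunder \
#     -o jsonpath='{.data.admin-password}' | base64 -d
# does, run against the manifest on stdin instead of a live API server.
read_password_from_manifest() {
  sed -n 's/^  admin-password: //p' | base64 -d
}

# Round trip: generate, store, retrieve, and confirm the decoded value matches.
roundtrip_ok() {
  pw=$(gen_password)
  got=$(make_secret_manifest "$pw" | read_password_from_manifest)
  [ "$got" = "$pw" ]
}

# Usage when run directly: print a manifest for a freshly generated password.
if [ "${1:-}" = "--demo" ]; then
  make_secret_manifest "$(gen_password)"
fi
```

The denylist check is the part worth keeping in a real generator script: a generator that can be pointed at a fixed value quietly reintroduces the `admin`/`admin` default the PR is removing, whereas failing closed makes the regression visible at install time.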
9513e84 to 473f4cb
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/ai/mcp-servers.mdx`:
- Around line 156-157: The document's step numbering is inconsistent after
inserting a new first step: update the heading "Step 2: Obtain an Access Token"
and any later references such as "Configure Your AI Agent" and the token-expiry
note so the sequence is correct (e.g., rename to "Step 3: Obtain an Access
Token" or adjust surrounding headings depending on the inserted step), and scan
the file for any remaining ordinal references to Step 1/2 to revise them to the
new numbers to keep all step references consistent.
In `@docs/getting-started/try-it-out/on-your-environment.mdx`:
- Around line 352-354: Run Prettier to fix the formatting for the markdown table
row containing the kubectl command (the row with "kubectl get secret
openchoreo-initial-credentials" / the table header "Username | Password
Retrieval Command"); execute the provided formatter command (prettier --write
docs/getting-started/try-it-out/on-your-environment.mdx), verify the table row
remains correctly escaped and wrapped (the backslash before the pipe in the
command should be preserved), then stage and commit the formatted file.
💤 Files with no reviewable changes (1)
- docs/_constants.mdx
✅ Files skipped from review due to trivial changes (1)
- docs/getting-started/quick-start-guide.mdx
473f4cb to 2307ef3
Signed-off-by: Mevan <mevan.karu@gmail.com>
2307ef3 to b1f1503
$subject
Related to openchoreo/openchoreo#3507
Depends on openchoreo/openchoreo#3508