Conversation

@misba7 misba7 commented Nov 19, 2025

closes #2460

Summary by CodeRabbit

  • Chores

    • Admin UI is now enabled by default in the all-in-one deployment, making the administrative interface available without extra enablement steps.
    • No other runtime behavior or public interfaces were changed.
  • Documentation

    • Installation/upgrade notes now include a conditional SECURITY WARNING when the Admin UI is exposed, with production and demo mitigation recommendations.


Signed-off-by: Amro Misbah <amromisba7@gmail.com>
@misba7 misba7 requested review from iromli and moabu as code owners November 19, 2025 19:21
coderabbitai bot commented Nov 19, 2025

Walkthrough

Enabled the Admin UI ingress by default in Helm values and added conditional security warning blocks to two Helm NOTES templates that emit a notice when the Admin UI ingress is enabled.

Changes

  • Admin-UI default ingress configuration (charts/gluu-all-in-one/values.yaml): Set admin-ui.adminUiEnabled from false to true, enabling the admin-ui ingress by default.
  • NOTES: security warning when Admin UI is exposed (charts/gluu-all-in-one/templates/NOTES.txt, charts/gluu/templates/NOTES.txt): Add conditional Helm template blocks that render a multi-line "SECURITY WARNING: ADMIN-UI EXPOSED" message when the corresponding adminUiEnabled value is true, recommending mitigations for production and noting demo/internal exceptions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Areas to check:
    • Confirm the values key path (admin-ui.ingress.adminUiEnabled and global.admin-ui.ingress.adminUiEnabled) matches chart consumers and any umbrella chart overrides.
    • Validate Helm conditional syntax and whitespace/newline behavior in NOTES.txt templates.
    • Review message wording for clarity and any required newline at end-of-file.

Poem

🐇 I nudged a flag and swung a door,
Admin paths wander to the fore.
A tiny note, a cautious drum,
Protect the gate — don’t leave it dumb.
Hop lightly, guard the admin sum.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'fix(admin-ui): Enable admin-ui ingress by default' accurately and concisely describes the main change: enabling admin-ui ingress by default in gluu-aio.
  • Linked Issues check: Passed. The PR successfully implements the objective from issue #2460 by changing admin-ui.ingress.adminUiEnabled from false to true in charts/gluu-all-in-one/values.yaml.
  • Out of Scope Changes check: Passed. Changes to NOTES.txt files are supportive documentation updates that add security warnings for the newly-enabled feature, not out-of-scope changes.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e637f90 and 149ce5e.

📒 Files selected for processing (1)
  • charts/gluu/templates/NOTES.txt (1 hunks)
🔇 Additional comments (1)
charts/gluu/templates/NOTES.txt (1)

1-15: Original review comment contains an incorrect concern; no changes required.

After verification, the original review comment's main concern about uppercase "TRUE" is incorrect. Both charts/gluu/templates/NOTES.txt and charts/gluu-all-in-one/templates/NOTES.txt consistently use uppercase "TRUE" in user-facing warning text (line 5 in both files). This is intentional design for documentation readability, not YAML syntax requiring lowercase.

The verification confirms:

  • Path global.admin-ui.ingress.adminUiEnabled is correct and exists in charts/gluu/values.yaml (line 916)
  • The path difference between gluu (global.admin-ui.ingress.adminUiEnabled) and gluu-all-in-one (admin-ui.ingress.adminUiEnabled) is intentional—gluu uses a global namespace prefix while gluu-all-in-one does not
  • Both charts have identical NOTES.txt warning templates with only the path differing appropriately

No changes are needed to the code.


@mo-auto mo-auto added comp-charts-flex Touching folder /flex-cn-setup/pygluu/kubernetes/templates/helm comp-admin-ui Component affected by issue or PR kind-bug Issue or PR is a bug in existing functionality labels Nov 19, 2025
@misba7 misba7 changed the title fix(admin-ui): Enabled admin-ui ingress by default fix(admin-ui): Enable admin-ui ingress by default Nov 19, 2025
ingress:
# -- Enable Admin UI endpoints in either istio or nginx ingress depending on users choice
adminUiEnabled: false
adminUiEnabled: true
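Review bot: the default flip at `adminUiEnabled: true` widens what a stock `helm install` exposes, yet the `# --` comment above it still only describes the istio/nginx choice; extend that comment so readers of `helm show values` learn that the Admin UI ingress is now on by default and should be restricted in production, e.g. `# -- Enable Admin UI endpoints in either istio or nginx ingress depending on the user's choice. Enabled by default; restrict the admin path in production (see NOTES.txt).` Also worth confirming that this `admin-ui.ingress.adminUiEnabled` path (no `global.` prefix, unlike the `gluu` chart's `global.admin-ui.ingress.adminUiEnabled`) is exactly the key the new NOTES.txt conditional reads, otherwise the warning never renders.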
Member

If we are enabling this by default we need to post a message that this is enabled and that the user should protect the /admin endpoint when helm install / helm upgrade is run.


@misba7 misba7 Nov 20, 2025


@moabu
mmm. I think anyone installing gluu flex instead of janssen is doing so because they want an accessible admin-ui. That's the only difference.
So it made sense for me that gluu-aio mimics gluu which has adminUiEnabled enabled by default.

adminUiEnabled: true

Member

@moabu moabu Nov 27, 2025


I agree. This comment applies to the gluu microservices chart as well. I think we need to post a warning. What I’m suggesting is that we introduce templates/NOTES.txt in both charts with the following message:

{{- $adminUiEnabled := false -}}
{{- if and .Values.global (index .Values.global "admin-ui") -}}
  {{- if (index .Values.global "admin-ui" "ingress" "adminUiEnabled") -}}
    {{- $adminUiEnabled = true -}}
  {{- end -}}
{{- end -}}

{{- if $adminUiEnabled }}
********************************************************************************
*** SECURITY CONFIGURATION WARNING                                           ***
********************************************************************************
The flag `global.admin-ui.ingress.adminUiEnabled` is set to TRUE.

This exposes the Admin UI at: /admin-ui

RECOMMENDATION:
1. Use this setting ONLY for demo or internal development environments.
2. For production, ensure this endpoint is restricted via NetworkPolicies,
   IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
********************************************************************************
{{- end }}
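The notice above tells operators to restrict the Admin UI path with NetworkPolicies, IP whitelisting or an OAuth2 proxy but does not show what that looks like. The following is an added example of the first two mitigations, not code from this PR or from the Gluu charts. Everything named in it is an assumed placeholder: the namespace `gluu`, the pod label `app: admin-ui`, the Service `admin-ui` on port 8080, the host `flex.example.com`, the ingress controller namespace `ingress-nginx`, the admin path `/admin` (the thread itself mentions both `/admin` and `/admin-ui`), and the operator network 203.0.113.0/24 (an RFC 5737 documentation range). The annotation `nginx.ingress.kubernetes.io/whitelist-source-range` is a real ingress-nginx annotation.

```yaml
# Added example, not part of the PR or the Gluu charts. All names below are
# assumed placeholders; adjust them to the labels and Service the chart creates.
---
# 1. In-cluster restriction: only pods in the ingress controller namespace may
#    open connections to the Admin UI pods. Any other workload in the cluster
#    that tries to reach the admin port is dropped by the CNI.
#    (Only enforced by a CNI that implements NetworkPolicy, e.g. Calico/Cilium.)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: admin-ui-ingress-controller-only
  namespace: gluu                      # assumed chart namespace
spec:
  podSelector:
    matchLabels:
      app: admin-ui                    # assumed Admin UI pod label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # label set automatically on every namespace since Kubernetes 1.21
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080                   # assumed Admin UI container port
---
# 2. Edge restriction: only the operator network may reach the admin path.
#    whitelist-source-range compares the client IP the controller sees, so the
#    Service in front of ingress-nginx must preserve it (externalTrafficPolicy:
#    Local, or PROXY protocol / trusted X-Forwarded-For); otherwise every request
#    appears to come from the load balancer and the allow-list matches nobody
#    or everybody.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: admin-ui-restricted
  namespace: gluu
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "203.0.113.0/24"  # constructed operator CIDR
spec:
  ingressClassName: nginx
  rules:
    - host: flex.example.com           # assumed hostname
      http:
        paths:
          - path: /admin               # assumed admin path
            pathType: Prefix
            backend:
              service:
                name: admin-ui         # assumed Service name
                port:
                  number: 8080
```

Apply it with `kubectl apply -f`, then verify from a pod outside `ingress-nginx` that the admin port times out and from an address outside the allowed range that the path returns 403. Because the chart already publishes the admin path through its own Ingress, the standalone Ingress above should replace that rule rather than sit beside it; two Ingress objects for the same host and path compete, and the unrestricted one would still serve the page.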

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 770ec3f and e637f90.

📒 Files selected for processing (2)
  • charts/gluu-all-in-one/templates/NOTES.txt (1 hunks)
  • charts/gluu/templates/NOTES.txt (1 hunks)
🧰 Additional context used
🪛 LanguageTool
charts/gluu-all-in-one/templates/NOTES.txt

[grammar] ~11-~11: Use a hyphen to join words.
Context: .... This endpoint is normally not internet facing. 2. This can be left public in de...

(QB_NEW_EN_HYPHEN)

charts/gluu/templates/NOTES.txt

[grammar] ~11-~11: Use a hyphen to join words.
Context: .... This endpoint is normally not internet facing. 2. This can be left public in de...

(QB_NEW_EN_HYPHEN)

Comment on lines +1 to +15
{{ if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
********************************************************************************
*** SECURITY WARNING: ADMIN-UI EXPOSED ***
********************************************************************************
The flag `admin-ui.ingress.adminUiEnabled` is set to TRUE.

This publicly exposes the Admin UI at "/admin"

RECOMMENDATION:
1. For production, ensure this endpoint is restricted via NetworkPolicies,
IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
2. This can be left public in demo or internal development environments only.

********************************************************************************
{{- end }} No newline at end of file
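Review bot: the chained `index .Values "admin-ui" "ingress" "adminUiEnabled"` on line 1 has no nil guard, so a values override that sets `admin-ui` or `admin-ui.ingress` to `null` makes `helm install`/`helm template` fail with an `index of untyped nil` error instead of simply skipping the notice; the guarded form proposed earlier in the thread (`if and ... (index ...)`) or Sprig's `dig "admin-ui" "ingress" "adminUiEnabled" false .Values` degrades gracefully. Two smaller points: the message says the Admin UI is exposed at "/admin" while the draft earlier in the thread said "/admin-ui", so one of them should be corrected against the actual ingress path; and with the trailing `{{- end }}` plus the missing newline at end of file, the closing row of `*` runs straight into whatever Helm prints next, so end the file with a newline.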

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Find values.yaml files in the charts directory
fd -t f "values.yaml" charts/

Repository: GluuFederation/flex

Length of output: 740


🏁 Script executed:

# Read the values.yaml file
cat -n charts/gluu-all-in-one/values.yaml | grep -A 10 -B 2 "admin-ui"

Repository: GluuFederation/flex

Length of output: 2718


Perfect! I've verified the configuration. The charts/gluu-all-in-one/values.yaml file at line 384 confirms that admin-ui.ingress.adminUiEnabled is set to true, which aligns with the template conditional and the PR objectives.

Fix the hyphenation on line 11; values.yaml configuration verified as correct.

The Helm conditional template syntax is correct and properly references admin-ui.ingress.adminUiEnabled, which is confirmed to be set to true in the values.yaml file. However, apply this diff to fix the grammar:

-   IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
+   IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet-facing.
📝 Committable suggestion


Suggested change
{{ if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
********************************************************************************
*** SECURITY WARNING: ADMIN-UI EXPOSED ***
********************************************************************************
The flag `admin-ui.ingress.adminUiEnabled` is set to TRUE.
This publicly exposes the Admin UI at "/admin"
RECOMMENDATION:
1. For production, ensure this endpoint is restricted via NetworkPolicies,
IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet facing.
2. This can be left public in demo or internal development environments only.
********************************************************************************
{{- end }}
{{ if index .Values "admin-ui" "ingress" "adminUiEnabled" -}}
********************************************************************************
*** SECURITY WARNING: ADMIN-UI EXPOSED ***
********************************************************************************
The flag `admin-ui.ingress.adminUiEnabled` is set to TRUE.
This publicly exposes the Admin UI at "/admin"
RECOMMENDATION:
1. For production, ensure this endpoint is restricted via NetworkPolicies,
IP whitelisting, or an OAuth2 proxy. This endpoint is normally not internet-facing.
2. This can be left public in demo or internal development environments only.
********************************************************************************
{{- end }}
🤖 Prompt for AI Agents
In charts/gluu-all-in-one/templates/NOTES.txt around lines 1 to 15, fix the
hyphenation on line 11 by replacing any occurrence of "Admin-UI" with "Admin UI"
(remove the hyphen) so the phrase reads consistently as "Admin UI" in the
notice.


Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
@moabu moabu merged commit 50bc2b9 into main Nov 28, 2025
8 checks passed
@moabu moabu deleted the fix-admin-ui-ingress branch November 28, 2025 08:47

Successfully merging this pull request may close these issues.

fix(admin-ui): admin-ui ingress is disabled by default in gluu-aio

3 participants