
fix: use random secrets instead of default values for thunder secrets#624

Open
mevan-karu wants to merge 1 commit into openchoreo:main from mevan-karu:fix/thunder-secrets

Conversation

@mevan-karu (Contributor)

$subject

Related to openchoreo/openchoreo#3507

Depends on - openchoreo/openchoreo#3508

@coderabbitai (Contributor) coderabbitai Bot commented May 15, 2026


Warning

Rate limit exceeded

@mevan-karu has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 34 minutes before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cd87e583-e459-4c71-b7cb-570c11a9b1a5

📥 Commits

Reviewing files that changed from the base of the PR and between a75942c and 4f87302.

📒 Files selected for processing (6)
  • docs/_constants.mdx
  • docs/ai/mcp-servers.mdx
  • docs/getting-started/quick-start-guide.mdx
  • docs/getting-started/try-it-out/on-k3d-locally.mdx
  • docs/getting-started/try-it-out/on-your-environment.mdx
  • docs/platform-engineer-guide/identity-configuration.mdx
📝 Walkthrough

Walkthrough

This PR updates documentation across six files to reflect a security model shift where installation credentials are randomly generated and retrieved from Kubernetes secrets rather than using hardcoded values. It adds required Thunder secret generation steps to installation guides and emphasizes security warnings around default credentials.

Changes

Dynamic Credentials and Installation Pattern Updates

| Layer / File(s) | Summary |
| --- | --- |
| Constants export and quick-start login pattern: `docs/_constants.mdx`, `docs/getting-started/quick-start-guide.mdx` | The `defaultCredentials` export no longer includes a hardcoded `password` field. The quick-start guide updates login instructions to retrieve the randomly generated admin password from the `openchoreo-initial-credentials` Kubernetes Secret via `kubectl` with base64 decoding. |
| Installation secret generation and OpenBao mappings: `docs/getting-started/try-it-out/on-k3d-locally.mdx`, `docs/getting-started/try-it-out/on-your-environment.mdx` | Both installation guides add a required pre-install step to generate Thunder secrets using `generate-thunder-secrets.sh` with `BAO_TOKEN=root`. OpenBao secret tables are updated to document seeded paths and their corresponding ExternalSecret targets. Console login instructions in the custom environment guide show dynamic password retrieval from Kubernetes. |
| MCP client credentials OAuth flow: `docs/ai/mcp-servers.mdx` | The OAuth token request flow is updated to first retrieve `service-mcp-client-secret` from Kubernetes into an environment variable, then use that variable in the token request instead of a hardcoded secret. |
| Thunder security warning and portal access: `docs/platform-engineer-guide/identity-configuration.mdx` | A danger callout is added documenting the Thunder Admin portal URL format and warning that the default `admin`/`admin` credentials are unsafe, requiring production-ready configuration or external identity provider integration. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The description is incomplete. While it includes the subject and related issue link, it lacks the required sections from the template: Purpose, Checklist items (sidebars.ts update, npm run start, npm run build, link verification). | Add a Purpose section explaining the changes, and complete the Checklist section confirming that sidebars.ts was reviewed, local preview/build were tested, and links were verified. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly describes the main change: transitioning from default hardcoded values to randomly generated secrets for Thunder, which is precisely what the changeset demonstrates across all updated documentation files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
docs/ai/mcp-servers.mdx (1)

177-177: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix step numbering and cross-reference text.

After adding secret retrieval as Step 1, this section should be renumbered to keep instructions consistent:

  • Line 177 should be Step 3 (not Step 2).
  • Line 308 should point to the token request step (currently Step 2), not Step 1.

Also applies to: 307-309

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/ai/mcp-servers.mdx` at line 177, Update the step numbering and
cross-references in the docs: change the heading text "**Step 2: Configure Your
AI Agent**" to "**Step 3: Configure Your AI Agent**" to reflect the new secret
retrieval step, and update the cross-reference that currently points to "Step 1"
(the token request link/mention) so it points to "Step 2" (the token request
step) — search for the token request reference around the paragraph that
mentions the configure step and adjust the referenced step numbers accordingly.
docs/getting-started/try-it-out/on-k3d-locally.mdx (1)

690-693: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Broken reference to removed password field.

Line 693 references defaultCredentials.password, but this field was removed from the defaultCredentials export in docs/_constants.mdx. This will cause a runtime error when rendering the page.

The login section should be updated to match the pattern used in quick-start-guide.mdx (lines 136-144) and on-your-environment.mdx (lines 647-656), which show the password retrieval command instead of referencing the removed constant.

🔧 Proposed fix
-| Username                                   | Password                                   |
-| ------------------------------------------ | ------------------------------------------ |
-| <code>{defaultCredentials.username}</code> | <code>{defaultCredentials.password}</code> |
+| Username | Password |
+| -------- | -------- |
+| <code>{defaultCredentials.username}</code> | Randomly generated. See retrieval command below. |
+
+Retrieve your admin password:
+
+```bash
+kubectl get secret openchoreo-initial-credentials -n thunder \
+  -o jsonpath='{.data.admin-password}' | base64 -d
+```
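Review bot: the replacement row drops the password cell entirely, and the retrieval command hardcodes the `thunder` namespace and the `admin-password` key; those two values have to match what `generate-thunder-secrets.sh` actually seeds, and the two sibling guides this fix cites (quick-start-guide.mdx lines 136-144, on-your-environment.mdx lines 647-656) should carry the identical namespace and key so a reader switching guides gets the same command. Worth one sentence that the command prints the password to the terminal; capturing it with `PASS=$(kubectl get secret openchoreo-initial-credentials -n thunder -o jsonpath='{.data.admin-password}' | base64 -d)` keeps it off the screen.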
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/getting-started/try-it-out/on-k3d-locally.mdx` around lines 690 - 693,
The page references a removed field defaultCredentials.password which will throw
at render time; update the login table to keep defaultCredentials.username for
the Username cell but replace the Password cell with the runtime retrieval
command shown in other guides (use the kubectl get secret
openchoreo-initial-credentials -n thunder ... | base64 -d pattern) instead of
defaultCredentials.password so the doc matches quick-start-guide.mdx and
on-your-environment.mdx; ensure the Username cell still uses
<code>{defaultCredentials.username}</code> and the Password cell shows the
retrieval command in a code block (no reference to defaultCredentials.password).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 717e5358-e9ed-459f-8eec-4bfb127d1fab

📥 Commits

Reviewing files that changed from the base of the PR and between 860cb11 and ca0a382.

📒 Files selected for processing (6)
  • docs/_constants.mdx
  • docs/ai/mcp-servers.mdx
  • docs/getting-started/quick-start-guide.mdx
  • docs/getting-started/try-it-out/on-k3d-locally.mdx
  • docs/getting-started/try-it-out/on-your-environment.mdx
  • docs/platform-engineer-guide/identity-configuration.mdx

docs/platform-engineer-guide/identity-configuration.mdx, comment on lines +48 to +51
:::danger
The default Thunder deployment uses well-known credentials (`admin`/`admin`).
Do not expose the Thunder admin portal to untrusted networks without changing
these credentials and configuring a production-ready identity provider.
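Review bot: the callout documents static `admin`/`admin` credentials, which contradicts this PR's own change (the quick-start now reads the generated password out of the `openchoreo-initial-credentials` Secret). Either the Thunder admin portal still ships with `admin`/`admin` and is a separate login from the OpenChoreo console, in which case the callout should say so explicitly so readers do not assume the generated secret covers it, or the text should describe the generated credential and how to retrieve it. As written, "changing these credentials" also names no place where the change is made.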
coderabbitai Bot (Contributor) commented:

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Update the warning to reflect randomized credentials, not admin/admin.

Line 49 currently documents static default credentials (admin/admin), which conflicts with this PR’s stated shift to randomly generated Thunder secrets and can mislead operators into insecure assumptions. Please replace this with guidance to retrieve generated credentials from the relevant Kubernetes secret and rotate them for production.

Suggested doc patch
 :::danger
-The default Thunder deployment uses well-known credentials (`admin`/`admin`).
-Do not expose the Thunder admin portal to untrusted networks without changing
-these credentials and configuring a production-ready identity provider.
+Thunder admin credentials are generated during installation and must be treated as secrets.
+Retrieve them from the Kubernetes secret created at install time, rotate them before exposing
+the portal, and configure a production-ready external identity provider.
 :::
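Review bot: the replacement text says "retrieve them from the Kubernetes secret created at install time" without naming the secret, so the danger callout is not actionable on its own; the same review's proposed fix for on-k3d-locally.mdx shows the concrete command (`kubectl get secret openchoreo-initial-credentials -n thunder -o jsonpath='{.data.admin-password}' | base64 -d`), so either name the secret and key here or link to that step. "Rotate them before exposing the portal" likewise needs a pointer to where rotation happens (the Secret, OpenBao, or the Thunder admin portal), which the suggested lines do not give.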

Based on learnings: “Do not document or expose real credentials in docs or sample files… replace with placeholders and explain how to configure secrets securely.”

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/platform-engineer-guide/identity-configuration.mdx` around lines 48 -
51, Update the warning block to remove the hard-coded `admin`/`admin` example
and state that Thunder deploys with randomized credentials; instruct operators
to retrieve the current credentials from the Thunder Kubernetes Secret
(referencing the cluster secret for Thunder) and rotate them for production, and
replace any literal credentials in the text with a placeholder like
<THUNDER_ADMIN_CREDENTIALS> and a short note on how to fetch them (e.g., kubectl
get secret ... -o jsonpath) and configure a production identity provider for the
Thunder admin portal.

@mevan-karu force-pushed the fix/thunder-secrets branch 2 times, most recently from a75942c to e4408e0 (May 15, 2026 12:12)
@mevan-karu force-pushed the fix/thunder-secrets branch from e4408e0 to 4f87302 (May 15, 2026 12:25)