Skip to content

Support "other" and "none" upstream auth types for LLM Providers and proxies#2731

Open
thivindu wants to merge 2 commits into
wso2:mainfrom
thivindu:ai-workspace-dp-cp
Open

Support "other" and "none" upstream auth types for LLM Providers and proxies#2731
thivindu wants to merge 2 commits into
wso2:mainfrom
thivindu:ai-workspace-dp-cp

Conversation

@thivindu

Copy link
Copy Markdown
Contributor

Purpose

Support none, other, and api-key as upstream authentication types for LLM Providers and LLM Proxies across the gateway, the platform API, and the AI Workspace.

Background

Previously the gateway controller accepted only api-key as spec.upstream.auth.type — a bottom-up (gateway-first) LLM provider with any other type failed validation (Auth type must be 'api-key'), and one with no auth block at all surfaced in the AI Workspace as api-key (misleading). This PR makes the full set of types work end-to-end and standardizes "no upstream credentials" as an explicit none.

Agreed model

  • Valid spec.upstream.auth.type: api-key, other, none.
  • Absent auth ⇒ type defaults to none (defaulted by the platform API, not the gateway).
  • For none/other, header/value are irrelevant and carry no credentials.
Flow none / absent other api-key
CP→DP (deploy artifact) auth: {type: none} auth: {type: other} auth: {type: api-key, header, value}
DP→CP (import) stored as {type: none} stored as {type: other} stored as {type: api-key, …}
AI Workspace shows None shows Other + "No credentials are stored…" note shows api-key + header + masked creds

Approach

Gateway controller

  • management-openapi.yaml: UpstreamAuth / LLMUpstreamAuth enums → [api-key, other, none]; regenerated pkg/api/management/generated.go.
  • llm_validator.go: provider and proxy upstream-auth validation now accepts the allowlist; header/value required only for api-key.
  • llm_transformer.go: none/other attach no upstream-auth policy (fixed a nil policy deref in the proxy path).

Platform API

  • openapi.yaml + generated.go: added none to UpstreamAuthType; regenerated.
  • Create & Update (provider and proxy): default an absent/empty upstream auth to none server-side, and clear header/value when switching to a credential-less type — without deleting the underlying secret (it may be referenced by other providers/proxies).
  • Import (DP→CP): empty auth persisted as none.
  • Deploy (CP→DP): mapModelAuthToAPI emits an explicit type — none/other type-only, api-key with header/value. Consolidated the earlier buildDeploymentUpstreamAuth helper into mapModelAuthToAPI and made it nil-safe.
  • Read (GET): returns the stored upstream config as-is (no synthesized default).

AI Workspace

  • types.ts: added none to the UpstreamAuth type union.
  • Connection tab & create form: added none option, fall back to none when auth is empty, hide the header/credential fields for both none and other, and show the "No credentials are stored…" helper only for other.

Docs: regenerated gateway REST API docs from the OpenAPI change.

Notable decisions

  • Secrets are never deleted when switching a provider/proxy away from api-key — only the reference on the artifact is cle
  • MCP is unchanged: it shares the UpstreamAuth schema (so it gains the enum values), but its own validator still governs, and mapModelAuthToAPI's only MCP caller is nil-guarded and only ever passes api-key/bearer.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@thivindu, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 23 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 39b30bca-e542-49e7-9c67-17f27a6688cd

📥 Commits

Reviewing files that changed from the base of the PR and between 5697dc2 and b231ace.

📒 Files selected for processing (3)
  • gateway/gateway-controller/pkg/utils/llm_transformer_test.go
  • platform-api/internal/service/artifact_cross_origin_test.go
  • platform-api/internal/service/llm.go
📝 Walkthrough

Walkthrough

Adds other and none upstream authentication support across gateway contracts, validation, transformation, platform persistence and deployment, tests, documentation, and workspace provider configuration forms.

Changes

LLM upstream authentication

Layer / File(s) Summary
Contracts and gateway documentation
docs/rest-apis/gateway/*, gateway/gateway-controller/api/management-openapi.yaml, platform-api/resources/openapi.yaml
Documents reusable upstreams, resilience, additional providers, operation matching, and expanded authentication enum values.
Gateway validation and transformation
gateway/gateway-controller/pkg/api/management/generated.go, gateway/gateway-controller/pkg/config/*, gateway/gateway-controller/pkg/utils/*
Accepts other and none, and skips API-key policies for credential-less authentication.
Platform normalization and deployment
platform-api/internal/service/*, platform-api/api/generated.go
Defaults missing auth to none, clears credentials for credential-less types, preserves referenced secrets, and emits type-only deployment auth blocks.
Workspace authentication controls
portals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/*, portals/ai-workspace/src/utils/types.ts
Adds the none option, clears credentials when selected, and hides credential fields for none and other.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Workspace
  participant PlatformAPI
  participant GatewayController
  participant Deployment
  Workspace->>PlatformAPI: Submit upstream auth type
  PlatformAPI->>PlatformAPI: Normalize type and credentials
  PlatformAPI->>Deployment: Generate type-only auth for other or none
  Deployment->>GatewayController: Apply provider configuration
  GatewayController->>GatewayController: Omit API-key policy
Loading

Possibly related PRs

Suggested reviewers: renuka-fernando, malinthaprasan, tharindu1st

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning The PR includes broad platform API, AI Workspace, and docs updates that go beyond the linked gateway-only issue scope. Either link the broader end-to-end work in additional issues or separate the platform API, UI, and documentation changes from the gateway issue.
Docstring Coverage ⚠️ Warning Docstring coverage is 68.57% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: adding support for other and none upstream auth types for LLM providers and proxies.
Description check ✅ Passed It includes the key Purpose, Background, Agreed model, and Approach sections, though several template sections are omitted.
Linked Issues check ✅ Passed The gateway controller validation, enums, and transformer changes directly implement issue #2713's support for other and none auth types.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
platform-api/resources/openapi.yaml (1)

6714-6721: 🎯 Functional Correctness | 🟠 Major | 🏗️ Heavy lift

Do not widen the MCP authentication contract through the shared schema.

UpstreamAuth is also referenced by MCPProxy and MCPServerInfoFetchRequest. Adding none here advertises it as valid for MCP requests, while the PR explicitly leaves MCP validation unchanged.

Use an LLM-specific auth schema containing api-key, other, and none, or otherwise retain the existing MCP enum.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@platform-api/resources/openapi.yaml` around lines 6714 - 6721, The shared
UpstreamAuth enum must not add none because MCPProxy and
MCPServerInfoFetchRequest reuse it. Preserve the existing MCP authentication
enum and introduce a separate LLM-specific authentication schema containing
api-key, other, and none, then update only the LLM-related references to use it.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@gateway/gateway-controller/pkg/utils/llm_transformer_test.go`:
- Around line 2180-2184: Update the test around transformer.Transform to require
that result.Spec.Operations is not empty before iterating over it. Keep the
existing error and result assertions, and ensure the no-policy validation only
runs when the transformation actually produced operations.

In `@platform-api/internal/service/llm.go`:
- Around line 1153-1158: Update the upstream auth preservation logic around
defaultUpstreamAuthToNone so empty credentials are retained only when the update
explicitly provides a credential-bearing auth object, covering both Main and
Sandbox endpoints. Do not substitute omitted auth with existing auth; leave it
nil so defaultUpstreamAuthToNone converts it to none. Apply the same behavior to
proxy auth and update the proxy regression test to establish API-key auth before
submitting an update with omitted auth.

---

Outside diff comments:
In `@platform-api/resources/openapi.yaml`:
- Around line 6714-6721: The shared UpstreamAuth enum must not add none because
MCPProxy and MCPServerInfoFetchRequest reuse it. Preserve the existing MCP
authentication enum and introduce a separate LLM-specific authentication schema
containing api-key, other, and none, then update only the LLM-related references
to use it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 8935df10-b468-4b1b-af54-5c4cc6c47280

📥 Commits

Reviewing files that changed from the base of the PR and between 52a9118 and 5697dc2.

📒 Files selected for processing (25)
  • docs/rest-apis/gateway/README.md
  • docs/rest-apis/gateway/llm-provider-management.md
  • docs/rest-apis/gateway/llm-proxy-management.md
  • docs/rest-apis/gateway/mcp-proxy-management.md
  • docs/rest-apis/gateway/rest-api-management.md
  • docs/rest-apis/gateway/schemas.md
  • gateway/gateway-controller/api/management-openapi.yaml
  • gateway/gateway-controller/pkg/api/management/generated.go
  • gateway/gateway-controller/pkg/config/llm_validator.go
  • gateway/gateway-controller/pkg/config/llm_validator_test.go
  • gateway/gateway-controller/pkg/utils/llm_provider_transformer_test.go
  • gateway/gateway-controller/pkg/utils/llm_transformer.go
  • gateway/gateway-controller/pkg/utils/llm_transformer_test.go
  • platform-api/api/generated.go
  • platform-api/internal/service/artifact_cross_origin_test.go
  • platform-api/internal/service/artifact_import_llm_provider.go
  • platform-api/internal/service/artifact_import_llm_proxy.go
  • platform-api/internal/service/llm.go
  • platform-api/internal/service/llm_deployment.go
  • platform-api/internal/service/llm_deployment_test.go
  • platform-api/internal/service/llm_test.go
  • platform-api/resources/openapi.yaml
  • portals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/AddNewProvider/ProviderTemplateFormFields.tsx
  • portals/ai-workspace/src/pages/appShell/appShellPages/serviceProvider/ServiceProviderConnectionTab.tsx
  • portals/ai-workspace/src/utils/types.ts
💤 Files with no reviewable changes (1)
  • docs/rest-apis/gateway/README.md

Comment thread gateway/gateway-controller/pkg/utils/llm_transformer_test.go
Comment thread platform-api/internal/service/llm.go
@thivindu
thivindu requested a review from Induwara04 as a code owner July 17, 2026 06:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Task]: [Bottom Up Deployment] Support "other" and "none" upstream auth types for LLM Providers in GW

1 participant