Enhance on-prem API key sync logic to support only RestApi

[DinithHerath]

This pull request updates the API key synchronization logic to support on-premises control planes more accurately. Specifically, it ensures that only supported artifact kinds (currently RestApi) are considered for API key backfill when running in on-prem mode, while skipping unsupported kinds and logging the action.

On-premises API key sync improvements:

• Introduced the onPremSupportedAPIKeyKinds map to explicitly list artifact kinds (RestApi) for which the on-prem control plane exposes an API-key backfill endpoint, clarifying that other kinds (e.g., LLM, WebSub, WebBroker) are cloud-only.
• Updated the syncAPIKeysForExistingArtifacts method to skip unsupported kinds during bulk API key sync when running on-prem, logging a debug message for each skipped kind instead of skipping the entire sync process.

Related to https://github.com/wso2-enterprise/wso2-apim-internal/issues/17413

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6d2217b1-e646-48ac-8b68-b36c0ab6af8c

📥 Commits

Reviewing files that changed from the base of the PR and between 6bdc8c9 and b94cdb6.

📒 Files selected for processing (1)

• gateway/gateway-controller/pkg/controlplane/client.go

---

📝 Walkthrough

Summary

This PR improves API key synchronization for on-premises deployments by enabling selective processing of supported artifact kinds instead of skipping all synchronization when in on-prem mode.

Changes

Modified Behavior:

• On-premises API key synchronization now processes supported artifact kinds (RestApi) while skipping unsupported kinds (LLM, WebSub, WebBroker)
• Previously, the entire API key sync process was skipped for on-prem deployments

Implementation:

• Added a new onPremSupportedAPIKeyKinds map to explicitly define which artifact kinds support API-key backfill operations in on-premises control planes
• Updated the synchronization logic to filter at the kind level during bulk API key operations, allowing the sync process to continue for supported kinds
• Added debug logging for each skipped artifact kind to provide visibility into the filtering behavior

Impact:

• Improves accuracy of on-premises deployments by enabling API key synchronization for supported artifact kinds
• Maintains compatibility by filtering out cloud-only artifact kinds from on-prem processing

Walkthrough

In client.go, the on-prem API key backfill behavior inside syncAPIKeysForExistingArtifacts is changed from a blanket early-exit when running on-prem to a per-kind check within the existing sync loop. A new package-level unexported map, onPremSupportedAPIKeyKinds, is introduced with models.KindRestApi as its only current entry. During each loop iteration, if the control plane is on-prem and the current kind is absent from this map, that kind is skipped with a debug log message and the loop continues. All other sync logic (fetching, upserting, and reconciling keys) is unchanged.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	The pull request description covers the purpose, goals, and approach clearly. However, it omits several required template sections including automation tests, security checks, samples, related PRs, and test environment details.	Add missing template sections: automation tests (unit/integration test details), security checks (coding standards, FindSecurityBugs verification, secret confirmation), samples, related PRs, and test environment specifications.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: enhancing on-prem API key sync logic to support only RestApi, which aligns with the actual code modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.2)

level=error msg="[linters_context] typechecking error: pattern ./...: directory prefix . does not contain modules listed in go.work or their selected dependencies"

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[DinithHerath]

@coderabbitai approve

[coderabbitai]

✅ Action performed

Comments resolved. Approval is disabled; enable reviews.request_changes_workflow to allow explicit top-level @coderabbitai resolve or @coderabbitai approve commands.