feat: add default password warnings for PostgreSQL and Redis in Helm chart NOTES.txt

[BearTS]

Summary

Adds runtime warnings to the Bifrost Helm chart's NOTES.txt when default passwords are detected for PostgreSQL or Redis, alerting operators before they deploy to production with insecure credentials.

Changes

• Added a warning message displayed post-install if PostgreSQL is still using the default password "bifrost_password", prompting users to set postgresql.auth.password to a strong value.
• Added a warning message displayed post-install if Redis is still using the default password "redis_password", prompting users to set vectorStore.redis.auth.password to a strong value.

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Deploy the Helm chart with default values and verify the warnings appear in the install notes:

helm install bifrost ./helm-charts/bifrost
# Expected: warnings about default PostgreSQL and Redis passwords appear in NOTES output

helm install bifrost ./helm-charts/bifrost \
  --set postgresql.auth.password=myStrongPass \
  --set vectorStore.redis.auth.password=myStrongRedisPass
# Expected: no warnings appear in NOTES output

Breaking changes

• Yes
• No

Related issues

Security considerations

This change surfaces a security risk to operators who leave default credentials in place when deploying to production. It does not change any authentication logic but ensures users are explicitly warned about insecure default passwords for PostgreSQL and Redis.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 81d2e10b-90a9-4a5b-aef8-b3d21329221f

📥 Commits

Reviewing files that changed from the base of the PR and between 029741c and 08770b6.

📒 Files selected for processing (1)

• helm-charts/bifrost/templates/NOTES.txt

---

📝 Walkthrough

Summary by CodeRabbit

• Documentation
  • Added security warnings to installation notes alerting users when default credentials are detected in PostgreSQL and Redis configurations.

Walkthrough

The Helm chart NOTES template now includes conditional warning messages that alert operators when default credentials remain in the deployment configuration. PostgreSQL warnings trigger when PostgreSQL is enabled with the default password, and Redis warnings trigger when the vector store is configured with Redis auth enabled and default credentials.

Changes

Default Credential Warnings in Helm Chart Notes

Layer / File(s)	Summary
Credential warning messages helm-charts/bifrost/templates/NOTES.txt	Conditional Helm template blocks added to warn about default PostgreSQL (bifrost_password) and Redis (redis_password) credentials when those services are enabled with those specific default values.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through Helm charts bright,
With warnings now shown in the light,
No more defaults left unseen—
Credentials checked, secure and keen! 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding default password warnings for PostgreSQL and Redis in the Helm chart NOTES.txt file.
Description check	✅ Passed	The description covers all essential sections including summary, changes, type of change, affected areas, testing instructions, security considerations, and breaking changes assessment.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 05-20-chore_show_warning_if_using_default_password_for_postgres_and_redis

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[BearTS]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore: bump Bifrost Helm chart to 2.1.18 with feature flags, model catalog URL, and bug fixes #3623
• feat: add access_profile_id support to bifrost helm chart virtual key schema and helpers #3622
• fix: sort provider secrets and weaviate env vars alphabetically for deterministic Helm rendering #3621
• feat: add default password warnings for PostgreSQL and Redis in Helm chart NOTES.txt #3620 👈 (View in Graphite)
• fix: gate Weaviate PVC creation on persistence.enabled #3619
• fix: use REDISCLI_AUTH env var to avoid passing password via -a flag in Redis health checks #3618
• feat: add optional gRPC port to bifrost cluster deployment and service #3617
• feat: add timeout comments to guardrail rule and provider entries in values.yaml #3612
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Confidence Score: 5/5

Safe to merge — the only file changed is NOTES.txt, which is display-only and does not affect chart logic or deployed resources.

The warning conditions are tightly scoped: PostgreSQL checks in-cluster deployment and the exact default value; Redis checks all five conditions required to confirm an in-cluster, auth-enabled instance is using the default credential. No false positives for external deployments or disabled auth paths. All edge cases raised in prior review threads have been addressed in the current implementation.

No files require special attention.

Important Files Changed

Filename	Overview
helm-charts/bifrost/templates/NOTES.txt	Adds two warning blocks for default PostgreSQL and Redis passwords; conditions are correctly scoped to in-cluster deployments with auth enabled and the default credential still in place.

_{Reviews (4): Last reviewed commit: "Update helm-charts/bifrost/templates/NOT..." | Re-trigger Greptile}