Add configurable admin password via environment variable

- Add ORCHARD_ADMIN_PASSWORD env var to set initial admin password
- When set, admin user created without forced password change
- Add AWS Secrets Manager support for stage/prod deployments
- Add .env file support for local docker development
- Add Helm chart auth config (adminPassword, existingSecret, secretsManager)

Environments configured:
- Local: .env file or defaults to changeme123
- Feature/dev: orchardtest123 (hardcoded in values-dev.yaml)
- Stage: AWS Secrets Manager (orchard-stage-creds)
- Prod: AWS Secrets Manager (orch-prod-creds)

.gitlab-ci.yml

@@ -15,6 +15,7 @@ variables:
   STAGE_RDS_HOST: orchard-stage.cluster-cvw3jzjkozoc.us-gov-west-1.rds.amazonaws.com
   STAGE_RDS_DBNAME: postgres
   STAGE_SECRET_ARN: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:rds!cluster-a573672b-1a38-4665-a654-1b7df37b5297-IaeFQL"
+  STAGE_AUTH_SECRET_ARN: "arn:aws-us-gov:secretsmanager:us-gov-west-1:052673043337:secret:orchard-stage-creds-SMqvQx"
   STAGE_S3_BUCKET: orchard-artifacts-stage
   AWS_REGION: us-gov-west-1
   # Shared pip cache directory
@@ -205,7 +206,7 @@ release:
   timeout: 5m
   retry: 1  # Retry once on transient failures
   before_script:
-    - pip install --index-url "$PIP_INDEX_URL" httpx
+    - pip install --index-url "$PIP_INDEX_URL" httpx boto3
   script:
     - |
       python - <<'RESET_SCRIPT'
@@ -213,13 +214,30 @@ release:
       import sys
       import os
       import time
+      import json
+      import boto3
 
       BASE_URL = os.environ.get("STAGE_URL", "")
       ADMIN_USER = "admin"
-      ADMIN_PASS = "changeme123"  # Default admin password
       MAX_RETRIES = 3
       RETRY_DELAY = 5  # seconds
 
+      # Fetch admin password from AWS Secrets Manager
+      secret_arn = os.environ.get("STAGE_AUTH_SECRET_ARN", "")
+      if not secret_arn:
+          print("ERROR: STAGE_AUTH_SECRET_ARN environment variable not set")
+          sys.exit(1)
+
+      try:
+          client = boto3.client('secretsmanager', region_name=os.environ.get("AWS_REGION", "us-gov-west-1"))
+          secret = client.get_secret_value(SecretId=secret_arn)
+          data = json.loads(secret['SecretString'])
+          ADMIN_PASS = data['admin_password']
+          print("Successfully fetched admin password from Secrets Manager")
+      except Exception as e:
+          print(f"ERROR: Failed to fetch secret: {e}")
+          sys.exit(1)
+
       if not BASE_URL:
           print("ERROR: STAGE_URL environment variable not set")
           sys.exit(1)
@@ -286,6 +304,19 @@ integration_test_stage:
   needs: [reset_stage_pre]
   variables:
     ORCHARD_TEST_URL: $STAGE_URL
+  before_script:
+    - pip install --index-url "$PIP_INDEX_URL" -r backend/requirements.txt
+    - pip install --index-url "$PIP_INDEX_URL" pytest pytest-asyncio httpx boto3
+    # Fetch admin password from AWS Secrets Manager
+    - |
+      export ORCHARD_TEST_PASSWORD=$(python -c "
+      import boto3
+      import json
+      client = boto3.client('secretsmanager', region_name='$AWS_REGION')
+      secret = client.get_secret_value(SecretId='$STAGE_AUTH_SECRET_ARN')
+      data = json.loads(secret['SecretString'])
+      print(data['admin_password'])
+      ")
   rules:
     - if: '$CI_COMMIT_BRANCH == "main"'
       when: on_success
@@ -302,6 +333,7 @@ integration_test_feature:
   needs: [deploy_feature]
   variables:
     ORCHARD_TEST_URL: https://orchard-$CI_COMMIT_REF_SLUG.common.global.bsf.tools
+    ORCHARD_TEST_PASSWORD: orchardtest123  # Matches values-dev.yaml orchard.auth.adminPassword
   rules:
     - if: '$CI_COMMIT_BRANCH && $CI_COMMIT_BRANCH != "main"'
       when: on_success