##Description
During debugging issues with mounting .ocmconfig files into Docker containers, we had hard times finding the real root case for the issue, e.g. getting this error:
time=2025-10-29T14:08:13.004Z level=DEBUG msg="could not get configuration" error="could not read data: read /home/runner/work/open-component-model/open-component-model/bindings/go/helm/.ocmconfig: is a directory"
time=2025-10-29T14:08:13.005Z level=DEBUG msg="no plugins found at location" location=/root/.config/ocm/plugins
time=2025-10-29T14:08:13.005Z level=DEBUG msg="no plugins found at any of the configured locations" locations=/root/.config/ocm/plugins
time=2025-10-29T14:08:13.011Z level=DEBUG msg="starting discovery based on components in constructor" components="[name=ocm.software/plugins/helminput,version=main]"
time=2025-10-29T14:08:13.011Z level=DEBUG msg="component reference discovery completed successfully"
time=2025-10-29T14:08:13.011Z level=DEBUG msg="starting processing of discovered component graph"
time=2025-10-29T14:08:13.011Z level=DEBUG msg="created base descriptor" realm=constructor component=ocm.software/plugins/helminput version=main
time=2025-10-29T14:08:13.011Z level=DEBUG msg="resolving credentials for repository \"ghcr.io/morri-son/plugins\" failed: failed to resolve credentials for identity \"hostname=ghcr.io,path=/morri-son/plugins,port=443,scheme=https,type=OCIRepository\": no indirect credentials found in graph"
Problem
At many places callers follow this pattern:
if err == nil {
if f.credentialProvider != nil {
if credentials, err = f.credentialProvider.Resolve(ctx, consumerIdentity); err != nil {
slog.DebugContext(ctx, fmt.Sprintf("resolving credentials for repository %q failed: %s", specification, err.Error()))
}
}
} else {
slog.DebugContext(ctx, "no credentials found for repository", "realm", Realm, "repository", specification, "error", err)
}This hides real root causes (e.g. unreadable .ocmconfig or missing helper binary) behind messages like
failed to resolve credentials ...: no indirect credentials found in graph,
making it hard to tell if credentials are truly missing or if something is broken.
The credential graph already distinguishes between:
- Not found – no credentials exist (ErrNoDirectCredentials, ErrNoIndirectCredentials)
- Real errors – configuration or environment problems
Callers ignore this distinction and only check err == nil.
Required change
Caller should :
- Treat not found errors as soft failures (optional fallback),
- Surface all other errors so the real cause is visible.
For example, when the Docker credential helper is configured
but not available in PATH, this must be treated as a real error,
not just as “no credentials found in graph”.
Done Criteria
##Description
During debugging issues with mounting .ocmconfig files into Docker containers, we had hard times finding the real root case for the issue, e.g. getting this error:
Problem
At many places callers follow this pattern:
This hides real root causes (e.g. unreadable .ocmconfig or missing helper binary) behind messages like
failed to resolve credentials ...: no indirect credentials found in graph,making it hard to tell if credentials are truly missing or if something is broken.
The credential graph already distinguishes between:
Callers ignore this distinction and only check err == nil.
Required change
Caller should :
For example, when the Docker credential helper is configured
but not available in PATH, this must be treated as a real error,
not just as “no credentials found in graph”.
Done Criteria