feat: introduce Helm ResourceRepository as builtin plugin#2094
Closed
matthiasbruns wants to merge 3 commits into
Closed
feat: introduce Helm ResourceRepository as builtin plugin#2094matthiasbruns wants to merge 3 commits into
matthiasbruns wants to merge 3 commits into
Conversation
Contributor
📝 WalkthroughWalkthroughRemoved the temporary Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
bindings/go/helm/transformation/get_helm_chart.go (1)
57-58: Keep Helm downloads behind one implementation.Credential lookup now goes through
ResourceRepository, but the actual fetch still rebuilds the URL and callshelmdownload.NewReadOnlyChartFromRemotedirectly. That leaves this transformer andbindings/go/helm/repository/resource/resource_repository.gowith separate temp-dir, auth, and future verification behavior to keep in sync. Extract the shared download logic or extend the repository API so both flows stay aligned.Also applies to: 74-101
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bindings/go/helm/transformation/get_helm_chart.go` around lines 57 - 58, This transformer is duplicating download behavior: it gets credentials via ResourceRepository.GetResourceCredentialConsumerIdentity but then rebuilds the URL and calls helmdownload.NewReadOnlyChartFromRemote directly, causing divergent temp-dir/auth/verification logic; fix by moving the remote-chart fetch into a single shared implementation on ResourceRepository (e.g., add a method like FetchChartFromRemote or DownloadChartWithCredentials that accepts ctx, targetResource, consumerId and returns a ready-to-use chart path/reader) and update this file to call that new repository method (replace direct helmdownload.NewReadOnlyChartFromRemote usage and any local temp-dir/auth handling) so both this transformer and bindings/go/helm/repository/resource/resource_repository.go use the exact same download/auth/verify flow.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@bindings/go/helm/repository/resource/resource_repository.go`:
- Around line 99-106: In convertAccess, guard against nil inputs before calling
resource.Access.GetType(): check that resource != nil and resource.Access != nil
and return a validation-style error (e.g., fmt.Errorf or a typed validation
error) instead of letting GetType panic; update the function (convertAccess) to
perform these nil checks at the top and return a clear error message like
"invalid resource: missing access" so callers receive an error for malformed
descriptor input rather than crashing.
- Line 24: The DownloadResource implementation in ResourceRepository currently
returns the fetched chart without verifying the downloaded blob against the
resource descriptor’s integrity metadata; update the DownloadResource method
(and the similar code path around lines 61-92) to, after downloading the blob,
compute the blob’s digest(s)/checksum(s) using the same algorithm(s) expected by
the descriptor and compare them against the descriptor’s integrity fields (e.g.,
the Resource/descriptor integrity/checksum values exposed by the descriptor
API); if the verification fails, return an error and do not return the blob—only
return the blob when the digest comparison matches the descriptor’s integrity
metadata.
---
Nitpick comments:
In `@bindings/go/helm/transformation/get_helm_chart.go`:
- Around line 57-58: This transformer is duplicating download behavior: it gets
credentials via ResourceRepository.GetResourceCredentialConsumerIdentity but
then rebuilds the URL and calls helmdownload.NewReadOnlyChartFromRemote
directly, causing divergent temp-dir/auth/verification logic; fix by moving the
remote-chart fetch into a single shared implementation on ResourceRepository
(e.g., add a method like FetchChartFromRemote or DownloadChartWithCredentials
that accepts ctx, targetResource, consumerId and returns a ready-to-use chart
path/reader) and update this file to call that new repository method (replace
direct helmdownload.NewReadOnlyChartFromRemote usage and any local temp-dir/auth
handling) so both this transformer and
bindings/go/helm/repository/resource/resource_repository.go use the exact same
download/auth/verify flow.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 8dd302d7-716e-4939-9294-1f7c40530595
📒 Files selected for processing (9)
bindings/go/helm/access/access.gobindings/go/helm/access/access_test.gobindings/go/helm/interface.gobindings/go/helm/repository/resource/resource_repository.gobindings/go/helm/repository/resource/resource_repository_test.gobindings/go/helm/transformation/get_helm_chart.gobindings/go/helm/transformation/get_helm_chart_test.gobindings/go/transfer/internal/builder.gocli/internal/plugin/builtin/builtin.go
💤 Files with no reviewable changes (2)
- bindings/go/helm/access/access.go
- bindings/go/helm/interface.go
Implement a Helm-based ResourceRepository that allows `download resource` to work with helm/v1 access types. This replaces the temporary ResourceConsumerIdentityProvider interface with a proper ResourceRepository implementation following the OCI pattern. Closes open-component-model/ocm-project#911
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
cde2c95 to
656e441
Compare
matthiasbruns
added a commit
that referenced
this pull request
Apr 16, 2026
#### What this PR does / why we need it Introduces a Helm-based `ResourceRepository` implementing `repository.ResourceRepository` and `bindings/go/plugin/manager/registries/resource/contract.go`. Full usage can be seen here: #2130 #### Which issue(s) this PR fixes Contributes open-component-model/ocm-project#911 #### CLI PR #2094 #### Testing Fully tested in #2130 #### Helm ResourceRepository — Changes compared to legacy OCM - **CLI & transfer** will use the `ResourceRepository` interface instead of the deprecated `HelmAccess` struct for credential identity resolution and chart downloads - **Deprecated types removed**: `helm.ResourceConsumerIdentityProvider` interface, `helmaccess.HelmAccess` struct, and their tests — functionality is covered by `ResourceRepository` - **Blob format**: Downloads return a `ChartBlob` (tar archive wrapping `.tgz` + optional `.prov`), replacing the legacy pattern of separate blob accessors for chart and provenance - **Plugin registration**: The helm `ResourceRepository` is registered as a builtin plugin alongside the existing OCI and digest processor plugins in #2130 ##### Intentional differences from legacy | | Legacy OCM | New | |--------------------------------------|-------------------------------------------------------------------|--------------------------------------------------------------| | `CACert` / `Keyring` on access spec | Supported as inline fields | Omitted — use credential resolver instead | | OCI-hosted helm charts (`oci://`) | Handled by helm access method with separate OCI download path | Should use the OCI ResourceRepository (separate access type) | | Blob return format (only internally) | Raw `.tgz` blob (`ChartLayerMediaType`), prov accessed separately | `ChartBlob` tar wrapping both `.tgz` and `.prov` | | Local charts | Not in access method (`IsLocal() = false`) | Not in ResourceRepository — handled by helm input plugin | ##### Test coverage - Unit tests for `ResourceRepository` (credential identity, download, temp folder usage, nil guards) - Unit tests for `ChartBlob` extraction (using real testdata charts) - Integration test: `add cv` with helm access to OCI registry - Integration test: `download resource` with helm access from CTF (byte-level verification) - Shell test: end-to-end download of podinfo chart with SHA256 verification --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> Co-authored-by: Jakob Möller <contact@jakob-moeller.com>
ocmbot Bot
pushed a commit
that referenced
this pull request
Apr 16, 2026
#### What this PR does / why we need it Introduces a Helm-based `ResourceRepository` implementing `repository.ResourceRepository` and `bindings/go/plugin/manager/registries/resource/contract.go`. Full usage can be seen here: #2130 #### Which issue(s) this PR fixes Contributes open-component-model/ocm-project#911 #### CLI PR #2094 #### Testing Fully tested in #2130 #### Helm ResourceRepository — Changes compared to legacy OCM - **CLI & transfer** will use the `ResourceRepository` interface instead of the deprecated `HelmAccess` struct for credential identity resolution and chart downloads - **Deprecated types removed**: `helm.ResourceConsumerIdentityProvider` interface, `helmaccess.HelmAccess` struct, and their tests — functionality is covered by `ResourceRepository` - **Blob format**: Downloads return a `ChartBlob` (tar archive wrapping `.tgz` + optional `.prov`), replacing the legacy pattern of separate blob accessors for chart and provenance - **Plugin registration**: The helm `ResourceRepository` is registered as a builtin plugin alongside the existing OCI and digest processor plugins in #2130 ##### Intentional differences from legacy | | Legacy OCM | New | |--------------------------------------|-------------------------------------------------------------------|--------------------------------------------------------------| | `CACert` / `Keyring` on access spec | Supported as inline fields | Omitted — use credential resolver instead | | OCI-hosted helm charts (`oci://`) | Handled by helm access method with separate OCI download path | Should use the OCI ResourceRepository (separate access type) | | Blob return format (only internally) | Raw `.tgz` blob (`ChartLayerMediaType`), prov accessed separately | `ChartBlob` tar wrapping both `.tgz` and `.prov` | | Local charts | Not in access method (`IsLocal() = false`) | Not in ResourceRepository — handled by helm input plugin | ##### Test coverage - Unit tests for `ResourceRepository` (credential identity, download, temp folder usage, nil guards) - Unit tests for `ChartBlob` extraction (using real testdata charts) - Integration test: `add cv` with helm access to OCI registry - Integration test: `download resource` with helm access from CTF (byte-level verification) - Shell test: end-to-end download of podinfo chart with SHA256 verification --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> Co-authored-by: Jakob Möller <contact@jakob-moeller.com> 2207446
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it
Introduces a Helm-based
ResourceRepositoryimplementingrepository.ResourceRepositoryandbindings/go/plugin/manager/registries/resource/contract.go, registered as a builtin plugin. This enablesdownload resourceto work withhelm/v1access types and replaces the temporaryResourceConsumerIdentityProviderinterface with a properResourceRepositoryfollowing the OCI pattern.Which issue(s) this PR fixes
Fixes open-component-model/ocm-project#911
Sub PRs