feat!: helm resource repo bindings#2128
Merged
matthiasbruns merged 47 commits intoApr 16, 2026
Merged
Conversation
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughReplaces the Helm access/provider pattern with a repository-backed flow: adds a Helm ResourceRepository and ChartBlob for tar-based chart/provenance extraction, centralizes credential identity logic in helminternal.CredentialConsumerIdentity, updates transformer/digest to use the repository, and adds docs and tests. Changes
Sequence Diagram(s)sequenceDiagram
participant Client
participant ResourceRepo as ResourceRepository
participant CredResolver as CredentialResolver
participant HelmServer as Helm HTTP Server
participant ChartBlob
Client->>ResourceRepo: GetResourceCredentialConsumerIdentity(resource)
ResourceRepo->>ResourceRepo: helminternal.CredentialConsumerIdentity(helmRepository)
ResourceRepo-->>Client: runtime.Identity
Client->>CredResolver: Resolve(identity)
CredResolver-->>Client: credentials map
Client->>ResourceRepo: DownloadResource(resource, credentials)
ResourceRepo->>HelmServer: HTTP GET chart + prov
HelmServer-->>ResourceRepo: chart files
ResourceRepo->>ResourceRepo: write files to temp dir\ncreate in-memory tar
ResourceRepo->>ChartBlob: NewChartBlob(tarBlob)
ResourceRepo-->>Client: ChartBlob
Client->>ChartBlob: ChartArchive()
ChartBlob->>ChartBlob: extract .tgz (lazy, once)
ChartBlob-->>Client: chart ReadOnlyBlob
Client->>ChartBlob: ProvFile()
ChartBlob->>ChartBlob: extract .prov (lazy, once)
ChartBlob-->>Client: prov ReadOnlyBlob
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
a414233 to
752bf5b
Compare
1d70fb1 to
7fcba25
Compare
1 task
4606a24 to
584fead
Compare
Contributor
Author
|
@coderabbitai review fully |
Contributor
|
🧠 Learnings used✅ Actions performedFull review triggered. |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 4
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
bindings/go/helm/transformation/get_helm_chart.go (1)
59-67:⚠️ Potential issue | 🔴 CriticalNil pointer dereference:
ResourceRepositorynot guarded before download call.Line 59 guards
ResourceRepositoryonly for credential resolution, but line 78 callst.ResourceRepository.DownloadResource()unconditionally. IfResourceRepositoryis nil, this will panic.🐛 Proposed fix: add nil guard or make ResourceRepository required
Option 1 - Add nil guard with explicit error:
+ if t.ResourceRepository == nil { + return nil, fmt.Errorf("ResourceRepository is required for helm chart download") + } + // Download the chart content via the ResourceRepository. // The returned blob is a ChartBlob that provides structured access to the chart archive and prov file. downloadedBlob, err := t.ResourceRepository.DownloadResource(ctx, targetResource, creds)Option 2 - Remove the nil guard on line 59 to make the panic fail-fast during credential resolution (if nil is never expected).
Also applies to: 76-81
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bindings/go/helm/transformation/get_helm_chart.go` around lines 59 - 67, The code only nil-checks t.ResourceRepository when resolving credentials but later calls t.ResourceRepository.DownloadResource unconditionally (risking a nil-pointer panic); update get_helm_chart.go to guard t.ResourceRepository before any use — either return a clear error if ResourceRepository is nil (e.g., "resource repository required") or move/remove the earlier conditional so ResourceRepository is validated up-front; specifically adjust the logic around t.ResourceRepository, GetResourceCredentialConsumerIdentity, Resolve and DownloadResource so DownloadResource is only invoked when t.ResourceRepository != nil (or ensure ResourceRepository is required and checked at function start).
🧹 Nitpick comments (2)
bindings/go/helm/blob/chart_blob_test.go (1)
160-177: This doesn't actually assert one-time extraction.The test still passes if
ChartArchive()re-reads the tar on every call, because it only compares the returned bytes. If the lazy/cache contract matters here, wraptarBlobin a small spy and assertReadCloser()is hit once across repeatedChartArchive()/ProvFile()calls.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bindings/go/helm/blob/chart_blob_test.go` around lines 160 - 177, The test TestChartBlob_ExtractionIsLazy only compares returned bytes so it won't detect repeated reads; replace the raw tarBlob with a small spy/wrapper around the io.ReadCloser produced by createTarBlobFromTestdata that counts calls to Read/Close (or ReadCloser() if that's the method on the underlying blob) and expose that counter; then call cb.ChartArchive() (and cb.ProvFile() if relevant) multiple times and assert the spy's read count equals 1 to verify the extraction is performed only once; reference the ChartBlob type and its methods ChartArchive and ProvFile and wrap the tarBlob used to construct helmblob.NewChartBlob with the spy wrapper to track reads.bindings/go/helm/repository/resource/resource_repository.go (1)
26-33: Documentation mismatch: also implementsBuiltinResourceRepository.The comment states this implements
repository.ResourceRepository, butGetResourceRepositoryScheme()(lines 46-48) is defined inBuiltinResourceRepository(perbindings/go/plugin/manager/registries/resource/contract.go:30-33). Consider updating the doc to reflect the full interface:-// ResourceRepository implements [repository.ResourceRepository] for Helm charts. +// ResourceRepository implements [repository.ResourceRepository] and the plugin +// [BuiltinResourceRepository] interface for Helm charts.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bindings/go/helm/repository/resource/resource_repository.go` around lines 26 - 33, The struct comment for ResourceRepository is incomplete: update the doc comment to state that ResourceRepository implements both repository.ResourceRepository and BuiltinResourceRepository (which includes GetResourceRepositoryScheme), so editors can see it satisfies the plugin registry contract; adjust the top-of-file comment that currently references only repository.ResourceRepository to include BuiltinResourceRepository and mention GetResourceRepositoryScheme as the defining method.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@bindings/go/helm/blob/chart_blob.go`:
- Around line 54-57: ensureExtracted currently can panic on a nil receiver or a
nil source blob; add guards at the start of ChartBlob.ensureExtracted so it
fails closed: if the receiver is nil, immediately return a descriptive error; if
c.ReadOnlyBlob is nil, set c.err to a descriptive error and return it (so
subsequent callers see the failure) before invoking c.extract.Do; otherwise
proceed to call extractFromTar as before. Reference symbols:
ChartBlob.ensureExtracted, NewChartBlob, c.ReadOnlyBlob, extractFromTar, c.err,
and c.extract.Do.
In `@bindings/go/helm/repository/resource/resource_repository_test.go`:
- Around line 158-162: The subtest "returns error for invalid repository URL"
currently passes an empty helmChart to helmResource(t,
"https://localhost:0/nonexistent", ""), causing the earlier "chart name is
required" validation to trigger instead of exercising the repository
URL/transport error; update the call to helmResource (used by the
repo.DownloadResource test) to pass a non-empty chart name (e.g., "testchart" or
"mychart") so the test reaches the invalid-URL branch and asserts the transport
error from repo.DownloadResource.
In `@bindings/go/helm/repository/resource/resource_repository.go`:
- Around line 131-186: In tarDirectoryRecursive, the tar.Writer (tw) must be
explicitly closed before building the inmemory blob so the tar footer is flushed
and any close error is handled; replace the current deferred tw.Close() with an
explicit close call just after filepath.Walk finishes and before the return that
creates inmemory.New, check and propagate/log any error from tw.Close(), and
only then call inmemory.New(&buf, inmemory.WithMediaType("application/x-tar")).
In `@bindings/go/helm/transformation/get_helm_chart.go`:
- Around line 28-33: Update bindings/go/transfer/internal/builder.go to
initialize the GetHelmChart struct using the new ResourceRepository field
instead of the removed ResourceConsumerIdentityProvider: locate the GetHelmChart
construction (currently assigning to ResourceConsumerIdentityProvider) and
replace that assignment with ResourceRepository: resourceRepo, while keeping
Scheme and CredentialProvider assignments (use transformerScheme and
credentialProvider as before) so the struct fields match the GetHelmChart type.
---
Outside diff comments:
In `@bindings/go/helm/transformation/get_helm_chart.go`:
- Around line 59-67: The code only nil-checks t.ResourceRepository when
resolving credentials but later calls t.ResourceRepository.DownloadResource
unconditionally (risking a nil-pointer panic); update get_helm_chart.go to guard
t.ResourceRepository before any use — either return a clear error if
ResourceRepository is nil (e.g., "resource repository required") or move/remove
the earlier conditional so ResourceRepository is validated up-front;
specifically adjust the logic around t.ResourceRepository,
GetResourceCredentialConsumerIdentity, Resolve and DownloadResource so
DownloadResource is only invoked when t.ResourceRepository != nil (or ensure
ResourceRepository is required and checked at function start).
---
Nitpick comments:
In `@bindings/go/helm/blob/chart_blob_test.go`:
- Around line 160-177: The test TestChartBlob_ExtractionIsLazy only compares
returned bytes so it won't detect repeated reads; replace the raw tarBlob with a
small spy/wrapper around the io.ReadCloser produced by createTarBlobFromTestdata
that counts calls to Read/Close (or ReadCloser() if that's the method on the
underlying blob) and expose that counter; then call cb.ChartArchive() (and
cb.ProvFile() if relevant) multiple times and assert the spy's read count equals
1 to verify the extraction is performed only once; reference the ChartBlob type
and its methods ChartArchive and ProvFile and wrap the tarBlob used to construct
helmblob.NewChartBlob with the spy wrapper to track reads.
In `@bindings/go/helm/repository/resource/resource_repository.go`:
- Around line 26-33: The struct comment for ResourceRepository is incomplete:
update the doc comment to state that ResourceRepository implements both
repository.ResourceRepository and BuiltinResourceRepository (which includes
GetResourceRepositoryScheme), so editors can see it satisfies the plugin
registry contract; adjust the top-of-file comment that currently references only
repository.ResourceRepository to include BuiltinResourceRepository and mention
GetResourceRepositoryScheme as the defining method.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ce7bf3b4-ae3f-412e-b6d2-ac185a4881b7
📒 Files selected for processing (13)
bindings/go/helm/access/access.gobindings/go/helm/access/access_test.gobindings/go/helm/access/spec/v1/helm.gobindings/go/helm/access/spec/v1/schemas/Helm.schema.jsonbindings/go/helm/blob/chart_blob.gobindings/go/helm/blob/chart_blob_test.gobindings/go/helm/blob/doc.gobindings/go/helm/interface.gobindings/go/helm/repository/resource/doc.gobindings/go/helm/repository/resource/resource_repository.gobindings/go/helm/repository/resource/resource_repository_test.gobindings/go/helm/transformation/get_helm_chart.gobindings/go/helm/transformation/get_helm_chart_test.go
💤 Files with no reviewable changes (3)
- bindings/go/helm/interface.go
- bindings/go/helm/access/access_test.go
- bindings/go/helm/access/access.go
Contributor
Author
|
@coderabbitai review again |
Contributor
|
🧠 Learnings used✅ Actions performedFull review triggered. |
Contributor
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
bindings/go/helm/blob/chart_blob.go (1)
87-100: Consider warning or erroring when multiple.tgzfiles are found.If a tar archive contains multiple
.tgzentries, the current implementation silently uses the last one. While theResourceRepositoryshould only produce single-chart tars, adding a check could help catch malformed archives early.💡 Optional enhancement
switch { case strings.HasSuffix(header.Name, ".tgz"): + if chartBlob != nil { + return nil, nil, fmt.Errorf("multiple chart (.tgz) files found in tar archive") + } chartBlob = inmemory.New( bytes.NewReader(data), inmemory.WithMediaType(compression.MediaTypeGzip), inmemory.WithSize(int64(len(data))), )🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bindings/go/helm/blob/chart_blob.go` around lines 87 - 100, The loop that processes tar headers currently overwrites chartBlob when multiple entries match ".tgz"; add a guard so when you encounter a ".tgz" and chartBlob is already non-nil you surface the problem instead of silently using the last one — e.g., detect chartBlob != nil inside the case for strings.HasSuffix(header.Name, ".tgz") and either return an explicit error (preferred) like "multiple .tgz entries in chart tar" or emit a clear warning via the package logger; update the containing function's error handling/return signature accordingly and ensure callers handle the new error path (refer to symbols chartBlob, header.Name, and the switch/case block around inmemory.New).bindings/go/helm/repository/resource/resource_repository.go (1)
141-149: Close each archived file immediately instead of deferring inside the walk.
defer f.Close()in the callback keeps every descriptor open until the full walk completes. That is small today, but this helper is generic enough that it is worth closing on each iteration.One way to tighten the callback
f, err := root.Open(path) if err != nil { return fmt.Errorf("error opening file %s: %w", path, err) } - defer func() { _ = f.Close() }() - if _, err := io.Copy(tw, f); err != nil { + _ = f.Close() return fmt.Errorf("error writing file %s to tar: %w", path, err) } + if err := f.Close(); err != nil { + return fmt.Errorf("error closing file %s: %w", path, err) + } return nil })🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bindings/go/helm/repository/resource/resource_repository.go` around lines 141 - 149, The callback that opens files using root.Open(path) currently defers f.Close(), keeping descriptors open for the whole walk; change it to close each file immediately after use by removing the defer and calling f.Close() right after the io.Copy(tw, f) call (handle and return any Close error appropriately, e.g., wrap it with fmt.Errorf), so the sequence in the callback is: open file via root.Open(path), io.Copy to tw, call f.Close(), and propagate any errors from Copy or Close; update error messages to reference path and use the same wrapping style used elsewhere in this file.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@bindings/go/helm/repository/resource/doc.go`:
- Around line 32-36: The comment incorrectly states that the Helm repository is
registered in the CLI; update the doc text to present the registration snippet
as an example or optional follow-up step rather than asserting current behavior.
Edit the block that references
manager.ResourcePluginRegistry.RegisterInternalResourcePlugin and
resource.NewResourceRepository to say something like "For example, you can
register the repository in the CLI with:" or "As a follow-up you may register
the repository:" so it no longer claims it is already wired by default.
In `@bindings/go/helm/transformation/get_helm_chart.go`:
- Around line 30-32: The code calls t.ResourceRepository.DownloadResource(...)
(and other uses of t.ResourceRepository around the GetHelmChart flow) without
checking for nil, causing a panic when the repository isn't wired; update the
code in the GetHelmChart logic to validate t.ResourceRepository at the start (or
before each use) and return a regular error (not a panic) if it's nil, e.g.,
return fmt.Errorf("missing ResourceRepository: ...") so callers receive a
configuration error instead of a nil-pointer panic; apply the same
nil-check/early-error pattern to all sites where t.ResourceRepository is used
(references around lines where DownloadResource is invoked).
---
Nitpick comments:
In `@bindings/go/helm/blob/chart_blob.go`:
- Around line 87-100: The loop that processes tar headers currently overwrites
chartBlob when multiple entries match ".tgz"; add a guard so when you encounter
a ".tgz" and chartBlob is already non-nil you surface the problem instead of
silently using the last one — e.g., detect chartBlob != nil inside the case for
strings.HasSuffix(header.Name, ".tgz") and either return an explicit error
(preferred) like "multiple .tgz entries in chart tar" or emit a clear warning
via the package logger; update the containing function's error handling/return
signature accordingly and ensure callers handle the new error path (refer to
symbols chartBlob, header.Name, and the switch/case block around inmemory.New).
In `@bindings/go/helm/repository/resource/resource_repository.go`:
- Around line 141-149: The callback that opens files using root.Open(path)
currently defers f.Close(), keeping descriptors open for the whole walk; change
it to close each file immediately after use by removing the defer and calling
f.Close() right after the io.Copy(tw, f) call (handle and return any Close error
appropriately, e.g., wrap it with fmt.Errorf), so the sequence in the callback
is: open file via root.Open(path), io.Copy to tw, call f.Close(), and propagate
any errors from Copy or Close; update error messages to reference path and use
the same wrapping style used elsewhere in this file.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: d3f33907-2dbb-4f20-901e-d56a20bc4ca9
📒 Files selected for processing (15)
bindings/go/helm/access/access.gobindings/go/helm/access/access_test.gobindings/go/helm/access/spec/v1/helm.gobindings/go/helm/access/spec/v1/schemas/Helm.schema.jsonbindings/go/helm/blob/chart_blob.gobindings/go/helm/blob/chart_blob_test.gobindings/go/helm/blob/doc.gobindings/go/helm/digest/digest.gobindings/go/helm/input/method.gobindings/go/helm/interface.gobindings/go/helm/repository/resource/doc.gobindings/go/helm/repository/resource/resource_repository.gobindings/go/helm/repository/resource/resource_repository_test.gobindings/go/helm/transformation/get_helm_chart.gobindings/go/helm/transformation/get_helm_chart_test.go
💤 Files with no reviewable changes (2)
- bindings/go/helm/interface.go
- bindings/go/helm/access/access_test.go
e6fab60 to
7271f02
Compare
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (1)
bindings/go/helm/transformation/get_helm_chart.go (1)
62-62: Minor: Redundant nil check forResourceRepository.The
t.ResourceRepository != nilcheck at line 62 is redundant since line 43 already returns an error ifResourceRepositoryis nil. This is harmless but could be simplified.♻️ Optional simplification
- if t.CredentialProvider != nil && t.ResourceRepository != nil { + if t.CredentialProvider != nil {🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@bindings/go/helm/transformation/get_helm_chart.go` at line 62, The conditional `if t.CredentialProvider != nil && t.ResourceRepository != nil` contains a redundant `t.ResourceRepository != nil` check because earlier in the function `t.ResourceRepository` is already validated and an error returned if nil; simplify the condition to only check `t.CredentialProvider != nil` (e.g., replace the combined conditional with `if t.CredentialProvider != nil`) so the branch logic remains the same but the redundant nil check is removed; ensure you update any nearby comments or logic that assumed the combined check to avoid changing behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@bindings/go/helm/transformation/get_helm_chart.go`:
- Line 62: The conditional `if t.CredentialProvider != nil &&
t.ResourceRepository != nil` contains a redundant `t.ResourceRepository != nil`
check because earlier in the function `t.ResourceRepository` is already
validated and an error returned if nil; simplify the condition to only check
`t.CredentialProvider != nil` (e.g., replace the combined conditional with `if
t.CredentialProvider != nil`) so the branch logic remains the same but the
redundant nil check is removed; ensure you update any nearby comments or logic
that assumed the combined check to avoid changing behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e648b494-c8ff-42df-a966-431dfcb5965b
📒 Files selected for processing (7)
bindings/go/helm/access/access.gobindings/go/helm/blob/chart_blob_test.gobindings/go/helm/digest/digest.gobindings/go/helm/internal/credentials.gobindings/go/helm/internal/credentials_test.gobindings/go/helm/repository/resource/resource_repository.gobindings/go/helm/transformation/get_helm_chart.go
💤 Files with no reviewable changes (1)
- bindings/go/helm/access/access.go
🚧 Files skipped from review as they are similar to previous changes (2)
- bindings/go/helm/digest/digest.go
- bindings/go/helm/blob/chart_blob_test.go
jakobmoellerdev
left a comment
Member
There was a problem hiding this comment.
This is a really cool change 🚀 First pass didnt make me flag anything but need to read through the repo changes more in detail
Contributor
Author
|
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
913520d to
ba06438
Compare
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
jakobmoellerdev
previously approved these changes
Apr 16, 2026
Use the existing filesystem.GetBlobFromPath to create tar archives from the helm download directory instead of a hand-rolled tarDirectoryRecursive implementation. The streaming blob is eagerly materialized into an inmemory blob before the temp directory cleanup runs. Resolves the TODO at resource_repository.go:118 and closes open-component-model/ocm-project#1014. Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
…tion Replace manual ReadCloser+New+Load+Close sequence with cache.Cache() which does the same thing and also preserves size/digest/mediaType metadata from the streaming blob. Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
195e8b8 to
2be84d3
Compare
fabianburth
approved these changes
Apr 16, 2026
jakobmoellerdev
approved these changes
Apr 16, 2026
ocmbot Bot
pushed a commit
that referenced
this pull request
Apr 16, 2026
#### What this PR does / why we need it Introduces a Helm-based `ResourceRepository` implementing `repository.ResourceRepository` and `bindings/go/plugin/manager/registries/resource/contract.go`. Full usage can be seen here: #2130 #### Which issue(s) this PR fixes Contributes open-component-model/ocm-project#911 #### CLI PR #2094 #### Testing Fully tested in #2130 #### Helm ResourceRepository — Changes compared to legacy OCM - **CLI & transfer** will use the `ResourceRepository` interface instead of the deprecated `HelmAccess` struct for credential identity resolution and chart downloads - **Deprecated types removed**: `helm.ResourceConsumerIdentityProvider` interface, `helmaccess.HelmAccess` struct, and their tests — functionality is covered by `ResourceRepository` - **Blob format**: Downloads return a `ChartBlob` (tar archive wrapping `.tgz` + optional `.prov`), replacing the legacy pattern of separate blob accessors for chart and provenance - **Plugin registration**: The helm `ResourceRepository` is registered as a builtin plugin alongside the existing OCI and digest processor plugins in #2130 ##### Intentional differences from legacy | | Legacy OCM | New | |--------------------------------------|-------------------------------------------------------------------|--------------------------------------------------------------| | `CACert` / `Keyring` on access spec | Supported as inline fields | Omitted — use credential resolver instead | | OCI-hosted helm charts (`oci://`) | Handled by helm access method with separate OCI download path | Should use the OCI ResourceRepository (separate access type) | | Blob return format (only internally) | Raw `.tgz` blob (`ChartLayerMediaType`), prov accessed separately | `ChartBlob` tar wrapping both `.tgz` and `.prov` | | Local charts | Not in access method (`IsLocal() = false`) | Not in ResourceRepository — handled by helm input plugin | ##### Test coverage - Unit tests for `ResourceRepository` (credential identity, download, temp folder usage, nil guards) - Unit tests for `ChartBlob` extraction (using real testdata charts) - Integration test: `add cv` with helm access to OCI registry - Integration test: `download resource` with helm access from CTF (byte-level verification) - Shell test: end-to-end download of podinfo chart with SHA256 verification --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> Co-authored-by: Jakob Möller <contact@jakob-moeller.com> 2207446
matthiasbruns
added a commit
that referenced
this pull request
Apr 16, 2026
<!-- markdownlint-disable MD041 --> #### What this PR does / why we need it Follow up of #2128 `transfer` are refactored to use the new Helm ResourceRepository. #### Which issue(s) this PR fixes Contributes open-component-model/ocm-project#911 #### Testing ##### How to test the changes Check comment: #2130 (comment) ##### Verification - [x] I have tested the changes locally by running `ocm` --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
14 tasks
jakobmoellerdev
pushed a commit
that referenced
this pull request
Apr 17, 2026
<!-- markdownlint-disable MD041 --> #### What this PR does / why we need it This PR tied the helm ResourceRepository changes together and updates the spec location changes. Follow up of #2128 `cli` and `transfer` are refactored to use the new Helm ResourceRepository. Also removes the deprecated `Access` and `ResourceConsumerIdentityProvider` #### Which issue(s) this PR fixes Contributes open-component-model/ocm-project#911 #### Testing ##### How to test the changes Check comment: #2130 (comment) ##### Verification - [x] I have tested the changes locally by running `ocm` --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
3 tasks
2 tasks
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it
Introduces a Helm-based
ResourceRepositoryimplementingrepository.ResourceRepositoryandbindings/go/plugin/manager/registries/resource/contract.go.Full usage can be seen here: #2130
Which issue(s) this PR fixes
Contributes open-component-model/ocm-project#911
CLI PR
#2094
Testing
Fully tested in #2130
Helm ResourceRepository — Changes compared to legacy OCM
ResourceRepositoryinterface instead of the deprecatedHelmAccessstruct forcredential identity resolution and chart downloads
helm.ResourceConsumerIdentityProviderinterface,helmaccess.HelmAccessstruct, andtheir tests — functionality is covered by
ResourceRepositoryChartBlob(tar archive wrapping.tgz+ optional.prov), replacing the legacypattern of separate blob accessors for chart and provenance
ResourceRepositoryis registered as a builtin plugin alongside the existing OCIand digest processor plugins in feat: 911 helm resource repo #2130
Intentional differences from legacy
CACert/Keyringon access specoci://).tgzblob (ChartLayerMediaType), prov accessed separatelyChartBlobtar wrapping both.tgzand.provIsLocal() = false)Test coverage
ResourceRepository(credential identity, download, temp folder usage, nil guards)ChartBlobextraction (using real testdata charts)add cvwith helm access to OCI registrydownload resourcewith helm access from CTF (byte-level verification)