docs: ADR Typed credentials and consumer identity types#2149
Merged
matthiasbruns merged 18 commits intoApr 20, 2026
Merged
Conversation
Contributor
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughReordered tokens in the project wordlist, standardized ADR template metadata/date formatting, and added a new ADR proposing typed credentials and consumer identity types for the runtime. Changes
Sequence Diagram(s)sequenceDiagram
participant Client
participant Resolver
participant Scheme
participant IdentityProvider
participant CredentialGraph
Client->>Resolver: Request ResolveTyped(binding, identity)
Resolver->>Scheme: Lookup credential type registrations
Scheme-->>Resolver: Return converters/registered types
Resolver->>IdentityProvider: Check AcceptedCredentialTypes(identity)
IdentityProvider-->>Resolver: Accept / Reject
Resolver->>CredentialGraph: Ingest/validate typed credential
CredentialGraph-->>Resolver: Return runtime.Typed / error
Resolver-->>Client: Respond with typed credential or error
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
fbbfcbc to
4899d17
Compare
3 tasks
6875a1a to
2f38c9f
Compare
198aa52 to
c4cb810
Compare
fabianburth
reviewed
Apr 8, 2026
fabianburth
reviewed
Apr 8, 2026
Contributor
|
Since you did not mention any adjustment to the credential matching mechanism in the ADR, I tried to skim through your prototype. I think |
fabianburth
reviewed
Apr 9, 2026
Closed
7 tasks
Contributor
Author
|
oh I see feedback already :D give me one more focussed day - I will undraft the ADR once I am happy with it @fabianburth |
✅ Deploy Preview for ocm-website canceled.
|
Contributor
Author
POC ValidationBranch
|
472913c to
2fe6028
Compare
Contributor
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/config/wordlist.txt:
- Around line 24-25: The wordlist contains a duplicated entry "Testcontainers";
remove the second occurrence so each entry is unique (i.e., delete the repeated
"Testcontainers" line), and optionally run a quick dedupe check on the file to
ensure no other duplicates remain.
- Around line 686-687: Remove the duplicate entry "structs" from the wordlist:
locate the consecutive lines containing the token "structs" (the duplicate
entries shown in the diff) and delete one of them so "structs" only appears once
in .github/config/wordlist.txt.
In `@docs/adr/0017_typed_credentials.md`:
- Line 157: Replace the word "builtin" with the hyphenated form "built-in"
across the document where used; specifically update the sentence containing the
example "`com.hashicorp.vault.VaultCredentials/v1`" and the nearby phrase that
mentions "HelmHTTPCredentials/v1" (and the other occurrences that read "builtin
types" or "Builtin types") so they read "built-in types" or "Built-in types" as
appropriate for sentence case consistency; ensure you only change the
spelling/casing and keep the surrounding examples and punctuation intact.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: a381ddd9-797f-4372-be3f-7efb59447dc2
📒 Files selected for processing (4)
.github/config/wordlist.txtdocs/adr/0000_template.mddocs/adr/0016_jsonschemagen_performance.mddocs/adr/0017_typed_credentials.md
e62684c to
2bc7714
Compare
jakobmoellerdev
left a comment
Member
There was a problem hiding this comment.
Well done. The concept is very solid and the interfaces are very clear. great job on that.
|
|
||
| - **Credentials are `map[string]string`** — key names like `username`, `password`, `accessToken` are scattered string | ||
| constants with no compile-time guarantees. | ||
| A real bug exists where OCI resource downloads used `access_token` (snake_case) while docker config resolution used |
Contributor
Author
There was a problem hiding this comment.
open-component-model/ocm-project#985 will be added to the adr
13 tasks
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (1)
docs/adr/0017_typed_credentials.md (1)
263-267: Minor: Consider rewording for better readability.Lines 263-265 have three consecutive sentences beginning with "Phase", which slightly impacts readability.
✍️ Suggested rewording
- Module publish order matters — each phase must be merged and published before downstream phases. - Phase 2 PRs can run in parallel across bindings. -- Phase 4 blocks on Phase 2 completion. -- Phase 6 is the only step that removes backward compatibility. +- Repository interface updates (Phase 4) block on completing all binding migrations (Phase 2). +- Only the final cleanup step (Phase 6) removes backward compatibility. - Old `.ocmconfig` files work at every stage.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/adr/0017_typed_credentials.md` around lines 263 - 267, Reword the three consecutive sentences that start with "Phase" (the lines describing Phase 2, Phase 4, and Phase 6) to improve flow and readability—e.g., vary sentence openings and/or combine related ideas so the text reads: explain that Phase 2 PRs can run in parallel across bindings, note that Phase 4 waits for Phase 2 to complete, and emphasize that only Phase 6 removes backward compatibility while confirming old `.ocmconfig` files remain compatible at every stage; update the paragraph containing these Phase statements accordingly.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In `@docs/adr/0017_typed_credentials.md`:
- Around line 263-267: Reword the three consecutive sentences that start with
"Phase" (the lines describing Phase 2, Phase 4, and Phase 6) to improve flow and
readability—e.g., vary sentence openings and/or combine related ideas so the
text reads: explain that Phase 2 PRs can run in parallel across bindings, note
that Phase 4 waits for Phase 2 to complete, and emphasize that only Phase 6
removes backward compatibility while confirming old `.ocmconfig` files remain
compatible at every stage; update the paragraph containing these Phase
statements accordingly.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 7544b237-21ae-46a1-8949-bf463cfda26d
📒 Files selected for processing (4)
.github/config/wordlist.txtdocs/adr/0000_template.mddocs/adr/0016_jsonschemagen_performance.mddocs/adr/0017_typed_credentials.md
✅ Files skipped from review due to trivial changes (1)
- docs/adr/0016_jsonschemagen_performance.md
🚧 Files skipped from review as they are similar to previous changes (2)
- docs/adr/0000_template.md
- .github/config/wordlist.txt
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
cb2e267 to
cae19fa
Compare
Contributor
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
docs/adr/0017_typed_credentials.md (1)
249-253: Optional wording cleanup for repeated “Phase …” bullet starts.Small readability nit only: vary one bullet opening to reduce repetition.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/adr/0017_typed_credentials.md` around lines 249 - 253, The repeated "Phase ..." sentence starts make the bullets rote; update one bullet for variety—e.g., change "Phase 2 PRs can run in parallel across bindings." to "PRs for Phase 2 can run in parallel across bindings." or "Phase 2 allows PRs to run in parallel across bindings." Apply this small wording change in the bullets block so only one line start is varied while preserving meaning.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/adr/0017_typed_credentials.md`:
- Around line 174-175: Update the second bullet that currently reads "Built-ins
register first (at startup), plugins register after (at discovery) — built-ins
always take precedence" to reflect the duplicate-registration behavior: change
it to "Built-ins register first; conflicting later registrations error out" (and
keep the following bullet about nil-safe schemes as-is); ensure the edited text
matches the duplicate-registration policy described earlier so there is no
implication of runtime precedence.
- Around line 67-69: Update the ADR text in docs/adr/0017_typed_credentials.md
to remove ambiguity: state that credential/identity type mismatches are detected
at configuration/ingestion time and treated as an ingestion error (not just a
warning), or alternatively add a clear subsection that defines two modes
("strict" = fail at ingestion, "lenient" = warn and defer rejection to
consumers) and explicitly document the default behavior; reference the existing
sentence "The graph validates during ingestion that configured credential types
are compatible with the identity type" and change its wording to reflect the
chosen error behavior or add the strict/lenient mode description and default.
- Around line 76-77: Update the sentence about interface-breaking risk to avoid
absolutes: change the wording to say that adding a method to an interface breaks
implementors, note that while current implementations of credentials.Resolver
are in-repo, external projects or plugins could also implement it and would be
affected, and state that each binding migrates from Resolve to ResolveTyped
independently with plugin interfaces updated in Phase 3; modify the line
referencing "only breaks implementors (all in our codebase)" to this revised
phrasing mentioning credentials.Resolver, Resolve, ResolveTyped, and Phase 3.
---
Nitpick comments:
In `@docs/adr/0017_typed_credentials.md`:
- Around line 249-253: The repeated "Phase ..." sentence starts make the bullets
rote; update one bullet for variety—e.g., change "Phase 2 PRs can run in
parallel across bindings." to "PRs for Phase 2 can run in parallel across
bindings." or "Phase 2 allows PRs to run in parallel across bindings." Apply
this small wording change in the bullets block so only one line start is varied
while preserving meaning.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 79a00a10-a0e5-4ac0-a2b7-7883a4c23f40
📒 Files selected for processing (1)
docs/adr/0017_typed_credentials.md
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
Contributor
There was a problem hiding this comment.
♻️ Duplicate comments (3)
docs/adr/0017_typed_credentials.md (3)
76-78:⚠️ Potential issue | 🟠 MajorAvoid absolute wording about interface break impact.
“all in our codebase” is too strong for an exported interface and may understate impact on external implementors. Rephrase to acknowledge in-repo status while noting external implementations can also break.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/adr/0017_typed_credentials.md` around lines 76 - 78, The sentence claiming that adding a method "breaks implementors (all in our codebase)" is too absolute; update the text around the discussion of changing the exported interface (the Resolve -> ResolveTyped migration) to soften the claim and acknowledge that while current in-repo implementors will be affected, external implementors could be impacted as well. Rephrase to something like: adding a method will require each binding to migrate from Resolve to ResolveTyped independently and may break existing implementors within our codebase and any external implementations; ensure the wording references the Resolve and ResolveTyped symbols and clarifies the scope of impact without asserting "all" implementors unconditionally.
67-69:⚠️ Potential issue | 🟠 MajorConfiguration-time mismatch handling is still ambiguous.
Line 67 says validation happens during ingestion, but Line 68 says incompatible pairs only produce warnings. That weakens the ADR’s stated goal of configuration-time detection and allows late failures.
Please make this explicit as ingestion-time errors (or define strict/lenient modes and default).
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/adr/0017_typed_credentials.md` around lines 67 - 69, The ADR text is ambiguous: the sentence "The graph validates during ingestion that configured credential types are compatible with the identity type." conflicts with "Incompatible pairs produce warnings." — update the document so ingestion-time mismatches are treated as errors (not warnings) or explicitly define strict/lenient modes and a default; specifically change the behavior described around the two sentences ("The graph validates during ingestion..." and "Incompatible pairs produce warnings.") to state either (a) ingestion validation fails with clear errors for incompatible credential/identity pairs, or (b) add a short section that defines a configurable mode (strict vs lenient), document the default mode, and describe that strict emits errors at ingestion while lenient emits warnings and defers rejection to consumers.
222-223:⚠️ Potential issue | 🟡 MinorRegistration precedence conflicts with duplicate-registration semantics.
If duplicate registration errors out, “built-ins always take precedence” is misleading. Prefer wording like: built-ins register first; conflicting later registrations fail fast.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/adr/0017_typed_credentials.md` around lines 222 - 223, Update the wording to remove ambiguity about precedence vs duplicate-registration behavior: state that built-ins register first and that later conflicting registrations (e.g., plugin registrations) will fail fast rather than override built-ins; mention that the system is nil-safe and falls back to DirectCredentials when no scheme is provided. Reference the terms "built-ins", "plugins", "DirectCredentials", and "duplicate registration" so maintainers know which behavior and documentation lines to update.
🧹 Nitpick comments (1)
docs/adr/0017_typed_credentials.md (1)
298-302: Consider tightening repeated bullet phrasing for readability.Three consecutive bullets start similarly (“Phase ...”). Minor, but rewording one or two improves scanability in the constraints section.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@docs/adr/0017_typed_credentials.md` around lines 298 - 302, The three constraint bullets that begin with “Phase …” are repetitive; edit one or two of them (specifically the lines containing “Phase 2 PRs can run in parallel across bindings”, “Phase 4 blocks on Phase 2 completion”, and “Phase 6 is the only step that removes backward compatibility”) to vary the phrasing for readability—e.g., convert one to a leading clause (“PRs in Phase 2 can run in parallel across bindings”) or to a descriptive form (“Phase 4: waits for Phase 2 to complete”) so the bullets scan more clearly while preserving the original meaning.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@docs/adr/0017_typed_credentials.md`:
- Around line 76-78: The sentence claiming that adding a method "breaks
implementors (all in our codebase)" is too absolute; update the text around the
discussion of changing the exported interface (the Resolve -> ResolveTyped
migration) to soften the claim and acknowledge that while current in-repo
implementors will be affected, external implementors could be impacted as well.
Rephrase to something like: adding a method will require each binding to migrate
from Resolve to ResolveTyped independently and may break existing implementors
within our codebase and any external implementations; ensure the wording
references the Resolve and ResolveTyped symbols and clarifies the scope of
impact without asserting "all" implementors unconditionally.
- Around line 67-69: The ADR text is ambiguous: the sentence "The graph
validates during ingestion that configured credential types are compatible with
the identity type." conflicts with "Incompatible pairs produce warnings." —
update the document so ingestion-time mismatches are treated as errors (not
warnings) or explicitly define strict/lenient modes and a default; specifically
change the behavior described around the two sentences ("The graph validates
during ingestion..." and "Incompatible pairs produce warnings.") to state either
(a) ingestion validation fails with clear errors for incompatible
credential/identity pairs, or (b) add a short section that defines a
configurable mode (strict vs lenient), document the default mode, and describe
that strict emits errors at ingestion while lenient emits warnings and defers
rejection to consumers.
- Around line 222-223: Update the wording to remove ambiguity about precedence
vs duplicate-registration behavior: state that built-ins register first and that
later conflicting registrations (e.g., plugin registrations) will fail fast
rather than override built-ins; mention that the system is nil-safe and falls
back to DirectCredentials when no scheme is provided. Reference the terms
"built-ins", "plugins", "DirectCredentials", and "duplicate registration" so
maintainers know which behavior and documentation lines to update.
---
Nitpick comments:
In `@docs/adr/0017_typed_credentials.md`:
- Around line 298-302: The three constraint bullets that begin with “Phase …”
are repetitive; edit one or two of them (specifically the lines containing
“Phase 2 PRs can run in parallel across bindings”, “Phase 4 blocks on Phase 2
completion”, and “Phase 6 is the only step that removes backward compatibility”)
to vary the phrasing for readability—e.g., convert one to a leading clause (“PRs
in Phase 2 can run in parallel across bindings”) or to a descriptive form
(“Phase 4: waits for Phase 2 to complete”) so the bullets scan more clearly
while preserving the original meaning.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 69128676-58c3-420c-ad58-e810fc3ae8fd
📒 Files selected for processing (1)
docs/adr/0017_typed_credentials.md
Contributor
Author
This should now also have been tackled |
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
…ckwards compatibility On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
morri-son
approved these changes
Apr 20, 2026
fabianburth
approved these changes
Apr 20, 2026
This was referenced Apr 24, 2026
This was referenced May 1, 2026
This was referenced May 11, 2026
This was referenced Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it
Adds ADR 0015 proposing typed credentials and consumer identity types for the OCM credential system. The ADR proposes evolving
map[string]stringcredentials into typed Go structs registered inruntime.Schemeregistries:HelmHTTPCredentials/v1,OCICredentials/v1)CredentialAcceptorvalidationResolveTypedmethod added to existingResolverinterface for gradual migrationDirectCredentials/v1fallback at every stageDesign validated by POC: #2148 (exploration code, not for merge)
Which issue(s) this PR fixes
Contributes: open-component-model/ocm-project#980
Testing
How to test the changes
This is a documentation-only PR (ADR). No code changes.
Verification