feat!: migrate plugin + constructor + input modules to runtime.Typed credentials (gate 5)#2602
Merged
jakobmoellerdev merged 4 commits intoMay 22, 2026
Conversation
👷 Deploy Preview for ocm-website processing.
|
Contributor
|
Caution Review failedThe pull request is closed. ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (4)
📒 Files selected for processing (88)
📝 WalkthroughWalkthroughMigrates all plugin contracts and implementations to use runtime.Typed credentials. HTTP handlers parse Authorization into runtime.Raw, implementations marshal typed credentials to headers, converters/registries forward typed creds, and tests/internal plugins are updated. Minor go.mod bumps align dependencies. ChangesTyped credentials end-to-end migration
Sequence Diagram(s)sequenceDiagram
participant Client
participant Handler as HTTP Handler (rgba(66, 135, 245, 0.5))
participant Impl as RepositoryPlugin (rgba(60, 179, 113, 0.5))
participant External as External Plugin (rgba(255, 165, 0, 0.5))
Client->>Handler: Request + Authorization JSON
Handler->>Handler: Unmarshal to runtime.Raw
Handler->>Impl: Process(..., credentials runtime.Typed)
Impl->>Impl: Marshal credentials to Authorization header
Impl->>External: Call endpoint
External-->>Impl: Response
Impl-->>Handler: Result
Handler-->>Client: HTTP 200
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
Suggested reviewers
Poem
✨ Finishing Touches🧪 Generate unit tests (beta)
|
…credentials (gate 5) Part of issue open-component-model#1047 typed credentials migration series. Changes: - constructor: update Resolver interface usage from ResolveTyped → Resolve (credentials v0.0.12), bump credentials to v0.0.12, repository to v0.0.9 - input/dir, input/file, input/utf8: ProcessResource/ProcessSource credentials map[string]string → runtime.Typed - plugin: all contract interfaces credentials map[string]string → runtime.Typed - contracts: blobtransformer, componentlister, credentials, digestprocessor, input, ocmrepository, resource, signing - registry implementations: toCredentials(runtime.Typed), nil → sends "{}" - registry handlers: credentials deserialized via &runtime.Raw{} server-side - converters: all credential params updated - test plugins: all credential params updated - test files: map[string]string{} → nil, mock methods updated to runtime.Typed - plugin/go.mod: replace constructor with local (unreleased gate 5 version) Closes: part of open-component-model#1047 On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
73eec77 to
f510ff5
Compare
jakobmoellerdev
added a commit
that referenced
this pull request
May 21, 2026
…als v0.0.12 compat) (#2603) ## Summary - `credentials v0.0.12` unified the `Resolver` interface to a single `Resolve(ctx, identity) (runtime.Typed, error)` method, removing the separate `ResolveTyped` method that existed in v0.0.11 - `constructor v0.0.8` (released as part of gate 4, PR #2598) still calls `provider.ResolveTyped` and depends on `credentials v0.0.11` - This causes a build failure when any module depends on both `constructor v0.0.8` and `credentials v0.0.12` This fix updates `construct.go` to call `provider.Resolve` and bumps the credentials dependency to `v0.0.12`. ## Dependency on Must be released as `constructor/v0.0.9` before PR #2602 (gate 5 plugin migration) can drop its `replace` directive. Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
frewilhelm
approved these changes
May 21, 2026
matthiasbruns
approved these changes
May 21, 2026
piotrjanik
approved these changes
May 21, 2026
27c822c
into
open-component-model:main
24 of 25 checks passed
This was referenced May 22, 2026
jakobmoellerdev
added a commit
to jakobmoellerdev/open-component-model
that referenced
this pull request
May 22, 2026
Gate 5 (open-component-model#2602) migrated credential parameters to runtime.Typed but left inline JSON parsing in every registry handler. Extract the repeated Authorization header → runtime.Raw parsing into a shared helper and update all handlers to use it. - Add plugins/credentials.go: CredentialsFromHeader reads the Authorization header and unmarshals it into runtime.Typed, writing an HTTP 401 on malformed input - Update all registry handlers (blobtransformer, componentlister, credentialrepository, digestprocessor, input, resource) to use it - plugins/call.go: skip headers with empty key Refs: open-component-model#1047 On-behalf-of: @SAP <jakob.moeller@sap.com>
1 task
jakobmoellerdev
added a commit
to jakobmoellerdev/open-component-model
that referenced
this pull request
May 22, 2026
Gate 5 (open-component-model#2602) migrated credential parameters to runtime.Typed but left inline JSON parsing in every registry handler. Extract the repeated Authorization header → runtime.Raw parsing into a shared helper and update all handlers to use it. - Add plugins/credentials.go: CredentialsFromHeader reads the Authorization header and unmarshals it into runtime.Typed, writing an HTTP 401 on malformed input - Update all registry handlers (blobtransformer, componentlister, credentialrepository, digestprocessor, input, resource) to use it - plugins/call.go: skip headers with empty key Refs: open-component-model#1047 On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
jakobmoellerdev
added a commit
to jakobmoellerdev/open-component-model
that referenced
this pull request
May 22, 2026
Gate 5 (open-component-model#2602) migrated credential parameters to runtime.Typed but left inline JSON parsing in every registry handler. Extract the repeated Authorization header → runtime.Raw parsing into a shared helper and update all handlers to use it. - Add plugins/credentials.go: CredentialsFromHeader reads the Authorization header and unmarshals it into runtime.Typed, writing an HTTP 401 on malformed input - Update all registry handlers (blobtransformer, componentlister, credentialrepository, digestprocessor, input, resource) to use it - plugins/call.go: skip headers with empty key Refs: open-component-model#1047 On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
jakobmoellerdev
added a commit
to jakobmoellerdev/open-component-model
that referenced
this pull request
May 22, 2026
Gate 5 (open-component-model#2602) migrated credential parameters to runtime.Typed but left inline JSON parsing in every registry handler. Extract the repeated Authorization header → runtime.Raw parsing into a shared helper and update all handlers to use it. - Add plugins/credentials.go: CredentialsFromHeader reads the Authorization header and unmarshals it into runtime.Typed, writing an HTTP 401 on malformed input - Update all registry handlers (blobtransformer, componentlister, credentialrepository, digestprocessor, input, resource) to use it - plugins/call.go: skip headers with empty key Refs: open-component-model#1047 On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
jakobmoellerdev
added a commit
that referenced
this pull request
May 22, 2026
) ## Summary Gate 6 of the phased [ADR 0018 / issue #1047](open-component-model/ocm-project#1047) credentials migration. Builds on gates 1–5 (PRs #2580, #2586, #2594, #2598, #2602). > **Note:** this branch also contains #2613 (plugin `CredentialsFromHeader` refactor). Once that merges, this PR will show only the helm changes. ### helm binding changes - `cmd/main.go`, `input/method.go`: `ProcessResource`/`ProcessSource` → `runtime.Typed` - `digest/digest.go`: `ProcessResourceDigest` → `runtime.Typed`; single `ConvertCredentials` call replaces two separate conversions - `repository/resource/resource_repository.go`: `DownloadResource`/`UploadResource` → `runtime.Typed`; `var _ repository.ResourceRepository` assertion restored - `transformation/get_helm_chart.go`: use upstream typed `ResourceRepository` interface; delete `transformation/credentials.go` - `spec/credentials/v1/convert.go`: new `ConvertCredentials(runtime.Typed) (*HelmHTTPCredentials, *OCICredentials, error)` — single scheme-based conversion returning both types - `spec/credentials/scheme.go`: package-level `Scheme` for helm credentials - `spec/credentials/v1/helm_credentials.go`: remove deprecated exported constants and `FromDirectCredentials` (now private) - `go.mod`: `plugin` → v0.0.16, `blob` → v0.0.13, `repository` → v0.0.9; no replace directives ## Test plan - [ ] `cd bindings/go/helm && go build ./... && go test ./...` (cmd/* requires `task build` for plugin binary) - [ ] `grep -rn "map\[string\]string" bindings/go/helm/` returns no credential parameter usages Refs: #1047 Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
jakobmoellerdev
added a commit
that referenced
this pull request
May 22, 2026
## Summary Gate 5 (#2602) migrated all credential parameters to `runtime.Typed` but left the Authorization header → `runtime.Raw` parsing duplicated inline in every registry handler. This PR extracts that into a shared helper. - Add `plugins/credentials.go`: `CredentialsFromHeader` reads the `Authorization` header, unmarshals it into `runtime.Typed`, and writes HTTP 401 on malformed input - Update all registry handlers to use it: `blobtransformer`, `componentlister`, `credentialrepository`, `digestprocessor`, `input`, `resource` - `plugins/call.go`: skip headers with empty key No behaviour change — pure extraction of duplicated code. ## Test plan - [ ] `cd bindings/go/plugin && go build ./... && go test ./...` Signed-off-by: Jakob Möller <contact@jakob-moeller.com>
jakobmoellerdev
added a commit
that referenced
this pull request
May 26, 2026
…entials (gate 7) (#2616) #### What this PR does / why we need it Gate 7 of the typed credentials migration (ocm-project#1047). Migrates `bindings/go/transfer` and `kubernetes/controller` to use `runtime.Typed` credentials instead of `map[string]string`. **bindings/go/transfer:** - Bump `blob→v0.0.13`, `credentials→v0.0.12`, `oci→v0.0.43`, `repository→v0.0.9` - Update OCI identity import path: `oci/spec/credentials/identity/v1` → `oci/spec/identity/v1` **kubernetes/controller:** - `resolveResourceCredentials` and `VerifyResource` return `runtime.Typed` instead of `map[string]string` - Replace `map[string]string` RSA credential literals with `rsacredentialsv1.RSACredentials` structs - Update import aliases for `oci/spec/credentials` and `oci/spec/identity/v1` - `GetComponentVersionRepository` call sites updated to pass `runtime.Typed` credentials #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1047 - open-component-model/ocm-project#1055 - open-component-model/ocm-project#1056 - open-component-model/ocm-project#1057 #### Binding release order | Gate | PRs | Modules | Status | |------|-----|---------|--------| | 1 | ✅ #2580 | blob, signing, rsa | merged | | 2 | ✅ #2586 | repository, sigstore | merged | | 3 | ✅ #2594 | oci | merged | | 4 | ✅ #2598 | constructor | merged | | 5 | ✅ #2602 | plugin, input/dir, input/file, input/utf8 | merged | | 6 | ✅ #2612 | helm | merged | | 7 | **this PR** | transfer, controller | 👈 | | 8 | PR 8 | cli | — | --------- Signed-off-by: Jakob Möller <contact@jakob-moeller.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com> Co-authored-by: Matthias Bruns <git@matthiasbruns.com>
5 tasks
matthiasbruns
added a commit
that referenced
this pull request
May 26, 2026
On-behalf-of: SAP <matthias.bruns@sap.com> <!-- markdownlint-disable MD041 --> #### What this PR does / why we need it Final PR of the breaking change chain for the credential migration. This PR updated the CLI. #### Which issue(s) this PR fixes Fixed: open-component-model/ocm-project#1056 | Gate | PRs | Modules | Status | |------|-----|---------|--------| | 1 | ✅ #2580 | blob, signing, rsa | merged | | 2 | ✅ #2586 | repository, sigstore | merged | | 3 | ✅ #2594 | oci | merged | | 4 | ✅ #2598 | constructor | merged | | 5 | ✅ #2602 | plugin, input/dir, input/file, input/utf8 | merged | | 6 | ✅ #2612 | helm | merged | | 7 | ✅ #2616 | transfer, controller | merged | | 8 | **this PR** | cli | 👈 | #### Testing ##### How to test the changes ##### Verification - [ ] I have added/updated tests for my changes (see [Test Requirements](../CONTRIBUTING.md#test-requirements)) - [x] Tests pass locally (`task test` and `task test/integration` if applicable) - [ ] If touching multiple modules, `go work` is enabled (see `go.work`) - [x] My changes do not decrease test coverage - [ ] I have tested the changes locally by running `ocm` --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Gate 5 of the typed credentials migration (#1047). Migrates
plugin,constructor, andinput/*modules frommap[string]stringtoruntime.Typedcredentials.This continues the series started in gates 1-4 (blob, signing, rsa, repository, sigstore, oci, constructor published as PR #2598).
Modules changed
bindings/go/constructorResolver.Resolvereturn typemap[string]string→runtime.Typed; bump credentials v0.0.11→v0.0.12bindings/go/input/dirProcessResource/ProcessSourcecredentials parammap[string]string→runtime.Typedbindings/go/input/filebindings/go/input/utf8bindings/go/pluginKey design decisions
toCredentials):nilcredentials → sends"{}"JSON to preserve valid Authorization header format&runtime.Raw{}since concrete type is unknown at HTTP boundaryplugin/go.mod: usesreplacedirective pointing to local../constructor(gate 5 constructor not yet released as module tag)Related issues
Test plan
go build ./...passes in all 5 affected modulesgo test ./...passes inconstructor,input/dir,input/file,input/utf8go test ./...passes inplugin(96 files changed, all registry/handler/flow tests pass)