feat!: migrate helm binding to runtime.Typed credentials (gate 6)#2612
Merged
jakobmoellerdev merged 2 commits intoMay 22, 2026
Conversation
✅ Deploy Preview for ocm-website canceled.
|
Contributor
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (14)
📝 WalkthroughWalkthroughThe PR migrates Helm binding credential handling from untyped ChangesHelm Binding Typed Credential Migration
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
4f463ff to
87fce1b
Compare
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (1)
bindings/go/helm/go.mod (1)
29-29: Update indirect dependency review: yaml/v4 is an RC, but security advisories don’t hit the pinned versions
go.yaml.in/yaml/v4is pinned tov4.0.0-rc.2; Go module proxy shows onlyv4.0.0-rc.*variants (no stablev4.0.0), so treat this as a deliberate pre-release risk/upgrade tracking item.- The pinned indirect versions exist on the Go module proxy (including
github.com/pb33f/ordered-map/v2 v2.3.1andgo.yaml.in/yaml/v4 v4.0.0-rc.2).- GitHub security advisories show no vulnerabilities for
github.com/invopop/jsonschema,github.com/pb33f/ordered-map/v2,github.com/veqryn/slog-context, orgo.yaml.in/yaml/v4;github.com/buger/jsonparseradvisories apply to earlier versions (fixed starting at1.1.2), and the pinnedv1.2.0is outside the vulnerable ranges.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@bindings/go/helm/go.mod` at line 29, The go.mod pins an RC of go.yaml.in/yaml/v4 (v4.0.0-rc.2) which is a pre-release risk; update the repo metadata to explicitly document this (e.g., add a short comment in go.mod or PR description) noting the deliberate RC pin and plan to upgrade when a stable release is available, confirm github.com/buger/jsonparser remains >= v1.1.2 (the pinned v1.2.0 is OK), and verify other indirect pins (github.com/pb33f/ordered-map/v2 v2.3.1, github.com/invopop/jsonschema, github.com/veqryn/slog-context) are tracked for future updates so reviewers know the RC/tracking decision.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@bindings/go/helm/go.mod`:
- Line 29: The go.mod pins an RC of go.yaml.in/yaml/v4 (v4.0.0-rc.2) which is a
pre-release risk; update the repo metadata to explicitly document this (e.g.,
add a short comment in go.mod or PR description) noting the deliberate RC pin
and plan to upgrade when a stable release is available, confirm
github.com/buger/jsonparser remains >= v1.1.2 (the pinned v1.2.0 is OK), and
verify other indirect pins (github.com/pb33f/ordered-map/v2 v2.3.1,
github.com/invopop/jsonschema, github.com/veqryn/slog-context) are tracked for
future updates so reviewers know the RC/tracking decision.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 45147385-2f5e-4745-a636-393a2385a49a
⛔ Files ignored due to path filters (1)
bindings/go/helm/go.sumis excluded by!**/*.sum
📒 Files selected for processing (14)
bindings/go/helm/cmd/main.gobindings/go/helm/digest/digest.gobindings/go/helm/go.modbindings/go/helm/input/method.gobindings/go/helm/internal/download/options.gobindings/go/helm/repository/resource/resource_repository.gobindings/go/helm/spec/credentials/scheme.gobindings/go/helm/spec/credentials/v1/convert.gobindings/go/helm/spec/credentials/v1/convert_test.gobindings/go/helm/spec/credentials/v1/helm_credentials.gobindings/go/helm/spec/credentials/v1/helm_credentials_test.gobindings/go/helm/transformation/credentials.gobindings/go/helm/transformation/credentials_test.gobindings/go/helm/transformation/get_helm_chart.go
💤 Files with no reviewable changes (5)
- bindings/go/helm/transformation/credentials.go
- bindings/go/helm/internal/download/options.go
- bindings/go/helm/transformation/credentials_test.go
- bindings/go/helm/spec/credentials/v1/helm_credentials.go
- bindings/go/helm/spec/credentials/v1/helm_credentials_test.go
5e0dfe8 to
1f441d4
Compare
matthiasbruns
previously approved these changes
May 22, 2026
a472315 to
7f3b020
Compare
jakobmoellerdev
commented
May 22, 2026
c5e9430 to
5d5d2dd
Compare
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (3)
bindings/go/helm/repository/resource/resource_repository.go (1)
105-130: 💤 Low valueConsider extracting credential conversion and scheme branching to a shared helper.
The credential conversion logic (convert → check prefix → type assert → append option) is duplicated verbatim in
input/method.go,digest/digest.go, and this file. A helper inhelmcredsv1orhelminternalcould reduce repetition and centralize the OCI vs HTTP branching:// Example signature in helmcredsv1 or helminternal: func ResolveCredentialOptions(credentials runtime.Typed, repoURL string) ([]download.Option, error)This is a minor concern given the phased migration; consider addressing in a follow-up consolidation pass.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@bindings/go/helm/repository/resource/resource_repository.go` around lines 105 - 130, Extract the duplicated credential conversion and scheme-branching into a shared helper (e.g., helmcredsv1.ResolveCredentialOptions or helminternal.ResolveCredentialOptions) that accepts the runtime.Typed credentials and repo URL and returns ([]helmdownload.Option, error); move the logic from resource_repository.go (the block using helmcredsv1.ConvertCredentials, strings.HasPrefix(helmURL,"oci://"), type assertions to *ocicredsv1.OCICredentials and *helmcredsv1.HelmHTTPCredentials, and appending helmdownload.WithOCICredentials/WithCredentials) into that helper, preserve the behavior of passing nil when converted is nil and returning typed-errors on wrong type, then replace the inline block in resource_repository.go (and similar blocks in input/method.go and digest/digest.go) with a call to the new ResolveCredentialOptions helper and append the returned options to opts.bindings/go/helm/transformation/get_helm_chart.go (1)
129-134: ⚡ Quick winWrap credential resolution errors with operation context.
The fallback branch returns the resolver error unwrapped, which makes downstream logs less actionable.
♻️ Proposed improvement
typed, err := t.CredentialProvider.Resolve(ctx, consumerId) if err != nil { if errors.Is(err, credentials.ErrNotFound) { return nil, nil } - return nil, err + return nil, fmt.Errorf("failed resolving credentials for resource consumer identity: %w", err) }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@bindings/go/helm/transformation/get_helm_chart.go` around lines 129 - 134, The credential resolver error returned in the fallback branch is propagated raw, making logs unhelpful; update the error return in the block that checks errors.Is(err, credentials.ErrNotFound) to wrap the non-ErrNotFound errors with operation context (e.g., using fmt.Errorf("resolve credentials: %w", err)) so callers of the function (getHelmChart or the credential resolution call site) receive an error that includes "resolve credentials" context while preserving the original error via %w.bindings/go/helm/spec/credentials/v1/convert.go (1)
56-59: ⚡ Quick winInclude credential type in conversion error messages.
Current errors make triage harder when multiple credential types flow through this path. Include
creds.GetType()(or converted type) in both failure branches.♻️ Proposed improvement
- typed, err := convertScheme.NewObject(creds.GetType()) + credType := creds.GetType() + typed, err := convertScheme.NewObject(credType) if err != nil { - return nil, fmt.Errorf("error converting credential type: %w", err) + return nil, fmt.Errorf("error creating credential object for type %q: %w", credType.String(), err) } if err = convertScheme.Convert(creds, typed); err != nil { - return nil, fmt.Errorf("error converting credential type: %w", err) + return nil, fmt.Errorf("error converting credential type %q: %w", credType.String(), err) } @@ - return nil, fmt.Errorf("unsupported credential type %v", typed.GetType()) + return nil, fmt.Errorf("unsupported converted credential type %q (from %q)", typed.GetType().String(), credType.String())Also applies to: 71-71
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@bindings/go/helm/spec/credentials/v1/convert.go` around lines 56 - 59, Update the error messages in the conversion failure branches to include the credential type to aid triage: when the first conversion fails (before calling convertScheme.Convert) and when convertScheme.Convert(creds, typed) returns an error, include creds.GetType() (or the resolved type string) in the fmt.Errorf calls so the messages read like "error converting credential type '%s': %w"; modify the error formatting in the blocks around convertScheme.Convert and the earlier conversion branch (the conversion logic in convert.go that uses creds, typed and convertScheme.Convert) and apply the same change to the other similar failure at the later branch referenced near the second occurrence.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@bindings/go/helm/repository/resource/resource_repository.go`:
- Around line 105-130: Extract the duplicated credential conversion and
scheme-branching into a shared helper (e.g.,
helmcredsv1.ResolveCredentialOptions or helminternal.ResolveCredentialOptions)
that accepts the runtime.Typed credentials and repo URL and returns
([]helmdownload.Option, error); move the logic from resource_repository.go (the
block using helmcredsv1.ConvertCredentials, strings.HasPrefix(helmURL,"oci://"),
type assertions to *ocicredsv1.OCICredentials and
*helmcredsv1.HelmHTTPCredentials, and appending
helmdownload.WithOCICredentials/WithCredentials) into that helper, preserve the
behavior of passing nil when converted is nil and returning typed-errors on
wrong type, then replace the inline block in resource_repository.go (and similar
blocks in input/method.go and digest/digest.go) with a call to the new
ResolveCredentialOptions helper and append the returned options to opts.
In `@bindings/go/helm/spec/credentials/v1/convert.go`:
- Around line 56-59: Update the error messages in the conversion failure
branches to include the credential type to aid triage: when the first conversion
fails (before calling convertScheme.Convert) and when
convertScheme.Convert(creds, typed) returns an error, include creds.GetType()
(or the resolved type string) in the fmt.Errorf calls so the messages read like
"error converting credential type '%s': %w"; modify the error formatting in the
blocks around convertScheme.Convert and the earlier conversion branch (the
conversion logic in convert.go that uses creds, typed and convertScheme.Convert)
and apply the same change to the other similar failure at the later branch
referenced near the second occurrence.
In `@bindings/go/helm/transformation/get_helm_chart.go`:
- Around line 129-134: The credential resolver error returned in the fallback
branch is propagated raw, making logs unhelpful; update the error return in the
block that checks errors.Is(err, credentials.ErrNotFound) to wrap the
non-ErrNotFound errors with operation context (e.g., using fmt.Errorf("resolve
credentials: %w", err)) so callers of the function (getHelmChart or the
credential resolution call site) receive an error that includes "resolve
credentials" context while preserving the original error via %w.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e64e39c3-346c-48f0-b23f-663ff858b3e5
⛔ Files ignored due to path filters (1)
bindings/go/helm/go.sumis excluded by!**/*.sum
📒 Files selected for processing (14)
bindings/go/helm/cmd/main.gobindings/go/helm/digest/digest.gobindings/go/helm/go.modbindings/go/helm/input/method.gobindings/go/helm/internal/download/options.gobindings/go/helm/repository/resource/resource_repository.gobindings/go/helm/spec/credentials/scheme.gobindings/go/helm/spec/credentials/v1/convert.gobindings/go/helm/spec/credentials/v1/convert_test.gobindings/go/helm/spec/credentials/v1/helm_credentials.gobindings/go/helm/spec/credentials/v1/helm_credentials_test.gobindings/go/helm/transformation/credentials.gobindings/go/helm/transformation/credentials_test.gobindings/go/helm/transformation/get_helm_chart.go
💤 Files with no reviewable changes (5)
- bindings/go/helm/internal/download/options.go
- bindings/go/helm/transformation/credentials_test.go
- bindings/go/helm/spec/credentials/v1/helm_credentials_test.go
- bindings/go/helm/transformation/credentials.go
- bindings/go/helm/spec/credentials/v1/helm_credentials.go
✅ Files skipped from review due to trivial changes (2)
- bindings/go/helm/spec/credentials/scheme.go
- bindings/go/helm/go.mod
5d5d2dd to
752b5ab
Compare
Migrate bindings/go/helm from map[string]string credentials to runtime.Typed as part of ADR 0018 / issue open-component-model#1047 (gate 6). - Add spec/credentials/scheme.go: exported Scheme for HelmHTTPCredentials - Add spec/credentials/v1/convert.go: ConvertCredentials(runtime.Typed) returning (*HelmHTTPCredentials, *OCICredentials, error) via a single scheme-based type switch; supports DirectCredentials, HelmHTTPCredentials, OCICredentials, and raw JSON input - Add spec/credentials/v1/convert_test.go - Remove transformation/credentials.go and transformation/credentials_test.go (superseded by ConvertCredentials) - Update input/method.go, digest/digest.go, repository/resource/resource_repository.go, cmd/main.go to use runtime.Typed credential parameters and ConvertCredentials - Remove deprecated credential constants from internal/download/options.go and spec/credentials/v1/helm_credentials.go BREAKING CHANGE: ProcessResource, ProcessSource, DownloadResource, UploadResource, and ProcessResourceDigest signatures change from map[string]string to runtime.Typed. Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
752b5ab to
e9d9241
Compare
fabianburth
approved these changes
May 22, 2026
This was referenced May 22, 2026
jakobmoellerdev
added a commit
that referenced
this pull request
May 26, 2026
…entials (gate 7) (#2616) #### What this PR does / why we need it Gate 7 of the typed credentials migration (ocm-project#1047). Migrates `bindings/go/transfer` and `kubernetes/controller` to use `runtime.Typed` credentials instead of `map[string]string`. **bindings/go/transfer:** - Bump `blob→v0.0.13`, `credentials→v0.0.12`, `oci→v0.0.43`, `repository→v0.0.9` - Update OCI identity import path: `oci/spec/credentials/identity/v1` → `oci/spec/identity/v1` **kubernetes/controller:** - `resolveResourceCredentials` and `VerifyResource` return `runtime.Typed` instead of `map[string]string` - Replace `map[string]string` RSA credential literals with `rsacredentialsv1.RSACredentials` structs - Update import aliases for `oci/spec/credentials` and `oci/spec/identity/v1` - `GetComponentVersionRepository` call sites updated to pass `runtime.Typed` credentials #### Which issue(s) this PR fixes Contributes: - open-component-model/ocm-project#1047 - open-component-model/ocm-project#1055 - open-component-model/ocm-project#1056 - open-component-model/ocm-project#1057 #### Binding release order | Gate | PRs | Modules | Status | |------|-----|---------|--------| | 1 | ✅ #2580 | blob, signing, rsa | merged | | 2 | ✅ #2586 | repository, sigstore | merged | | 3 | ✅ #2594 | oci | merged | | 4 | ✅ #2598 | constructor | merged | | 5 | ✅ #2602 | plugin, input/dir, input/file, input/utf8 | merged | | 6 | ✅ #2612 | helm | merged | | 7 | **this PR** | transfer, controller | 👈 | | 8 | PR 8 | cli | — | --------- Signed-off-by: Jakob Möller <contact@jakob-moeller.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com> Co-authored-by: Matthias Bruns <git@matthiasbruns.com>
5 tasks
matthiasbruns
added a commit
that referenced
this pull request
May 26, 2026
On-behalf-of: SAP <matthias.bruns@sap.com> <!-- markdownlint-disable MD041 --> #### What this PR does / why we need it Final PR of the breaking change chain for the credential migration. This PR updated the CLI. #### Which issue(s) this PR fixes Fixed: open-component-model/ocm-project#1056 | Gate | PRs | Modules | Status | |------|-----|---------|--------| | 1 | ✅ #2580 | blob, signing, rsa | merged | | 2 | ✅ #2586 | repository, sigstore | merged | | 3 | ✅ #2594 | oci | merged | | 4 | ✅ #2598 | constructor | merged | | 5 | ✅ #2602 | plugin, input/dir, input/file, input/utf8 | merged | | 6 | ✅ #2612 | helm | merged | | 7 | ✅ #2616 | transfer, controller | merged | | 8 | **this PR** | cli | 👈 | #### Testing ##### How to test the changes ##### Verification - [ ] I have added/updated tests for my changes (see [Test Requirements](../CONTRIBUTING.md#test-requirements)) - [x] Tests pass locally (`task test` and `task test/integration` if applicable) - [ ] If touching multiple modules, `go work` is enabled (see `go.work`) - [x] My changes do not decrease test coverage - [ ] I have tested the changes locally by running `ocm` --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Gate 6 of the phased ADR 0018 / issue #1047 credentials migration. Builds on gates 1–5 (PRs #2580, #2586, #2594, #2598, #2602).
helm binding changes
cmd/main.go,input/method.go:ProcessResource/ProcessSource→runtime.Typeddigest/digest.go:ProcessResourceDigest→runtime.Typed; singleConvertCredentialscall replaces two separate conversionsrepository/resource/resource_repository.go:DownloadResource/UploadResource→runtime.Typed;var _ repository.ResourceRepositoryassertion restoredtransformation/get_helm_chart.go: use upstream typedResourceRepositoryinterface; deletetransformation/credentials.gospec/credentials/v1/convert.go: newConvertCredentials(runtime.Typed) (*HelmHTTPCredentials, *OCICredentials, error)— single scheme-based conversion returning both typesspec/credentials/scheme.go: package-levelSchemefor helm credentialsspec/credentials/v1/helm_credentials.go: remove deprecated exported constants andFromDirectCredentials(now private)go.mod:plugin→ v0.0.16,blob→ v0.0.13,repository→ v0.0.9; no replace directivesTest plan
cd bindings/go/helm && go build ./... && go test ./...(cmd/* requirestask buildfor plugin binary)grep -rn "map\[string\]string" bindings/go/helm/returns no credential parameter usagesRefs: #1047