feat!: migrate transfer and controller bindings to runtime.Typed credentials (gate 7)#2616
Merged
jakobmoellerdev merged 18 commits intoMay 26, 2026
Conversation
✅ Deploy Preview for ocm-website ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
Contributor
|
Warning Review limit reached
More reviews will be available in 51 minutes and 45 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (3)
📒 Files selected for processing (18)
📝 WalkthroughWalkthroughThis PR migrates credential handling from untyped ChangesTyped Credential Spec Migration
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Warning Review ran into problems🔥 ProblemsGit: Failed to clone repository. Please run the Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
814c491 to
554fae1
Compare
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
kubernetes/controller/internal/controller/deployer/deployer_controller.go (1)
711-740:⚠️ Potential issue | 🟠 Major | ⚡ Quick winTreat missing resource credentials as optional here.
This helper now returns typed credentials, but it still fails on every
credGraph.Resolveerror. That makes the download path stricter thanVerifyResource, which already ignorescredentials.ErrNotFoundand proceeds withnilcredentials. Public resources will start failing whenever an OCM config exists but no matching credential is configured.Proposed fix
+ "ocm.software/open-component-model/bindings/go/credentials" "ocm.software/open-component-model/bindings/go/plugin/manager" ocmruntime "ocm.software/open-component-model/bindings/go/runtime"- creds, err := credGraph.Resolve(ctx, id) - if err != nil { + creds, err := credGraph.Resolve(ctx, id) + if err != nil && !errors.Is(err, credentials.ErrNotFound) { return nil, fmt.Errorf("failed to resolve credentials: %w", err) }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@kubernetes/controller/internal/controller/deployer/deployer_controller.go` around lines 711 - 740, The helper should treat missing credentials as optional: when calling resourcePlugin.GetResourceCredentialConsumerIdentity and then credGraph.Resolve, catch and handle credentials.ErrNotFound by returning (nil, nil) instead of propagating the error; keep other errors wrapped and returned as before. Update the block around setup.NewCredentialGraph/credGraph.Resolve to check for errors.Is(err, credentials.ErrNotFound) (or compare the specific sentinel used in your credentials package) and return nil,nil for that case, mirroring VerifyResource behavior; leave GetResourcePlugin, GetResourceCredentialConsumerIdentity, and normal credential return paths unchanged.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@kubernetes/controller/internal/controller/deployer/deployer_controller.go`:
- Around line 711-740: The helper should treat missing credentials as optional:
when calling resourcePlugin.GetResourceCredentialConsumerIdentity and then
credGraph.Resolve, catch and handle credentials.ErrNotFound by returning (nil,
nil) instead of propagating the error; keep other errors wrapped and returned as
before. Update the block around setup.NewCredentialGraph/credGraph.Resolve to
check for errors.Is(err, credentials.ErrNotFound) (or compare the specific
sentinel used in your credentials package) and return nil,nil for that case,
mirroring VerifyResource behavior; leave GetResourcePlugin,
GetResourceCredentialConsumerIdentity, and normal credential return paths
unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 5d9e2363-d627-4460-8600-7b4780c7bd9b
⛔ Files ignored due to path filters (3)
bindings/go/transfer/go.sumis excluded by!**/*.sumbindings/go/transfer/integration/go.sumis excluded by!**/*.sumkubernetes/controller/go.sumis excluded by!**/*.sum
📒 Files selected for processing (15)
bindings/go/transfer/go.modbindings/go/transfer/integration/go.modbindings/go/transfer/integration/integration_test.gokubernetes/controller/cmd/main.gokubernetes/controller/go.modkubernetes/controller/internal/controller/component/suite_test.gokubernetes/controller/internal/controller/deployer/deployer_controller.gokubernetes/controller/internal/controller/deployer/suite_test.gokubernetes/controller/internal/controller/resource/suite_test.gokubernetes/controller/internal/ocm/resource.gokubernetes/controller/internal/resolution/service_test.gokubernetes/controller/internal/resolution/workerpool/workerpool.gokubernetes/controller/internal/setup/integration_test.gokubernetes/controller/internal/test/component.gokubernetes/controller/pkg/configuration/config.go
4ea51bd to
785027e
Compare
morri-son
previously approved these changes
May 22, 2026
piotrjanik
previously approved these changes
May 22, 2026
fabianburth
previously requested changes
May 22, 2026
fabianburth
left a comment
Contributor
There was a problem hiding this comment.
cannot approve this while we have replace statements in there
…entials (gate 7) Migrates bindings/go/transfer and kubernetes/controller to use runtime.Typed credentials instead of map[string]string, as part of the typed credentials migration (ocm-project#1047). Changes: - bindings/go/transfer: bump blob→v0.0.13, credentials→v0.0.12, oci→v0.0.43, repository→v0.0.9; update OCI identity import path - kubernetes/controller: update resolveResourceCredentials and VerifyResource return types to runtime.Typed; replace map[string]string credential literals with typed RSACredentials structs; update import aliases for oci/spec/credentials and oci/spec/identity/v1; fix import ordering in service_test.go and integration_test.go Contributes: ocm-project#1047, ocm-project#1055, ocm-project#1056, ocm-project#1057 On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
…ials dep Transfer and controller modules now depend on helm v0.0.0-20260522105049-e4d3ffbaf1f3 (gate 6 commit) which uses the corrected oci/spec/identity/v1 import path instead of oci/spec/credentials/identity/v1. Also adds rsa v0.0.0-20260522110833 which provides rsa/spec/credentials/v1 used by workerpool. On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> # Conflicts: # kubernetes/controller/go.sum
- Drop //nolint:staticcheck comments in deployer_controller.go and resource.go: credentials.Graph.Resolve now returns runtime.Typed directly (migration complete), so SA1019 no longer fires and the nolintlint linter flags them as unused - Add missing blob/filesystem go.sum entry in transfer/integration On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
When no credentials are configured for a resource, the credential resolver returns nil (runtime.Typed interface). ConvertToOCICredentials was panicking on nil.GetType(). Return nil, nil for nil input to allow unauthenticated access. On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
When no credentials are configured for a resource (unauthenticated access), the credential resolver returns nil (runtime.Typed interface). ConvertToOCICredentials was panicking on nil.GetType(). Return nil, nil for nil input to allow unauthenticated OCI access. On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
While oci@v0.0.43 is the latest published version, ConvertToOCICredentials panics when called with nil (unauthenticated access path). Add replace directives pointing to the fix commit on jakobmoellerdev fork until a new oci release is published with the nil guard. On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
The v0.0.43 refactoring of ProcessResourceDigest in resource_repository extracted resolveOCIImageRepo but stopped converting resource.Access to the typed *OCIImage before delegating to the inner oci.Repository. The inner repository does a direct type switch, so *runtime.Raw access (from JSON deserialization) hits the default case and returns an error. Bump to fork commit e8ebef6 which resolves resource.Access via the scheme before calling repo.ProcessResourceDigest, restoring the v0.0.40 behavior. Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
When no credentials are configured for a resource (unauthenticated access), the credential resolver returns nil (runtime.Typed interface). ConvertToOCICredentials was panicking on nil.GetType(). Return nil, nil for nil input to allow unauthenticated OCI access. On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
While oci@v0.0.43 is the latest published version, ConvertToOCICredentials panics when called with nil (unauthenticated access path). Add replace directives pointing to the fix commit on jakobmoellerdev fork until a new oci release is published with the nil guard. On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
The v0.0.43 refactoring of ProcessResourceDigest in resource_repository extracted resolveOCIImageRepo but stopped converting resource.Access to the typed *OCIImage before delegating to the inner oci.Repository. The inner repository does a direct type switch, so *runtime.Raw access (from JSON deserialization) hits the default case and returns an error. Bump to fork commit e8ebef6 which resolves resource.Access via the scheme before calling repo.ProcessResourceDigest, restoring the v0.0.40 behavior. Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com> Signed-off-by: Jakob Möller <contact@jakob-moeller.com> On-behalf-of: @SAP <jakob.moeller@sap.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
2b5793e to
3a2e55f
Compare
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
On-behalf-of: SAP <matthias.bruns@sap.com> Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
matthiasbruns
approved these changes
May 26, 2026
piotrjanik
approved these changes
May 26, 2026
5 tasks
matthiasbruns
added a commit
that referenced
this pull request
May 26, 2026
On-behalf-of: SAP <matthias.bruns@sap.com> <!-- markdownlint-disable MD041 --> #### What this PR does / why we need it Final PR of the breaking change chain for the credential migration. This PR updated the CLI. #### Which issue(s) this PR fixes Fixed: open-component-model/ocm-project#1056 | Gate | PRs | Modules | Status | |------|-----|---------|--------| | 1 | ✅ #2580 | blob, signing, rsa | merged | | 2 | ✅ #2586 | repository, sigstore | merged | | 3 | ✅ #2594 | oci | merged | | 4 | ✅ #2598 | constructor | merged | | 5 | ✅ #2602 | plugin, input/dir, input/file, input/utf8 | merged | | 6 | ✅ #2612 | helm | merged | | 7 | ✅ #2616 | transfer, controller | merged | | 8 | **this PR** | cli | 👈 | #### Testing ##### How to test the changes ##### Verification - [ ] I have added/updated tests for my changes (see [Test Requirements](../CONTRIBUTING.md#test-requirements)) - [x] Tests pass locally (`task test` and `task test/integration` if applicable) - [ ] If touching multiple modules, `go work` is enabled (see `go.work`) - [x] My changes do not decrease test coverage - [ ] I have tested the changes locally by running `ocm` --------- Signed-off-by: Matthias Bruns <git@matthiasbruns.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does / why we need it
Gate 7 of the typed credentials migration (ocm-project#1047).
Migrates
bindings/go/transferandkubernetes/controllerto useruntime.Typedcredentials instead ofmap[string]string.bindings/go/transfer:
blob→v0.0.13,credentials→v0.0.12,oci→v0.0.43,repository→v0.0.9oci/spec/credentials/identity/v1→oci/spec/identity/v1kubernetes/controller:
resolveResourceCredentialsandVerifyResourcereturnruntime.Typedinstead ofmap[string]stringmap[string]stringRSA credential literals withrsacredentialsv1.RSACredentialsstructsoci/spec/credentialsandoci/spec/identity/v1GetComponentVersionRepositorycall sites updated to passruntime.TypedcredentialsWhich issue(s) this PR fixes
Contributes:
Binding release order