HELM-611: add OCI registry client for chart operations #15925
Conversation
OCI-based Helm charts were failing to install because the action configuration lacked a registry client. This change: - Add GetDefaultOCIRegistry() to create and attach a registry client to the Helm action configuration - Integrate registry client initialization into all Helm handlers: install, upgrade, uninstall, rollback, and chart get operations - Add unit tests for the new registry client function - Update older tests to use mock registry Client function Without a registry client, operations on OCI charts (oci://) would fail with errors about missing registry support. Fixes: HELM-611
|
@sowmya-sl: This pull request references HELM-611 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
the
do-not-merge/work-in-progress
|
Skipping CI for Draft Pull Request. |
|
@sowmya-sl: This pull request references HELM-611 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
WalkthroughAdds OCI registry client creation utilities and integrates a default OCI registry retrieval into Helm action configuration and multiple HTTP handlers. Handlers now pre-invoke the registry retrieval and return a Bad Gateway on failure; tests and a test seam for client creation were added. Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~22 minutes 🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sowmya-sl The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
@sowmya-sl: This pull request references HELM-611 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
@sowmya-sl: This pull request references HELM-611 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
@sowmya-sl: This pull request references HELM-611 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@pkg/helm/actions/get_registry.go`:
- Around line 17-26: GetOCIRegistry currently ignores insecure and plainHTTP;
fix by passing registry.ClientOptPlainHTTP() when plainHTTP is true, and handle
insecure by constructing an *http.Client with a custom
tls.Config{InsecureSkipVerify: true} and passing it to newRegistryClient via
registry.ClientOptHTTPClient(httpClient); update GetOCIRegistry to call
newRegistryClient with the appropriate options (plainHTTP and/or HTTP client)
and add imports for crypto/tls and net/http so the custom HTTP client can be
created and supplied to the registry client.
🧹 Nitpick comments (2)
pkg/helm/actions/config.go (1)
53-56: Redundant registry initialization across config and handlers.This call to
GetDefaultOCIRegistryis non-blocking (logs and continues), while handlers.go calls the same function and does fail the request on error. The redundancy means the registry client may be initialized twice per request when the first call succeeds.Consider removing this call from config initialization since handlers.go already performs the authoritative check with proper error handling. If the intent is a "best-effort early init," the pattern is fine but should be documented.
pkg/helm/handlers/handler_test.go (1)
205-207: Consider adding test coverage for registry initialization failures.The fake always returns
nil, which is fine for happy-path testing. However, since handlers now returnBadGatewaywhengetDefaultOCIRegistryfails, consider adding at least one test case that injects a failinggetDefaultOCIRegistryto verify the error response path.func fakeGetDefaultOCIRegistryError(conf *action.Configuration) error { return errors.New("mock registry error") }
|
@sowmya-sl: This pull request references HELM-611 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/retest |
webbnh
left a comment
webbnh
left a comment
There was a problem hiding this comment.
The changes to the code look very nice, now.
However, the tests seem like they could use some more attention. One of them is, I think, mistargeted, but I think it is trivial to fix that. In the second instance, you added a test for the error case but no tests for the normal cases (I've supplied a possible fix for that).
The third omission is understandable, since I couldn't find any testing for the other error cases in those functions, but I'd like to resist using that as a basis for adding more untested code. I'm not asking that you cover the existing omissions (although, I would be pleased if you took a shot at it!), but I do suggest that you include testing to cover the code that you're adding in this PR.
| func TestGetDefaultOCIRegistry_NilConfig(t *testing.T) { | ||
| err := GetDefaultOCIRegistry(nil) | ||
| require.Error(t, err) | ||
| require.Contains(t, err.Error(), "action configuration cannot be nil") | ||
| } |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
|
|
||
| func TestGetOCIRegistry_NewClientError(t *testing.T) { |
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
added this in the test.
| if err != nil { | ||
| serverutils.SendResponse(w, http.StatusBadGateway, serverutils.ApiError{Err: fmt.Sprintf("Failed to get default registry: %v", err)}) | ||
| return |
There was a problem hiding this comment.
Do we have a unit test scenario which exercises this code? (Ditto for the other changes to this module?)
It looks like we probably don't have tests for any of the error cases in this (or the other) functions...but it would be good if the new code brought with it new tests.... 😇
There was a problem hiding this comment.
No UTs for this right now. But I will check on that.
- Rename insecure param to skipTLSVerify for clarity - Add TLS skip verification and plainHTTP support - Use mockable newRegistryClient for testability - Fix variable naming (registryClient) - Return nil directly instead of err variable
sowmya-sl
force-pushed
the
add-oci-support
branch
from
8ebc6b6 to
db77391
Compare
|
@sowmya-sl: This pull request references HELM-611 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@pkg/helm/actions/get_registry.go`:
- Around line 29-36: When skipTLSVerify is true, don't create a bare
http.Transport (which loses ProxyFromEnvironment and default timeouts/HTTP2
settings); instead clone the default transport, assert
http.DefaultTransport.(*http.Transport), call Clone() to get a copy, set its
TLSClientConfig.InsecureSkipVerify = true, and use that cloned transport in the
http.Client passed to registry.ClientOptHTTPClient so Proxy and other default
behaviors are preserved.
| if skipTLSVerify { | ||
| opts = append(opts, registry.ClientOptHTTPClient(&http.Client{ | ||
| Transport: &http.Transport{ | ||
| TLSClientConfig: &tls.Config{ | ||
| InsecureSkipVerify: true, | ||
| }, | ||
| }, | ||
| })) |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
git ls-files | head -20Repository: openshift/console
Length of output: 500
🏁 Script executed:
fd -t f "get_registry.go" -x wc -l {}Repository: openshift/console
Length of output: 98
🏁 Script executed:
cat -n pkg/helm/actions/get_registry.go | head -50Repository: openshift/console
Length of output: 1426
🏁 Script executed:
# Check the minimum Go version supported by this project
if [ -f "go.mod" ]; then
head -5 go.mod
fiRepository: openshift/console
Length of output: 127
🌐 Web query:
Go http.DefaultTransport http.Transport Clone method
💡 Result:
Yes — http.DefaultTransport is a RoundTripper whose concrete type is *http.Transport, and http.Transport has a Clone method you can use to copy the default transport instead of mutating it.
Example:
- safe: t := http.DefaultTransport.(*http.Transport).Clone()
- then modify and use: t.MaxIdleConns = 50; client := &http.Client{Transport: t}
Notes:
- Do not set fields on http.DefaultTransport directly (that mutates the global). Clone was added to Transport to make copying easy (Go 1.13+). [1][2][3]
Sources:
[1] Stack Overflow — “How to use http.DefaultTransport …” (example using Clone).
[2] Go 1.13 release notes (Transport changes; Clone added).
[3] net/http docs (DefaultTransport is &Transport{...}).
🏁 Script executed:
rg -t go "ClientOptHTTPClient|http\.Client" --context 3 | head -50Repository: openshift/console
Length of output: 2576
🏁 Script executed:
rg -t go "registry\.NewClient|registry\.Client" --context 2 | head -40Repository: openshift/console
Length of output: 2575
🏁 Script executed:
cat -n pkg/helm/actions/get_registry_test.goRepository: openshift/console
Length of output: 4961
🏁 Script executed:
rg -t go "Proxy|proxy|ProxyFromEnvironment" pkg/helm/actions/Repository: openshift/console
Length of output: 251
🌐 Web query:
http.DefaultTransport ProxyFromEnvironment proxy support Go
💡 Result:
Short answer
- net/http's DefaultTransport uses ProxyFromEnvironment, so it will honor HTTP_PROXY/http_proxy, HTTPS_PROXY/https_proxy and NO_PROXY/no_proxy (the exact parsing/semantics come from golang.org/x/net/http/httpproxy). [1][2]
Notes / gotchas
- If you create a Transport with an empty struct (e.g. &http.Transport{}), Proxy is nil and environment proxying won't be used — DefaultTransport sets Proxy: ProxyFromEnvironment for you. [1][3]
Sources
- DefaultTransport and its Proxy field in net/http docs. [1]
- httpproxy implementation (FromEnvironment / rules for HTTP(S)_PROXY and NO_PROXY). [2]
- Common pitfall: empty Transport vs DefaultTransport (discussion/example). [3]
Clone http.DefaultTransport to preserve proxy and timeout settings.
The bare http.Transport loses ProxyFromEnvironment support, breaking registry access in proxied environments when skipTLSVerify is true—a critical gap in enterprise deployments where corporate proxies are standard. Additionally, timeouts and HTTP/2 configuration from the default transport are dropped.
🔧 Proposed fix
- opts = append(opts, registry.ClientOptHTTPClient(&http.Client{
- Transport: &http.Transport{
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
- },
- },
- }))
+ transport := http.DefaultTransport.(*http.Transport).Clone()
+ transport.TLSClientConfig = &tls.Config{
+ InsecureSkipVerify: true,
+ // MinVersion: tls.VersionTLS12, // or TLS13 if your registries support it
+ }
+ opts = append(opts, registry.ClientOptHTTPClient(&http.Client{Transport: transport}))🧰 Tools
🪛 ast-grep (0.40.5)
[warning] 31-33: MinVersionis missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. AddMinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.
Context: tls.Config{
InsecureSkipVerify: true,
}
Note: [CWE-327]: Use of a Broken or Risky Cryptographic Algorithm [OWASP A03:2017]: Sensitive Data Exposure [OWASP A02:2021]: Cryptographic Failures [REFERENCES]
https://owasp.org/Top10/A02_2021-Cryptographic_Failures
(missing-ssl-minversion-go)
🤖 Prompt for AI Agents
In `@pkg/helm/actions/get_registry.go` around lines 29 - 36, When skipTLSVerify is
true, don't create a bare http.Transport (which loses ProxyFromEnvironment and
default timeouts/HTTP2 settings); instead clone the default transport, assert
http.DefaultTransport.(*http.Transport), call Clone() to get a copy, set its
TLSClientConfig.InsecureSkipVerify = true, and use that cloned transport in the
http.Client passed to registry.ClientOptHTTPClient so Proxy and other default
behaviors are preserved.
webbnh
left a comment
webbnh
left a comment
There was a problem hiding this comment.
Looks good, @sowmya-sl; however, there are a couple of new concerns and an old one:
- The deferral of the restoration of
newRegistryClientis being done multiple times (and, as a result, probably doesn't work properly); instead, it should probably be done only once. - We need to confirm that the restoration is not done before all of the test scenarios are completed.
- The unit test coverage for the new error handling (link).
- And, you should consider taking CodeRabbit's suggestion.
| for _, tt := range tests { | ||
| originalNewRegistryClient := newRegistryClient | ||
| defer func() { | ||
| newRegistryClient = originalNewRegistryClient | ||
| }() |
There was a problem hiding this comment.
I don't think that this is going to work as intended: the defer operation is going to be done four times, since it is inside the loop, and so it will be executed four times when the function returns; however, on each iteration, originalNewRegistryClient will be overwritten with the mock from the previous iteration, and so on each execution of the deferred function, it will restore newRegistryClient to the third iteration's mock.
There is a way to make each deferral restore the previous state, such that, after the last completes, the state is back to the original value, but it would be much easier/simpler/more-effective to simply move lines 78-81 to before the loop.
Also, there is something you should check: since your test is using t.Run() to execute the scenarios in separate go-routines, you should make sure that the deferred function(s) doesn't run before all the scenarios are complete. (That is, can control return from TestGetOCIRegistry_Success() and trigger the deferred actions before all of the t.Run() functions have finished and are no longer using newRegistryClient?...I don't recall that detail.)
|
@sowmya-sl: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
3 participants
OCI-based Helm charts were failing to install because the action configuration lacked a registry client. This change:
Without a registry client, operations on OCI charts (oci://) would fail with errors about missing registry support.
Fixes: HELM-611
Original PR on #15830
Steps to test:
Summary by CodeRabbit
New Features
Tests
✏️ Tip: You can customize this high-level summary in your review settings.