feat(registry): oras-go v3 full config stack integration#32065
Draft
feat(registry): oras-go v3 full config stack integration#32065
Conversation
pull-request-size
Bot
added
the
size/XL
Contributor
There was a problem hiding this comment.
Pull request overview
Integrates ORAS Go v3’s full registry config stack into Helm’s registry client (policy evaluation, signature verification hooks, configurable config-path loading, and login Location rewrite), while completing remaining v2→v3 API updates.
Changes:
- Switch to ORAS v3 packages and update reference parsing (
properties.NewReference,.Tag). - Load and apply full container config stack via
remote/config, wiring policy evaluation and optional signature verification into repository construction. - Update CLI registry-client wiring to use the command’s
outwriter and adjust/extend registry tests for the new behavior.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/registry/transport.go | Update ORAS retry transport import to v3 path. |
| pkg/registry/reference.go | Move reference parsing to ORAS v3 properties reference type/API. |
| pkg/registry/reference_test.go | Adjust tests for v3 .Tag field. |
| pkg/registry/generic.go | Refactor GenericClient to delegate repository creation to Client.newRepository(). |
| pkg/registry/client.go | Core wiring: config stack loading, builder setup, policy/signature hooks, Location rewrite on login, v3 login/logout APIs. |
| pkg/registry/client_test.go | Update login tests and add tests for policy evaluator/config options/login behavior. |
| pkg/registry/client_http_test.go | Update ORAS content import path to v3. |
| pkg/cmd/*.go | Thread out io.Writer into registry client construction in various commands. |
| oras-go-v3-plan.md | Add migration plan documentation for ORAS v3 integration steps. |
| go.mod | Add ORAS v3 requirement and a local replace to ./oras-go. |
| go.sum | Remove ORAS v2 sums. |
Comments suppressed due to low confidence (1)
go.mod:185
- This committed local-path
replace github.com/oras-project/oras-go/v3 => ./oras-gomakes the build dependent on a bundled copy of oras-go rather than the module proxy, and can interfere with dependency auditing and reproducible builds. If this is only for local development, it should typically not be committed; otherwise consider vendoring intentionally (documented) or switching to an upstream version/pseudo-version withoutreplace.
replace github.com/oras-project/oras-go/v3 => ./oras-go
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Promptless prepared a documentation update related to this change. Triggered by PR #32065 Added documentation for the new container ecosystem configuration support, including credential discovery from Docker/Podman, configuration file loading ( |
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 20 out of 21 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 20 out of 21 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 12 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 13 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (2)
pkg/registry/client_test.go:101
TestLogin_ResetsForceAttemptOAuth2_OnFailureno longer asserts anything aboutForceAttemptOAuth2. Rename this test (and its doc comment) to reflect the current behavior being validated (e.g., login fails when the registry is unreachable).
// Verifies that Login restores ForceAttemptOAuth2 to false even when ping fails.
func TestLogin_ResetsForceAttemptOAuth2_OnFailure(t *testing.T) {
t.Parallel()
pkg/registry/client.go:571
LoginOptTLSClientConfigpanics for common user error cases (missing/invalid cert/key/CA files, or CA parse failures). Because Helm CLI passes these options directly from flags, this would crash the command instead of returning an actionable error message. Please propagate these errors back throughLogin()(e.g., record an error in the operation and haveLoginreturn it) rather than panicking.
// LoginOptTLSClientConfig returns a function that sets the TLS settings on login.
func LoginOptTLSClientConfig(certFile, keyFile, caFile string) LoginOption {
return func(o *loginOperation) {
if (certFile == "" || keyFile == "") && caFile == "" {
return
}
// Set file path fields for the config-driven path.
if certFile != "" && keyFile != "" {
o.client.certFile = certFile
o.client.keyFile = keyFile
}
if caFile != "" {
o.client.caFile = caFile
}
// Also update the authorizer transport for the legacy path (customHTTPClient=true).
tlsConfig, err := ensureTLSConfig(o.client.authorizer, nil)
if err != nil {
panic(err)
}
if certFile != "" && keyFile != "" {
authCert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil {
panic(err)
}
tlsConfig.Certificates = []tls.Certificate{authCert}
}
if caFile != "" {
certPool := x509.NewCertPool()
ca, err := os.ReadFile(caFile)
if err != nil {
panic(err)
}
if !certPool.AppendCertsFromPEM(ca) {
panic(fmt.Errorf("unable to parse CA file: %q", caFile))
}
tlsConfig.RootCAs = certPool
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
Author
|
Update import paths from oras.land/oras-go/v2 to github.com/oras-project/oras-go/v3. Fix all breaking API changes: - auth.Credential → credentials.Credential, CredentialFunc field - ForceAttemptOAuth2 removed; use remote.Login() instead - auth.StaticCredential → credentials.StaticCredentialFunc - credentials.Logout → remote.Logout - repository.PlainHTTP/Client → repository.Registry.PlainHTTP/Client - StoreOptions.DetectDefaultNativeStore removed - Blank-import config package to register credential store loader Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Create a symlink at ./oras-go pointing to ../oras-go so the go.mod replace directive uses ./oras-go instead of ../oras-go. Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Load the full container ecosystem configuration in NewClient() via config.LoadConfigs(), enabling: - containers auth.json (Podman/Buildah credentials) - registries.conf (mirrors, blocked registries, insecure settings) - certs.d (per-registry CA and client certificates) - policy.json (ready for policy enforcement) Use NewRepositoryWithProperties() for Push, Tags, Resolve, and Pull operations so that registries.conf mirrors and certs.d TLS are applied automatically. CLI flag overrides (--insecure, --cert-file, --ca-file, --plain-http, --username/--password) are applied on top via applyOverrides(). When ClientOptHTTPClient or ClientOptAuthorizer is provided (e.g. in tests), fall back to the legacy direct-authorizer path to preserve custom TLS transport configuration set via LoginOptTLSClientConfigFromConfig. GenericClient now holds a *Client reference instead of copying fields, delegating repository creation to Client.newRepository(). Signed-off-by: Terry Howe <terrylhowe@gmail.com>
…g overrides, and login location rewrite - Part 3: wire policy.json into ClientBuilder via PolicyEvaluator; add ClientOptPolicyEvaluator - Part 4: per-repo signature verification via registries.d lookaside; add ClientOptSignatureVerification - Part 5: expose LoadConfigsWithOptions via ConfigOptions struct; add ClientOptConfigOptions - Part 6: apply Location rewrite from registries.conf in Login() so credentials are stored under the canonical registry name - Replace deprecated registry.ParseReference with properties.NewReference - Replace deprecated orasReference.Reference field access with .Tag Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Use published github.com/oras-project/oras-go/v3 v3.0.0-dev instead of the ./oras-go local replacement. Signed-off-by: Terry Howe <terrylhowe@gmail.com>
- ClientOptPolicyEvaluator now acts as a true override: only build from policy.json when client.policyEvaluator is still nil - Login: use original alias host for newRegistry() transport settings, then redirect reg.Reference.Registry to the canonical host so both the connection and credential key are correct - Logout: apply the same Location rewrite as Login to remove the correct credential entry when called with an alias host - TestNewClient_WithDenyAllPolicy: use require.Same to prove the evaluator instance is the exact one passed via the option - TestLogin_LocationRewrite: write a real registries.conf, login via alias, and assert credential is stored under the canonical host only - oras-go-v3-plan.md: remove claude --resume session identifier Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
- applyOverrides: only set props.Credential when both username and password are non-empty, preserving credential-store fallback when only a username is present - root.go: use os.Stderr for registry client status output (Pulled/ Pushed/Digest lines) so it does not corrupt stdout in data-oriented commands like helm template or helm show values Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
Signed-off-by: Terry Howe <terrylhowe@gmail.com>
… message Signed-off-by: Terry Howe <terrylhowe@gmail.com>
…al test plan Signed-off-by: Terry Howe <terrylhowe@gmail.com>
…, and test names Signed-off-by: Terry Howe <terrylhowe@gmail.com>
TerryHowe
force-pushed
the
feature/helm-oras-go-v3-integration
branch
from
86225b5 to
3991ab2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Migrates `helm.sh/helm/v4/pkg/registry` from `oras.land/oras-go/v2` to `github.com/oras-project/oras-go/v3` and wires in the full container ecosystem config stack.
Part 1: Mechanical v2 → v3 migration
Part 2: Full config stack + NewRepositoryWithProperties
Part 3: Policy enforcement (policy.json)
Part 4: Signature verification (registries.d + signedBy)
Part 5: LoadConfigsWithOptions override paths
Part 6: Login path Location rewrite
Deprecation fixes
Test plan
Closes: #11771