Skip to content

feat: add lookup function for pull secrets in helm values template#76

Open
olzemal wants to merge 2 commits into
mainfrom
feature/73-pull-secret-for
Open

feat: add lookup function for pull secrets in helm values template#76
olzemal wants to merge 2 commits into
mainfrom
feature/73-pull-secret-for

Conversation

@olzemal

@olzemal olzemal commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

What

Closes #73

Checklist

  • Tests added/updated
  • No breaking changes (or upgrade path documented above)
  • Readable commit history (squashed and cleaned up as desired)
  • AI code review considered and comments resolved

Summary by CodeRabbit

  • New Features
    • Added --pull-secrets-file to load pull-secret mappings from a JSON file and inject them into Helm rendering.
    • Added template-driven pull-secret selection with most-specific registry/path matching.
    • Introduced a JSON Schema to validate the pull-secrets file format.
  • Bug Fixes
    • Set a default Docker executable for the e2e-stop-zot workflow (still overrideable).
  • Documentation
    • Updated ocm-kit CLI and added “Pull Secrets” documentation, including template usage and configuration format.
  • Tests
    • Added unit tests and fixtures, plus an end-to-end test covering pull-secrets file rendering.

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The PR adds a default Docker executable, introduces pull-secret JSON parsing and registry resolution for Helm rendering, wires a new CLI flag through rendering, and adds fixtures, tests, and documentation for the new flow.

Changes

Docker executable default

Layer / File(s) Summary
Default Docker executable
Makefile
Defines DOCKER ?= docker so Makefile targets using $(DOCKER) have a default command.

Pull-secret templating

Layer / File(s) Summary
File format and parsing
helmvalues/pullsecrets-schema.json, helmvalues/pullsecrets_file.go, helmvalues/pullsecrets_file_test.go
Defines the pull-secrets JSON shape, parses file entries into PullSecrets, and covers valid, empty, and invalid inputs.
Lookup and template helper
helmvalues/helmvalues.go, helmvalues/helmvalues_test.go
Adds PullSecrets lookup/resolution, passes it through Render, and tests registry matching and pullSecretFor rendering.
CLI file flag and docs
cmd/ocm-kit/main.go, README.md
Adds --pull-secrets-file, loads parsed pull secrets into rendering input, and documents the flag, file format, and template usage.
Template fixture and e2e check
test/fixtures/arc/pull-secrets-values.yaml.tpl, test/fixtures/arc/pull-secrets.json, test/e2e.sh
Adds a values template, JSON fixture, and shell check that render imagePullSecrets from the supplied pull-secret file.

Estimated code review effort: 4 (Complex) | ~60 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description has What and Checklist, but it omits the required Why, Testing, and Notes for reviewers sections. Add the missing Why, Testing, and Notes for reviewers sections and briefly state how the feature was validated.
Out of Scope Changes check ⚠️ Warning The Makefile default DOCKER variable is unrelated to the pull-secrets feature and appears outside the linked issue scope. Remove the Makefile change unless it is required for this feature, or explain its necessity in the issue and PR description.
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and matches the main pull-secrets templating change.
Linked Issues check ✅ Passed The PR adds pull-secret lookup, parses a registry-to-secret file, and exposes a CLI flag, matching issue #73's updated acceptance criteria.
Docstring Coverage ✅ Passed Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/73-pull-secret-for

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coveralls

coveralls commented Jun 26, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 28566523526

Warning

No base build found for commit 9f02ce1 on main.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 43.017%

Details

  • Patch coverage: 10 uncovered changes across 2 files (44 of 54 lines covered, 81.48%).

Uncovered Changes

File Changed Covered %
cmd/ocm-kit/main.go 8 0 0.0%
helmvalues/helmvalues.go 28 26 92.86%
Total (3 files) 54 44 81.48%

Coverage Regressions

Requires a base build to compare against. How to fix this →


Coverage Stats

Coverage Status
Relevant Lines: 358
Covered Lines: 154
Line Coverage: 43.02%
Coverage Strength: 0.5 hits per line

💛 - Coveralls

@olzemal olzemal force-pushed the feature/73-pull-secret-for branch 3 times, most recently from cc780fd to 8209971 Compare June 26, 2026 14:30
@olzemal olzemal marked this pull request as ready for review June 26, 2026 14:32

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (1)
helmvalues/helmvalues_test.go (1)

237-304: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a case for the exact-ref fallback.

Resolve documents a final p.Get(ref) fallback after the host/path walk, but this table never asserts it. A tagged exact-key case here would lock down that branch and the new resolver contract.

Suggested addition
 		{
+			name:    "exact full ref falls back to raw key",
+			ref:     "ghcr.io/org/myapp:v1.0.0",
+			secrets: PullSecrets{"ghcr.io/org/myapp:v1.0.0": "tag-cred"},
+			want:    "tag-cred",
+		},
+		{
 			name:    "full ref matches host only",
 			ref:     "ghcr.io/org/myapp:v1.0.0",
 			secrets: PullSecrets{"ghcr.io": "org-cred"},
 			want:    "org-cred",
 		},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helmvalues/helmvalues_test.go` around lines 237 - 304, Add a test case in
TestPullSecretsResolve that covers the exact-ref fallback branch in
PullSecrets.Resolve. The current table exercises host and host/path matching,
but not the final p.Get(ref) lookup; add a case where the ref itself is present
as the secret key and assert that Resolve returns that value. Keep the new case
alongside the existing PullSecrets.Resolve scenarios so the fallback contract
stays locked down.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helmvalues/helmvalues.go`:
- Around line 83-88: The RenderingInput contract is still hardcoded to pull
secrets instead of supporting the generic extra-values extension point. Refactor
RenderingInput and its rendering path to accept arbitrary template inputs (for
example via an Extra/Values-style map) so callers can pass any keys, not just
PullSecrets. Update the Helm values rendering helpers and any CLI wiring that
consumes RenderingInput to merge these generic values into template execution
rather than relying on a bespoke field.

In `@helmvalues/pullsecrets_file_test.go`:
- Around line 75-87: The negative coverage for ParsePullSecretsFile is missing a
contract check for entries with incomplete pull secret objects. Add a new
failing test case in the pullsecrets_file_test suite using ParsePullSecretsFile
with a pullSecrets array containing an item missing or empty
registry/secretName, and assert it returns an error just like the existing
malformed structure case.

In `@helmvalues/pullsecrets_file.go`:
- Around line 26-36: The pull-secrets parser in pullSecretsFile currently
accepts malformed or partially populated entries, which can leave empty values
in the resulting map. Update the decoding logic in the pullSecretsFile
unmarshal/parse path to use a Decoder with DisallowUnknownFields(), then
validate each PullSecret entry has non-empty Registry and SecretName before
adding it to the PullSecrets map; if any entry is invalid, return a parse error
instead of silently proceeding.

In `@test/e2e.sh`:
- Around line 159-160: The e2e check in the OUTPUT5 assertion is too broad
because it only verifies one rendered secret and can miss regressions in the
more-specific lookup paths. Update the test around the OUTPUT5 validation to
assert the expected secret for each lookup form exercised by the fixture in the
script, using the relevant output blocks from the secret rendering logic, or at
minimum verify the expected count of rendered “- name:” entries instead of just
searching for one match.

In `@test/fixtures/arc/pull-secrets-values.yaml.tpl`:
- Around line 6-23: The three `imagePullSecrets` sections in this template
should only render when `pullSecretFor` resolves to a non-empty value. Update
the `apiserver`, `fizzbuzz`, and `helloworld` blocks to wrap each `- name:`
entry in an `if` or `with` guard keyed off the `pullSecretFor` result so
optional registry mappings remain omitted instead of emitting empty names.

---

Nitpick comments:
In `@helmvalues/helmvalues_test.go`:
- Around line 237-304: Add a test case in TestPullSecretsResolve that covers the
exact-ref fallback branch in PullSecrets.Resolve. The current table exercises
host and host/path matching, but not the final p.Get(ref) lookup; add a case
where the ref itself is present as the secret key and assert that Resolve
returns that value. Keep the new case alongside the existing PullSecrets.Resolve
scenarios so the fallback contract stays locked down.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2dcc5d01-bde8-423d-928e-99363561e85f

📥 Commits

Reviewing files that changed from the base of the PR and between 9f02ce1 and 8209971.

📒 Files selected for processing (10)
  • Makefile
  • cmd/ocm-kit/main.go
  • helmvalues/helmvalues.go
  • helmvalues/helmvalues_test.go
  • helmvalues/pullsecrets-schema.json
  • helmvalues/pullsecrets_file.go
  • helmvalues/pullsecrets_file_test.go
  • test/e2e.sh
  • test/fixtures/arc/pull-secrets-values.yaml.tpl
  • test/fixtures/arc/pull-secrets.json

Comment thread helmvalues/helmvalues.go
Comment thread helmvalues/pullsecrets_file_test.go
Comment thread helmvalues/pullsecrets_file.go Outdated
Comment thread test/e2e.sh Outdated
Comment thread test/fixtures/arc/pull-secrets-values.yaml.tpl
@olzemal olzemal force-pushed the feature/73-pull-secret-for branch from 8209971 to c7148b3 Compare June 29, 2026 06:14

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be a stupid question: Is this file actually used?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not currently, but package authors could use it to validate their pull-secrets.json file.

repository: {{ $etcdImage.Host }}/{{ $etcdImage.Repository }}
tag: {{ $etcdImage.Tag }}
imagePullSecrets:
- name: {{ pullSecretFor (printf "%s/%s:%s" $etcdImage.Host $etcdImage.Repository $etcdImage.Tag) }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, if everyone keeps writing (printf "%s/%s:%s" $etcdImage.Host $etcdImage.Repository $etcdImage.Tag) maybe added "ref" to the OCI Image struct makes sense, e.g. $etcdImage.Ref.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be a useful feature but is probably beyond the scope of this PR. 90% of use-cases could probably be solved by just using $etcdImage.Host anyways.

@olzemal olzemal force-pushed the feature/73-pull-secret-for branch from c7148b3 to 549eb79 Compare July 2, 2026 04:58

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@README.md`:
- Around line 213-221: The README example for `pullSecretFor` is too narrow
because it passes only `$image.Host`, which prevents matching repo-scoped OCI
keys. Update the example to pass the full OCI reference from `index
.OCIResources "my-image"` into `pullSecretFor` so it reflects the hierarchical
lookup behavior and correctly demonstrates repo-level secret mappings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d0b238f7-63d8-4f1e-958e-23c3e427ddba

📥 Commits

Reviewing files that changed from the base of the PR and between c7148b3 and 549eb79.

📒 Files selected for processing (11)
  • Makefile
  • README.md
  • cmd/ocm-kit/main.go
  • helmvalues/helmvalues.go
  • helmvalues/helmvalues_test.go
  • helmvalues/pullsecrets-schema.json
  • helmvalues/pullsecrets_file.go
  • helmvalues/pullsecrets_file_test.go
  • test/e2e.sh
  • test/fixtures/arc/pull-secrets-values.yaml.tpl
  • test/fixtures/arc/pull-secrets.json
✅ Files skipped from review due to trivial changes (4)
  • helmvalues/pullsecrets-schema.json
  • test/fixtures/arc/pull-secrets.json
  • Makefile
  • test/fixtures/arc/pull-secrets-values.yaml.tpl
🚧 Files skipped from review as they are similar to previous changes (6)
  • helmvalues/pullsecrets_file_test.go
  • test/e2e.sh
  • cmd/ocm-kit/main.go
  • helmvalues/helmvalues_test.go
  • helmvalues/pullsecrets_file.go
  • helmvalues/helmvalues.go

Comment thread README.md
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Support adding additional values for the helm values-template

3 participants