support path-scoped registry credentials #1109
Walkthrough
Registry credential lookup, validation, and task credential generation now use normalized registry scopes and path-aware matching. The PostgreSQL connector adds bulk and filtered registry credential retrieval. CLI help text for REGISTRY credentials is updated.
Changes
Path-scoped registry credential matching
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #1109 +/- ##
==========================================
+ Coverage 57.41% 60.65% +3.23%
==========================================
Files 211 201 -10
Lines 26658 25562 -1096
Branches 4046 3836 -210
==========================================
+ Hits 15306 15504 +198
+ Misses 10659 9372 -1287
+ Partials 693 686 -7
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/lib/utils/common.py`:
- Around line 459-465: The normalize_registry_scope() function needs to
canonicalize the default HTTPS port to match the behavior of
image_registry_scope(). After calling registry_parse() on the parsed netloc to
get the registry value, strip the explicit default port 443 (`:443`) from the
registry string before using it in the return statement. This ensures that
equivalent scopes like `registry.example.com:443/org` and
`registry.example.com/org` normalize to the same value and can be properly
matched.
In `@src/utils/connectors/postgres.py`:
- Around line 1562-1566: The bulk registry credential API returns raw
row.profile keys without normalization, causing inconsistency with the
single-item get_registry_cred() function which normalizes lookup keys. In the
dictionary comprehension that returns the registry credentials (in the section
showing row.profile as the key), normalize the row.profile value using the same
normalization logic applied in get_registry_cred() before using it as the
dictionary key. This ensures equivalent scopes behave consistently between
direct and bulk lookups and properly matches path-scoped credentials regardless
of whether persisted profiles are already in canonical form.
- Around line 1574-1579: Refactor this code to filter matching registry scopes
before decrypting credentials rather than decrypting all and filtering. Instead
of calling get_all_registry_creds(user) which decrypts every credential, first
get only the registry credential keys, use common.matching_registry_scopes() to
identify which scopes match the image_info, and then decrypt only those specific
matching credentials. This prevents unrelated bad credentials from failing valid
image auth paths and eliminates unnecessary decryption work.
📒 Files selected for processing (10)
- src/cli/credential.py
- src/lib/utils/common.py
- src/lib/utils/tests/test_common.py
- src/service/core/workflow/objects.py
- src/service/core/workflow/tests/test_helpers.py
- src/utils/connectors/postgres.py
- src/utils/job/task.py
- src/utils/job/tests/test_task.py
- src/utils/job/tests/test_workflow_helpers.py
- src/utils/job/workflow.py
📖 Docs preview: https://d3in15bfzp49i0.cloudfront.net/1109/index.html
xutongNV left a comment
Please check if UI needs to be modified
Description
OSMO previously resolved Docker registry credentials using only the registry hostname. This prevented users from configuring separate credentials for different repository paths under the same registry host.
Issue #1113
This PR adds path-scoped registry credential support and aligns OSMO more closely with Kubernetes docker config matching behavior.
What Changed
`dockerconfigjson` image pull secrets to include all matching auth entries.
Matching Behavior
For an image like:
These credential scopes match:
- <registry-host>/team-b
- <registry-host>
These credential scopes do not match:
- <registry-host>/team-a
- <registry-host>/team-b/subpath
The generated docker config includes all matching credentials, ordered most-specific first.
Testing
Bazel Tests
```bash
bazel test \
  //src/lib/utils/tests:test_common \
  //src/utils/job/tests:test_task_pure \
  //src/utils/job/tests:test_task \
  //src/utils/job/tests:test_workflow_helpers \
  //src/service/core/workflow/tests:test_helpers \
  //src/cli/tests:test_credential
```
Result:
Manual CLI Validation
Using the Bazel-built CLI, created multiple registry credentials under the same host:
Then verified:
This validates that OSMO now stores path-scoped registry credentials separately and resolves only path-segment-compatible credentials for image validation and image pull secret generation.
Checklist
Summary by CodeRabbit
host[/repository/path]), improving accuracy for image pulls and registry validation.
`osmo credential set` CLI help example for `REGISTRY`.
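The matching rules from the description and the three review findings (default-port canonicalization, normalized bulk keys, filter before decrypt) combined in one added example. This is not OSMO's code: `normalize_scope`, `image_scope`, `matching_scopes` and `credentials_for` are hypothetical names, the sample scopes are constructed, and image references are assumed to be fully qualified with a registry host.

```python
"""Added illustration (hypothetical helper names, not OSMO's implementation)."""
from urllib.parse import urlsplit


def normalize_scope(scope: str) -> str:
    """Canonical 'host[:port][/path]': no scheme, lower-case host, no ':443', no trailing '/'."""
    parts = urlsplit(scope if "://" in scope else "//" + scope.strip())
    host = (parts.hostname or "").lower()
    if parts.port not in (None, 443):  # keep only non-default ports
        host = f"{host}:{parts.port}"
    path = parts.path.strip("/")
    return f"{host}/{path}" if path else host


def image_scope(image: str) -> str:
    """Registry host plus repository path of a fully qualified image, minus tag/digest."""
    name = image.split("@", 1)[0]  # drop '@sha256:...'
    head, _, last = name.rpartition("/")
    return normalize_scope(f"{head}/{last.split(':', 1)[0]}")  # tag is in the last segment


def matching_scopes(image: str, scopes) -> list:
    """Normalized scopes that are whole-segment prefixes of the image, most specific first."""
    target = image_scope(image).split("/")
    hits = set()
    for raw in scopes:
        segments = normalize_scope(raw).split("/")
        if target[:len(segments)] == segments:  # 'team' must not match 'team-b'
            hits.add("/".join(segments))
    return sorted(hits, key=lambda s: s.count("/"), reverse=True)


def credentials_for(image: str, encrypted: dict, decrypt) -> list:
    """Select by scope key first, then decrypt only the matching entries."""
    by_scope = {normalize_scope(key): blob for key, blob in encrypted.items()}
    return [(scope, decrypt(by_scope[scope])) for scope in matching_scopes(image, by_scope)]


if __name__ == "__main__":
    # Constructed sample data; 'corrupt' stands in for an undecryptable stored blob.
    stored = {"registry.example.com:443": "root-token",
              "registry.example.com/team-a": "corrupt",
              "registry.example.com/team-b": "team-b-token",
              "registry.example.com/team-b/subpath": "sub-token"}

    def decrypt(blob):
        if blob == "corrupt":
            raise ValueError("cannot decrypt")
        return blob

    print(credentials_for("registry.example.com/team-b/app:1.0", stored, decrypt))
```

Because selection happens on the scope keys, the undecryptable `team-a` entry is never passed to `decrypt` when resolving a `team-b` image.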