OCI registry and example of usage

[fege]

Description

How Has This Been Tested?

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Introduced automated tests to validate OCI Registry operations with MinIO storage in a Kubernetes/OpenShift environment.
  • Added reusable test fixtures to set up an OCI Registry, MinIO backend, and networking resources for integration testing.
  • Provided utility functions for pushing and pulling blobs and manifests to and from the OCI Registry.
  • Defined new constants to standardize OCI Registry configuration and storage settings for tests.

• Tests

  • Added comprehensive test cases to verify OCI Registry push and pull functionality using the new fixtures and utilities.

Walkthrough

New pytest fixtures are introduced to set up an OCI Registry with MinIO S3 backend and OpenShift Route exposure for testing. Supporting utilities for pushing/pulling OCI blobs and manifests are added, along with a test verifying registry operations. Constants for OCI registry configuration are defined in a new class.

Changes

Cohort / File(s)	Change Summary
OCI Registry Test Fixtures tests/conftest.py	Added class-scoped pytest fixtures to provision an OCI Registry in Kubernetes with MinIO backend and OpenShift Route exposure. No existing fixtures were altered.
OCI Registry Integration Test tests/model_registry/async_job/test_basic_oci_registry.py	Introduced a new test class that validates OCI Registry push and pull operations using the new fixtures and MinIO backend.
OCI Registry Test Utilities tests/model_registry/async_job/utils.py	Added utility functions for pushing blobs, creating/pushing manifests, and pulling manifests from an OCI Registry, with logging and HTTP assertions.
OCI Registry Constants utilities/constants.py	Added OCIRegistry class with nested Metadata, PodConfig, and Storage classes for registry configuration constants.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~15–20 minutes

Suggested labels

size/m

Suggested reviewers

• dbasunag
• adolfo-ab

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

---

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a11aa74 and 1495f2c.

📒 Files selected for processing (4)

• tests/conftest.py (3 hunks)
• tests/model_registry/async_job/test_basic_oci_registry.py (1 hunks)
• tests/model_registry/async_job/utils.py (1 hunks)
• utilities/constants.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• tests/model_registry/async_job/utils.py
• utilities/constants.py
• tests/conftest.py
• tests/model_registry/async_job/test_basic_oci_registry.py

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

The following are automatically added/executed:

• PR size label.
• Run pre-commit
• Run tox
• Add PR author as the PR assignee
• Build image based on the PR

Available user actions:

• To mark a PR as WIP, add /wip in a comment. To remove it from the PR comment /wip cancel to the PR.
• To block merging of a PR, add /hold in a comment. To un-block merging of PR comment /hold cancel.
• To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
  lgtm label removed on each new commit push.
• To mark PR as verified comment /verified to the PR, to un-verify comment /verified cancel to the PR.
  verified label removed on each new commit push.
• To Cherry-pick a merged PR /cherry-pick <target_branch_name> to the PR. If <target_branch_name> is valid,
  and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
• To build and push image to quay, add /build-push-pr-image in a comment. This would create an image with tag
  pr-<pr_number> to quay repository. This image tag, however would be deleted on PR merge or close action.

Supported labels

{'/wip', '/build-push-pr-image', '/hold', '/cherry-pick', '/lgtm', '/verified'}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

tests/model_registry/async_job/test_basic_oci_registry.py (1)

31-56: LGTM! Comprehensive end-to-end test with good validation.

The test performs a complete OCI registry workflow: blob push → manifest creation → manifest push → manifest pull → validation. The assertions properly verify the manifest structure and integrity.

Consider adding error handling for network failures:

 def test_oci_registry_push_and_pull_operations(
     self,
     oci_registry_route: Route,
 ) -> None:
     """Test pushing and pulling content to/from the OCI registry with MinIO backend."""
+    
+    if not oci_registry_route.instance.spec.host:
+        pytest.fail("OCI registry route host is not available")

     registry_host = oci_registry_route.instance.spec.host
     registry_url = f"http://{registry_host}"

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c364c47 and 1e1e353.

📒 Files selected for processing (4)

• tests/conftest.py (3 hunks)
• tests/model_registry/async_job/test_basic_oci_registry.py (1 hunks)
• tests/model_registry/async_job/utils.py (1 hunks)
• utilities/constants.py (1 hunks)

🧰 Additional context used

🧠 Learnings (12)

📓 Common learnings

Learnt from: fege
PR: opendatahub-io/opendatahub-tests#320
File: tests/model_registry/rest_api/conftest.py:200-216
Timestamp: 2025-06-05T14:32:40.247Z
Learning: In the opendatahub-tests repository, the test fixtures should raise exceptions on cleanup failures rather than just logging warnings. The user fege prefers strict cleanup behavior where tests fail if cleanup doesn't work properly, rather than silently continuing.

Learnt from: adolfo-ab
PR: opendatahub-io/opendatahub-tests#334
File: tests/model_explainability/trustyai_service/test_trustyai_service.py:52-65
Timestamp: 2025-06-05T10:05:17.642Z
Learning: For TrustyAI image validation tests: operator image tests require admin_client, related_images_refs, and trustyai_operator_configmap fixtures, while service image tests would require different fixtures like trustyai_service_with_pvc_storage, model_namespace, and current_client_token.

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#401
File: tests/model_registry/rest_api/mariadb/conftest.py:89-110
Timestamp: 2025-07-04T00:17:47.799Z
Learning: In tests/model_registry/rest_api/mariadb/conftest.py, the model_registry_with_mariadb fixture should always use OAUTH_PROXY_CONFIG_DICT for the oauth_proxy parameter regardless of the is_model_registry_oauth parameter value, based on expected product behavior for MariaDB-backed ModelRegistry instances.

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#354
File: tests/model_registry/rbac/test_mr_rbac.py:64-77
Timestamp: 2025-06-16T11:26:53.789Z
Learning: In Model Registry RBAC tests, client instantiation tests are designed to verify the ability to create and use the MR python client, with actual API functionality testing covered by separate existing tests.

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:733-770
Timestamp: 2025-07-17T15:42:23.880Z
Learning: In tests/model_registry/conftest.py, the model_registry_instance_1 and model_registry_instance_2 fixtures do not need explicit database dependency fixtures (like db_deployment_1, db_secret_1, etc.) in their function signatures. Pytest's dependency injection automatically handles the fixture dependencies when they reference db_name_1 and db_name_2 parameters. This is the correct pattern for these Model Registry instance fixtures.

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#338
File: tests/model_registry/rbac/test_mr_rbac.py:24-53
Timestamp: 2025-06-06T12:22:57.057Z
Learning: In the opendatahub-tests repository, prefer keeping test parameterization configurations inline rather than extracting them to separate variables/constants, as it makes triaging easier by avoiding the need to jump between different parts of the file to understand the test setup.

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:0-0
Timestamp: 2025-07-17T15:42:26.275Z
Learning: In tests/model_registry/conftest.py, the model_registry_instance_1 fixture (and similar duplicated Model Registry instance fixtures) do not require admin_client, db_deployment_1, or db_secret_1 parameters as explicit dependencies, even though these dependencies exist implicitly through the fixture dependency chain.

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:595-612
Timestamp: 2025-07-17T15:42:04.167Z
Learning: In tests/model_registry/conftest.py, the db_deployment_1 fixture (and similar duplicated resource fixtures) do not require the admin_client parameter or explicit dependencies on related fixtures like db_secret_1, db_pvc_1, and db_service_1, even though the original model_registry_db_deployment fixture includes these parameters.

📚 Learning: in model registry rbac tests, client instantiation tests are designed to verify the ability to creat...

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#354
File: tests/model_registry/rbac/test_mr_rbac.py:64-77
Timestamp: 2025-06-16T11:26:53.789Z
Learning: In Model Registry RBAC tests, client instantiation tests are designed to verify the ability to create and use the MR python client, with actual API functionality testing covered by separate existing tests.

Applied to files:

• tests/model_registry/async_job/test_basic_oci_registry.py
• tests/conftest.py

📚 Learning: in tests/model_registry/rest_api/mariadb/conftest.py, the model_registry_with_mariadb fixture should...

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#401
File: tests/model_registry/rest_api/mariadb/conftest.py:89-110
Timestamp: 2025-07-04T00:17:47.799Z
Learning: In tests/model_registry/rest_api/mariadb/conftest.py, the model_registry_with_mariadb fixture should always use OAUTH_PROXY_CONFIG_DICT for the oauth_proxy parameter regardless of the is_model_registry_oauth parameter value, based on expected product behavior for MariaDB-backed ModelRegistry instances.

Applied to files:

• tests/model_registry/async_job/test_basic_oci_registry.py
• tests/conftest.py

📚 Learning: in tests/model_registry/conftest.py, the model_registry_instance_1 and model_registry_instance_2 fix...

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:733-770
Timestamp: 2025-07-17T15:42:23.880Z
Learning: In tests/model_registry/conftest.py, the model_registry_instance_1 and model_registry_instance_2 fixtures do not need explicit database dependency fixtures (like db_deployment_1, db_secret_1, etc.) in their function signatures. Pytest's dependency injection automatically handles the fixture dependencies when they reference db_name_1 and db_name_2 parameters. This is the correct pattern for these Model Registry instance fixtures.

Applied to files:

• tests/model_registry/async_job/test_basic_oci_registry.py
• tests/conftest.py

📚 Learning: in tests/model_registry/rbac/test_mr_rbac_sa.py, bounds checking for model_registry_instance_rest_en...

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#429
File: tests/model_registry/rbac/test_mr_rbac_sa.py:45-45
Timestamp: 2025-07-30T14:15:25.605Z
Learning: In tests/model_registry/rbac/test_mr_rbac_sa.py, bounds checking for model_registry_instance_rest_endpoint list access is not needed because upstream fixture validation already ensures endpoints exist before the tests execute. The Model Registry setup process validates endpoint availability, making additional bounds checks redundant.

Applied to files:

• tests/model_registry/async_job/test_basic_oci_registry.py
• tests/conftest.py

📚 Learning: in tests/model_registry/conftest.py, the model_registry_instance_1 fixture (and similar duplicated m...

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:0-0
Timestamp: 2025-07-17T15:42:26.275Z
Learning: In tests/model_registry/conftest.py, the model_registry_instance_1 fixture (and similar duplicated Model Registry instance fixtures) do not require admin_client, db_deployment_1, or db_secret_1 parameters as explicit dependencies, even though these dependencies exist implicitly through the fixture dependency chain.

Applied to files:

• tests/model_registry/async_job/test_basic_oci_registry.py
• tests/conftest.py

📚 Learning: in tests/model_registry/conftest.py, the db_deployment_1 fixture (and similar duplicated resource fi...

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:595-612
Timestamp: 2025-07-17T15:42:04.167Z
Learning: In tests/model_registry/conftest.py, the db_deployment_1 fixture (and similar duplicated resource fixtures) do not require the admin_client parameter or explicit dependencies on related fixtures like db_secret_1, db_pvc_1, and db_service_1, even though the original model_registry_db_deployment fixture includes these parameters.

Applied to files:

• tests/conftest.py

📚 Learning: for trustyai image validation tests: operator image tests require admin_client, related_images_refs,...

Learnt from: adolfo-ab
PR: opendatahub-io/opendatahub-tests#334
File: tests/model_explainability/trustyai_service/test_trustyai_service.py:52-65
Timestamp: 2025-06-05T10:05:17.642Z
Learning: For TrustyAI image validation tests: operator image tests require admin_client, related_images_refs, and trustyai_operator_configmap fixtures, while service image tests would require different fixtures like trustyai_service_with_pvc_storage, model_namespace, and current_client_token.

Applied to files:

• tests/conftest.py

📚 Learning: in tests/model_registry/conftest.py, the db_service_1 and db_service_2 fixtures do not require the a...

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:579-591
Timestamp: 2025-07-17T15:43:04.876Z
Learning: In tests/model_registry/conftest.py, the db_service_1 and db_service_2 fixtures do not require the admin_client parameter for Service resource creation, despite the existing model_registry_db_service fixture using client=admin_client. This inconsistency was confirmed as intentional by user lugi0.

Applied to files:

• tests/conftest.py

📚 Learning: in tests/model_registry/conftest.py, the db_secret_1 and db_secret_2 fixtures do not require the adm...

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:666-676
Timestamp: 2025-07-17T15:41:54.284Z
Learning: In tests/model_registry/conftest.py, the db_secret_1 and db_secret_2 fixtures do not require the admin_client parameter in their signatures, unlike some other Secret fixtures in the codebase. The user lugi0 confirmed this is the correct pattern for these specific fixtures.

Applied to files:

• tests/conftest.py

📚 Learning: in tests/model_registry/rbac/conftest.py, predictable names are intentionally used for test resource...

Learnt from: dbasunag
PR: opendatahub-io/opendatahub-tests#354
File: tests/model_registry/rbac/conftest.py:166-175
Timestamp: 2025-06-16T11:25:39.599Z
Learning: In tests/model_registry/rbac/conftest.py, predictable names are intentionally used for test resources (like RoleBindings and groups) instead of random names. This design choice prioritizes exposing cleanup failures from previous test runs through name collisions rather than masking such issues with random names. The philosophy is that test failures should be observable and informative to help debug underlying infrastructure or cleanup issues.

Applied to files:

• tests/conftest.py

📚 Learning: in tests/model_registry/conftest.py, service resources can be created without explicitly passing the...

Learnt from: lugi0
PR: opendatahub-io/opendatahub-tests#446
File: tests/model_registry/conftest.py:579-591
Timestamp: 2025-07-17T15:43:04.876Z
Learning: In tests/model_registry/conftest.py, Service resources can be created without explicitly passing the admin_client parameter when using the context manager approach with "with Service()". The client parameter is optional for Service resource creation.

Applied to files:

• tests/conftest.py

🔇 Additional comments (12)

utilities/constants.py (1)

249-266: LGTM! Well-structured constants for OCI registry configuration.

The new OCIRegistry class follows established patterns in the codebase and provides appropriate constants for registry setup. The configuration includes proper Istio integration with sidecar injection and route exposure.

tests/model_registry/async_job/test_basic_oci_registry.py (1)

17-26: LGTM! Proper parametrization following established patterns.

The parametrization correctly configures both MinIO and OCI registry pods using the constants from utilities/constants.py.

tests/model_registry/async_job/utils.py (4)

10-27: LGTM! Proper implementation of OCI registry blob upload.

The function correctly implements the two-step OCI registry blob upload process: initiate upload (POST) followed by content upload (PUT). The SHA256 digest calculation and HTTP status code validation are appropriate.

---

29-39: LGTM! Correct OCI manifest structure.

The manifest follows OCI Image Manifest Specification with proper schema version, media types, and structure. The JSON encoding with compact separators is appropriate for network transmission.

---

41-51: LGTM! Proper OCI manifest push implementation.

The function correctly uses the OCI registry manifest API with appropriate Content-Type header and status code validation.

---

53-63: LGTM! Correct OCI manifest pull implementation.

The function properly uses the Accept header to request OCI manifest format and validates the response before returning parsed JSON.

tests/conftest.py (6)

22-22: LGTM! Required import for Route fixture.

---

53-53: LGTM! Required import for OCIRegistry constants.

---

571-578: LGTM! Proper namespace fixture following established patterns.

The fixture follows the same pattern as minio_namespace with unique naming and proper cleanup.

---

580-659: LGTM! Comprehensive OCI registry pod configuration.

The fixture properly configures the OCI registry to use MinIO as S3 backend with all necessary environment variables. The security context and pod readiness wait are appropriate. The parameterization allows for flexible configuration while maintaining good defaults.

---

661-681: LGTM! Standard service configuration following established patterns.

The service configuration is consistent with other services in the file, using appropriate port, protocol, and session affinity settings.

---

683-692: LGTM! Simple and correct route configuration.

The route fixture properly exposes the OCI registry service externally, following the established pattern in the codebase.

[lugi0]

lgtm, we can use a separate constants file as milind suggested, I also think we can avoid the istio annotation

[github-actions]

Status of building tag latest: success.
Status of pushing tag latest to image registry: success.