OCPBUGS-79425: adding cred helpers to dockerconfigjson struct #5795

Open
dalemcgavin wants to merge 1 commit into openshift:main from dalemcgavin:cred-helpers
dalemcgavin commented Mar 24, 2026

- What I did
Added "credHelpers" field to DockerConfigJSON.
From OpenShift 4.19 -> 4.20 there is stricter decoding in place which causes secrets with this field to be rejected.
The JSON decoder that is used has DisallowUnknownFields enabled.

func decodeDockerConfigBytes(in []byte, target interface{}) error {
	decoder := json.NewDecoder(bytes.NewReader(in))
	decoder.DisallowUnknownFields()
	return decoder.Decode(target)
}

- How to verify it
I have written a new test; below is the test output before and after the change.
[Screenshot 2026-03-24 at 11 12 56]

- Description for the changelog
Adding CredHelpers to DockerConfigJSON.

- Background
Struggling to find a definitive definition of this config file.
Decided it was okay to only add credHelpers because of containers/image.

docker/cli also shows a huge definition here
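
The rejection described in this PR description can be reproduced in isolation; the following is an added example, not code from the PR or the repository. The type names `authsOnly` and `withHelpers`, the `decode` helper and the sample payload are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Constructed sample payload: one inline auth plus one credential helper.
const sample = `{"auths":{"registry.example.com":{"auth":"dXNlcjpwYXNz"}},` +
	`"credHelpers":{"helper.example.com":"example-helper"}}`

type authEntry struct {
	Auth string `json:"auth,omitempty"`
}

// authsOnly is a hypothetical stand-in for a struct that only knows "auths".
type authsOnly struct {
	Auths map[string]authEntry `json:"auths"`
}

// withHelpers is a hypothetical stand-in for a struct that also has credHelpers.
type withHelpers struct {
	Auths       map[string]authEntry `json:"auths"`
	CredHelpers map[string]string    `json:"credHelpers,omitempty"`
}

// decode parses in into target; strict enables DisallowUnknownFields,
// as decodeDockerConfigBytes in the PR description does.
func decode(in []byte, target interface{}, strict bool) error {
	d := json.NewDecoder(bytes.NewReader(in))
	if strict {
		d.DisallowUnknownFields()
	}
	return d.Decode(target)
}

func main() {
	var before authsOnly
	fmt.Println("strict, auths only:  ", decode([]byte(sample), &before, true))
	fmt.Println("lenient, auths only: ", decode([]byte(sample), &before, false))

	var after withHelpers
	fmt.Println("strict, with helpers:", decode([]byte(sample), &after, true))
	fmt.Println("helpers decoded:     ", after.CredHelpers)
}
```

The lenient case succeeds but silently discards `credHelpers`, while the strict case turns the same gap in the struct into a hard decode error.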

@openshift-ci openshift-ci bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Mar 24, 2026
openshift-ci bot commented Mar 24, 2026

Hi @dalemcgavin. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci bot commented Mar 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dalemcgavin
Once this PR has been reviewed and has the lgtm label, please assign djoshy for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

coderabbitai bot commented Mar 24, 2026

Walkthrough

Support for credential helpers in Docker configuration was added by extending the DockerConfigJSON struct with a CredHelpers field. A corresponding test validates the handling of Docker config JSON containing both authentication and credential helper entries.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Production struct enhancement: pkg/secrets/secrets.go | Added CredHelpers map[string]string field to DockerConfigJSON struct, serialized as credHelpers in JSON with omitempty tag. |
| Test coverage: pkg/controller/common/dockerconfig_test.go | Added TestCredHelpers test function to verify ConvertSecretTodockercfg correctly handles Docker config JSON with credential helpers. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
pkg/secrets/secrets.go (2)

159-167: ⚠️ Potential issue | 🟠 Major

CredHelpers not copied during DockerConfigJSON conversion.

The function copies Auths but omits CredHelpers, causing credential helper data to be silently dropped when creating an ImageRegistrySecret from a DockerConfigJSON. If the intent is to preserve the full config, consider copying CredHelpers as well.

Proposed fix
 func newImageRegistrySecretFromDockerConfigJSON(dcj DockerConfigJSON) ImageRegistrySecret {
 	cfg := newDockerConfigJSON()
 
 	for key, val := range dcj.Auths {
 		cfg.Auths[key] = val
 	}
+
+	if dcj.CredHelpers != nil {
+		cfg.CredHelpers = make(map[string]string, len(dcj.CredHelpers))
+		for key, val := range dcj.CredHelpers {
+			cfg.CredHelpers[key] = val
+		}
+	}
 
 	return &imageRegistrySecretImpl{cfg: cfg}
 }
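Review bot: In the added block, the `dcj.CredHelpers != nil` guard means an empty but non-nil input map still allocates an empty `cfg.CredHelpers`, while a nil input leaves it nil, so "no helpers" ends up with two in-memory forms. Guarding on `len(dcj.CredHelpers) > 0` keeps a single form. Note also the asymmetry with the `Auths` loop above it, which writes into a map that must already be initialised by `newDockerConfigJSON()`; allocating both maps in the same place would be easier to follow. The hunk carries no test, so a case asserting that helper entries survive the conversion would be worth adding alongside it.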
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/secrets/secrets.go` around lines 159 - 167,
newImageRegistrySecretFromDockerConfigJSON currently copies only
DockerConfigJSON.Auths into cfg.Auths, dropping DockerConfigJSON.CredHelpers;
update the function (newImageRegistrySecretFromDockerConfigJSON) to also copy
dcj.CredHelpers into cfg.CredHelpers so credential helper entries are preserved
when constructing the imageRegistrySecretImpl (cfg). Ensure you reference the
DockerConfigJSON.CredHelpers map and assign its entries into the newly created
cfg.CredHelpers alongside the existing loop that copies Auths.

316-331: ⚠️ Potential issue | 🟡 Minor

Equal method ignores CredHelpers.

Two ImageRegistrySecret instances with identical Auths but different CredHelpers will be considered equal. If semantic equality should include credential helpers, this comparison needs updating.

Proposed fix
 func (i *imageRegistrySecretImpl) Equal(is2 ImageRegistrySecret) bool {
 	dcj1 := i.DockerConfigJSON()
 	dcj2 := is2.DockerConfigJSON()
 
 	if len(dcj1.Auths) != len(dcj2.Auths) {
 		return false
 	}
 
 	for key, val := range dcj1.Auths {
 		if dcj2.Auths[key] != val {
 			return false
 		}
 	}
 
+	if len(dcj1.CredHelpers) != len(dcj2.CredHelpers) {
+		return false
+	}
+
+	for key, val := range dcj1.CredHelpers {
+		if dcj2.CredHelpers[key] != val {
+			return false
+		}
+	}
+
 	return true
 }
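Review bot: The added loop's `dcj2.CredHelpers[key] != val` check cannot tell a missing key from an empty value: a lookup on a `map[string]string` returns "" for an absent key, so two maps of the same length with different keys that both map to "" pass the length check and the loop and compare equal. Use the comma-ok form, `v2, ok := dcj2.CredHelpers[key]`, and return false when `!ok || v2 != val`, or replace the length check and loop with `maps.Equal(dcj1.CredHelpers, dcj2.CredHelpers)`.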
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/secrets/secrets.go` around lines 316 - 331, The Equal method on
imageRegistrySecretImpl currently only compares DockerConfigJSON().Auths and
thus treats instances with different CredHelpers as equal; update
imageRegistrySecretImpl.Equal (and use ImageRegistrySecret.DockerConfigJSON())
to also compare the CredHelpers maps: first check lengths of dcj1.CredHelpers vs
dcj2.CredHelpers, then iterate keys and ensure values match for every entry (and
keep the existing Auths comparison). Ensure both Auths and CredHelpers are
treated as part of semantic equality.
ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between d4008e5 and 76b6f41.

📒 Files selected for processing (2)
  • pkg/controller/common/dockerconfig_test.go
  • pkg/secrets/secrets.go

@isabella-janssen (Member)

/retitle OCPBUGS-79425: adding cred helpers to dockerconfigjson struct

@openshift-ci openshift-ci bot changed the title adding cred helpers to dockerconfigjson struct OCPBUGS-79425: adding cred helpers to dockerconfigjson struct Mar 24, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 24, 2026
@openshift-ci-robot (Contributor)

@dalemcgavin: This pull request references Jira Issue OCPBUGS-79425, which is invalid:

  • expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@isabella-janssen (Member)

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Mar 24, 2026
@openshift-ci-robot (Contributor)

@isabella-janssen: This pull request references Jira Issue OCPBUGS-79425, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
@isabella-janssen (Member)

/ok-to-test

@openshift-ci openshift-ci bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 24, 2026
@openshift-ci-robot (Contributor)

@dalemcgavin: This pull request references Jira Issue OCPBUGS-79425, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
openshift-ci bot commented Mar 24, 2026

@dalemcgavin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-gcp-op-single-node | 76b6f41 | link | true | /test e2e-gcp-op-single-node |
| ci/prow/unit | 76b6f41 | link | true | /test unit |
| ci/prow/e2e-aws-ovn | 76b6f41 | link | true | /test e2e-aws-ovn |

Full PR test history. Your PR dashboard.

@dalemcgavin (Author)

There is something to be said about a future change that persists the credHelpers into the ControllerConfig.spec.internalRegistryPullSecret, but this didn't happen in previous OpenShift versions either.
