* feat(addon): Store addon registry tokens in Secrets
Previously, addon registry tokens were stored in plaintext within the 'vela-addon-registry' ConfigMap. This is not a secure practice for sensitive data.
This commit refactors the addon registry functionality to store tokens in Kubernetes Secrets. The ConfigMap now only contains a reference to the secret name, while the token itself is stored securely.
This change includes:
- Creating/updating secrets when a registry is added/updated.
- Loading tokens from secrets when a registry is listed/retrieved.
- Deleting secrets when a registry is deleted.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* test(addon): Add tests for registry token secret storage
This commit introduces a comprehensive test suite for the addon registry feature.
It includes:
- Isolated unit tests for each CRUD operation (Add, Update, List, Get, Delete) to ensure each function works correctly in isolation.
- A stateful integration test to validate the complete lifecycle of an addon registry from creation to deletion.
The tests verify that tokens are handled correctly via Kubernetes Secrets, confirming the implementation of the secure token storage feature.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): improve addon registry robustness and fix bugs
This commit introduces several improvements to the addon registry to make it more robust and fixes several bugs.
- When updating a secret, the existing secret is now fetched and updated to avoid potential conflicts.
- Deleting a non-existent registry now returns no error, making the operation idempotent.
- Getting a non-existent registry now returns a structured not-found error.
- Loading a token from a non-existent secret is now handled gracefully.
- When setting a token directly on a git-based addon source, the token secret reference is now cleared.
- The token secret reference is now correctly copied in `SafeCopy`.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* Refactor(addon): Fix secret deletion and improve registry logic
This commit refactors the addon registry data store to fix a critical bug where deleting an addon registry would not delete its associated token secret.
The root cause was that the `GetRegistry` function, which was used by `DeleteRegistry`, would load the token from the secret and then clear the `TokenSecretRef` field on the in-memory object. This meant that when `DeleteRegistry` tried to find the secret to delete, the reference was already gone.
This has been fixed by:
1. Introducing a central `getRegistries` helper function to read the raw registry data from the ConfigMap.
2. Refactoring all data store methods (`List`, `Get`, `Add`, `Update`, `Delete`) to use this central helper, removing duplicate code.
3. Ensuring `DeleteRegistry` uses the raw, unmodified registry data so that the `TokenSecretRef` is always available for deletion.
Additionally, comprehensive unit tests for the new helper functions (`getRegistries`, `loadTokenFromSecret`, `createOrUpdateTokenSecret`) have been added to verify the fix and improve overall code quality and stability.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): improve addon registry token security and logging
This commit enhances the security and observability of addon registry token handling.
- Adds a warning message to users when an insecure inline token is detected in an addon registry configuration, prompting them to migrate to a more secure secret-based storage.
- Implements info-level logging to create an audit trail for token migrations, providing administrators with visibility into security-related events.
- Refactors the token migration logic into a new `migrateInlineTokenToSecret` function, improving code clarity and maintainability.
- Introduces unit tests for the `TokenSource` interface methods and the `GetTokenSource` function to ensure correctness and prevent regressions.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* Chore: remove comments to triger ci
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
---------
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): add comprehensive unit tests for addon readers
This commit enhances the test coverage and code quality for the addon reader implementations in the pkg/addon package.
- Refactors all existing addon reader tests (gitee, github, gitlab, local) to use consistent, modern testing patterns like sub-tests.
- Replaces the old memory_reader_test.go with a completely refactored implementation.
- Adds new unit tests for previously untested functions, including various getters, client constructors, and RelativePath helpers.
- Improves http-based tests (gitlab, github, gitee) to use robust mock handlers that correctly simulate API behavior, including pagination and error states.
These changes improve the overall quality and reliability of the addon system and uncovered two minor bugs during the process.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): add more unit tests for addon helpers
This commit continues to improve the test coverage for the pkg/addon package by adding unit tests for several helper and factory functions.
- Adds a test for WrapErrRateLimit to ensure GitHub API rate limit errors are handled correctly.
- Adds a test for ClassifyItemByPattern to verify addon file classification logic.
- Adds a test for the NewAsyncReader factory function to ensure correct reader instantiation.
- Adds tests for various utility functions in utils.go, including IsRegistryFuncs, InstallOptions, ProduceDefConflictError, and GenerateChartMetadata.
These tests increase the reliability of the addon installation and handling logic.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): add unit tests for versioned addon registry
This commit improves test coverage for the versioned addon registry logic in the pkg/addon package.
- Adds a unit test for resolveAddonListFromIndex to verify the logic for parsing Helm index files.
- Introduces a new table-driven test for the internal loadAddon function, covering success and multiple failure scenarios (e.g., version not found, download failure, corrupt data).
- Adds a new test helper, setupAddonTestServer, to create isolated mock HTTP servers for testing addon loading, improving test reliability and clarity.
These tests ensure the core logic for discovering and fetching versioned addons is robust and functions as expected.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* chore(addon): remove unused gitlab testdata path constant
- remove unused gitlab testdata path constant name `gitlabTestdataPath`
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* refactor(addon): improve unit tests based on review feedback
This commit addresses several code review comments to improve the quality, correctness, and robustness of the unit tests in the pkg/addon package.
- Refactors map key assertions in the memory reader test to use the correct "comma ok" idiom instead of assert.NotNil.
- Updates the GitHub reader test to use a compliant addon mock that includes the required template.cue file.
- Modifies the chart metadata test in utils_test.go to use t.TempDir() for better test isolation and automatic cleanup.
- Switches from assert.NotNil to require.NotNil in the versioned registry test to prevent panics on nil pointers.
These changes make the test suite more robust, reliable, and easier to maintain.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
---------
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
