* feat(addon): Store addon registry tokens in Secrets
Previously, addon registry tokens were stored in plaintext within the 'vela-addon-registry' ConfigMap. This is not a secure practice for sensitive data.
This commit refactors the addon registry functionality to store tokens in Kubernetes Secrets. The ConfigMap now only contains a reference to the secret name, while the token itself is stored securely.
This change includes:
- Creating/updating secrets when a registry is added/updated.
- Loading tokens from secrets when a registry is listed/retrieved.
- Deleting secrets when a registry is deleted.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* test(addon): Add tests for registry token secret storage
This commit introduces a comprehensive test suite for the addon registry feature.
It includes:
- Isolated unit tests for each CRUD operation (Add, Update, List, Get, Delete) to ensure each function works correctly in isolation.
- A stateful integration test to validate the complete lifecycle of an addon registry from creation to deletion.
The tests verify that tokens are handled correctly via Kubernetes Secrets, confirming the implementation of the secure token storage feature.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): improve addon registry robustness and fix bugs
This commit introduces several improvements to the addon registry to make it more robust and fixes several bugs.
- When updating a secret, the existing secret is now fetched and updated to avoid potential conflicts.
- Deleting a non-existent registry now returns no error, making the operation idempotent.
- Getting a non-existent registry now returns a structured not-found error.
- Loading a token from a non-existent secret is now handled gracefully.
- When setting a token directly on a git-based addon source, the token secret reference is now cleared.
- The token secret reference is now correctly copied in `SafeCopy`.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* Refactor(addon): Fix secret deletion and improve registry logic
This commit refactors the addon registry data store to fix a critical bug where deleting an addon registry would not delete its associated token secret.
The root cause was that the `GetRegistry` function, which was used by `DeleteRegistry`, would load the token from the secret and then clear the `TokenSecretRef` field on the in-memory object. This meant that when `DeleteRegistry` tried to find the secret to delete, the reference was already gone.
This has been fixed by:
1. Introducing a central `getRegistries` helper function to read the raw registry data from the ConfigMap.
2. Refactoring all data store methods (`List`, `Get`, `Add`, `Update`, `Delete`) to use this central helper, removing duplicate code.
3. Ensuring `DeleteRegistry` uses the raw, unmodified registry data so that the `TokenSecretRef` is always available for deletion.
Additionally, comprehensive unit tests for the new helper functions (`getRegistries`, `loadTokenFromSecret`, `createOrUpdateTokenSecret`) have been added to verify the fix and improve overall code quality and stability.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): improve addon registry token security and logging
This commit enhances the security and observability of addon registry token handling.
- Adds a warning message to users when an insecure inline token is detected in an addon registry configuration, prompting them to migrate to a more secure secret-based storage.
- Implements info-level logging to create an audit trail for token migrations, providing administrators with visibility into security-related events.
- Refactors the token migration logic into a new `migrateInlineTokenToSecret` function, improving code clarity and maintainability.
- Introduces unit tests for the `TokenSource` interface methods and the `GetTokenSource` function to ensure correctness and prevent regressions.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* Chore: remove comments to triger ci
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
---------
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* fix(addon): show correct owner in definition conflict error
When enabling an addon, if a definition conflicted with one from another existing addon, the error message would misleadingly cite the addon being installed as the owner, rather than the actual owner of the definition. This made it difficult for users to diagnose the conflict.
This commit corrects the error message generation in `checkConflictDefs` to use the name of the actual owner application. A comprehensive unit test for this function has also been added to verify the corrected behavior and prevent regressions.
Fixes#6898
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* fix(addon): show correct owner name in conflict message
When a definition conflict occurs, the error message attempts to show the addon that owns the existing definition.
However, if the owner is not a KubeVela addon application (i.e., its name doesn't have the 'addon-' prefix), the `AppName2Addon` function returns an empty string. This resulted in a confusing conflict message with a blank owner name, like "already exist in \n".
This patch fixes the issue by checking if the result of `AppName2Addon` is empty. If it is, it falls back to using the full application name of the owner,
ensuring the conflict message is always clear and actionable.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* chore(addon): update comment for addon name
- Add this comment to trigger ci
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* fix(addon): improve conflict message for addon definitions
adjust comment placement and logic to ensure correct addon name display in conflict messages
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
---------
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): add comprehensive unit tests for addon readers
This commit enhances the test coverage and code quality for the addon reader implementations in the pkg/addon package.
- Refactors all existing addon reader tests (gitee, github, gitlab, local) to use consistent, modern testing patterns like sub-tests.
- Replaces the old memory_reader_test.go with a completely refactored implementation.
- Adds new unit tests for previously untested functions, including various getters, client constructors, and RelativePath helpers.
- Improves http-based tests (gitlab, github, gitee) to use robust mock handlers that correctly simulate API behavior, including pagination and error states.
These changes improve the overall quality and reliability of the addon system and uncovered two minor bugs during the process.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): add more unit tests for addon helpers
This commit continues to improve the test coverage for the pkg/addon package by adding unit tests for several helper and factory functions.
- Adds a test for WrapErrRateLimit to ensure GitHub API rate limit errors are handled correctly.
- Adds a test for ClassifyItemByPattern to verify addon file classification logic.
- Adds a test for the NewAsyncReader factory function to ensure correct reader instantiation.
- Adds tests for various utility functions in utils.go, including IsRegistryFuncs, InstallOptions, ProduceDefConflictError, and GenerateChartMetadata.
These tests increase the reliability of the addon installation and handling logic.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): add unit tests for versioned addon registry
This commit improves test coverage for the versioned addon registry logic in the pkg/addon package.
- Adds a unit test for resolveAddonListFromIndex to verify the logic for parsing Helm index files.
- Introduces a new table-driven test for the internal loadAddon function, covering success and multiple failure scenarios (e.g., version not found, download failure, corrupt data).
- Adds a new test helper, setupAddonTestServer, to create isolated mock HTTP servers for testing addon loading, improving test reliability and clarity.
These tests ensure the core logic for discovering and fetching versioned addons is robust and functions as expected.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* chore(addon): remove unused gitlab testdata path constant
- remove unused gitlab testdata path constant name `gitlabTestdataPath`
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* refactor(addon): improve unit tests based on review feedback
This commit addresses several code review comments to improve the quality, correctness, and robustness of the unit tests in the pkg/addon package.
- Refactors map key assertions in the memory reader test to use the correct "comma ok" idiom instead of assert.NotNil.
- Updates the GitHub reader test to use a compliant addon mock that includes the required template.cue file.
- Modifies the chart metadata test in utils_test.go to use t.TempDir() for better test isolation and automatic cleanup.
- Switches from assert.NotNil to require.NotNil in the versioned registry test to prevent panics on nil pointers.
These changes make the test suite more robust, reliable, and easier to maintain.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
---------
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
The GetPath method for GitLabItem produced an incorrect path when an addon's base path in the repository was empty. This was caused by an off-by-one error in the string slicing logic that always assumed a base path separator existed, incorrectly truncating the first character of the file path.
This commit corrects the logic by adding a check for an empty base path, ensuring the full path is returned in that case.
Fixes#6899
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* Feat(#5861): Support addon dependencies version ranges
This change enables addon maintainers to define version ranges for
dependencies in an addon's metadata.yaml file.
This behavior is similar to the version range allowed in the `system`
section of the metadata file. The version range expression for
`dependencies` follows the same format as for `system`.
Example:
```yaml
dependencies:
- name: addon1
version: ">= 2.3.3, < 3.0.0"
- name: addon2
version: ">= 0.1.0, < 1.0.0"
```
When installing an addon, the behavior varies depending on whether the
dependency is already installed.
If a dependency is already installed, the installed version will be
validated against the version range, and installation will fail with an
error if there's a mismatch.
If a dependency is not installed, the version range will be used to
select the addon version to be installed. If no addon version matching
the range exists, the installation will fail with an error.
Fixes#5861
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): remove unused ctx parameter
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): Add comment for IsLocalRegistry
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): unexport AddonInfoMap
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): unexport addonInfo
Signed-off-by: Michael Russo <merusso@gmail.com>
* chore: replace map[string]addonInfo with addonInfoMap for consistency
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix: add short circuit when dependency version is not specified
Signed-off-by: Michael Russo <merusso@gmail.com>
* feat: Add test for multiple validation errors
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix: Run go mod tidy
Signed-off-by: Michael Russo <merusso@gmail.com>
* feat: add tests for ToVersionedRegistry
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix: simplify listInstalledAddons loop
Signed-off-by: Michael Russo <merusso@gmail.com>
* feat: listAvailableAddons returns addons from multiple sources
Changes:
* implement ListAddonInfo in Registry
* add interface to aid testing of listAvailableAddons
* add tests for listAvailableAddons
Signed-off-by: Michael Russo <merusso@gmail.com>
* refactor: simplify validateAddonDependencies
move logic from validateAddonDependencies to
calculateDependencyVersionToInstall.
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): Implicit memory aliasing in for loop.
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): non-wrapping format verb for fmt.Errorf
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): indent-error-flow: (revive)
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): unexported-return
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): exported type comment format (revive)
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): refactor AddonInfo to ItemInfo, avoid "stutter" (revive)
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): add comment to exported method Registry.ListAddonInfo
Signed-off-by: Michael Russo <merusso@gmail.com>
* fix(lint): fix stutter, rename AddonInfoLister to ItemInfoLister
Signed-off-by: Michael Russo <merusso@gmail.com>
* chore: Add suite tests for Registry.ListAddonInfo()
Signed-off-by: Michael Russo <merusso@gmail.com>
* Test: add test cases for addon.sortVersionsDescending
Signed-off-by: Michael Russo <merusso@gmail.com>
---------
Signed-off-by: Michael Russo <merusso@gmail.com>
* chore(Makefile): Give the help information of Makefile to make it more readable
Signed-off-by: Xinwei Xiong <3293172751nss@gmail.com>
fix: Fixed some spelling mistakes
Signed-off-by: Xinwei Xiong <3293172751nss@gmail.com>
fix: part of the makefile shows a problem
Signed-off-by: Xinwei Xiong(cubxxw) <3293172751nss@gmail.com>
* fix: makefile targer image-cleanup
Signed-off-by: Xinwei Xiong(cubxxw) <3293172751nss@gmail.com>
---------
Signed-off-by: Xinwei Xiong(cubxxw) <3293172751nss@gmail.com>
