fix(reposerver): fix OCI repository matching (#17955)

Signed-off-by: Tomáš Novák <tomas.novak@bcas.cz>
2026-04-21 17:07:16 +00:00 · 2024-05-17 21:41:23 +02:00 · 2024-05-17 21:41:23 +02:00 · 210f26ae83
commit 210f26ae83
parent 2e43af50da
3 changed files with 19 additions and 3 deletions
--- a/USERS.md
+++ b/USERS.md
@ -44,6 +44,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [BMW Group](https://www.bmwgroup.com/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Boticario](https://www.boticario.com.br/)
+1. [Broker Consulting, a.s.](https://www.bcas.cz/en/)
 1. [Bulder Bank](https://bulderbank.no)
 1. [CAM](https://cam-inc.co.jp)
 1. [Camptocamp](https://camptocamp.com)
--- a/reposerver/repository/repository.go
+++ b/reposerver/repository/repository.go
@ -1000,7 +1000,9 @@ func getHelmRepos(appPath string, repositories []*v1alpha1.Repository, helmRepoC
 				// finally if repo is OCI and no credentials found, use the first OCI credential matching by hostname
 				// see https://github.com/argoproj/argo-cd/issues/14636
 				for _, cred := range repositories {
-					if depURL, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && depURL.Host == cred.Repo {
+					// if the repo is OCI, don't match the repository URL exactly, but only as a dependent repository prefix just like in the getRepoCredential function
+					// see https://github.com/argoproj/argo-cd/issues/12436
+					if _, err := url.Parse("oci://" + dep.Repo); err == nil && cred.EnableOCI && strings.HasPrefix(dep.Repo, cred.Repo) {
 						repo.Username = cred.Username
 						repo.Password = cred.Password
 						break
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@ -3036,9 +3036,9 @@ func Test_populateHelmAppDetails_values_symlinks(t *testing.T) {
 	})
 }

-func TestGetHelmRepos_OCIDependencies(t *testing.T) {
+func TestGetHelmRepos_OCIDependenciesWithHelmRepo(t *testing.T) {
 	src := argoappv1.ApplicationSource{Path: "."}
-	q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{
+	q := apiclient.ManifestRequest{Repos: []*argoappv1.Repository{}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{
 		{URL: "example.com", Username: "test", Password: "test", EnableOCI: true},
 	}}

@ -3051,6 +3051,19 @@ func TestGetHelmRepos_OCIDependencies(t *testing.T) {
 	assert.Equal(t, helmRepos[0].Repo, "example.com/myrepo")
 }

+func TestGetHelmRepos_OCIDependenciesWithRepo(t *testing.T) {
+	src := argoappv1.ApplicationSource{Path: "."}
+	q := apiclient.ManifestRequest{Repos: []*argoappv1.Repository{{Repo: "example.com", Username: "test", Password: "test", EnableOCI: true}}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{}}
+
+	helmRepos, err := getHelmRepos("./testdata/oci-dependencies", q.Repos, q.HelmRepoCreds)
+	assert.Nil(t, err)
+
+	assert.Equal(t, len(helmRepos), 1)
+	assert.Equal(t, helmRepos[0].Username, "test")
+	assert.Equal(t, helmRepos[0].EnableOci, true)
+	assert.Equal(t, helmRepos[0].Repo, "example.com/myrepo")
+}
+
 func TestGetHelmRepo_NamedRepos(t *testing.T) {
 	src := argoappv1.ApplicationSource{Path: "."}
 	q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, Repos: []*argoappv1.Repository{{