Conversation
WalkthroughAdds deprecation notices for GitLab-backed model storage, adds Harbor preparation notes, introduces a Model Catalog configuration section (secrets, registry address, PVC), documents importing built-in OCI model images into Harbor via containerd/ctr, and registers a new site entry. Model Catalog and Harbor import
Sequence Diagram(s)sequenceDiagram
participant Operator
participant Containerd_ctr
participant Harbor
Operator->>Containerd_ctr: download OCI tarball & ctr images import (--all-platforms)
Operator->>Containerd_ctr: tag and ctr images push (--plain-http if Harbor over HTTP)
Containerd_ctr->>Harbor: push image artifact
Operator->>Harbor: verify artifact via API (curl / jq)
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/en/installation/ai-cluster.mdx`:
- Around line 439-443: The curl verification step hardcodes "https://" causing
failures for HTTP-only registries when users used ctr push --plain-http; update
the docs around the curl command in ai-cluster.mdx to either (a) parameterize
the URL scheme (introduce a variable like $SCHEME and use "$SCHEME://$REG/..."
in the example) or (b) add a brief note immediately before/after the curl
snippet telling readers to replace "https://" with "http://" when using
--plain-http (and mention the --plain-http flag) so verification succeeds for
HTTP-only registries.
- Around line 413-422: The canonical push example currently includes the
--skip-verify flag unconditionally; remove --skip-verify from the example
command (ctr -n k8s.io images push ... "$REG/$REPO:$TAG") and instead add a
short note below the snippet stating that --skip-verify is optional and should
only be used for registries with private CAs (similarly document --plain-http
and --local as optional flags), so readers won’t cargo-cult TLS verification
disabling into normal environments.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 69f9d2b8-b05b-4018-8d3a-f0e77e85f7b1
📒 Files selected for processing (1)
docs/en/installation/ai-cluster.mdx
Deploying alauda-ai with
|
| Latest commit: |
9a08386
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://669704db.alauda-ai.pages.dev |
| Branch Preview URL: | https://oci-models.alauda-ai.pages.dev |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/en/installation/ai-cluster.mdx`:
- Around line 397-401: The TAG extraction can yield the literal string "null"
when the annotation is missing; update the script that sets TAG (the command
using tar -xOf "$TAR" index.json | jq -r
'.manifests[0].annotations["org.opencontainers.image.ref.name"]') to validate
the result immediately after assignment and bail out with a clear error if TAG
is empty or equals "null" (e.g., check [[ -z "$TAG" || "$TAG" == "null" ]] and
print an explanatory message and exit 1) so subsequent ctr/curl commands never
run with $REG/$REPO:null.
- Around line 369-393: Add a prominent warning callout in the "Pushing to
Harbor" section stating that the shown workflow transmits credentials in
plaintext because it targets HTTP-only registries; reference the environment
variables REG/REPO/TAG/TAR/AUTH and the commands that use them (curl -u "$AUTH"
and ctr push --user "$AUTH" with --plain-http) and instruct readers to use HTTPS
in production (drop --plain-http, switch http:// to https:// in curl calls, and
mention --skip-verify for private CAs) so users know how to adapt the steps for
TLS-enabled Harbor deployments.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: ed513c87-be0e-497b-b7ea-3725483b9d3e
📒 Files selected for processing (1)
docs/en/installation/ai-cluster.mdx
Comment on lines
+397
to
+401
| ```bash | ||
| export TAG=$(tar -xOf "$TAR" index.json \ | ||
| | jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]') | ||
| echo "$TAG" # should print something like v2.3.0 | ||
| ``` |
There was a problem hiding this comment.
Add a null-guard for the tag extraction — absent annotation sets $TAG to the literal string "null"
If org.opencontainers.image.ref.name is absent from the tarball's index.json, jq -r outputs null and TAG is silently set to the string "null". Every subsequent ctr/curl command then uses $REG/$REPO:null, failing in a confusing way.
🛡️ Proposed fix
export TAG=$(tar -xOf "$TAR" index.json \
| jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]')
-echo "$TAG" # should print something like v2.3.0
+if [ -z "$TAG" ] || [ "$TAG" = "null" ]; then
+ echo "ERROR: could not extract tag from $TAR — set \$TAG manually." >&2
+ exit 1
+fi
+echo "$TAG" # should print something like v2.3.0🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/en/installation/ai-cluster.mdx` around lines 397 - 401, The TAG
extraction can yield the literal string "null" when the annotation is missing;
update the script that sets TAG (the command using tar -xOf "$TAR" index.json |
jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]') to
validate the result immediately after assignment and bail out with a clear error
if TAG is empty or equals "null" (e.g., check [[ -z "$TAG" || "$TAG" == "null"
]] and print an explanatory message and exit 1) so subsequent ctr/curl commands
never run with $REG/$REPO:null.
There was a problem hiding this comment.
♻️ Duplicate comments (2)
docs/en/installation/ai-cluster.mdx (2)
459-463:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winGuard TAG extraction to avoid propagating a literal
"null"tag.On Line 460, if the annotation is missing,
jq -rcan producenull, and subsequent commands push/query$REPO:null, which is confusing to troubleshoot.Suggested doc patch
export TAG=$(tar -xOf "$TAR" index.json \ | jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]') +if [ -z "$TAG" ] || [ "$TAG" = "null" ]; then + echo "ERROR: failed to extract tag from $TAR; set TAG manually." >&2 + exit 1 +fi echo "$TAG" # should print something like v2.3.0🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/en/installation/ai-cluster.mdx` around lines 459 - 463, The TAG extraction can yield the literal string "null" when the annotation is missing, causing downstream commands to use an invalid tag; update the extraction/usage around the TAG and TAR variables (the export TAG=... block that uses jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]') to guard against null/empty results: after extracting TAG, detect if TAG is empty or equals "null" and fail early or set a sensible default and print a clear error message so subsequent pushes/queries never use "$REPO:null".
431-435:⚠️ Potential issue | 🟠 Major | ⚡ Quick winAdd a prominent HTTP plaintext-credentials warning near the Harbor workflow.
Line 433 scopes this to HTTP Harbor, but the commands on Lines 483-509 send credentials (
-u "$AUTH"/--user "$AUTH") over plaintext transport. Please add a warning callout that this flow is HTTP-only and how to adapt for HTTPS.Suggested doc patch
The recommended target is Harbor. The following procedure has been verified with an HTTP Harbor registry, where the push command must include `--plain-http`. + +:::warning +This procedure is for **HTTP-only** registries and sends credentials in plaintext on the network. +For production HTTPS Harbor: +- Remove `--plain-http` from `ctr images push`. +- Use `https://` for Harbor API requests. +- Only add `--skip-verify` when using a private/self-signed CA. +:::Also applies to: 483-509
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/en/installation/ai-cluster.mdx` around lines 431 - 435, Add a prominent warning callout in the "Pushing to Harbor" section indicating the example uses plaintext HTTP transport (the commands that use --plain-http and pass credentials with -u "$AUTH"/--user "$AUTH" send credentials in cleartext); update the text near the Harbor workflow to explicitly label this as HTTP-only, instruct readers to prefer HTTPS for production (remove --plain-http, ensure Harbor is configured with TLS, and use secure auth methods like docker/ctr login or token-based auth), and reference the specific commands shown later that include -u "$AUTH"/--user "$AUTH" so readers know to adapt them for HTTPS.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In `@docs/en/installation/ai-cluster.mdx`:
- Around line 459-463: The TAG extraction can yield the literal string "null"
when the annotation is missing, causing downstream commands to use an invalid
tag; update the extraction/usage around the TAG and TAR variables (the export
TAG=... block that uses jq -r
'.manifests[0].annotations["org.opencontainers.image.ref.name"]') to guard
against null/empty results: after extracting TAG, detect if TAG is empty or
equals "null" and fail early or set a sensible default and print a clear error
message so subsequent pushes/queries never use "$REPO:null".
- Around line 431-435: Add a prominent warning callout in the "Pushing to
Harbor" section indicating the example uses plaintext HTTP transport (the
commands that use --plain-http and pass credentials with -u "$AUTH"/--user
"$AUTH" send credentials in cleartext); update the text near the Harbor workflow
to explicitly label this as HTTP-only, instruct readers to prefer HTTPS for
production (remove --plain-http, ensure Harbor is configured with TLS, and use
secure auth methods like docker/ctr login or token-based auth), and reference
the specific commands shown later that include -u "$AUTH"/--user "$AUTH" so
readers know to adapt them for HTTPS.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: b7051c2b-4922-46bf-8a6c-a6a856cdb379
📒 Files selected for processing (3)
docs/en/installation/ai-cluster.mdxdocs/en/installation/pre-configuration.mdxsites.yaml
There was a problem hiding this comment.
♻️ Duplicate comments (1)
docs/en/installation/ai-cluster.mdx (1)
460-463:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winAdd null-guard for TAG extraction to prevent confusing failures.
If the
org.opencontainers.image.ref.nameannotation is missing from the tarball,jq -routputs the literal string"null"and every subsequentctr/curlcommand silently uses$REG/$REPO:null, causing cryptic errors. Add validation immediately after extraction.🛡️ Proposed fix
export TAG=$(tar -xOf "$TAR" index.json \ | jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]') +if [ -z "$TAG" ] || [ "$TAG" = "null" ]; then + echo "ERROR: could not extract tag from $TAR — set \$TAG manually." >&2 + exit 1 +fi echo "$TAG" # should print something like v0.1.0🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/en/installation/ai-cluster.mdx` around lines 460 - 463, The TAG extraction using export TAG=$(tar -xOf "$TAR" index.json | jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]') can yield the literal "null" (or empty) if the annotation is missing; add a null-guard immediately after this extraction to validate TAG (check for empty string or "null") and, if invalid, print a clear error mentioning the missing org.opencontainers.image.ref.name in index.json and exit non-zero so subsequent ctr/curl commands never run with $REG/$REPO:null.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Duplicate comments:
In `@docs/en/installation/ai-cluster.mdx`:
- Around line 460-463: The TAG extraction using export TAG=$(tar -xOf "$TAR"
index.json | jq -r
'.manifests[0].annotations["org.opencontainers.image.ref.name"]') can yield the
literal "null" (or empty) if the annotation is missing; add a null-guard
immediately after this extraction to validate TAG (check for empty string or
"null") and, if invalid, print a clear error mentioning the missing
org.opencontainers.image.ref.name in index.json and exit non-zero so subsequent
ctr/curl commands never run with $REG/$REPO:null.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 44deea77-f925-4c67-a980-3eeee0171014
📒 Files selected for processing (3)
docs/en/installation/ai-cluster.mdxdocs/en/installation/pre-configuration.mdxsites.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
- sites.yaml
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by CodeRabbit