From 610787af201d6afecac42ce604b226e93227dcdf Mon Sep 17 00:00:00 2001
From: Xavi Garcia
Date: Thu, 31 Jul 2025 15:12:26 +0200
Subject: [PATCH] Avoid using a global registry client when downloading OCI helm charts

This changes how we instantiate the `registryClient` used when downloading helm charts stored in OCI registries. It fixes race conditions that could lead to `Not Logged In` or even authentication problems.
Refers to: https://github.com/rancher/fleet/issues/3915
Signed-off-by: Xavi Garcia
---
 internal/bundlereader/loaddirectory.go | 30 +++++++++-----------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/internal/bundlereader/loaddirectory.go b/internal/bundlereader/loaddirectory.go
index 2af7aac7ea..67a5a88c1d 100644
--- a/internal/bundlereader/loaddirectory.go
+++ b/internal/bundlereader/loaddirectory.go
@@ -26,23 +26,6 @@ import (
 "helm.sh/helm/v3/pkg/registry"
 )
-var (
- registryClient *registry.Client
-
- fleetOciProvider = helmgetter.Provider{
- Schemes: []string{registry.OCIScheme},
- New: NewFleetOCIProvider,
- }
-)
-
-func NewFleetOCIProvider(options ...helmgetter.Option) (helmgetter.Getter, error) {
- if registryClient == nil {
- return nil, fmt.Errorf("oci registry client is nil")
- }
-
- return helmgetter.NewOCIGetter(helmgetter.WithRegistryClient(registryClient))
-}
-
 // ignoreTree represents a tree of ignored paths (read from .fleetignore files), each node being a directory.
 // It provides a means for ignored paths to be propagated down the tree, but not between subdirectories of a same
 // directory.
@@ -363,7 +346,7 @@ func downloadOCIChart(name, version, path string, auth Auth) (string, error) {
 if auth.BasicHTTP {
 clientOptions = append(clientOptions, registry.ClientOptPlainHTTP())
 }
- registryClient, err = registry.NewClient(clientOptions...)
+ registryClient, err := registry.NewClient(clientOptions...)
 if err != nil {
 return "", err
 }
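Review bot: Nothing in the patch records why `registryClient` must stay local at the `registry.NewClient(clientOptions...)` line of the `@@ -363,7 +346,7 @@` hunk, and the diffstat shows only loaddirectory.go changed, so no test pins the fix either. A comment above the assignment, such as `// One client per download: a shared package-level client could be overwritten by a concurrent call.`, would keep a later refactor from reintroducing the global. A test that runs several downloadOCIChart calls in parallel under `go test -race` would guard against the regression, assuming a registry stub is available to the package tests. The `:=` reuses `err` only if it is already declared in the same scope, which the hunk does not show; downloadOCIChart starts and ends outside the hunk.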
@@ -394,8 +377,15 @@ func downloadOCIChart(name, version, path string, auth Auth) (string, error) {
 getterOptions = append(getterOptions, helmgetter.WithInsecureSkipVerifyTLS(auth.InsecureSkipVerify))
 c := downloader.ChartDownloader{
- Verify: downloader.VerifyNever,
- Getters: helmgetter.Providers{fleetOciProvider},
+ Verify: downloader.VerifyNever,
+ Getters: helmgetter.Providers{
+ helmgetter.Provider{
+ Schemes: []string{registry.OCIScheme},
+ New: func(options ...helmgetter.Option) (helmgetter.Getter, error) {
+ return helmgetter.NewOCIGetter(helmgetter.WithRegistryClient(registryClient))
+ },
+ },
+ },
 RegistryClient: registryClient,
 Options: getterOptions,
 }
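Review bot: The inline `New` closure in the `Getters` literal declares `options` but never uses it, so any option handed to the provider is silently dropped and only `WithRegistryClient(registryClient)` reaches `NewOCIGetter`. The removed NewFleetOCIProvider behaved the same way, so this is not a regression, but the intent should be explicit: `New: func(_ ...helmgetter.Option) (helmgetter.Getter, error) {` with a comment such as `// Options are ignored on purpose; the getter is bound to this call's registry client.`. Separately, `Verify: downloader.VerifyNever` is carried over, so no provenance check runs on the pulled chart; that deserves a comment of its own, given that `auth.InsecureSkipVerify` is forwarded through `getterOptions` into the same literal. downloadOCIChart's body starts and ends outside the hunk.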