feat: add configurable HTTP client timeouts via config file

Adds a new `http.config.ocm.software` config type that allows users to
configure HTTP client timeout settings for OCI registry and Docker daemon
connections. This prevents requests from hanging indefinitely on slow or
broken networks.

Supported timeout fields (all optional, Go duration strings like "30s", "5m"):
- timeout — overall http.Client deadline
- tcpDialTimeout — TCP connection establishment
- tcpKeepAlive — TCP keep-alive probe interval
- tlsHandshakeTimeout — TLS handshake
- responseHeaderTimeout — waiting for response headers
- idleConnTimeout — idle connection lifetime

Design:
- Follows the regular OCI config pattern (like credentials config) —
  HTTPSettings is stored on the OCI context via
  GetHTTPSettings()/SetHTTPSettings(), not as a datacontext attribute.
- Duration is a validated string type with TimeDuration() returning
  (*time.Duration, error) — nil means "not configured" (use default),
  distinct from zero ("explicitly disabled").
- httpclient.NewTransport() clones http.DefaultTransport and selectively
  overrides only the configured timeouts.
- Integration tests use Toxiproxy to verify timeout behavior against a
  real registry with injected latency.

Fixes: #1731

Signed-off-by: Piotr Janik <piotr.janik@sap.com>

Author: piotrjanik

api/oci/config/httpconfig_test.go

@@ -0,0 +1,129 @@
+package config_test
+
+import (
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+
+	"ocm.software/ocm/api/oci/config"
+	"ocm.software/ocm/api/oci/cpi"
+)
+
+func dur(s string) *cpi.Duration {
+	d := cpi.Duration(s)
+	return &d
+}
+
+func MustGetHTTPSettings(ctx cpi.Context) cpi.HTTPSettings {
+	g, err := ctx.GetHTTPSettings()
+	ExpectWithOffset(1, err).To(Succeed())
+	return g
+}
+
+var _ = Describe("http config", func() {
+	Context("apply", func() {
+		It("applies timeout via ApplyTo", func() {
+			ctx := cpi.New()
+			cfg := &config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{Timeout: dur("5m")}}
+
+			Expect(cfg.ApplyTo(ctx.ConfigContext(), ctx)).To(Succeed())
+			g := MustGetHTTPSettings(ctx)
+			Expect(g.GetTimeout()).To(HaveValue(Equal(5 * time.Minute)))
+		})
+
+		It("applies via config context", func() {
+			ctx := cpi.New()
+			cfg := &config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{Timeout: dur("30s")}}
+
+			Expect(ctx.ConfigContext().ApplyConfig(cfg, "programmatic")).To(Succeed())
+			g := MustGetHTTPSettings(ctx)
+			Expect(g.GetTimeout()).To(HaveValue(Equal(30 * time.Second)))
+		})
+
+		It("parses all fields from JSON config", func() {
+			ctx := cpi.New()
+			raw := []byte(`{"type":"http.config.ocm.software/v1alpha1","timeout":"10s","tcpDialTimeout":"15s","tcpKeepAlive":"20s","tlsHandshakeTimeout":"5s","responseHeaderTimeout":"8s","idleConnTimeout":"45s"}`)
+			cfg, err := ctx.ConfigContext().GetConfigForData(raw, nil)
+			Expect(err).To(Succeed())
+			Expect(ctx.ConfigContext().ApplyConfig(cfg, "config file")).To(Succeed())
+
+			g := MustGetHTTPSettings(ctx)
+			Expect(g.GetTimeout()).To(HaveValue(Equal(10 * time.Second)))
+			Expect(g.TCPDialTimeout.TimeDuration()).To(HaveValue(Equal(15 * time.Second)))
+			Expect(g.TCPKeepAlive.TimeDuration()).To(HaveValue(Equal(20 * time.Second)))
+			Expect(g.TLSHandshakeTimeout.TimeDuration()).To(HaveValue(Equal(5 * time.Second)))
+			Expect(g.ResponseHeaderTimeout.TimeDuration()).To(HaveValue(Equal(8 * time.Second)))
+			Expect(g.IdleConnTimeout.TimeDuration()).To(HaveValue(Equal(45 * time.Second)))
+		})
+
+		It("successive ApplyConfig overrides only non-nil fields", func() {
+			ctx := cpi.New()
+
+			first := &config.HTTPConfig{
+				HTTPSettings: cpi.HTTPSettings{
+					TCPDialTimeout: dur("15s"),
+				},
+			}
+			Expect(first.ApplyTo(ctx.ConfigContext(), ctx)).To(Succeed())
+
+			second := &config.HTTPConfig{HTTPSettings: cpi.HTTPSettings{Timeout: dur("1m")}}
+			Expect(second.ApplyTo(ctx.ConfigContext(), ctx)).To(Succeed())
+
+			g := MustGetHTTPSettings(ctx)
+			Expect(g.GetTimeout()).To(HaveValue(Equal(1 * time.Minute)))
+			Expect(g.TCPDialTimeout.TimeDuration()).To(HaveValue(Equal(15 * time.Second)))
+		})
+
+		It("applies via generic config wrapper", func() {
+			ctx := cpi.New()
+			raw := []byte(`
+type: generic.config.ocm.software/v1
+configurations:
+  - type: http.config.ocm.software
+    timeout: "10s"
+    tcpDialTimeout: "15s"
+    tcpKeepAlive: "20s"
+    tlsHandshakeTimeout: "5s"
+    responseHeaderTimeout: "8s"
+    idleConnTimeout: "45s"
+`)
+			cfg, err := ctx.ConfigContext().GetConfigForData(raw, nil)
+			Expect(err).To(Succeed())
+			Expect(ctx.ConfigContext().ApplyConfig(cfg, "config file")).To(Succeed())
+
+			g := MustGetHTTPSettings(ctx)
+			Expect(g.GetTimeout()).To(HaveValue(Equal(10 * time.Second)))
+			Expect(g.GetTCPDialTimeout()).To(HaveValue(Equal(15 * time.Second)))
+			Expect(g.GetTCPKeepAlive()).To(HaveValue(Equal(20 * time.Second)))
+			Expect(g.GetTLSHandshakeTimeout()).To(HaveValue(Equal(5 * time.Second)))
+			Expect(g.GetResponseHeaderTimeout()).To(HaveValue(Equal(8 * time.Second)))
+			Expect(g.GetIdleConnTimeout()).To(HaveValue(Equal(45 * time.Second)))
+		})
+
+		It("rejects invalid duration string", func() {
+			ctx := cpi.New()
+			raw := []byte(`{"type":"http.config.ocm.software/v1alpha1","timeout":"notaduration"}`)
+			_, err := ctx.ConfigContext().GetConfigForData(raw, nil)
+			Expect(err).To(HaveOccurred())
+			Expect(err.Error()).To(ContainSubstring("invalid duration: notaduration"))
+		})
+
+		It("default settings are nil", func() {
+			g := MustGetHTTPSettings(cpi.New())
+			Expect(g.Timeout).To(BeNil())
+			Expect(g.TCPDialTimeout).To(BeNil())
+			Expect(g.TCPKeepAlive).To(BeNil())
+			Expect(g.TLSHandshakeTimeout).To(BeNil())
+			Expect(g.ResponseHeaderTimeout).To(BeNil())
+			Expect(g.IdleConnTimeout).To(BeNil())
+		})
+
+		It("nil timeout returns nil not zero", func() {
+			g := MustGetHTTPSettings(cpi.New())
+			timeout, err := g.GetTimeout()
+			Expect(err).To(Succeed())
+			Expect(timeout).To(BeNil())
+		})
+	})
+})

api/oci/config/httptype.go

@@ -0,0 +1,83 @@
+package config
+
+import (
+	cfgcpi "ocm.software/ocm/api/config/cpi"
+	"ocm.software/ocm/api/oci/cpi"
+	"ocm.software/ocm/api/utils/runtime"
+)
+
+const (
+	HTTPConfigType         = "http" + cfgcpi.OCM_CONFIG_TYPE_SUFFIX
+	HTTPConfigTypeV1Alpha1 = HTTPConfigType + runtime.VersionSeparator + "v1alpha1"
+)
+
+func init() {
+	cfgcpi.RegisterConfigType(cfgcpi.NewConfigType[*HTTPConfig](HTTPConfigType, httpUsage))
+	cfgcpi.RegisterConfigType(cfgcpi.NewConfigType[*HTTPConfig](HTTPConfigTypeV1Alpha1, httpUsage))
+}
+
+// HTTPConfig describes the configuration for HTTP client settings.
+type HTTPConfig struct {
+	runtime.ObjectVersionedType `json:",inline"`
+	cpi.HTTPSettings            `json:",inline"`
+}
+
+func (a *HTTPConfig) GetType() string {
+	return HTTPConfigType
+}
+
+func (a *HTTPConfig) ApplyTo(_ cfgcpi.Context, target interface{}) error {
+	t, ok := target.(cpi.Context)
+	if !ok {
+		return cfgcpi.ErrNoContext(HTTPConfigType)
+	}
+	s, err := t.GetHTTPSettings()
+	if err != nil {
+		return err
+	}
+	if a.Timeout != nil {
+		s.Timeout = a.Timeout
+	}
+	if a.TCPDialTimeout != nil {
+		s.TCPDialTimeout = a.TCPDialTimeout
+	}
+	if a.TCPKeepAlive != nil {
+		s.TCPKeepAlive = a.TCPKeepAlive
+	}
+	if a.TLSHandshakeTimeout != nil {
+		s.TLSHandshakeTimeout = a.TLSHandshakeTimeout
+	}
+	if a.ResponseHeaderTimeout != nil {
+		s.ResponseHeaderTimeout = a.ResponseHeaderTimeout
+	}
+	if a.IdleConnTimeout != nil {
+		s.IdleConnTimeout = a.IdleConnTimeout
+	}
+	t.SetHTTPSettings(&s)
+	return nil
+}
+
+const httpUsage = `
+The config type <code>` + HTTPConfigType + `</code> can be used to configure
+HTTP client settings:
+
+<pre>
+    type: generic.config.ocm.software/v1
+    configurations:
+      - type: ` + HTTPConfigType + `
+        timeout: "0s"
+        tcpDialTimeout: "30s"
+        tcpKeepAlive: "30s"
+        tlsHandshakeTimeout: "10s"
+        responseHeaderTimeout: "0s"
+        idleConnTimeout: "90s"
+</pre>
+
+All timeout values are Go duration strings (e.g. "30s", "5m", "1h").
+Use "0s" to disable a specific timeout. If not set, the <code>http.DefaultTransport</code>
+values from the Go standard library are used.
+
+Note: <code>timeout</code> controls the overall <code>http.Client</code> request deadline and is
+independent of the transport-level settings. Setting only <code>timeout</code> does not
+affect <code>tcpDialTimeout</code>, <code>tlsHandshakeTimeout</code>, or other transport timeouts.
+`

api/oci/cpi/interface.go

@@ -42,6 +42,8 @@ type (
 	DataAccess                       = internal.DataAccess
 	RepositorySource                 = internal.RepositorySource
 	ConsumerIdentityProvider         = internal.ConsumerIdentityProvider
+	Duration                         = internal.Duration
+	HTTPSettings                     = internal.HTTPSettings
 )
 
 type Descriptor = ociv1.Descriptor

api/oci/extensions/repositories/docker/client.go

@@ -13,11 +13,18 @@ import (
 	dockerclient "github.com/moby/moby/client"
 	"github.com/spf13/pflag"
 
+	"ocm.software/ocm/api/oci/cpi"
+	"ocm.software/ocm/api/utils/httpclient"
 	"ocm.software/ocm/api/utils/logging"
 )
 
-func newDockerClient(dockerhost string, logger mlog.UnboundLogger) (*dockerclient.Client, error) {
+func newDockerClient(dockerhost string, logger mlog.UnboundLogger, httpCfg *cpi.HTTPSettings) (*dockerclient.Client, error) {
 	if dockerhost == "" {
+		// Use Docker CLI context resolution (DOCKER_CONTEXT env,
+		// currentContext in ~/.docker/config.json, DOCKER_HOST env,
+		// default socket). NewAPIClientFromFlags builds its own HTTP
+		// transport internally, so OCM HTTP timeout settings do not
+		// apply to this path.
 		opts := cliflags.NewClientOptions()
 		// set defaults
 		opts.SetDefaultOptions(pflag.NewFlagSet("", pflag.ContinueOnError))
@@ -35,8 +42,22 @@ func newDockerClient(dockerhost string, logger mlog.UnboundLogger) (*dockerclien
 	if err == nil && url.Scheme == "unix" {
 		opts = append(opts, dockerclient.WithScheme(url.Scheme))
 	}
-	clnt := http.Client{}
-	clnt.Transport = logging.NewRoundTripper(clnt.Transport, logger)
+
+	transport, err := httpclient.NewTransport(httpCfg)
+	if err != nil {
+		return nil, err
+	}
+	timeout, err := httpCfg.GetTimeout()
+	if err != nil {
+		return nil, err
+	}
+
+	clnt := http.Client{
+		Transport: logging.NewRoundTripper(transport, logger),
+	}
+	if timeout != nil {
+		clnt.Timeout = *timeout
+	}
 	opts = append(opts, dockerclient.WithHTTPClient(&clnt))
 	c, err := dockerclient.New(opts...)
 	if err != nil {

api/oci/extensions/repositories/docker/repository.go

@@ -23,7 +23,12 @@ var _ cpi.RepositoryImpl = (*RepositoryImpl)(nil)
 func NewRepository(ctx cpi.Context, spec *RepositorySpec) (cpi.Repository, error) {
 	urs := spec.UniformRepositorySpec()
 	logger := logging.DynamicLogger(ctx, REALM, logging.NewAttribute(ocmlog.ATTR_HOST, urs.Host))
-	client, err := newDockerClient(spec.DockerHost, logger)
+	httpSettings, err := ctx.GetHTTPSettings()
+	if err != nil {
+		return nil, err
+	}
+	httpCfg := &httpSettings
+	client, err := newDockerClient(spec.DockerHost, logger, httpCfg)
 	if err != nil {
 		return nil, err
 	}

api/oci/extensions/repositories/docker/type.go

@@ -56,7 +56,11 @@ func (a *RepositorySpec) Repository(ctx cpi.Context, creds credentials.Credentia
 func (a *RepositorySpec) Validate(ctx cpi.Context, creds credentials.Credentials, usageContext ...credentials.UsageContext) error {
 	urs := a.UniformRepositorySpec()
 	logger := logging.DynamicLogger(ctx, REALM, logging.NewAttribute(ocmlog.ATTR_HOST, urs.Host))
-	client, err := newDockerClient(a.DockerHost, logger)
+	httpSettings, err := ctx.GetHTTPSettings()
+	if err != nil {
+		return err
+	}
+	client, err := newDockerClient(a.DockerHost, logger, &httpSettings)
 	if err != nil {
 		return err
 	}

api/oci/extensions/repositories/ocireg/repository.go

@@ -22,6 +22,7 @@ import (
 	"ocm.software/ocm/api/tech/oci/identity"
 	"ocm.software/ocm/api/tech/oras"
 	"ocm.software/ocm/api/utils"
+	"ocm.software/ocm/api/utils/httpclient"
 	ocmlog "ocm.software/ocm/api/utils/logging"
 	"ocm.software/ocm/api/utils/refmgmt"
 )
@@ -153,12 +154,23 @@ func (r *RepositoryImpl) getResolver(comp string) (oras.Resolver, error) {
 		}
 	}
 
-	client := retry.DefaultClient
-	client.Transport = ocmlog.NewRoundTripper(retry.DefaultClient.Transport, logger)
+	httpSettings, err := r.GetContext().GetHTTPSettings()
+	if err != nil {
+		return nil, err
+	}
+	httpCfg := &httpSettings
+	baseTransport, err := httpclient.NewTransport(httpCfg)
+	if err != nil {
+		return nil, err
+	}
+	timeout, err := httpCfg.GetTimeout()
+	if err != nil {
+		return nil, err
+	}
+
 	if r.info.Scheme == "https" {
-		// set up TLS
 		//nolint:gosec // used like the default, there are OCI servers (quay.io) not working with min version.
-		conf := &tls.Config{
+		baseTransport.TLSClientConfig = &tls.Config{
 			// MinVersion: tls.VersionTLS13,
 			RootCAs: func() *x509.CertPool {
 				rootCAs := rootcertsattr.Get(r.GetContext()).GetRootCertPool(true)
@@ -168,13 +180,18 @@ func (r *RepositoryImpl) getResolver(comp string) (oras.Resolver, error) {
 						rootCAs.AppendCertsFromPEM([]byte(c))
 					}
 				}
-
 				return rootCAs
 			}(),
 		}
-		client.Transport = ocmlog.NewRoundTripper(retry.NewTransport(&http.Transport{
-			TLSClientConfig: conf,
-		}), logger)
+	}
+
+	retryTransport := retry.NewTransport(baseTransport)
+
+	client := &http.Client{
+		Transport: ocmlog.NewRoundTripper(retryTransport, logger),
+	}
+	if timeout != nil {
+		client.Timeout = *timeout
 	}
 
 	authClient := &auth.Client{

api/oci/extensions/repositories/ocireg/suite_test.go

@@ -0,0 +1,13 @@
+package ocireg_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestOCIReg(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "OCIReg")
+}