Profile docs #623
Closed
Profile docs #623
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* added tool download script and started .replicated parser * improved tool downloading * verifies checksum for downloaded tools * removed duplicate code * added retry and timeout, moved download to User/.replicated * Update downloader.go * Add test demonstrating fallback path mismatch bug * properly saves version of downloaded tool when provided invalid version --------- Co-authored-by: Nicholas Mullen <nwmullen@gmail.com>
* Add V1 implementation of replicated lint command
Implements basic local helm linting functionality:
- New top-level `replicated lint --chart` command
- Executes helm lint via system PATH
- Parses and displays structured output
- Proper exit codes for CI/CD integration
Files added:
- pkg/lint2/types.go - Type definitions
- pkg/lint2/helm.go - Helm execution and parsing
- cli/cmd/lint.go - CLI command implementation
Manually tested with valid charts, error cases, and edge cases.
All tests passed successfully.
* Replace --chart flag with .replicated config file parsing
Changes lint command to read chart paths from .replicated config file
instead of CLI arguments. This aligns with the team decision to use
config-driven approach for all future functionality.
Changes:
- Add pkg/lint2/config.go: Parse .replicated config file (YAML/JSON)
- Update cli/cmd/lint.go: Read from config, support multiple charts,
expand glob patterns, show per-chart and overall summaries
- Remove cli/cmd/runner.go: Remove unused lintChart field
New behavior:
- Reads .replicated.yaml, .replicated.yml, or .replicated
- Supports multiple charts in one config
- Handles glob patterns (e.g., ./charts/*)
- Respects repl-lint.linters.helm.enabled setting
- Shows individual and aggregate results
Breaking change: --chart flag removed, .replicated config required
* Integrate tool resolution infrastructure into lint command
Replaces PATH-based helm lookup with automatic download and caching via the tool resolver. Adopts the disabled boolean pattern and adds support for configurable tool versions from .replicated config.
* Run gofmt on config files
* Implement code quality improvements for lint integration
Implements recommendations 1-7:
1. Use tools.DefaultHelmVersion constant
2. Use pkg/tools/config.go parser (monorepo support)
3. Add chart path validation
4. Break up large displayAllLintResults() function
5. Add package-level godoc
6. Add unit tests for helm output parsing
7. Add comprehensive test coverage
Changes:
- Replace lint2's config parser with tools.ConfigParser (tree-walking)
- Add ChartConfig to tools.Config for chart path support
- Add validateChartPath() to ensure valid Helm charts
- Refactor display functions into smaller, focused functions
- Add pkg/lint2/doc.go with package documentation
- Add pkg/lint2/helm_test.go (10 test cases)
- Add pkg/lint2/config_test.go (8 test cases)
Result: Cleaner code, better structure, comprehensive testing
Net change: +142 lines, -173 lines
* Fix critical glob detection bug and strengthen test assertions
## Fixes
1. **Critical: Fix containsGlob() logic**
- Was requiring both directory separator AND glob chars
- Now correctly detects any glob pattern using strings.ContainsAny
- Fixes bug where patterns like "*" would be treated as literals
2. **Add comprehensive glob expansion tests**
- TestGetChartPathsFromConfig_GlobExpansion (4 test cases)
- TestGetChartPathsFromConfig_InvalidChartsInGlob
- TestGetChartPathsFromConfig_MultipleCharts
- Now validates actual path values, not just counts
3. **Fix test assertion scam patterns**
- TestGetChartPathsFromConfig: Now validates returned paths
- TestGetChartPathsFromConfig_GlobExpansion: Order-independent path validation
- TestParseHelmOutput_EdgeCases: Validates parsed message structure
- All tests now assert on actual values, not just structure/count
4. **Document defensive validation**
- Added comment explaining validation in LintChart()
- Clarifies that validation is intentional since it's a public function
## Test Coverage
- 27 tests passing (added 9 new test cases)
- All tests now validate actual values, preventing false positives
- Tests catch: wrong values, duplicates, missing items, incorrect parsing
* Fix chart path resolution to be relative to config file
Previously, chart paths in .replicated config were resolved relative to
the directory where the `replicated lint` command was invoked (CWD).
This caused charts to not be found when the command was invoked from a
different directory than the config file.
Now, all relative chart paths are resolved to absolute paths relative to
the config file's directory during parsing. This ensures:
- Charts are found correctly regardless of where the command is invoked
- Monorepo configs work correctly (each config resolves paths relative to its location)
- Glob patterns expand relative to the config file directory
- Absolute paths are preserved as-is
Added comprehensive tests covering:
- Relative path resolution
- Absolute path preservation
- Mixed relative and absolute paths
- Parent directory references (../)
Manual testing confirmed the fix works correctly for:
- Single charts with relative paths
- Glob patterns
- Commands invoked from subdirectories
- Commands invoked from the config directory
* Fix config merging to support all fields and monorepo setups
This commit fixes critical issues with .replicated config parsing and
merging that prevented monorepo support from working correctly.
**Problems Fixed:**
1. **Incomplete Config struct** - Only 2 of 9 fields were defined
- Added all missing fields: appId, appSlug, promoteToChannelIds,
promoteToChannelNames, preflights, releaseLabel, manifests
- Added PreflightConfig type for preflight specs
2. **Broken config merging** - Only repl-lint was merged
- Child configs lost all fields except repl-lint
- Charts, preflights, and manifests from child configs were discarded
- Scalar fields were never merged
3. **Inconsistent path resolution** - Only charts were resolved
- Preflight paths not resolved relative to config file
- Manifest glob patterns not resolved
- Commands failed when invoked from different directories
**Solution:**
Implemented complete config merging with three strategies:
- **Scalar override**: appId, appSlug, releaseLabel (child wins)
- **Channel override**: promoteToChannelIds/Names (child replaces)
- **Resource append**: charts, preflights, manifests (accumulate)
All relative paths now resolved to absolute paths relative to their
defining config file, ensuring correct behavior regardless of CWD.
**Changes:**
- pkg/tools/types.go: Added PreflightConfig, expanded Config struct
- pkg/tools/config.go: Rewrote mergeConfigs(), renamed resolvePaths()
- pkg/tools/config_test.go: Added comprehensive tests (17 new cases)
**Testing:**
- All unit tests pass (pkg/tools, pkg/lint2)
- Manual monorepo testing verified correct behavior
- Charts from parent and child configs both linted
- Paths resolve correctly from any directory
This enables proper monorepo support where:
- Root config defines org-wide settings and common charts
- Child configs add app-specific charts and manifests
- Settings inherit and resources accumulate correctly
* Remove JSON support from .replicated config files
Simplifies config parsing to only support YAML formats (.replicated and
.replicated.yaml). JSON support was unnecessary and added complexity.
Changes:
- Remove .replicated.json from file discovery candidates
- Remove encoding/json import and fallback parsing logic
- Remove all json struct tags from Config types
- Delete valid-full.json test fixture
- Remove JSON test cases from config_test.go
- Update error messages to reflect YAML-only support
All existing tests pass with no regressions.
* Remove unsupported enabled and strict fields from linter config
- Remove Enabled field from ReplLintConfig type
- Remove Strict field from LinterConfig type
- Change Disabled field to pointer boolean (*bool) to support nil = not set
- Add nil-aware merge logic for proper config inheritance
- Add boolPtr helper function for creating pointer booleans
- Update all defaults to use pointer booleans
- Remove enabled/strict from all tests and test data
- Add inheritance verification test to monorepo end-to-end test
* Add path validation and deduplication to config parser
- Validate that chart, preflight, and manifest paths are non-empty
- Add deduplicateResources() to remove duplicate paths after merging
- Deduplicate charts, preflights, and manifests by absolute path
- Validation happens on each individual config file during parsing
- Deduplication happens after merging multiple config files
This ensures monorepo configs don't accumulate duplicate resources
and catches invalid empty paths early in the parsing process.
---------
Co-authored-by: Nicholas Mullen <nicholasmullen@Nicholass-MacBook-Pro.local>
Add 'replicated release extract-images' command for extracting container image references from Kubernetes manifests and Helm charts locally. This implementation is ported from the production-tested airgap-builder service and enables vendors to: - Discover all image references before pushing to Replicated - Validate image references (detect :latest, HTTP registries, etc.) - Prepare airgap bundles (get list of required images) - Perform security audits Key features: - Extracts from all K8s resource types (Pod, Deployment, StatefulSet, etc.) - Supports KOTS resources (Application, Preflight, SupportBundle) - Helm chart rendering with custom values - Multiple output formats (table, JSON, list) - Automatic warning detection - 72.9% test coverage with 15 tests - Performance: 21,000x faster than targets New files: - pkg/imageextract/ - Core extraction library (5 files) - cli/cmd/release_extract_images.go - CLI command - cli/print/images.go - Output formatters - docs/cli-image-extraction.md - User documentation - Test fixtures in pkg/imageextract/testdata/ Modified files: - cli/cmd/root.go - Register new command - cli/cmd/runner.go - Add command arguments
* adds auth method via .replicated config files * Update types.go * Update root.go
* feat(lint): add preflight spec linting support Implements preflight spec linting using the preflight lint command, following the same pattern as existing helm chart linting. Changes: - Add LintPreflight function that executes preflight lint binary - Parse JSON output from preflight lint command - Add path extraction and validation for preflight specs - Update CLI to lint both helm charts and preflight specs - Support enable/disable via .replicated config - Add comprehensive unit and integration tests Implementation details: - Uses tool resolver to download/cache preflight binary - Parses structured JSON output with robust extraction - Handles stderr contamination from preflight binary - Future-proofed with INFO severity support - Includes example config and test fixtures Testing: - 9 unit test cases for output parsing - 4 integration tests with actual preflight binary - All existing tests continue to pass * Update lint.go --------- Co-authored-by: Noah Campbell <noah.edward.campbell@gmail.com>
* added profile use command and --profile flag * removed local profile name setter
…age extraction (#602) - Add EphemeralContainers field to k8sPodSpec struct - Extract images from Pod ephemeralContainers - Register KOTS and Troubleshoot types with Kubernetes scheme - Fixes extraction for Preflight, SupportBundle, and Collector resources This enables complete image extraction from all container types and Troubleshoot custom resources.
* fix: add support for ephemeralContainers and Troubleshoot resource image extraction - Add EphemeralContainers field to k8sPodSpec struct - Extract images from Pod ephemeralContainers - Register KOTS and Troubleshoot types with Kubernetes scheme - Fixes extraction for Preflight, SupportBundle, and Collector resources This enables complete image extraction from all container types and Troubleshoot custom resources. * feat: integrate image extraction into lint command with --verbose flag - Add --verbose flag to 'replicated lint' command - Extract and display images from Helm charts when verbose is enabled - Add deprecation warning to 'replicated release extract-images' - Add comprehensive unit tests for verbose functionality - Graceful error handling - lint continues if extraction fails Resolves: merge image extraction into new lint command * chore: remove deprecated release extract-images command - Delete cli/cmd/release_extract_images.go - Delete cli/cmd/release_extract_images_test.go - Remove extract-images args from runner.go - Remove command initialization from root.go The functionality is now available via 'replicated lint --verbose'
* feat: add support bundle linting
Adds full support for linting Troubleshoot support bundle specs,
following the same pattern as preflight linting.
Implementation:
- LintSupportBundle() function executes support-bundle lint --format json
- ParseSupportBundleOutput() parses JSON results into structured messages
- GetSupportBundlePathsFromConfig() extracts paths from .replicated config
- Supports glob patterns and custom tool versions
Testing:
- Unit tests for JSON parsing (9 test cases)
- Integration tests with real binary (4 test cases)
- Test fixtures for valid, invalid, and edge cases
CLI Integration:
- Added to 'replicated lint' command
- Respects enable/disable config via repl-lint.linters.support-bundle
- Displays results following established output format
Usage:
Users can add to .replicated config:
supportBundles:
- path: path/to/support-bundle.yaml
* test: add unit tests for support bundle config functions
Adds comprehensive unit tests for support bundle config path handling:
- TestGetSupportBundlePathsFromConfig (basic extraction)
- TestGetSupportBundlePathsFromConfig_GlobExpansion (4 test cases)
- TestGetSupportBundlePathsFromConfig_InvalidSpecsInGlob
- TestGetSupportBundlePathsFromConfig_MultipleSpecs
- TestValidateSupportBundlePath (5 test cases)
Total: 12 new test cases, all passing
* refactor: discover support bundles from manifests instead of config
Changes support bundle linting to auto-discover specs from the manifests
array instead of requiring explicit configuration. This aligns with the
architectural direction where support bundles remain co-located with
manifests, while preflights move to a separate location.
Changes:
- Added DiscoverSupportBundlesFromManifests() to auto-detect kind: SupportBundle
- Added isSupportBundleSpec() to parse YAML and check kind field
- Supports multi-document YAML files (--- separated)
- Handles glob expansion and deduplication
- Updated CLI to use discovery instead of config extraction
- Removed SupportBundles field from Config struct
- Removed SupportBundleConfig type
- Removed config helper functions (no longer needed)
Benefits:
- No duplication between manifests and supportBundles arrays
- Works automatically with monorepo manifest merging
- Single source of truth (manifests array)
- Support bundles can live anywhere manifests are defined
Testing:
- 13 new unit tests for discovery logic (all passing)
- Integration tests still work with discovery approach
- Full test suite passes (lint2: 1.485s, tools: 2.035s)
* refactor: use yaml.NewDecoder for multi-document YAML parsing
Replace string splitting approach with proper yaml.NewDecoder for parsing
multi-document YAML files. This correctly handles document separators (---)
according to the YAML spec, including when they appear inside strings or
block scalars.
Also fixes infinite loop bug where decoder error state caused continue
statement to loop forever. Now returns early on parse errors.
* improve: use json.NewDecoder with search for robust JSON parsing
Refactor JSON extraction to use json.NewDecoder with a search loop that
tries each potential JSON object in the output. This handles edge cases
where error messages contain braces before the actual JSON.
Benefits:
- Properly handles nested JSON objects without manual string indexing
- Automatically handles trailing garbage after valid JSON
- More robust against varied tool output formats
Added test case for error messages with braces before JSON.
* style: run gofmt to fix formatting
* improve: use json.NewDecoder for preflight JSON parsing
Apply the same robust JSON parsing approach to preflight that was used
for support bundle. This provides consistency across the codebase and
handles edge cases where error messages contain braces before the actual
JSON output.
Benefits:
- Properly handles nested JSON objects without manual string indexing
- Automatically handles trailing garbage after valid JSON
- More robust against varied tool output formats
- Consistent with support bundle implementation
Added test case for error messages with braces before JSON.
* refactor: extract common troubleshoot JSON parsing into generics
Extract ~160 lines of duplicated code between preflight.go and
support_bundle.go into common generic helpers. Both tools come from
the troubleshoot.sh repository and share identical output formats.
Changes:
- Create troubleshoot_common.go with generic JSON parsing/formatting
- Create TroubleshootIssue interface for common issue handling
- Use Go generics for type-safe parsing of preflight/support-bundle
- Simplify ParsePreflightOutput and ParseSupportBundleOutput
- Remove duplicate formatPreflightMessage/formatSupportBundleMessage
- Add comprehensive tests for common functions
Benefits:
- DRY: Single source of truth for troubleshoot tool output parsing
- Consistency: Both tools guaranteed identical parsing behavior
- Maintainability: Bug fixes automatically apply to both tools
- Future-proof: Easy to add more troubleshoot tools (analyzers, etc.)
- Type safety: Go generics provide compile-time guarantees
Code reduction:
- Removed ~160 lines of duplication from implementation files
- Added 142 lines of common code + 305 lines of tests
- Net improvement in maintainability and consistency
All 81+ tests pass with race detector.
* docs: update package documentation to reflect all linters
Update pkg/lint2/doc.go to document all three linter types:
- Helm charts
- Preflight specs
- Support Bundle specs
Changes:
- Update package description to mention all linters
- Add feature list showing common and linter-specific capabilities
- Add usage examples for all three linter types
- Document key differences (e.g., Support Bundle auto-discovery)
The previous documentation only mentioned Helm, but the package now
provides comprehensive linting for all Replicated resource types.
* test: improve lint2 test coverage from 58.4% to 70.8%
Add comprehensive test coverage for preflight config functions and
additional edge cases for support bundle discovery.
Preflight config tests (new):
- TestGetPreflightPathsFromConfig: basic config parsing
- TestGetPreflightPathsFromConfig_GlobExpansion: glob pattern handling
- TestGetPreflightPathsFromConfig_InvalidPreflightsInGlob: error cases
- TestGetPreflightPathsFromConfig_MultiplePreflights: multiple specs
- TestValidatePreflightPath: path validation
Discovery edge cases (new):
- TestDiscoverSupportBundlesFromManifests_YmlExtension: .yml support
- TestDiscoverSupportBundlesFromManifests_DirectoryWithYamlExtension: skip dirs
- Triple dash in string content: yaml.NewDecoder correctness
- Triple dash in multiline string: yaml.NewDecoder correctness
Coverage improvements:
- GetPreflightPathsFromConfig: 0% → 100%
- expandPreflightPaths: 0% → 87.5%
- validatePreflightPath: 0% → 81.8%
- DiscoverSupportBundlesFromManifests: 80% → 84.6%
- isSupportBundleSpec: 92% → 92.9%
All tests passing (97 tests total).
* config init command * Update lint.go * can use profile flag to show existing apps during config init
* Add JSON output support for lint command - Add --output flag to support json|table formats (default: table) - Add --output-file flag to save results to file (writes to both stdout and file) - Implement file overwrite protection (errors if file exists) - Refactor lint command to use structured data model for consistent output - Add comprehensive JSON output with metadata, results, and summary - Update tests for refactored functions - Add help documentation with usage examples New files: - cli/cmd/lint_types.go: JSON data structures for lint output - cli/print/lint_results.go: JSON formatting function Modified files: - cli/cmd/lint.go: Main implementation with output format support - cli/cmd/lint_test.go: Updated tests for refactored functions - cli/cmd/runner.go: Added lintOutputFile flag support * fixing CLI flags * added support bundle to output struct * Delete .replicated --------- Co-authored-by: Noah Campbell <noah.edward.campbell@gmail.com>
* feat: add recursive glob pattern support with doublestar library
Integrates the doublestar library to provide enhanced glob pattern
support for chart, preflight, and manifest path expansion in the
replicated lint command. This enables users to use powerful patterns
like `**` for recursive matching and `{a,b}` for brace expansion.
Changes:
- Add doublestar/v4 dependency for advanced glob support
- Create pkg/lint2/glob.go with specialized functions:
- Glob(): general-purpose pattern expansion
- GlobFiles(): returns only files (for preflights/manifests)
- GlobDirs(): returns only directories (for charts)
- ValidateGlobPattern(): early validation of pattern syntax
- ContainsGlob(): detect glob wildcards in paths
- Update config.go to use GlobDirs for chart path expansion
- Update config.go to use GlobFiles for preflight path expansion
- Update discovery.go to use GlobFiles for manifest discovery
- Remove 10 lines of manual directory filtering from discovery.go
- Add pattern validation to tools/config.go parsing
- Add comprehensive test coverage (147 tests, all passing)
- Update docs/lint-format.md with glob pattern documentation
Key features:
- Recursive matching: `charts/**/*.yaml` matches all depths
- Brace expansion: `{dev,prod}/**` matches multiple branches
- Early validation: invalid patterns caught at config parse time
- Better error messages: specify which pattern is invalid
- Optimized filtering: library-level vs manual loops
Pattern examples now supported:
- ./charts/** (all charts recursively)
- ./preflights/{dev,prod} (multiple specific paths)
- ./manifests/**/*.yaml (all YAML files at any depth)
Breaking changes: None (backward compatible)
* refactor: improve glob pattern validation and documentation
Brings glob.go to full parity with lint2 package patterns by adding
defensive validation and enhanced documentation.
Changes follow the established lint2 convention where all public
functions validate inputs defensively, even when callers have already
validated (see LintChart, LintPreflight, LintSupportBundle).
Changes:
- Add defensive pattern validation to Glob(), GlobFiles(), GlobDirs()
- Improve ValidateGlobPattern() error message with helpful details
- Add 4 new tests for defensive validation (65 lines)
- Update pkg/lint2/doc.go to document glob pattern capabilities
Pattern Analysis:
- Matches defensive validation in helm.go:23-31, preflight.go:43-51
- Follows comment style: "Defensive check... Note: patterns are validated..."
- Consistent with error handling patterns throughout lint2 package
Test Coverage:
- TestGlob_DefensiveValidation - validates Glob() rejects invalid patterns
- TestGlobFiles_DefensiveValidation - validates GlobFiles() rejects invalid patterns
- TestGlobDirs_DefensiveValidation - validates GlobDirs() rejects invalid patterns
- TestGlob_DefensiveValidation_ValidPattern - ensures valid patterns still work
Impact: +93 lines, all tests passing (151 total in pkg/lint2)
* test: add comprehensive tests for content-aware glob discovery
Add extensive test coverage for the content-aware discovery system that
filters glob pattern results based on resource type (charts, preflights,
support bundles). Fixes critical bug where patterns like ./pkg/** would
error on intermediate directories instead of discovering deeply nested charts.
Key test additions:
- Phase 1: Helper function tests (isHiddenPath, isChartDirectory)
- Phase 2: Chart discovery pattern and content tests (12 tests)
- Phase 3: Preflight discovery with content filtering (18 tests)
- Phase 4: Support bundle discovery tests (11 tests)
- Phase 5: Integration tests for cross-linter behavior (3 tests)
Bug fixes:
- Fixed single-level wildcard handling in discoverPreflightPaths where
patterns like ./preflights/* incorrectly matched subdirectories
- Changed test expectations to validate content filtering behavior
Test results:
- 88 total tests passing (52 existing + 36 new)
- Coverage: 74.8% overall, 87-100% on key discovery functions
- Integration tests properly tagged with //go:build integration
Validates:
- Pattern matching (**, *, brace expansion)
- Content-aware filtering based on YAML kind field
- Hidden directory filtering (.git, .github)
- Multi-document YAML handling
- Deduplication and error handling
* test: add error handling and edge case tests, fix trailing slash issue
Add comprehensive test coverage for error paths, pattern edge cases, and
content detection edge cases in the discovery functions. Also fix a UX
issue where trailing slashes in patterns caused unexpected failures.
Test Additions (14 new tests):
Phase 1 - Error Handling Paths:
- TestDiscoverChartPaths_GlobError: Malformed glob patterns
- TestDiscoverPreflightPaths_GlobError: Malformed preflight patterns
- TestIsPreflightSpec_FileReadError: Permission denied on files
- TestIsChartDirectory_PermissionDenied: Directory access errors
- TestDiscoverPreflightPaths_InvalidPattern: Pattern validation
Phase 2 - Pattern Edge Cases:
- TestDiscoverChartPaths_TrailingSlash: Trailing slash normalization
- TestDiscoverChartPaths_EmptyPattern: Empty string handling
- TestDiscoverChartPaths_LiteralDirectory: Direct directory paths
- TestDiscoverPreflightPaths_NestedBraceExpansion: Nested {a,b}/{c,d}
- TestDiscoverPreflightPaths_TrailingSlash: Preflight trailing slashes
Phase 3 - Content Detection Edge Cases:
- TestIsPreflightSpec_CaseSensitive: Only "Preflight" matches (4 subtests)
- TestIsPreflightSpec_KindInComment: Kind in YAML comments
- TestIsPreflightSpec_KindWrongType: Kind as number/array/object (3 subtests)
- TestIsPreflightSpec_NestedKind: Kind nested in metadata
Bug Fix - Trailing Slash Normalization:
Users naturally add trailing slashes (via tab completion or habit):
./charts/**/ or ./preflights/**/
Previously, these patterns would fail with confusing errors because
strings.HasSuffix(pattern, "**") returns false for "**/" causing the
pattern to be misclassified as a literal directory path.
Fixed by normalizing patterns early with strings.TrimRight(pattern, "/")
in both discoverChartPaths() and discoverPreflightPaths().
Coverage Improvements:
- Overall package: 74.8% → 77.2% (+2.4 points)
- discoverChartPaths: 73.1% → 92.6% (+19.5%)
- isPreflightSpec: 87.5% → 93.8% (+6.3%)
- discoverPreflightPaths: 76.7% → 83.9% (+7.2%)
Total tests: 88 → 108 (+20 including subtests)
All tests passing.
* refactor: bring support bundles to parity with charts/preflights
Add smart pattern logic to support bundles and improve consistency across
all three discovery functions (charts, preflights, support bundles).
Key Changes:
1. Smart Pattern Logic for Support Bundles
- Created discoverSupportBundlePaths() with same smart defaulting as preflights
- Patterns like ./manifests/** now auto-append *.yaml (convenience)
- Explicit patterns like ./manifests/**/bundle-*.yaml respected (power)
- Refactored DiscoverSupportBundlesFromManifests() to use new helper
2. Robust Path Normalization
- Replace strings.TrimRight() with filepath.Clean() in all discovery functions
- Handles //, /./, /../, and trailing slashes comprehensively
- Applied to: discoverChartPaths, discoverPreflightPaths, discoverSupportBundlePaths
3. Empty Pattern Validation
- Add explicit validation: return error "pattern cannot be empty"
- Applied to all three discovery functions
- Better error messages vs implicit behavior
4. Improved Error Messages
- Preserve original user pattern before normalization
- Error messages show: "expanding pattern X (from user pattern: Y)"
- Helps debugging when patterns are transformed
5. Fallback String Matching for Support Bundles
- Add fallback to isSupportBundleSpec() (consistent with isPreflightSpec)
- Malformed YAML with "kind: SupportBundle" now discovered
- Better UX: linter catches syntax errors instead of silent skip
Testing:
- Added 8 comprehensive tests for support bundle smart patterns
- TestDiscoverSupportBundlePaths_SmartPatternRecursive
- TestDiscoverSupportBundlePaths_ExplicitPattern
- TestDiscoverSupportBundlePaths_TrailingSlash
- TestDiscoverSupportBundlePaths_EmptyPattern
- TestDiscoverSupportBundlePaths_SingleLevel
- TestDiscoverSupportBundlePaths_InvalidPattern
- TestDiscoverSupportBundlesFromManifests_SmartPatternConsistency
- TestIsSupportBundleSpec_FallbackStringMatching
Consistency Achieved:
All three discovery functions now have:
✅ Smart pattern defaults (auto-append file extensions)
✅ filepath.Clean normalization (handles //, /./, /../)
✅ Empty pattern validation (explicit errors)
✅ Improved error messages (show original patterns)
✅ Fallback for malformed YAML (charts N/A, preflights+bundles yes)
✅ Hidden path filtering (already consistent)
✅ Content-aware filtering (already consistent)
✅ Deduplication (already consistent)
Coverage: 77.2% → 78.4% (+1.2 points)
Tests: 108 → 116 (+8 new tests)
Per-function coverage:
- discoverChartPaths: 92.6% → 93.3%
- discoverPreflightPaths: 83.9% → 82.4%
- isSupportBundleSpec: 92.9% → 93.8%
- DiscoverSupportBundlesFromManifests: 82.6% → 92.3%
- discoverSupportBundlePaths: NEW! 85.3%
All 116 tests passing.
* security: add path traversal protection and improve fallback matching
Security improvements:
- Add path traversal validation to reject patterns like ../../../etc/**
- Prevents glob patterns from accessing files outside the repository
- Validates patterns before expansion using filepath.Clean()
Fallback matching improvements:
- Replace bytes.Contains() with regex for malformed YAML detection
- Use (?m)^kind:\s+<Kind>\s*$ pattern to match only valid kind: lines
- Prevents false positives from comments or string values
Code cleanup:
- Remove unused GlobDirs() function and its tests
- Function was not used anywhere in the codebase
Testing:
- Add 5 path traversal test cases to ValidateGlobPattern
- Add test for regex fallback not matching false positives
- All tests passing
* feat: validate explicit paths fail loudly, glob patterns filter silently
Implement strict validation for explicit paths while keeping silent filtering
for glob patterns. This provides clear error messages when users misconfigure
specific files, while allowing glob patterns to work with mixed-content directories.
Changes:
- validatePreflightPath: Now checks file contains kind: Preflight
- discoverSupportBundlePaths: Detects explicit paths and validates strictly
- Explicit paths (no wildcards) now fail with clear error if not correct kind
- Glob patterns continue to filter silently (unchanged behavior)
Examples:
# Explicit path - fails loudly if not a Preflight
preflights:
- path: "./k8s/deployment.yaml" # ERROR: not a Preflight
# Glob pattern - filters silently
preflights:
- path: "./k8s/**/*.yaml" # Only discovers Preflights, ignores others
Tests:
- Added 5 tests for explicit path validation (preflights + support bundles)
- Updated 1 test to match new error message for explicit paths
- All 121 tests passing
* removed hard coded tool resolver defaults * updated tests * Update lint.go * fixed merge conflict remnants
- Add helm integration tests with actual binary execution - Valid helm chart test - Invalid YAML chart test - Non-existent path test - Create helm chart test fixtures (valid + invalid) - Remove redundant testing.Short() from preflight integration tests - Rename resolver_fallback_test.go to resolver_integration_test.go - Add //go:build integration tags to resolver tests - Remove all testing.Short() checks in favor of build tags All integration tests now follow consistent pattern: - Use //go:build integration tags - No testing.Short() checks needed - Fast unit tests run by default (go test ./...) - Integration tests require explicit opt-in (go test -tags=integration ./...) Tests verified: - Unit tests: go test ./pkg/lint2/... ./pkg/tools/... (0.4s) - Integration tests: go test -tags=integration ./pkg/lint2/... ./pkg/tools/... (2.6s)
* adds preflight and support bundle versions to json output * added unit tests for tool resolver
* properly detects all support bundles and preflights without .replicated * moved helm chart example out of preflights * Update config_test.go * uses existing glob pattern * removed dead code * Update lint.go
* Add HelmChart manifest discovery for builder values Implement discovery of KOTS HelmChart custom resources to extract builder values needed for preflight and support bundle template rendering. Features: - Discovers HelmChart manifests from configured manifest globs - Extracts spec.chart.name, spec.chart.chartVersion, and spec.builder - Supports both kots.io/v1beta1 and kots.io/v1beta2 API versions - Handles multi-document YAML files using yaml.NewDecoder - Detects and reports duplicate chart name:version combinations - Comprehensive test coverage with 14 test cases This is foundational work for adding template rendering support to preflight and support bundle linters. * Make HelmChart discovery future-proof and document design decisions Changes: - Remove apiVersion validation from parseHelmChartManifest Discovery is now permissive - accepts any apiVersion (v1beta1, v1beta2, future versions) Validation will happen in the linter, not during discovery This matches the pattern used by preflight/support bundle discovery - Add test for future apiVersion acceptance Verifies that v1beta3 (and beyond) HelmCharts are discovered correctly Ensures code doesn't need updates for new API versions - Document why empty manifests errors Unlike DiscoverSupportBundlesFromManifests (which returns empty list), DiscoverHelmChartManifests errors on empty manifests because HelmChart discovery is only called when preflights have templated values, so manifests are required to find builder values This change improves forward compatibility and clarifies design rationale.
* Add HelmChart manifest discovery for builder values
Implement discovery of KOTS HelmChart custom resources to extract
builder values needed for preflight and support bundle template rendering.
Features:
- Discovers HelmChart manifests from configured manifest globs
- Extracts spec.chart.name, spec.chart.chartVersion, and spec.builder
- Supports both kots.io/v1beta1 and kots.io/v1beta2 API versions
- Handles multi-document YAML files using yaml.NewDecoder
- Detects and reports duplicate chart name:version combinations
- Comprehensive test coverage with 14 test cases
This is foundational work for adding template rendering support to
preflight and support bundle linters.
* Make HelmChart discovery future-proof and document design decisions
Changes:
- Remove apiVersion validation from parseHelmChartManifest
Discovery is now permissive - accepts any apiVersion (v1beta1, v1beta2, future versions)
Validation will happen in the linter, not during discovery
This matches the pattern used by preflight/support bundle discovery
- Add test for future apiVersion acceptance
Verifies that v1beta3 (and beyond) HelmCharts are discovered correctly
Ensures code doesn't need updates for new API versions
- Document why empty manifests errors
Unlike DiscoverSupportBundlesFromManifests (which returns empty list),
DiscoverHelmChartManifests errors on empty manifests because HelmChart
discovery is only called when preflights have templated values, so
manifests are required to find builder values
This change improves forward compatibility and clarifies design rationale.
* Implement preflight template rendering with builder values
This commit implements the end-to-end workflow for rendering templated
preflights with chart values and HelmChart builder values before linting.
## Changes
### pkg/lint2/config.go
- Add PreflightWithValues struct to carry preflight path + chart metadata
- Add GetPreflightWithValuesFromConfig() to extract chart info from Chart.yaml
- Add parseChartYaml() helper to read chart name and version
- Supports glob patterns in preflight paths
- Validates Chart.yaml exists adjacent to values.yaml
### pkg/lint2/preflight.go
- Update LintPreflight() signature to accept values, chart info, and HelmChart manifests
- Split into lintPreflightDirect() for non-templated specs (backward compatible)
- Add lintPreflightWithTemplating() for rendering workflow:
- Looks up builder values from HelmChart manifest by name:version key
- Writes builder values to temp file with 0600 permissions (security)
- Runs `preflight template` with both chart values and builder values
- Renders to temp file with 0600 permissions
- Lints the rendered spec
- Cleans up temp files gracefully
### cli/cmd/lint.go
- Call DiscoverHelmChartManifests() once at start of preflight linting
- Update to use GetPreflightWithValuesFromConfig() instead of GetPreflightPathsFromConfig()
- Pass HelmChart manifests and chart metadata to LintPreflight()
### pkg/lint2/preflight_integration_test.go
- Update existing tests to pass new parameters (empty strings for non-templated specs)
- Add integration test for templated preflight with builder values override
- Add test for missing HelmChart manifest error case
- Create comprehensive test data structure
### pkg/lint2/testdata/preflights/
- Add valid.yaml, invalid-yaml.yaml, missing-analyzers.yaml for basic tests
- Add templated-test/ with complete template rendering test setup:
- chart/Chart.yaml (name: test-app, version: 1.0.0)
- chart/values.yaml (database.enabled: false, redis.enabled: false)
- manifests/helmchart.yaml (builder overrides: enabled: true)
- preflight-templated.yaml (v1beta3 with {{ .Values.* }} expressions)
## Workflow
1. Discover HelmChart manifests from config.Manifests globs
2. For each preflight:
- If valuesPath set: extract chart name/version from adjacent Chart.yaml
- Look up builder values from HelmChart manifest
- Render: `preflight template --values chart-values --values builder-values`
- Lint the rendered output
3. Clean up temp files securely
## Security
- Temp files created with 0600 permissions (owner read/write only)
- Unique file names via os.CreateTemp() prevent collisions
- Graceful cleanup with deferred functions
- Minimal lifetime (only during render + lint)
## Testing
- All existing tests pass
- Integration tests verify template rendering with builder values override
- Test coverage for missing HelmChart manifest error case
Builder values override chart values (production parity for air gap bundles).
* Improve code quality and test coverage for preflight template rendering
Quick wins from PR review:
1. Restore helpful comments in lintPreflightDirect()
- Added comment about defensive validation for public API
- Added comment explaining preflight exit codes (0 = success, 2 = errors)
- Added comment about parsing output even on errors
2. Add template syntax hint to error message
- When template rendering fails, now suggests checking for invalid {{ ... }} expressions
- Makes troubleshooting easier for users with syntax errors
3. Add test case for missing Chart.yaml
- Tests error path when valuesPath is set but Chart.yaml is missing
- Verifies error message is helpful (mentions Chart.yaml not found)
4. Enhance test verification to check rendered content
- Added detailed comments explaining what the test verifies
- Added explicit check that builder values overrode chart values
- Added log message confirming successful rendering
- Explains why success=true proves builder values worked
All tests pass. These changes improve code maintainability and make debugging easier for users.
* Add robust integration tests for preflight template rendering
Implements three high-priority test improvements:
1. Explicit builder override verification
- New test explicitly verifies builder values override chart values
- Inspects HelmChartManifest to confirm builder.enabled=true
- Proves success requires builder override (chart has enabled=false)
- Verifies no errors in lint result
2. Negative test: Builder values disabled
- Created test data: templated-disabled-test/
- Both chart and builder values have enabled: false
- Template renders with empty collectors/analyzers
- Verifies lint correctly FAILS with required field errors
- Proves we handle invalid rendered specs properly
3. End-to-end integration test
- Tests complete workflow: Config → GetPreflightWithValuesFromConfig() → DiscoverHelmChartManifests() → LintPreflight()
- Verifies chart metadata extraction (name, version)
- Tests actual user workflow, not isolated functions
- Confirms all components integrate correctly
Test Results:
- All 9 integration tests pass
- Negative test correctly fails with: 'Expected 'analyzers' to be a list'
- Builder override test confirms values work as expected
- End-to-end test validates complete pipeline
These tests significantly increase confidence that the feature works correctly in production scenarios.
* Add comprehensive tests for real-world Helm patterns
Implements 5 high-priority test cases covering common production scenarios:
1. Complex nested partial override
- Builder overrides postgresql.enabled=true
- Chart provides postgresql.host/port (not overridden)
- Preflight uses both builder (enabled) and chart (host/port) values
- Verifies partial nested overrides work correctly
2. Array values from builder
- Chart has ingress.hosts=[] (empty array)
- Builder provides ingress.hosts=[host1, host2, host3]
- Preflight uses {{- range .Values.ingress.hosts }}
- Verifies array iteration in templates
3. String interpolation without conditionals
- Direct value substitution in connection strings
- No {{- if }} conditionals, just {{ .Values.* }} substitution
- Builder: database.host=prod.database.example.com
- Chart: database.host=localhost
- Verifies builder overrides in string templates
4. Multiple charts with multiple preflights
- Two charts: frontend-app:1.0.0, backend-app:2.0.0
- Two preflights: one for frontend, one for backend
- Each uses different values (service.port vs api.port)
- Verifies correct builder values matched to each chart
5. Empty builder values uses chart defaults
- HelmChart with builder: {} (explicitly empty)
- Chart has feature.enabled=true, feature.name=default-feature
- Preflight uses chart defaults throughout
- Verifies empty builder doesn't break templating
All 14 integration tests pass. These tests cover the most common real-world
Helm patterns customers encounter with Replicated KOTS builder values.
* Add test for manifests without HelmChart kind
Tests the realistic scenario where users have manifests configured
(Deployment, Service, ConfigMap) but forgot to include the HelmChart
custom resource needed for templated preflights.
Verifies:
1. DiscoverHelmChartManifests() returns empty map (not error) when no
HelmChart resources found in manifests
2. LintPreflight() returns helpful error message pointing to the issue
3. Error message contains:
- 'no HelmChart manifest found'
- The chart name and version being looked up
- Suggestion to check manifests paths
Test data:
- Created no-helmchart-test/ with Deployment, Service, ConfigMap
- NO kind: HelmChart in manifests directory
- Templated preflight that requires HelmChart
This catches regressions where we accidentally return an error from
discovery instead of an empty map, or where the error message isn't
helpful enough for users to debug the issue.
All 15 integration tests pass.
* style: format preflight.go
* refactor: make valuesPath required for all preflight linting
Simplifies the preflight linting implementation by requiring Chart.yaml,
values.yaml, and HelmChart manifests for all preflights. This removes
the optional routing logic and consolidates to a single code path.
Changes:
- Removed lintPreflightDirect() function and routing logic
- Inlined template rendering as the only implementation path
- Added validation to require valuesPath, chartName, chartVersion
- Updated config parsing to error when valuesPath is missing
- Updated all test cases to use full chart structures
Test updates:
- Created 3 new test data directories with complete chart structures:
- valid-test/ (valid preflight spec)
- invalid-yaml-test/ (invalid YAML handling)
- missing-analyzers-test/ (missing analyzers validation)
- Updated 4 existing test cases to pass chart metadata
Impact:
- Removes ~70 lines of routing/fallback code
- All 15 integration tests passing
- Clearer API: valuesPath is now always required
* fix: remove omitempty from required ValuesPath field
The ValuesPath field is required for all preflight linting, but the YAML
tag had omitempty which allowed it to be omitted from the config file.
This caused fail-late behavior where the validation error only occurred
at runtime instead of during config parsing.
Removing omitempty makes the field truly required at all levels:
- YAML parsing will now fail if valuesPath is missing
- More consistent with the runtime validation
- Fail-fast instead of fail-late
* fix: fail-fast when no HelmChart manifests found
Add validation to DiscoverHelmChartManifests() to return an error when
no valid HelmChart resources are discovered. This prevents confusing
"no HelmChart manifest found for chart X" errors during linting and
instead fails immediately with a clear message during discovery.
This completes the fail-fast validation pattern established throughout
the preflight linting workflow:
- ValuesPath required at config parsing (config.go:224)
- Chart.yaml required at config parsing (config.go:244)
- HelmChart manifest required at discovery (helmchart.go:120)
Updated tests to expect errors when all HelmCharts are invalid/missing,
reflecting the new fail-fast behavior.
* docs: document full Helm/Sprig template support in preflight linting
Add comprehensive documentation and tests proving that preflight template
command fully supports Helm template syntax and Sprig functions.
Research Findings:
- preflight template uses Helm internally for rendering
- ALL Sprig functions are supported (default, quote, upper, etc.)
- ALL Helm functions are supported (include, required, tpl, etc.)
- Flow control works (if, range, with, define, template)
- Complex pipelines and nested templates work
Changes:
1. Enhanced LintPreflight() documentation with:
- Examples of Sprig functions, range loops, named templates
- Clear statement of full Helm/Sprig support
- Known limitation (nested templates in quoted strings)
- Better error hints guiding users to correct syntax
2. Improved error messages:
- Added hints about using 'helm template' locally for debugging
- Clarified that all Sprig/Helm functions are supported
- Better guidance on avoiding nested template actions in strings
3. Added comprehensive integration tests:
- Sprig functions (default, quote, upper, pipelines)
- Range loops over arrays
- Named templates with define/include
- All tests passing with real preflight binary
4. Fixed test broken by fail-fast validation (commit 5e09323):
- Updated "manifests without HelmChart kind" test
- Now expects DiscoverHelmChartManifests() to fail-fast
Test Coverage:
- 18 integration tests passing (3 new advanced template tests)
- Manual validation completed with actual preflight binary
- Documented findings in /tmp/PREFLIGHT_TEMPLATE_FINDINGS.md
This resolves concerns about "not supporting Helm template functions" -
the concern was unfounded. Full support exists and is now documented.
* uses feature toggles * profile edit options * readded new lint flags * Update runner.go * output flag fixed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added documentation for the profile commands and the .replicated config file and init command