feature: Restrict Kubechecks to a Single Namespace for App Watcher (#235

)

* Restrict Kubechecks to a Single Namespace for App Watcher

* fix github webhook check

* update ai check to use gpt-4o model

* unit test for github_client

* change dump_crd

.github/actions/build-image/action.yaml

@@ -41,7 +41,7 @@ runs:
     - name: Build and push the Docker image
       shell: bash
       run: >-       
-        ./earthly 
+        ./earthly.sh 
         --push 
         +docker-multiarch
         ${{ inputs.tag_latest != 'false' && format('--LATEST_IMAGE_NAME=ghcr.io/{0}:latest', github.repository) || '' }} 

.github/workflows/on_pull-request_docs.yaml

@@ -21,7 +21,7 @@ jobs:
         with: { version: "${{ env.EARTHLY_TOOL_VERSION }}" }
 
       - name: rebuild the docs
-        run: ./earthly +rebuild-docs
+        run: ./earthly.sh +rebuild-docs
 
       - name: verify that the checked in file has not changed
         run: ./hacks/exit-on-changed-files.sh "Please run './earthly +rebuild-docs' and commit the results to this PR"

.github/workflows/on_pull-request_helm.yaml

@@ -17,4 +17,4 @@ jobs:
       - uses: earthly/actions-setup@v1
         with: { version: "v${{ env.EARTHLY_TOOL_VERSION }}" }
 
-      - run: ./earthly +ci-helm
+      - run: ./earthly.sh +ci-helm

.github/workflows/on_pull_request_go.yaml

@@ -19,4 +19,4 @@ jobs:
       - uses: earthly/actions-setup@v1
         with: { version: "v${{ env.EARTHLY }}" }
 
-      - run: ./earthly +ci-golang
+      - run: ./earthly.sh +ci-golang

.github/workflows/on_push_to_main.yaml

@@ -43,7 +43,7 @@ jobs:
 
       - name: Build and push the helm charts
         run: |
-          ./earthly \
+          ./earthly.sh \
             --push \
             +release-helm \
               --repo_owner ${{ github.repository_owner }} \

.gitignore

@@ -26,3 +26,5 @@ localdev/terraform/gitlab/project.url
 *.DS_Store
 /kubechecks
 localdev/terraform/github/project.url
+.secret
+.arg

.mockery.yaml

@@ -0,0 +1,7 @@
+with-expecter: true
+dir: "mocks/{{.PackageName}}/mocks"
+packages:
+  github.com/zapier/kubechecks/pkg/vcs/github_client:
+    # place your package-specific config here
+    config:
+      all: true

.env.example → .secret.example

@@ -1,5 +1,4 @@
 GITLAB_TOKEN=xyz
-KUBECHECKS_LOG_LEVEL=debug
 OPENAI_API_TOKEN=xyz
 GITHUB_TOKEN=xyz
 KUBECHECKS_WEBHOOK_SECRET=xyz

Tiltfile

@@ -7,7 +7,12 @@ load('ext://uibutton', 'cmd_button')
 load('ext://helm_resource', 'helm_resource')
 load('./.tilt/terraform/Tiltfile', 'local_terraform_resource')
 load('./.tilt/utils/Tiltfile', 'check_env_set')
-dotenv()
+
+# Check if the .secret file exists
+if not os.path.exists('.secret'):
+    fail('The .secret file is missing. Please copy .secret file from .secret.example and setup before running Tilt.')
+
+dotenv(fn='.secret')
 
 config.define_bool("enable_repo", True, 'create a new project for testing this app')
 config.define_string("vcs-type")
@@ -126,7 +131,7 @@ if cfg.get('enable_repo', True):
 test_go(
   'go-test', '.',
   recursive=True,
-  timeout='30s',
+  timeout='60s',
   extra_args=['-v'],
   labels=["kubechecks"],
   deps=[
@@ -138,12 +143,55 @@ test_go(
   ],
 )
 
+
+# get the git commit ref
+def get_git_head():
+    result = local('git rev-parse --short HEAD')
+    return result
+
+# read .tool-versions file and return a dictionary of tools and their versions
+def parse_tool_versions(fn):
+    if not os.path.exists(fn):
+        warn("tool versions file not found: '%s'" % fn)
+        return dict()
+
+    f = read_file(fn)
+
+    lines = str(f).splitlines()
+
+    tools = dict()
+
+    for linenumber in range(len(lines)):
+        line = lines[linenumber]
+        parts = line.split("#", 1)
+        if len(parts) == 2:
+            line = parts[0]
+        line = line.strip()
+        if line == "":
+            continue
+        parts = line.split(' ', 1)
+        tools[parts[0].strip()] = parts[1].strip()
+    return tools
+
+tool_versions = parse_tool_versions(".tool-versions")
+git_commit = str(get_git_head()).strip()
+
 earthly_build(
     context='.',
     target="+docker-debug",
     ref='kubechecks',
     image_arg='IMAGE_NAME',
     ignore='./dist',
+    extra_args=[
+        '--CHART_RELEASER_VERSION='+tool_versions.get('helm-cr'),
+        '--GOLANG_VERSION='+tool_versions.get('golang'),
+        '--GOLANGCI_LINT_VERSION='+tool_versions.get('golangci-lint'),
+        '--HELM_VERSION='+tool_versions.get('helm'),
+        '--KUBECONFORM_VERSION='+tool_versions.get('kubeconform'),
+        '--KUSTOMIZE_VERSION='+tool_versions.get('kustomize'),
+        '--STATICCHECK_VERSION='+tool_versions.get('staticcheck'),
+        '--GIT_COMMIT='+git_commit,
+        ],
 )
 
 cmd_button('loc:go mod tidy',
@@ -216,4 +264,4 @@ load("localdev/test_appsets/Tiltfile", "install_test_appsets")
 install_test_appsets(cfg)
 
 
-force_argocd_cleanup_on_tilt_down()
+force_argocd_cleanup_on_tilt_down()

cmd/container.go

@@ -5,7 +5,7 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
-
+	"github.com/rs/zerolog/log"
 	"github.com/zapier/kubechecks/pkg/app_watcher"
 	"github.com/zapier/kubechecks/pkg/appdir"
 	"github.com/zapier/kubechecks/pkg/argo_client"
@@ -60,6 +60,8 @@ func newContainer(ctx context.Context, cfg config.ServerConfig, watchApps bool)
 
 			go ctr.ApplicationWatcher.Run(ctx, 1)
 		}
+	} else {
+		log.Info().Msgf("not monitoring applications, MonitorAllApplications: %+v", cfg.MonitorAllApplications)
 	}
 
 	return ctr, nil

cmd/root.go

@@ -56,8 +56,13 @@ func init() {
 			withDefault("gitlab"))
 	stringFlag(flags, "vcs-token", "VCS API token.")
 	stringFlag(flags, "argocd-api-token", "ArgoCD API token.")
-	stringFlag(flags, "argocd-api-server-addr", "ArgoCD API Server Address.", newStringOpts().withDefault("argocd-server"))
+	stringFlag(flags, "argocd-api-server-addr", "ArgoCD API Server Address.",
+		newStringOpts().
+			withDefault("argocd-server"))
 	boolFlag(flags, "argocd-api-insecure", "Enable to use insecure connections to the ArgoCD API server.")
+	stringFlag(flags, "argocd-api-namespace", "ArgoCD namespace where the application watcher will read Custom Resource Definitions (CRD) for Application and ApplicationSet resources.",
+		newStringOpts().
+			withDefault("argocd"))
 	stringFlag(flags, "kubernetes-config", "Path to your kubernetes config file, used to monitor applications.")
 
 	stringFlag(flags, "otel-collector-port", "The OpenTelemetry collector port.")

docs/contributing.md

@@ -67,10 +67,18 @@ It creates:
 
 To get started do the following:
 
-* Copy the `.env.example` and set required values.
+* Copy the `.secret.example` and set required values.
 
     ```console
-    cp .env.example .env
+    cp .secret.example .secret
+    ```
+  You will need to fill in either `GITLAB_TOKEN` or `GITLAB_TOKEN`  
+  If you are testing with GITHUB, please set the tile_config.json file to specify the vcs-type as the default is `gitlab`.  
+  The token you specify must have ability to get repositories, add/delete comment and webhooks.  
+    ```json
+    {
+      "vcs-type": "github"
+    }
     ```
 
 * From the root directory of this repo:
@@ -110,7 +118,7 @@ If you're using minikube with Tilt we recommend following this [guide](https://g
 
 ### Code Changes
 
-We use Earthly to simplify our CI/CD process with `kubechecks`. There's a thin wrapper around earthly that passes some common arguments in the root of the repo called `./earthly` that should be used instead of calling earthly directly. This also simplifies testing changes locally before pushing them up to ensure your PR will pass all required checks. The best command to run is `./earthly +test` this will pull all the required dependencies (including any new ones that you have added). It will then run [go vet](https://pkg.go.dev/cmd/vet), and if those pass it will run `go test` with race detection enabled. You can also always run these commands directly `go test -race ./...` will run all tests in the repo with race detection enabled. Please ensure that `./earthly +test` is passing before opening a PR.
+We use Earthly to simplify our CI/CD process with `kubechecks`. There's a thin wrapper around earthly that passes some common arguments in the root of the repo called `./earthly.sh` that should be used instead of calling earthly directly. This also simplifies testing changes locally before pushing them up to ensure your PR will pass all required checks. The best command to run is `./earthly.sh +test` this will pull all the required dependencies (including any new ones that you have added). It will then run [go vet](https://pkg.go.dev/cmd/vet), and if those pass it will run `go test` with race detection enabled. You can also always run these commands directly `go test -race ./...` will run all tests in the repo with race detection enabled. Please ensure that `./earthly.sh +test` is passing before opening a PR.
 
 ### Documentation Changes
 

docs/usage.md

@@ -37,6 +37,7 @@ The full list of supported environment variables is described below:
 |Env Var|Description|Default Value|
 |-----------|-------------|------|
 |`KUBECHECKS_ARGOCD_API_INSECURE`|Enable to use insecure connections to the ArgoCD API server.|`false`|
+|`KUBECHECKS_ARGOCD_API_NAMESPACE`|ArgoCD namespace where the application watcher will read Custom Resource Definitions (CRD) for Application and ApplicationSet resources.|`argocd`|
 |`KUBECHECKS_ARGOCD_API_SERVER_ADDR`|ArgoCD API Server Address.|`argocd-server`|
 |`KUBECHECKS_ARGOCD_API_TOKEN`|ArgoCD API token.||
 |`KUBECHECKS_ENABLE_CONFTEST`|Set to true to enable conftest policy checking of manifests.|`false`|

earthly → earthly.sh

@@ -8,7 +8,7 @@ to_echo() {
 
 read_tool_versions_write_to_env() {
     local -r tool_versions_file="$1"
-
+    cat $tool_versions_file
     # loop over each line of the .tool-versions file
     while read -r line; do
         # split the line into a bash array using the default space delimeter
@@ -39,4 +39,5 @@ earthly $* \
   --KUBECONFORM_VERSION=${kubeconform_tool_version} \
   --KUSTOMIZE_VERSION=${kustomize_tool_version} \
   --STATICCHECK_VERSION=${staticcheck_tool_version} \
-  --GIT_COMMIT=$(git rev-parse --short HEAD)
+  --GIT_COMMIT=$(git rev-parse --short HEAD) \
+  --KUBECHECKS_LOG_LEVEL=debug

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399
 	github.com/go-logr/zerologr v1.2.3
-	github.com/google/go-github/v53 v53.2.0
+	github.com/google/go-github/v62 v62.0.0
 	github.com/heptiolabs/healthcheck v0.0.0-20211123025425-613501dd5deb
 	github.com/labstack/echo-contrib v0.16.0
 	github.com/labstack/echo/v4 v4.11.4
@@ -27,7 +27,7 @@ require (
 	github.com/prometheus/client_golang v1.19.0
 	github.com/rikatz/kubepug v1.4.0
 	github.com/rs/zerolog v1.32.0
-	github.com/sashabaranov/go-openai v1.20.4
+	github.com/sashabaranov/go-openai v1.26.2
 	github.com/shurcooL/githubv4 v0.0.0-20231126234147-1cffa1f02456
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.0
@@ -131,6 +131,7 @@ require (
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-github/v53 v53.2.0 // indirect
 	github.com/google/go-jsonnet v0.20.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -215,6 +216,7 @@ require (
 	github.com/spdx/tools-golang v0.5.3 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
 	github.com/tmccombs/hcl2json v0.3.6 // indirect

go.sum

@@ -558,6 +558,8 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github/v53 v53.2.0 h1:wvz3FyF53v4BK+AsnvCmeNhf8AkTaeh2SoYu/XUvTtI=
 github.com/google/go-github/v53 v53.2.0/go.mod h1:XhFRObz+m/l+UCm9b7KSIC3lT3NWSXGt7mOsAWEloao=
+github.com/google/go-github/v62 v62.0.0 h1:/6mGCaRywZz9MuHyw9gD1CwsbmBX8GWsbFkwMmHdhl4=
+github.com/google/go-github/v62 v62.0.0/go.mod h1:EMxeUqGJq2xRu9DYBMwel/mr7kZrzUOfQmmpYrZn2a4=
 github.com/google/go-jsonnet v0.20.0 h1:WG4TTSARuV7bSm4PMB4ohjxe33IHT5WVTrJSU33uT4g=
 github.com/google/go-jsonnet v0.20.0/go.mod h1:VbgWF9JX7ztlv770x/TolZNGGFfiHEVx9G6ca2eUmeA=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
@@ -884,8 +886,8 @@ github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6g
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/sashabaranov/go-openai v1.20.4 h1:095xQ/fAtRa0+Rj21sezVJABgKfGPNbyx/sAN/hJUmg=
-github.com/sashabaranov/go-openai v1.20.4/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
+github.com/sashabaranov/go-openai v1.26.2 h1:cVlQa3gn3eYqNXRW03pPlpy6zLG52EU4g0FrWXc0EFI=
+github.com/sashabaranov/go-openai v1.26.2/go.mod h1:lj5b/K+zjTSFxVLijLSTDZuP7adOgerWeFyZLUhAKRg=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=

justfile

@@ -65,7 +65,7 @@ unit_test_race:
 	go test -race ./...
 
 rebuild_docs:
-    ./earthly +rebuild-docs
+    ./earthly.sh +rebuild-docs
 
 ci-golang:
-    ./earthly +ci-golang
+    ./earthly.sh +ci-golang

localdev/kubechecks/values.yaml

@@ -5,7 +5,7 @@ configMap:
     KUBECHECKS_ENABLE_WEBHOOK_CONTROLLER: "false"
     KUBECHECKS_ARGOCD_API_INSECURE: "true"
     KUBECHECKS_ARGOCD_API_PATH_PREFIX : '/argocd'
-    KUBECHECKS_ARGOCD_NAMESPACE: 'kubechecks'
+    KUBECHECKS_ARGOCD_API_NAMESPACE: 'kubechecks'
     KUBECHECKS_WEBHOOK_URL_PREFIX: 'kubechecks'
     KUBECHECKS_NAMESPACE: 'kubechecks'
     KUBECHECKS_FALLBACK_K8S_VERSION: "1.25.0"
@@ -20,7 +20,7 @@ configMap:
     # KUBECHECKS_LABEL_FILTER: "test" # On your PR/MR, prefix this with "kubechecks:"
     # KUBECHECKS_SCHEMAS_LOCATION: https://github.com/zapier/kubecheck-schemas.git
     KUBECHECKS_TIDY_OUTDATED_COMMENTS_MODE: "delete"
-    KUBECHECKS_ENABLE_CONFTEST: "true"
+    KUBECHECKS_ENABLE_CONFTEST: "false"
 
 
 deployment: