feat(bundler): enable --attest and --data for argocd-helm (#573)#627
Conversation
7a50d9c to
fccc330
Compare
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughDocuments new POST /v1/bundle query parameters Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Coverage Report ✅
Coverage BadgeMerging this branch changes the coverage (2 decrease, 4 increase)
Coverage by fileChanged files (no unit tests)
Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code. |
There was a problem hiding this comment.
Actionable comments posted: 6
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/user/api-reference.md`:
- Around line 336-337: The docs currently state that the `repo` parameter is
used with `deployer=argocd` only, but `pkg/bundler/bundler.go` forwards
`RepoURL` to both `argocd.Generator` and `argocdhelm.Generator`, so update the
API reference entry for `repo` to indicate it is required/used for both `argocd`
and `argocd-helm` deployers (mention `RepoURL`, `argocd.Generator`, and
`argocdhelm.Generator` to guide readers); change the description on the `repo`
row to clearly list both deployer values (`argocd`, `argocd-helm`) so users of
`argocd-helm` know `repo` is honored.
In `@docs/user/cli-reference.md`:
- Line 1253: The sentence uses "embedded `--data` files" which is inaccurate;
update the text in the Attestation paragraph to replace "embedded `--data`
files." with wording that clarifies `--data` files are external inputs copied
into the bundle (for example: "external `--data` files copied into the bundle.")
so the sentence reads that attestation binds the shipped bundle — defaults,
dynamic-value stubs, and any external `--data` files copied into the bundle;
ensure the new wording does not imply `--data` files are embedded assets and
keeps the rest of the sentence unchanged.
In `@pkg/bundler/checksum/checksum.go`:
- Around line 97-99: The call to GenerateChecksums currently wraps any error as
errors.ErrCodeInternal which can overwrite the original pkg/errors code;
instead, propagate GenerateChecksums' error as-is (do not re-wrap) so existing
structured codes (e.g., context-cancel/unavailable) are preserved—replace the
errors.Wrap return in the GenerateChecksums error branch with a direct return of
the err (or, if you must inspect codes, check the error's code via the package's
accessor and only wrap when it lacks a code), referencing the GenerateChecksums
call and the current errors.Wrap(..., errors.ErrCodeInternal, ...) usage.
In `@pkg/bundler/deployer/argocd/argocd.go`:
- Around line 239-245: The code appends dataPaths (from
deployer.ResolveDataFilePaths(outputDir, g.DataFiles)) to output.Files but does
not add their sizes to output.TotalSize; update the code after output.Files =
append(output.Files, dataPaths...) to iterate the appended dataPaths (or sum
sizes from dataPaths) and add each file's size to output.TotalSize so TotalSize
reflects the included DataFiles (use the existing dataPaths variable and
output.TotalSize field to perform the accumulation).
In `@pkg/bundler/deployer/argocdhelm/argocdhelm.go`:
- Around line 192-198: The data file paths returned by
deployer.ResolveDataFilePaths are appended to output.Files but their sizes are
never added to output.TotalSize; update the block that handles dataPaths (where
dataPaths, err := deployer.ResolveDataFilePaths(outputDir, g.DataFiles) is
called) to stat each path, add its file size to output.TotalSize, and
handle/stat error returns appropriately before appending to output.Files (i.e.,
for each path use os.Stat(path) -> fi.Size() and accumulate into
output.TotalSize, returning the error if stat fails).
In `@pkg/bundler/deployer/helm/helm.go`:
- Around line 160-164: The data files returned by deployer.ResolveDataFilePaths
(called with outputDir and g.DataFiles) are appended to output.Files but their
sizes are not added to output.TotalSize; update the block after output.Files =
append(output.Files, dataPaths...) to iterate the returned dataPaths, stat each
file to get its size (or use the project utility that computes file size), sum
those sizes and add the total to output.TotalSize so the reported bundle size
includes --data files.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: fadd2ede-0fc5-4400-8159-f31a36fb8b3b
📒 Files selected for processing (14)
docs/contributor/api-server.mddocs/user/api-reference.mddocs/user/cli-reference.mdpkg/bundler/bundler.gopkg/bundler/bundler_test.gopkg/bundler/checksum/checksum.gopkg/bundler/checksum/checksum_test.gopkg/bundler/deployer/argocd/argocd.gopkg/bundler/deployer/argocd/argocd_test.gopkg/bundler/deployer/argocdhelm/argocdhelm.gopkg/bundler/deployer/argocdhelm/argocdhelm_test.gopkg/bundler/deployer/helm/helm.gopkg/bundler/deployer/helpers.gopkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
- pkg/bundler/bundler_test.go
fccc330 to
93aae4f
Compare
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
pkg/bundler/deployer/argocdhelm/argocdhelm.go (1)
198-200: 🧹 Nitpick | 🔵 TrivialAvoid double-wrapping the already-structured error from
finalizeOutput.
checksum.WriteChecksumsreturns errors with properErrCodeInternalcodes. Wrapping again at line 199 duplicates the code and adds unnecessary nesting. The other deployers (argocd.go,helm.go) return the error fromWriteChecksumsas-is.Proposed fix
// Generate checksums and finalize output if err := g.finalizeOutput(ctx, output, outputDir, start); err != nil { - return nil, errors.Wrap(errors.ErrCodeInternal, "failed to finalize output", err) + return nil, err }Based on learnings: "if an error was already created/wrapped with
pkg/errors... and includes the correct structured error code, then returning it should use the bare formreturn nil, err."🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@pkg/bundler/deployer/argocdhelm/argocdhelm.go` around lines 198 - 200, The call in finalizeOutput handling currently double-wraps structured errors (errors.Wrap(...)) after g.finalizeOutput(ctx, output, outputDir, start); instead of preserving the original error code; change the return to propagate the original error directly (i.e., return nil, err) when g.finalizeOutput returns a non-nil error so checksum.WriteChecksums/Finalize errors keep their existing ErrCodeInternal and avoid extra nesting; mirror the behavior used in argocd.go and helm.go.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/bundler/checksum/checksum.go`:
- Around line 96-107: WriteChecksums currently dereferences the pointer
parameter output (output.Files / output.TotalSize) and panics when nil; add a
nil-check at the start of WriteChecksums and return a proper error instead of
panicking. Concretely, in function WriteChecksums validate that output != nil
before calling GenerateChecksums or touching output.Files/TotalSize, and if nil
return a wrapped error (consistent with the package’s error style) so callers
get a normal error path; keep the rest of the flow (GenerateChecksums,
GetChecksumFilePath, os.Stat, append to output.Files and increment
output.TotalSize) unchanged.
In `@pkg/bundler/deployer/deployer.go`:
- Around line 58-71: The AddDataFiles method on type Output doesn't check for a
nil receiver and will panic when called on a nil *Output; add an explicit nil
check at the start of Output.AddDataFiles (the method shown with signature func
(o *Output) AddDataFiles(outputDir string, dataFiles []string) error) and if o
== nil return a wrapped errors.ErrCodeInvalidRequest error (use the existing
errors.Wrap pattern and a clear message like "nil output receiver") so callers
get a structured invalid-request error instead of a panic; preserve the existing
error wrapping style and return immediately before any append or size
operations.
In `@pkg/bundler/deployer/helpers_test.go`:
- Around line 139-163: Update the subtests that call Output.AddDataFiles to
assert the structured sentinel errors using errors.Is instead of only substring
checks: for the "rejects path traversal without mutating output" and "rejects
absolute path" tests use errors.Is(err, ErrUnsafeDataFilePath) and for the
"errors when file missing" test use errors.Is(err, ErrFailedToStatDataFile) (or
the repository's equivalent sentinel error names) and keep the existing
substring checks as secondary assertions; import the standard errors package if
needed and ensure you still fail the test when err is nil before calling
errors.Is.
---
Outside diff comments:
In `@pkg/bundler/deployer/argocdhelm/argocdhelm.go`:
- Around line 198-200: The call in finalizeOutput handling currently
double-wraps structured errors (errors.Wrap(...)) after g.finalizeOutput(ctx,
output, outputDir, start); instead of preserving the original error code; change
the return to propagate the original error directly (i.e., return nil, err) when
g.finalizeOutput returns a non-nil error so checksum.WriteChecksums/Finalize
errors keep their existing ErrCodeInternal and avoid extra nesting; mirror the
behavior used in argocd.go and helm.go.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: e8707c0d-9e19-4c96-a330-b98a598d7d09
📒 Files selected for processing (14)
docs/contributor/api-server.mddocs/user/api-reference.mddocs/user/cli-reference.mdpkg/bundler/bundler.gopkg/bundler/bundler_test.gopkg/bundler/checksum/checksum.gopkg/bundler/checksum/checksum_test.gopkg/bundler/deployer/argocd/argocd.gopkg/bundler/deployer/argocd/argocd_test.gopkg/bundler/deployer/argocdhelm/argocdhelm.gopkg/bundler/deployer/argocdhelm/argocdhelm_test.gopkg/bundler/deployer/deployer.gopkg/bundler/deployer/helm/helm.gopkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
- pkg/bundler/bundler_test.go
93aae4f to
0c46c32
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/bundler/deployer/deployer.go`:
- Around line 64-66: The code currently always wraps joinErr from SafeJoin with
errors.ErrCodeInvalidRequest, which can overwrite SafeJoin's original structured
error code; change the logic so that if joinErr already carries a
structured/typed error code (i.e., represents the package's error type returned
by SafeJoin) you return joinErr directly, otherwise wrap it with
errors.Wrap(errors.ErrCodeInvalidRequest, "unsafe data file path", joinErr);
locate the conditional around joinErr in deployer.go and implement a short check
(using the existing error typing/inspection utilities in the errors package or
errors.As) to decide whether to propagate joinErr as-is or to wrap it.
In `@pkg/bundler/deployer/helpers_test.go`:
- Around line 160-176: The tests named "rejects path traversal without mutating
output", "rejects absolute path", and "errors when file missing" only assert the
returned error; update each subtest to also assert that the Output object
remains unchanged after AddDataFiles returns by checking o.Files and o.TotalSize
(use the initial values set before calling AddDataFiles). Locate the Output
instance in each subtest (o := &Output{...} or o := &Output{}), call
AddDataFiles as before, then add assertions that o.Files equals the original
slice and o.TotalSize equals the original integer to guarantee immutability on
error paths.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 014d4d94-0b84-4b18-868f-2f40021bfd2f
📒 Files selected for processing (14)
docs/contributor/api-server.mddocs/user/api-reference.mddocs/user/cli-reference.mdpkg/bundler/bundler.gopkg/bundler/bundler_test.gopkg/bundler/checksum/checksum.gopkg/bundler/checksum/checksum_test.gopkg/bundler/deployer/argocd/argocd.gopkg/bundler/deployer/argocd/argocd_test.gopkg/bundler/deployer/argocdhelm/argocdhelm.gopkg/bundler/deployer/argocdhelm/argocdhelm_test.gopkg/bundler/deployer/deployer.gopkg/bundler/deployer/helm/helm.gopkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
- pkg/bundler/bundler_test.go
0c46c32 to
a27a60b
Compare
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@pkg/bundler/checksum/checksum_test.go`:
- Around line 290-367: Refactor TestWriteChecksums into a table-driven test that
iterates over cases (name, setup func or inputs for tmpDir + deployer.Output,
wantError bool, expectedErrorType/code/message, and any post-check assertions)
and for each case run t.Run(tc.name, func(t *testing.T){ t.Parallel(); ... });
keep the existing behaviors for the success case (create files a.txt/b.txt, call
WriteChecksums, assert output.Files length and ChecksumFileName suffix and
TotalSize update using os.Stat), the missing-source case (use a non-existent
file and assert error is *errors.StructuredError via stderrors.As with Code ==
errors.ErrCodeInternal and error string contains "failed to compute checksum"),
and the nil-output case (call WriteChecksums with nil and assert
ErrCodeInvalidRequest). Ensure every t.Fatal/t.Fatalf path is immediately
followed by return to avoid further execution inside subtests. Use the same
unique symbols from the diff (TestWriteChecksums, WriteChecksums,
deployer.Output, ChecksumFileName, errors.StructuredError, stderrors.As,
errors.ErrCodeInternal, errors.ErrCodeInvalidRequest) to locate and update the
test logic.
In `@pkg/bundler/deployer/argocd/argocd_test.go`:
- Around line 423-499: Refactor TestGenerate_DataFiles into a table-driven test:
create a tests slice of structs (e.g., name, setup function or fields for
RecipeResult, Generator fields like DataFiles and IncludeChecksums, pre-create
files if needed, wantError bool, wantErrSubstring string, wantChecksumsEntry
bool) and loop over it with t.Run(tc.name, func(t *testing.T){...}); inside each
case construct the Generator (referencing Generator, RecipeResult, DataFiles,
IncludeChecksums), call Generate and assert either an expected error (check
tc.wantErrSubstring, e.g., "escapes base directory") or on success assert
output.Files contains the data file and checksums.txt contains
"data/overrides.yaml" when tc.wantChecksumsEntry is true; reuse existing setup
code for creating the data/overrides.yaml in the success case.
In `@pkg/bundler/deployer/argocdhelm/argocdhelm_test.go`:
- Around line 255-327: Convert TestGenerate_DataFiles into a table-driven test:
create a slice of test cases (struct with name, setup function or input fields
for Generator like DataFiles and IncludeChecksums, expectedError bool,
expectedErrorSubstring string, and expectedFiles/expectedChecksums content),
then loop over cases with t.Run(tc.name, func(t *testing.T){...}) and for each
case create the temp outputDir, stage any data files when needed, instantiate
the Generator (use the same fields currently set in TestGenerate_DataFiles such
as RecipeResult, ComponentValues, Version, RepoURL) and call g.Generate(ctx,
outputDir); for success cases assert output.Files contains the data file and
checksums.txt contains the entry, and for failure cases assert an error is
returned and contains expectedErrorSubstring (e.g., "escapes base directory" for
path traversal). Ensure you reuse Generator.Generate, DataFiles, and
IncludeChecksums symbols from the existing test to locate code.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 11b3bf6e-9d34-47f6-a093-8ae07e0b9955
📒 Files selected for processing (15)
docs/contributor/api-server.mddocs/user/api-reference.mddocs/user/cli-reference.mdpkg/bundler/bundler.gopkg/bundler/bundler_test.gopkg/bundler/checksum/checksum.gopkg/bundler/checksum/checksum_test.gopkg/bundler/deployer/argocd/argocd.gopkg/bundler/deployer/argocd/argocd_test.gopkg/bundler/deployer/argocdhelm/argocdhelm.gopkg/bundler/deployer/argocdhelm/argocdhelm_test.gopkg/bundler/deployer/deployer.gopkg/bundler/deployer/helm/helm.gopkg/bundler/deployer/helm/helm_test.gopkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
- pkg/bundler/bundler_test.go
a27a60b to
dae15b3
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docs/user/cli-reference.md`:
- Around line 1249-1250: Update the earlier flag table rows for --deployer and
--repo to match the later statement that attestation supports helm, argocd and
argocd-helm: change the --deployer allowed values from "helm|argocd" to
"helm|argocd|argocd-helm" and revise the --repo description to indicate which
deployers it applies to (argocd and argocd-helm) and how external --data files
are handled (included in checksums.txt / listed as resolved dependencies) so the
table and the attestation paragraph are consistent; locate the flag-table
entries (rows referencing --deployer and --repo) and update their value list and
descriptive text accordingly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 079f0006-fdc2-4148-93fe-f07962af1be7
📒 Files selected for processing (15)
docs/contributor/api-server.mddocs/user/api-reference.mddocs/user/cli-reference.mdpkg/bundler/bundler.gopkg/bundler/bundler_test.gopkg/bundler/checksum/checksum.gopkg/bundler/checksum/checksum_test.gopkg/bundler/deployer/argocd/argocd.gopkg/bundler/deployer/argocd/argocd_test.gopkg/bundler/deployer/argocdhelm/argocdhelm.gopkg/bundler/deployer/argocdhelm/argocdhelm_test.gopkg/bundler/deployer/deployer.gopkg/bundler/deployer/helm/helm.gopkg/bundler/deployer/helm/helm_test.gopkg/bundler/deployer/helpers_test.go
💤 Files with no reviewable changes (1)
- pkg/bundler/bundler_test.go
- Adds DataFiles field to argocd.Generator and argocdhelm.Generator - Extracts deployer.ResolveDataFilePaths and checksum.WriteChecksums so all three deployers share one SafeJoin + checksum-finalize path - Simplifies buildDeployer: single upfront debug log, direct returns - Deletes obsolete rejection tests; adds DataFiles coverage for argocd and argocd-helm plus unit tests for the new shared helpers Attestation binds the shipped bundle (defaults, stubs, data files); it does not bind install-time values supplied via helm --set or Argo Application parameters. Policy enforcement of install-time values is out of scope and belongs to admission control or sync hooks. Closes #573
dae15b3 to
e53a28f
Compare
Summary
Attestation binds the shipped bundle (defaults, stubs, data files); it does not bind install-time values supplied via helm --set or Argo Application parameters. Policy enforcement of install-time values is out of scope and belongs to admission control or sync hooks.
Closes #573
Motivation / Context
PR #527 introduced the
argocd-helmdeployer with explicit rejection guards for--attestand--data(pending follow-up). The post-#575 refactor made the wiring straightforward:copyDataFilesandattestBundlealready run inMake()/runDeployerfor all deployers, so the guards were the only thing blocking parity. Separately, #575's review surfaced that theargocddeployer has never included its--datafiles inchecksums.txt— bundle integrity claims were incomplete for that deployer.Related: #527, #575
Type of Change
Component(s) Affected
cmd/aicr,pkg/cli)cmd/aicrd,pkg/api,pkg/server)pkg/recipe)pkg/bundler,pkg/component/*)pkg/collector,pkg/snapshotter)pkg/validator)pkg/errors,pkg/k8s)docs/,examples/)Implementation Notes
Testing
# Commands run (prefer `make qualify` for non-trivial changes) make qualifyRisk Assessment
Rollout notes:
Checklist
make testwith-race)make lint)git commit -S) — GPG signing info