Linter (#3140)

* added embedded cluster lint command for replicated cli

* added basic yaml syntax checking

* Create README.md

* addressing bugbot concerns

* linter failure fix

* added json output format

* refactored linter for new custom domain unit tests

* sanitize error

Author: NoaheCampbell

cmd/installer/cli/lint.go

@@ -0,0 +1,124 @@
+package cli
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/replicatedhq/embedded-cluster/pkg/lint"
+	"github.com/spf13/cobra"
+)
+
+// LintCmd creates a hidden command for linting embedded cluster configuration files
+func LintCmd(ctx context.Context) *cobra.Command {
+	var verbose bool
+	var outputFormat string
+
+	cmd := &cobra.Command{
+		Use:    "lint [flags] [file...]",
+		Short:  "Lint embedded cluster configuration files",
+		Hidden: true, // Hidden command as requested
+		Long: `Lint embedded cluster configuration files to validate:
+- YAML syntax (duplicate keys, unclosed quotes, invalid structure)
+- Port specifications in unsupportedOverrides that are already supported
+- Custom domains against the Replicated app's configured domains
+
+Environment variables (optional for custom domain validation):
+- REPLICATED_API_TOKEN: Authentication token for Replicated API
+- REPLICATED_API_ORIGIN: API endpoint (e.g., https://api.replicated.com/vendor)
+- REPLICATED_APP: Application ID or slug`,
+		Args: cobra.MinimumNArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Validate output format
+			if outputFormat != "text" && outputFormat != "json" {
+				return fmt.Errorf("invalid output format %q: must be 'text' or 'json'", outputFormat)
+			}
+
+			// Get environment variables
+			apiToken := os.Getenv("REPLICATED_API_TOKEN")
+			apiOrigin := os.Getenv("REPLICATED_API_ORIGIN")
+			appID := os.Getenv("REPLICATED_APP")
+
+			// Create validator with verbose flag
+			validator := lint.NewValidator(apiToken, apiOrigin, appID)
+			validator.SetVerbose(verbose && outputFormat != "json") // Disable verbose in JSON mode
+
+			// For JSON output, accumulate all results
+			var jsonResults lint.JSONOutput
+			hasErrors := false
+
+			// Validate each file
+			for _, file := range args {
+				if outputFormat != "json" {
+					fmt.Printf("Linting %s...\n", file)
+				}
+
+				result, err := validator.ValidateFile(file)
+				if err != nil {
+					if outputFormat == "json" {
+						// Add as a file with error
+						jsonResults.Files = append(jsonResults.Files, lint.FileResult{
+							Path:   file,
+							Valid:  false,
+							Errors: []lint.ValidationIssue{{Field: "", Message: err.Error()}},
+						})
+					} else {
+						fmt.Fprintf(os.Stderr, "ERROR: Failed to validate %s: %v\n", file, err)
+					}
+					hasErrors = true
+					continue
+				}
+
+				if outputFormat == "json" {
+					// Add to JSON results
+					jsonResults.Files = append(jsonResults.Files, result.ToJSON(file))
+					if len(result.Errors) > 0 {
+						hasErrors = true
+					}
+				} else {
+					// Display warnings
+					for _, warning := range result.Warnings {
+						fmt.Fprintf(os.Stderr, "WARNING: %s: %s\n", file, warning)
+					}
+
+					// Display errors
+					for _, validationErr := range result.Errors {
+						fmt.Fprintf(os.Stderr, "ERROR: %s: %s\n", file, validationErr)
+						hasErrors = true
+					}
+
+					// Display result
+					if len(result.Errors) == 0 && len(result.Warnings) == 0 {
+						fmt.Printf("✓ %s passed validation\n", file)
+					} else if len(result.Errors) == 0 && len(result.Warnings) > 0 {
+						fmt.Printf("⚠ %s passed with %d warning(s)\n", file, len(result.Warnings))
+					} else {
+						fmt.Printf("✗ %s failed validation\n", file)
+					}
+				}
+			}
+
+			// Output JSON if requested
+			if outputFormat == "json" {
+				output, err := json.MarshalIndent(jsonResults, "", "  ")
+				if err != nil {
+					return fmt.Errorf("failed to marshal JSON output: %w", err)
+				}
+				fmt.Println(string(output))
+			}
+
+			// Only fail if there are errors (not warnings)
+			if hasErrors {
+				return fmt.Errorf("validation failed with errors")
+			}
+
+			return nil
+		},
+	}
+
+	cmd.Flags().BoolVarP(&verbose, "verbose", "v", false, "Enable verbose output showing API endpoints and detailed information")
+	cmd.Flags().StringVarP(&outputFormat, "output", "o", "text", "Output format: text or json")
+
+	return cmd
+}

cmd/installer/cli/root.go

@@ -121,6 +121,7 @@ func RootCmd(ctx context.Context) *cobra.Command {
 	cmd.AddCommand(RestoreCmd(ctx, appSlug, appTitle))
 	cmd.AddCommand(AdminConsoleCmd(ctx, appTitle))
 	cmd.AddCommand(SupportBundleCmd(ctx))
+	cmd.AddCommand(LintCmd(ctx))
 
 	return cmd
 }

go.mod

@@ -53,6 +53,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4
 	golang.org/x/crypto v0.43.0
 	golang.org/x/term v0.36.0
+	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools v2.2.0+incompatible
 	helm.sh/helm/v3 v3.19.0
 	k8s.io/api v0.34.1
@@ -346,7 +347,6 @@ require (
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiserver v0.34.1 // indirect
 	k8s.io/component-base v0.34.1 // indirect

pkg/lint/README.md

@@ -0,0 +1,223 @@
+# Embedded Cluster Lint Package
+
+A hidden lint command for validating Embedded Cluster configuration files.
+
+## Purpose
+
+Validates Embedded Cluster YAML configuration files to catch common issues:
+- **YAML syntax errors** (duplicate keys, unclosed quotes, invalid structure)
+- **Port configuration issues** (ports in unsupportedOverrides that are already supported)
+- **Custom domain validation** (domains must exist in the Replicated app)
+
+## Usage
+
+```bash
+# Basic usage
+embedded-cluster lint config.yaml
+
+# Multiple files
+embedded-cluster lint config1.yaml config2.yaml config3.yaml
+
+# Verbose mode (shows API endpoints and configuration)
+embedded-cluster lint -v config.yaml
+
+# JSON output (for CI/CD and scripting)
+embedded-cluster lint -o json config.yaml
+embedded-cluster lint --output json config.yaml  # Long form
+
+# With custom domain validation enabled
+REPLICATED_API_TOKEN="your-token" \
+REPLICATED_API_ORIGIN="https://api.replicated.com/vendor" \
+REPLICATED_APP="your-app-id" \
+embedded-cluster lint config.yaml
+
+# JSON output with custom domain validation
+REPLICATED_API_TOKEN="your-token" \
+REPLICATED_API_ORIGIN="https://api.replicated.com/vendor" \
+REPLICATED_APP="your-app-id" \
+embedded-cluster lint -o json config.yaml
+```
+
+## Validation Rules
+
+### 1. YAML Syntax Validation (ERROR)
+Validates basic YAML syntax before attempting content validation.
+
+**Catches:**
+- Duplicate keys
+- Unclosed quotes
+- Invalid indentation
+- Tabs mixed with spaces
+- Malformed YAML structures
+
+**Example:**
+```
+ERROR: Failed to validate config.yaml: YAML syntax error at line 6: key "version" already set in map
+```
+
+### 2. Port Range Validation (WARNING)
+Checks if ports specified in `unsupportedOverrides` are within the default supported range (80-32767).
+
+**Why it matters:** Ports in this range don't need to be in unsupportedOverrides - they're already supported by default.
+
+**Example:**
+```
+WARNING: config.yaml: unsupportedOverrides.builtInExtensions[adminconsole].service.nodePort: port 30000 is already supported (supported range: 80-32767) and should not be in unsupportedOverrides
+```
+
+### 3. Custom Domain Validation (ERROR)
+When environment variables are provided, validates that custom domains exist in the app's configuration.
+
+**Requires all three environment variables:**
+- `REPLICATED_API_TOKEN` - Authentication token for Replicated API
+- `REPLICATED_API_ORIGIN` - API endpoint (e.g., `https://api.replicated.com/vendor`)
+- `REPLICATED_APP` - Application ID or slug
+
+**If any are missing:** Shows informative message and skips domain validation.
+
+**Example:**
+```
+ERROR: config.yaml: domains.replicatedAppDomain: custom domain "invalid.example.com" not found in app's configured domains
+```
+
+## Exit Codes
+
+- **0**: Validation passed (may have warnings)
+- **1**: Validation failed (has errors)
+
+Warnings do NOT cause a non-zero exit code.
+
+## JSON Output
+
+Use the `-o json` or `--output json` flag for machine-parseable output:
+
+```bash
+embedded-cluster lint -o json config.yaml
+embedded-cluster lint --output json config.yaml
+```
+
+### JSON Format
+
+```json
+{
+  "files": [
+    {
+      "path": "config.yaml",
+      "valid": true,
+      "warnings": [
+        {
+          "field": "unsupportedOverrides.builtInExtensions[adminconsole].service.nodePort",
+          "message": "port 8080 is already supported (supported range: 80-32767)"
+        }
+      ]
+    }
+  ]
+}
+```
+
+### JSON Fields
+
+- `files[]` - Array of file results
+  - `path` - File path
+  - `valid` - `true` if no errors (warnings don't affect this)
+  - `errors[]` - Array of validation errors (if any)
+    - `field` - YAML path to the problematic field
+    - `message` - Error description
+  - `warnings[]` - Array of validation warnings (if any)
+    - `field` - YAML path to the field
+    - `message` - Warning description
+
+### CI/CD Integration
+
+```bash
+# Example: Fail CI build on errors, allow warnings
+if ! embedded-cluster lint -o json config.yaml > results.json 2>&1; then
+  echo "Validation failed with errors"
+  cat results.json | jq '.files[].errors'
+  exit 1
+fi
+
+# Check if there are any warnings
+if cat results.json | jq -e '.files[].warnings | length > 0' > /dev/null; then
+  echo "::warning::Lint warnings found"
+  cat results.json | jq '.files[].warnings'
+fi
+```
+
+## Verbose Mode
+
+Use the `-v` flag to see detailed information:
+
+```bash
+embedded-cluster lint -v config.yaml
+```
+
+**Shows:**
+- Environment configuration (token shown as `<set>`)
+- API endpoints being called
+- HTTP response status codes
+- Custom domains found
+- Fallback attempts to alternate endpoints
+
+**Example output:**
+```
+Environment configuration:
+  REPLICATED_API_ORIGIN: https://api.replicated.com/vendor
+  REPLICATED_APP: my-app
+  REPLICATED_API_TOKEN: <set>
+Starting custom domain validation
+Fetching channels from: https://api.replicated.com/vendor/v3/app/my-app/channels
+Attempting to fetch custom domains from: https://api.replicated.com/vendor/v3/app/my-app/custom-hostnames
+Response status: 200 200 OK
+```
+
+## Testing
+
+### Run all tests
+```bash
+go test ./pkg/lint/... -v
+```
+
+### Run specific test suites
+```bash
+# YAML syntax validation
+go test ./pkg/lint/... -run TestValidateYAMLSyntax
+
+# Port validation
+go test ./pkg/lint/... -run TestValidatePorts
+
+# API client
+go test ./pkg/lint/... -run TestAPIClient
+```
+
+### Test with example specs
+```bash
+# Test syntax errors
+./bin/embedded-cluster lint ./pkg/lint/testdata/specs/syntax-error-duplicate-key.yaml
+
+# Test port warnings
+./bin/embedded-cluster lint ./pkg/lint/testdata/specs/01-warning-port-in-range.yaml
+
+# Test valid configuration
+./bin/embedded-cluster lint ./pkg/lint/testdata/specs/04-valid-ports-outside-range.yaml
+```
+
+## Package Structure
+
+- `validator.go` - Core validation logic
+- `validator_test.go` - Validation tests
+- `api_client.go` - Replicated API client for custom domain fetching
+- `api_client_test.go` - API client tests
+- `testdata/specs/` - Example YAML files for testing
+
+## Development
+
+The lint command is currently **hidden** (not shown in `--help` output). To make it visible, modify `cmd/installer/cli/lint.go` and set `Hidden: false`.
+
+### Adding New Validation Rules
+
+1. Add validation function to `validator.go`
+2. Call it from `ValidateFile()`
+3. Return warnings or errors as appropriate
+4. Add test cases to `validator_test.go`
+5. Create example spec files in `testdata/specs/`