Replace random generated "inventory ID" #4396
Jaisheesh-2006 wants to merge 11 commits into kptdev:main
Pull request overview
This PR addresses lost-inventory behavior by making kpt live init inventory IDs deterministic (derived from namespace + --name) instead of random UUID-based values, and updates related CLI guidance/tests/docs.
Changes:
- Make `--name` mandatory for `kpt live init` and validate it against Kubernetes DNS-1123 naming rules.
- Replace auto-generated inventory IDs with a deterministic, length-prefixed SHA-1 hash.
- Update migrate/init flows, generated docs, and e2e coverage to reflect the new required `--name` behavior.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/lib/errors/resolver/live.go | Updates user-facing resolver messages to instruct using kpt live init --name=.... |
| internal/docs/generated/livedocs/docs.go | Updates generated CLI docs to reflect required --name and “advanced” inventory-id override semantics. |
| e2e/live/end-to-end-test.sh | Updates e2e invocations/assertions to pass --name and expect stable RG names. |
| commands/live/migrate/migratecmd.go | Adds guardrails in migration; however, introduces/retains error-handling issues in RG-file existence checks and malformed inventory handling. |
| commands/live/init/cmdliveinit_test.go | Reworks tests for name validation and deterministic hash expectations. |
| commands/live/init/cmdliveinit.go | Implements deterministic hash ID generation, mandatory --name, hides --inventory-id, and updates init behavior. |
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.
07896b7 to 1e0c7f5
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
@Jaisheesh-2006 please address the Copilot comments.
Pull request overview
Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.
Pull request overview
Copilot reviewed 10 out of 11 changed files in this pull request and generated 5 comments.
Hello @CsatariGergely. Thank you for bringing the Copilot suggestions to my attention. I have implemented all the requested fixes, and all tests are passing successfully. Please let me know if you need any further changes.
@Jaisheesh-2006 This is only a partial review, but what happens in case there was an old
@nagygergo Thank you for the review and for catching this. You are completely right—the current code acts as a strict gatekeeper and completely stops the migration process when it encounters an old ResourceGroup missing its inventory-id. I will handle both parts of this issue: I will add the specific test cases you requested to establish the clear baseline behavior for legacy objects. I will update the migration logic to explicitly handle these missing ID cases so the tool provides a proper reconciliation path instead of just failing. I will update the PR shortly!
Replaces random UUIDs with SHA-1 hashes derived from namespace and name to prevent lost inventory bugs. Makes --name mandatory and adds DNS-1123 validation. Hides --inventory-id to favor deterministic generation. Fixes kptdev#4387 Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
The quiet init test was changing the inventory name from inventory-18030002 back to rg-test-case-1a, causing the downstream 'status on symlink' assertion to fail. Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
- Replace IsDNS1123Subdomain with IsDNS1123Label for stricter name validation (63-char limit, no dots).
- Capture fmt.Fprintf error in generateHash.
- Validate directory-name fallback with IsDNS1123Label when --name is omitted by internal callers (e.g., migrate).
- Fix wrong error variable (err to rgFileErr) in os.Stat switch in migratecmd.go.
- Remove unreachable kf.Inventory.Name == '' guard in migratecmd.go.
- Tighten assertRGInventory bash check from -ge 1 to -eq 1.
- Remove dead generateID function and unused imports.
- Add tests for directory-name fallback validation path.
Fixes kptdev#4387
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
- Add explanatory comment for SHA-1 usage to clarify it is not for cryptographic security.
- Align assertRGInventory bash script comment with the strict -eq 1 implementation.
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
…ents
- Formatted the errNameRequired error message into a single string to improve code readability.
- Expanded the inline comment in cmdliveinit.go to clarify the rationale for using SHA-1 for deterministic ID generation.
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
add explicit CRD dependency for live apply CRD+CR e2e case
update fn-render golden output for subpackage deletion behavior
replace unsafe angle-bracket placeholders in user-facing command examples
switch live init name validation from DNS1123 label to subdomain
add tests for dotted Kubernetes names and directory fallback behavior
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
…tion
- Remove silent fallback ID in load.go that could generate a mismatched namespace-name format ID (vs the SHA-1 hash from init); add klog warning
- Mark --name as cobra-required so --help shows it and cobra rejects commands without it before reaching runE
- Improve error messages and flag descriptions with Helm release-name analogy to guide users on stable naming
- Add round-trip determinism test proving same --name + namespace always produces the same inventory-id (core fix for kptdev#4387)
- Add legacy RG reconciliation: fail with LegacyRGMissingInventoryIDError when force=false, auto-repair with --force
- Fix tautological lint in migratecmd.go switch statement
- Update e2e tests and docs to reflect mandatory --name flag
Fixes kptdev#4387
Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
ca7b848 to 893aaa5
Pull request overview
Copilot reviewed 10 out of 11 changed files in this pull request and generated 2 comments.
| if inv.InventoryID == "" { | ||
| klog.Warningf("generateInventoryObj called with empty inventoryID for %s/%s; "+ | ||
| "this should have been caught by validateInventory", inv.Namespace, inv.Name) | ||
| inv.InventoryID = fmt.Sprintf(inventoryIDfmt, inv.Namespace, inv.Name) |
The comment says not to generate a fallback inventoryID, but this branch still assigns a legacy "%s-%s" value. If this ever triggers, it will produce an inventory-id label that differs from the deterministic SHA-1 ID used by kpt live init, which can reintroduce ownership conflicts. Consider removing the fallback assignment entirely (since validateInventory already blocks this) or deriving the same SHA-1 ID here to keep behavior consistent with init.
| inv.InventoryID = fmt.Sprintf(inventoryIDfmt, inv.Namespace, inv.Name) |
| if kf.Inventory.Name == "" { | ||
| return errors.E(op, types.UniquePath(dir), | ||
| fmt.Errorf("kptfile inventory has empty name; re-run: kpt live init --name=<name>")) | ||
| } | ||
|
|
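Review bot: the re-run hint inside the fmt.Errorf string, `kpt live init --name=<name>`, uses an angle-bracket placeholder that a shell parses as redirection when the command is pasted as printed. Use a placeholder without shell metacharacters, for example an upper-case token such as NAME, or describe the expected value in words after the command.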
This empty-name guard is redundant/unreachable: kptfileutil.ValidateInventory(kf.Inventory) already errors if kf.Inventory.Name is empty/whitespace. Keeping both checks makes the control flow harder to follow; consider removing this block (or, if you want a custom message, handle it directly from the ValidateInventory error instead).
| if kf.Inventory.Name == "" { | |
| return errors.E(op, types.UniquePath(dir), | |
| fmt.Errorf("kptfile inventory has empty name; re-run: kpt live init --name=<name>")) | |
| } |
… lint issues Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>
Description
This PR replaces the generation of random UUIDs for inventory IDs with a deterministic SHA-1 hashing mechanism. By deriving the inventory ID from the package `namespace` and `--name`, we ensure that the same package configuration always maps to the same inventory object in the cluster.
Key Changes:
- `generateHash(namespace, name)` using length-prefixed SHA-1 to replace `google/uuid`.
- `--name` flag is now mandatory for `kpt live init` to ensure the hash can be consistently generated.
- `--name` input to ensure compatibility with Kubernetes resource naming conventions.
- `--inventory-id` flag from the help menu to encourage deterministic usage while maintaining backward compatibility for existing workflows.
- `kpt live migrate` to prevent operations on empty or malformed inventory names.
Motivation
Previously, re-fetching or re-initializing a package would generate a new random UUID. This led to "lost inventory" bugs where `kpt` could no longer track or prune resources previously applied to the cluster because the association (the ID) had changed. Deterministic hashing ensures that as long as the namespace and name remain constant, the inventory remains trackable across different environments and local clones.
Fixes
Fixes #4387
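The ID derivation and name validation described in this PR, as an added Go example that is not the PR's own code: `inventoryID`, `legacyID` and the exact `<len>:<value>` encoding are assumptions, since the page says only that the hash is length-prefixed SHA-1. It also shows why a plain `%s-%s` join of namespace and name is ambiguous while the length-prefixed input is not.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"regexp"
)

// DNS-1123 subdomain: lower-case RFC 1123 labels joined by dots, max 253 chars.
var dns1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// inventoryID is a hypothetical stand-in for the PR's generateHash.
// Assumed encoding: "<len>:<namespace><len>:<name>" fed to SHA-1.
func inventoryID(namespace, name string) (string, error) {
	if len(name) > 253 || !dns1123Subdomain.MatchString(name) {
		return "", errors.New("name is not a valid DNS-1123 subdomain")
	}
	h := sha1.New()
	// Length prefixes make the field boundary part of the hashed input.
	if _, err := fmt.Fprintf(h, "%d:%s%d:%s",
		len(namespace), namespace, len(name), name); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// legacyID mirrors the "%s-%s" fallback format mentioned in the review.
func legacyID(namespace, name string) string {
	return fmt.Sprintf("%s-%s", namespace, name)
}

func main() {
	// Constructed pairs that differ only in where the boundary falls.
	a, _ := inventoryID("team-a", "web")
	b, _ := inventoryID("team", "a-web")
	fmt.Println("legacy IDs collide:",
		legacyID("team-a", "web") == legacyID("team", "a-web"))
	fmt.Println("hashed IDs collide:", a == b)
	again, _ := inventoryID("team-a", "web")
	fmt.Println("stable across runs:", a == again)
	_, err := inventoryID("team-a", "My_App")
	fmt.Println("invalid name rejected:", err)
}
```
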