Changed annotation from app.oam.dev/autoRevision to
policy.oam.dev/autoRevision to better indicate its purpose and
prevent misuse in other areas of the codebase.
This annotation specifically controls whether application-scoped
policy transforms should create new ApplicationRevisions.
Updated:
- labels.go: Changed constant value
- devlogs: Updated all references in documentation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
When policies retrigger with autoRevision=true, components were not
redeploying even though new ApplicationRevisions were created. The
dispatcher was comparing component properties against the NEW revision
(which already had policy transforms) instead of the PREVIOUS revision.
Changes:
- generator.go: Pass latestAppRev to generateDispatcher()
- dispatcher.go: Add previousAppRev parameter and conditional comparison
logic based on autoRevision annotation
- When autoRevision=true: Compare against previous revision to detect
policy-driven changes
- When autoRevision=false (default): Use existing logic for backward
compatibility
Added documentation noting that the default comparison logic seems
unclear and may need future simplification.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added helper functions to support simplified policy architecture:
- extractRenderedSpec() - extract spec from policy results
- extractRenderedMetadata() - extract labels/annotations/context
- applyMetadataToApp() - apply metadata to Application CR
- applySpecToApp() - apply spec to Application
- renderAllPolicies() - render both global and explicit policies together
These will be used in the refactored ApplyApplicationScopeTransforms.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added app.oam.dev/autoRevision annotation to control whether policies
can modify Application.Spec and trigger new ApplicationRevisions.
Changes:
- Added AnnotationAutoRevision constant to pkg/oam/labels.go
- Added shouldAutoCreateRevision() helper function
- Orthogonal to autoUpdate (which controls definition version updates)
- Consistent naming: autoRevision (not auto-revision) matches autoUpdate
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit captures the cascade invalidation exploration before
we pivot to a simpler design. Key changes:
1. computeCascadeID() only hashes spec fields (not metadata)
2. computeApplicationHash() only hashes spec (not labels/annotations)
3. Application hash computed BEFORE policies run
4. Attempted to integrate explicit policies into new flow
Design Decision: This approach is too complex. We're pivoting to:
- Simple 1-minute in-memory cache
- Always render policies
- Store rendered vs applied spec in ConfigMap
- Auto-update annotation for spec changes
This commit preserved for historical reference.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Part 3 of Policy API Redesign - updated both tests and implementation:
**Test changes (policy_transforms_test.go):**
- Updated all 25 PolicyDefinition templates to use new API syntax
- Old: `enabled: true` at root level
- New: `config: { enabled: true }`
**Implementation changes (policy_transforms.go):**
- Added PolicyConfig struct with enabled and cacheDuration fields
- Updated extractEnabled() to support both new and old API:
- Tries config.enabled first (new API)
- Falls back to root enabled (old API, backwards compatible)
- Defaults to true if neither exists
**Testing:**
- Tests now pass with new API syntax
- Backwards compatibility maintained for old API
- TDD approach: updated tests first, then implementation
**Next:**
- Part 4: Per-output-type refresh control (config.refresh)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Updated all tests to use the new 'output' API structure instead of the old
'transforms' API. Key changes:
1. Fixed RenderedPolicyResult usage in tests
- Changed Output field to Transforms field (stores *PolicyOutput)
- Added missing Transforms field for tests calling applyRenderedPolicyResult
2. Fixed CUE templates in policy tests
- Changed 'additionalContext' to 'output.ctx' (3 templates)
- Fixed kube.#Get usage to avoid double-defining output (2 templates)
- Changed test expectations from 'transforms' to 'output' key in ConfigMap
3. Removed deprecated transforms API validation
- Removed test checking for old transforms API rejection
- Removed extractTransforms() function and its callers
- Removed PolicyTransforms validation logic
4. Fixed nil pointer bugs in revision comparison
- Added nil checks in DeepEqualRevision for definition maps
- Added nil check in gatherRevisionSpec for nil appfile parameter
All policy transform tests now pass successfully.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Completes the test migration for the transforms → output API change.
## Test Migrations
### policy_transforms_test.go (29 transforms → output)
- 21 labels transforms → output.labels
- 7 spec transforms → output.components
- 1 annotations transform → output.annotations
All type/value wrappers removed for cleaner syntax.
### policy_validation_test.go
Already migrated in previous commit.
## Regression Tests Added
### Test 1: Policy spec modifications preserved across status patch
Verifies fix for bug where UpdateAppLatestRevisionStatus() lost
policy-modified spec during Status().Patch() operation.
Tests that after applying a policy that modifies components, the
modifications survive the status update operation.
### Test 2: JSON normalization prevents infinite ApplicationRevisions
Verifies fix for bug where RawExtension JSON with different byte
representations caused infinite revision creation.
Tests that semantically identical JSON with different field order
produces identical normalized bytes and matching hashes.
## Additional Changes
- Minor whitespace cleanup in application_controller.go
- Import reordering in suite_test.go
- Formatting alignment in references/cli/policy.go
All tests now use the new output API exclusively.
Populate policy context with explicit fields and filtered metadata
using the existing process.Context infrastructure, providing a
secure and user-friendly API for policy templates.
Changes:
- Populate ContextData with filtered labels/annotations (via filterUserMetadata)
- Add explicit fields: appName, namespace, appRevision, appRevisionNum
- Use process.Context.BaseContextFile() to inject context into CUE
- Reuses existing context infrastructure (same as components/workflows)
Context fields now available in policies:
- context.appName - explicit application name
- context.namespace - explicit namespace
- context.appRevision - explicit revision name
- context.appRevisionNum - explicit revision number
- context.appLabels - filtered user labels (internal prefixes removed)
- context.appAnnotations - filtered user annotations (internal prefixes removed)
Security: Filtered metadata isolates policy context from components/workflows:
- Policies: get filtered labels/annotations (secure)
- Components/workflows: get unfiltered labels/annotations (unchanged)
- Policy additionalContext flows via Go context to components as context.custom
Tests:
- Verify explicit fields accessible in policies
- Verify user metadata accessible (filtered)
- Verify internal metadata filtered out
Part of Policy Refactor Plan v3 - Part 1.2 & 1.3: Foundation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add filterUserMetadata() function to filter out internal/system
labels and annotations from policy context, preventing policies
from accessing sensitive KubeVela/Kubernetes internal metadata.
Implementation:
- Uses map-based prefix lookup for O(1) performance
- Filters prefixes: app.oam.dev/, oam.dev/, kubectl.kubernetes.io/,
kubernetes.io/, k8s.io/, helm.sh/, app.kubernetes.io/
- Optimized for hot path (runs on every reconciliation with policies)
- Returns nil for empty results to avoid unnecessary allocations
Tests:
- Filter internal vs user metadata
- Handle empty inputs
- Handle keys without prefixes
- Verify all internal prefixes are excluded
Part of Policy Refactor Plan v3 - Part 1.1: Foundation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Webhook Upgrade Validation / webhook-upgrade-check (push) Failing after 2m0s
- Added GetCUExParameterValue()
function that uses cuex.DefaultCompiler instead
of standard CUE compiler
- Added GetParametersWithCuex() function with cuex support
- Updated GetBaseResourceKinds() to use cuex compiler
- Updated all callers to use cuex-aware functions
Fixes#7012
Signed-off-by: GoGstickGo <janilution@gmail.com>
* Feat(KEP): Nested Definition Rendering (Compositions)
Signed-off-by: Brian Kane <briankane1@gmail.com>
* Feat(KEP) #6990 - Nested Definition Rendering (Compositions) - Minor Updates
Signed-off-by: Brian Kane <briankane1@gmail.com>
---------
Signed-off-by: Brian Kane <briankane1@gmail.com>
* refactor: pre-start hook implementation
- Introduced a new `hook.go` file defining the `PreStartHook` interface for pre-start validation hooks.
- Removed the old `pre_start_hook.go` file which contained the `SystemCRDValidationHook` implementation.
- Updated the server initialization code to use the new hook structure, specifically integrating the `crdvalidation` package for pre-start validation.
- Enhanced logging for pre-start hook execution to improve clarity on hook names and execution results.
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: move color writer implementation to logging package and update usage in server setup
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: rename Hook to CRDValidation for clarity and consistency
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: reorder import statements for consistency
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: replace hardcoded namespace with variable in cleanup function
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: rename CRDValidation type to Hook for consistency
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: enhance CRD validation hook with custom client support and improved error handling
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: extend timeout for CRD validation hook and improve error handling for slow API servers
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: remove redundant comments from PreStartHook definition
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
---------
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* Feat: Add integration test setup and cleanup scripts, enhance server testing capabilities
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* Refactor: Rename variables for clarity and consistency in core command handling
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* refactor: Remove redundant server test targets and enhance logging in core command execution
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* Refactor server tests and enhance E2E testing setup
- Updated server_test.go to improve test organization and clarity, including the addition of BeforeSuite and AfterSuite for environment setup and teardown.
- Enhanced the waitWebhookSecretVolume tests to cover various scenarios including empty directories and files.
- Added new tests for syncConfigurations and logging setup functions to ensure proper configuration handling.
- Introduced a new E2E test for the main function in main_e2e_test.go to validate the core functionality of the application.
- Improved the e2e.mk file to set up a k3d cluster for running main_e2e_test with embedded test binaries and added cleanup steps.
- Removed the setup-integration-tests.sh script as its functionality is now integrated into the Makefile.
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* Refactor: improve multicluster test timeouts
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
---------
Signed-off-by: Ayush Kumar <ayushshyamkumar888@gmail.com>
* feat(addon): Store addon registry tokens in Secrets
Previously, addon registry tokens were stored in plaintext within the 'vela-addon-registry' ConfigMap. This is not a secure practice for sensitive data.
This commit refactors the addon registry functionality to store tokens in Kubernetes Secrets. The ConfigMap now only contains a reference to the secret name, while the token itself is stored securely.
This change includes:
- Creating/updating secrets when a registry is added/updated.
- Loading tokens from secrets when a registry is listed/retrieved.
- Deleting secrets when a registry is deleted.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* test(addon): Add tests for registry token secret storage
This commit introduces a comprehensive test suite for the addon registry feature.
It includes:
- Isolated unit tests for each CRUD operation (Add, Update, List, Get, Delete) to ensure each function works correctly in isolation.
- A stateful integration test to validate the complete lifecycle of an addon registry from creation to deletion.
The tests verify that tokens are handled correctly via Kubernetes Secrets, confirming the implementation of the secure token storage feature.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): improve addon registry robustness and fix bugs
This commit introduces several improvements to the addon registry to make it more robust and fixes several bugs.
- When updating a secret, the existing secret is now fetched and updated to avoid potential conflicts.
- Deleting a non-existent registry now returns no error, making the operation idempotent.
- Getting a non-existent registry now returns a structured not-found error.
- Loading a token from a non-existent secret is now handled gracefully.
- When setting a token directly on a git-based addon source, the token secret reference is now cleared.
- The token secret reference is now correctly copied in `SafeCopy`.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* Refactor(addon): Fix secret deletion and improve registry logic
This commit refactors the addon registry data store to fix a critical bug where deleting an addon registry would not delete its associated token secret.
The root cause was that the `GetRegistry` function, which was used by `DeleteRegistry`, would load the token from the secret and then clear the `TokenSecretRef` field on the in-memory object. This meant that when `DeleteRegistry` tried to find the secret to delete, the reference was already gone.
This has been fixed by:
1. Introducing a central `getRegistries` helper function to read the raw registry data from the ConfigMap.
2. Refactoring all data store methods (`List`, `Get`, `Add`, `Update`, `Delete`) to use this central helper, removing duplicate code.
3. Ensuring `DeleteRegistry` uses the raw, unmodified registry data so that the `TokenSecretRef` is always available for deletion.
Additionally, comprehensive unit tests for the new helper functions (`getRegistries`, `loadTokenFromSecret`, `createOrUpdateTokenSecret`) have been added to verify the fix and improve overall code quality and stability.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* feat(addon): improve addon registry token security and logging
This commit enhances the security and observability of addon registry token handling.
- Adds a warning message to users when an insecure inline token is detected in an addon registry configuration, prompting them to migrate to a more secure secret-based storage.
- Implements info-level logging to create an audit trail for token migrations, providing administrators with visibility into security-related events.
- Refactors the token migration logic into a new `migrateInlineTokenToSecret` function, improving code clarity and maintainability.
- Introduces unit tests for the `TokenSource` interface methods and the `GetTokenSource` function to ensure correctness and prevent regressions.
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
* Chore: remove comments to triger ci
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
---------
Signed-off-by: Ashvin Bambhaniya <ashvin.bambhaniya@improwised.com>
