diff --git a/.codecov.yml b/.codecov.yml index 6a2f4e1b..8f86e29e 100644 --- a/.codecov.yml +++ b/.codecov.yml @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC # SPDX-License-Identifier: Apache-2.0 +--- coverage: range: 50..80 round: down diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 2fb3c9e4..8764f8ba 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -7,13 +7,14 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - # Check for updates to GitHub Actions every week + # Check for updates to GitHub Actions every day interval: "daily" labels: - "dependencies" commit-message: prefix: "chore" include: "scope" + open-pull-requests-limit: 10 - package-ecosystem: gomod directory: / @@ -22,5 +23,6 @@ updates: labels: - "dependencies" commit-message: - prefix: "feat" + prefix: "chore" include: "scope" + open-pull-requests-limit: 10 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d7694791..d41942e9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -27,4 +27,5 @@ jobs: release-docker-latest: true release-docker-major: true release-docker-minor: true + yaml-lint-skip: false secrets: inherit diff --git a/.golangci.yaml b/.golangci.yaml index 20654aac..f4a8a995 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -26,7 +26,7 @@ issues: linters: - dupl # - funlen - + - path: main\.go # Accept TLSClientConfig with InsecureSkipVerify text: "G402:" diff --git a/.release/docker/caduceus_spruce.yaml b/.release/docker/caduceus_spruce.yaml index 626a4497..1f21f0a0 100644 --- a/.release/docker/caduceus_spruce.yaml +++ b/.release/docker/caduceus_spruce.yaml @@ -248,7 +248,7 @@ zap: # "console", as well as any third-party encodings registered via # RegisterEncoder. encoding: json - + ######################################## # Authorization Related Configuration ######################################## 
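Review bot: Go dependency bumps tagged `chore` may stop producing releases: in the gomod stanza the prefix moves from `feat` to `chore`, and if the release workflow derives versions from conventional-commit prefixes (not visible here), `chore` commits are typically ignored, so a dependency security patch could sit unpublished until an unrelated `fix`/`feat` lands. Either keep dependency bumps releasable, e.g. `prefix: "fix"` for the gomod entry, or confirm the release tooling treats `chore(deps)` as a patch bump and record that in a comment above `commit-message:`. The enclosing `updates` entry starts before the hunk, so its `schedule` and `directory` settings are not reviewed here.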
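Review bot: `yaml-lint-skip: false` reads as a no-op unless the reusable workflow's default is `true`, and the `uses:` line that defines that default is outside the hunk, so the intent is not recoverable from this file. A one-line comment above it would record why it is set explicitly, e.g. `# run the shared yamllint job; rules live in .yamllint.yml`. The `jobs` block this input belongs to starts before the hunk.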
@@ -275,21 +275,21 @@ authHeader: authToken: (( grab $AUTH_TOKEN || "dXNlcjpwYXNz" )) # capabilityCheck provides the details needed for checking an incoming JWT's -# capabilities. If the type of check isn't provided, no checking is done. The -# type can be "monitor" or "enforce". If it is empty or a different value, no -# checking is done. If "monitor" is provided, the capabilities are checked but -# the request isn't rejected when there isn't a valid capability for the -# request. Instead, a message is logged. When "enforce" is provided, a request +# capabilities. If the type of check isn't provided, no checking is done. The +# type can be "monitor" or "enforce". If it is empty or a different value, no +# checking is done. If "monitor" is provided, the capabilities are checked but +# the request isn't rejected when there isn't a valid capability for the +# request. Instead, a message is logged. When "enforce" is provided, a request # that doesn't have the needed capability is rejected. # # The capability is expected to have the format: # # {prefix}{endpoint}:{method} # -# The prefix can be a regular expression. If it's empty, no capability check +# The prefix can be a regular expression. If it's empty, no capability check # is done. The endpoint is a regular expression that should match the endpoint -# the request was sent to. The method is usually the method of the request, such as -# GET. The accept all method is a catchall string that indicates the capability +# the request was sent to. The method is usually the method of the request, such as +# GET. The accept all method is a catchall string that indicates the capability # is approved for all methods. # (Optional) # capabilityCheck: 
@@ -297,10 +297,10 @@ authToken: (( grab $AUTH_TOKEN || "dXNlcjpwYXNz" )) # type: "enforce" # # prefix provides the regex to match the capability before the endpoint. # prefix: "prefix Here" -# # acceptAllMethod provides a way to have a capability that allows all +# # acceptAllMethod provides a way to have a capability that allows all # # methods for a specific endpoint. # acceptAllMethod: "all" -# # endpointBuckets provides regular expressions to use against the request +# # endpointBuckets provides regular expressions to use against the request # # endpoint in order to group requests for a metric label. # endpointBuckets: # - "hook\\b" @@ -318,7 +318,7 @@ webhook: # Raw: parser assumes all of the token payload == JWT token # (Optional). Defaults to 'simple'. JWTParserType: (( grab $WEBHOOK_JWT_PARSER_TYPE || "raw" )) - BasicClientConfig: + BasicClientConfig: # listen is the subsection that configures the listening feature of the argus client # (Optional) listen: @@ -408,8 +408,8 @@ sender: # and marking the delivery a failure responseHeaderTimeout: 10s - # customPIDs is a custom list of allowed PartnerIDs that will be used if a message - # has no partner IDs. When empty, a message with no partner IDs will not be sent + # customPIDs is a custom list of allowed PartnerIDs that will be used if a message + # has no partner IDs. When empty, a message with no partner IDs will not be sent # to any listeners when enforcing the partner ID check. customPIDs: [] @@ -446,7 +446,7 @@ tracing: # timeouts that apply to the Argus HTTP client. # (Optional) By default, the values below will be used. argusClientTimeout: - # clientTimeout is the timeout for requests made through this + # clientTimeout is the timeout for requests made through this # HTTP client. This timeout includes connection time, any # redirects, and reading the response body. clientTimeout: 50s 
diff --git a/.release/helm/caduceus/templates/caduceus.yaml b/.release/helm/caduceus/templates/caduceus.yaml index a27f4ecf..b972080b 100644 --- a/.release/helm/caduceus/templates/caduceus.yaml +++ b/.release/helm/caduceus/templates/caduceus.yaml @@ -44,7 +44,7 @@ data: # ":443" is ideal, but may require some special handling due to it being # a reserved (by the kernel) port. address: "{{ .Values.caduceus.address.host }}:{{ .Values.caduceus.address.port }}" - # HTTPS/TLS + # HTTPS/TLS # # certificateFile provides the public key and CA chain in PEM format if # TLS is used. Note: the certificate needs to match the fqdn for clients @@ -151,7 +151,7 @@ data: # registrations defines what services caduceus should register with # consul - # + # # id - the VM/container instance name registered with consul # name - the name of service being registered # tags - a list of tags to associate with this registration @@ -165,7 +165,7 @@ data: # service is removed due to check # failures registrations: - - + - id: "caduceus-instance-123.example.com" name: "caduceus" tags: @@ -176,7 +176,7 @@ data: address: "caduceus-instance-123.example.com" port: 6001 checks: - - + - checkID: "caduceus-instance-123.example.com:ttl" ttl: "30s" deregisterCriticalServiceAfter: "70s" @@ -224,7 +224,7 @@ data: # used as authorization # (Optional) jwtValidators: - - + - keys: factory: uri: "https://jwt.example.com/keys/{keyId}" diff --git a/.release/helm/caduceus/values.yaml b/.release/helm/caduceus/values.yaml index 5af441a4..b5ce1cdb 100644 --- a/.release/helm/caduceus/values.yaml +++ b/.release/helm/caduceus/values.yaml @@ -21,7 +21,7 @@ pprof: metric: address: host: "" - port: "9389" + port: "9389" service: consul: @@ -32,5 +32,3 @@ service: # Pull secret used when images are stored in a private repository # imagePullSecretName: - - diff --git a/.yamllint.yml b/.yamllint.yml new file mode 100644 index 00000000..e59609de --- /dev/null +++ b/.yamllint.yml 
@@ -0,0 +1,38 @@ +# SPDX-FileCopyrightText: 2024 Comcast Cable Communications Management, LLC +# SPDX-License-Identifier: Apache-2.0 +--- + +extends: default + +ignore: + - .release/helm/caduceus/templates/caduceus.yaml + +rules: + braces: + level: warning + max-spaces-inside: 1 + brackets: + level: warning + max-spaces-inside: 1 + colons: + level: warning + max-spaces-after: -1 + commas: + level: warning + comments: disable + comments-indentation: disable + document-start: + present: true + empty-lines: + max: 2 + hyphens: + max-spaces-after: 1 + indentation: + level: error + indent-sequences: consistent + line-length: + level: warning + max: 90 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: true + truthy: disable diff --git a/caduceus.yaml b/caduceus.yaml index 5accabba..04badfa2 100644 --- a/caduceus.yaml +++ b/caduceus.yaml @@ -242,7 +242,7 @@ zap: # "console", as well as any third-party encodings registered via # RegisterEncoder. encoding: json - + ######################################## # Authorization Related Configuration ######################################## @@ -258,7 +258,7 @@ jwtValidator: Config: Resolve: # Template is a URI template used to fetch keys. This template may - # use a single parameter named keyID, e.g. http://keys.com/{keyID}. + # use a single parameter named keyID, e.g. http://keys.com/{keyID}. # This field is required and has no default. Template: "http://localhost/{keyID}" Refresh: 
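Review bot: The `ignore` list excludes only one Helm template file, but files under `.release/helm/caduceus/templates/` are generally Go-template text rather than parseable YAML, so any other template in that directory (none is visible in this diff) would fail the lint job; ignoring the directory is the safer rule, `- .release/helm/caduceus/templates/`. `document-start: present: true` will also flag every YAML file that lacks a leading `---`: this diff adds one to `.codecov.yml`, but the tops of `dependabot.yml`, `ci.yml` and the config files are outside the visible hunks, so confirm they comply before the lint job becomes a required check. A short header comment stating what this config is for, e.g. `# yamllint rules for CI; Helm templates are skipped because they are not valid YAML before rendering`, would help the next maintainer.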
@@ -276,21 +276,21 @@ jwtValidator: authHeader: ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=", "dXNlcjpwYXNz"] # capabilityCheck provides the details needed for checking an incoming JWT's -# capabilities. If the type of check isn't provided, no checking is done. The -# type can be "monitor" or "enforce". If it is empty or a different value, no -# checking is done. If "monitor" is provided, the capabilities are checked but -# the request isn't rejected when there isn't a valid capability for the -# request. Instead, a message is logged. When "enforce" is provided, a request +# capabilities. If the type of check isn't provided, no checking is done. The +# type can be "monitor" or "enforce". If it is empty or a different value, no +# checking is done. If "monitor" is provided, the capabilities are checked but +# the request isn't rejected when there isn't a valid capability for the +# request. Instead, a message is logged. When "enforce" is provided, a request # that doesn't have the needed capability is rejected. # # The capability is expected to have the format: # # {prefix}{endpoint}:{method} # -# The prefix can be a regular expression. If it's empty, no capability check +# The prefix can be a regular expression. If it's empty, no capability check # is done. The endpoint is a regular expression that should match the endpoint -# the request was sent to. The method is usually the method of the request, such as -# GET. The accept all method is a catchall string that indicates the capability +# the request was sent to. The method is usually the method of the request, such as +# GET. The accept all method is a catchall string that indicates the capability # is approved for all methods. # (Optional) # capabilityCheck: 
@@ -298,10 +298,10 @@ authHeader: ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=", "dXNlcjpwYXNz"] # type: "enforce" # # prefix provides the regex to match the capability before the endpoint. # prefix: "prefix Here" -# # acceptAllMethod provides a way to have a capability that allows all +# # acceptAllMethod provides a way to have a capability that allows all # # methods for a specific endpoint. # acceptAllMethod: "all" -# # endpointBuckets provides regular expressions to use against the request +# # endpointBuckets provides regular expressions to use against the request # # endpoint in order to group requests for a metric label. # endpointBuckets: # - "hook\\b" @@ -309,18 +309,19 @@ authHeader: ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=", "dXNlcjpwYXNz"] # - "notify\\b" ############################################################################## -# Webhooks Related Configuration +# Webhooks Related Configuration ############################################################################## # webhook provides configuration for storing and obtaining webhook # information using Argus. webhook: # JWTParserType establishes which parser type will be used by the JWT token # acquirer used by Argus. Options include 'simple' and 'raw'. - # Simple: parser assumes token payloads have the following structure: https://github.com/xmidt-org/bascule/blob/c011b128d6b95fa8358228535c63d1945347adaa/acquire/bearer.go#L77 + # Simple: parser assumes token payloads have the following structure: + # https://github.com/xmidt-org/bascule/blob/c011b128d6b95fa8358228535c63d1945347adaa/acquire/bearer.go#L77 # Raw: parser assumes all of the token payload == JWT token # (Optional). Defaults to 'simple'. JWTParserType: "raw" - BasicClientConfig: + BasicClientConfig: # listen is the subsection that configures the listening feature of the argus client # (Optional) listen: 
@@ -411,8 +412,8 @@ sender: # and marking the delivery a failure responseHeaderTimeout: 10s - # customPIDs is a custom list of allowed PartnerIDs that will be used if a message - # has no partner IDs. When empty, a message with no partner IDs will not be sent + # customPIDs is a custom list of allowed PartnerIDs that will be used if a message + # has no partner IDs. When empty, a message with no partner IDs will not be sent # to any listeners when enforcing the partner ID check. customPIDs: [] @@ -452,7 +453,7 @@ tracing: # timeouts that apply to the Argus HTTP client. # (Optional) By default, the values below will be used. argusClientTimeout: - # clientTimeout is the timeout for requests made through this + # clientTimeout is the timeout for requests made through this # HTTP client. This timeout includes connection time, any # redirects, and reading the response body. clientTimeout: 50s diff --git a/docs/caduceus.yaml b/docs/caduceus.yaml index 986b6a71..58885f4a 100644 --- a/docs/caduceus.yaml +++ b/docs/caduceus.yaml @@ -72,7 +72,7 @@ paths: 500: $ref: '#/components/responses/500' - + components: schemas: Event: @@ -81,11 +81,11 @@ components: url: https://xmidt.io/docs/wrp/simple-messages/#simple-event-definition type: object required: - - msg_type - - source - - dest - - payload - - session_id + - msg_type + - source + - dest + - payload + - session_id properties: msg_type: type: integer @@ -118,8 +118,8 @@ components: type: object # map[string]string additionalProperties: type: string - description: - The map of name/value pairs used by consumers of WRP messages for + description: + The map of name/value pairs used by consumers of WRP messages for filtering & other purposes. example: {"/boot-time": "1542834188","/last-reconnect-reason": "spanish inquisition" } payload: 
@@ -134,7 +134,7 @@ components: description: The information needed to register a webhook with XMiDT. type: object required: - - events + - events properties: registered_from_address: type: string @@ -150,7 +150,7 @@ components: example: https://listener.example.com/event content_type: type: string - description: + description: The type of messages desired. If "application/msgpack" is specific, the full wrp is sent to the webhook. If not, only the payload is sent. @@ -163,21 +163,21 @@ components: type: array items: type: string - description: + description: | The list of explicit URLs that should be round robin through on failure cases to the main URL. example: [] failure_url: type: string - description: - The URL used to notify subscribers when they've been cut off due to + description: + The URL used to notify subscribers when they've been cut off due to event overflow. example: https://failure-listener.example.com events: type: array items: type: string - description: + description: The list of [regular expressions](https://github.com/google/re2/wiki/Syntax) to match an event type against. example: [".*"] @@ -189,7 +189,7 @@ components: type: array items: type: string - description: + description: The list of [regular expressions](https://github.com/google/re2/wiki/Syntax) to match device id type against. example: [".*"] 
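Review bot: The `alt_urls` description is the only one switched to a literal block (`description: |`); the neighbouring `failure_url` and `events` descriptions in the same hunk stay plain multi-line scalars, which fold to one line, so `alt_urls` alone now carries an embedded newline and a trailing newline in the rendered spec. For consistency use the folded form, `description: >-`, or leave it plain like its siblings. The `Webhook` schema these properties belong to starts before the hunk.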
@@ -200,43 +200,43 @@ components: until: type: string format: date-time - description: - The time this subscription expires in + description: + The time this subscription expires in [RFC3339](https://www.rfc-editor.org/rfc/rfc3339.html) format. example: "2021-08-16T07:33:35+00:00" responses: 400: - description: + description: Bad request. More information can be found in the [HTTP RFC](https://tools.ietf.org/html/rfc7231#section-6.5.1). content: { } 401: - description: + description: Unauthorized. More information can be found in the [HTTP RFC](https://httpwg.org/specs/rfc7235.html#status.401). content: { } 403: - description: + description: Forbidden. More information can be found in the [HTTP RFC](https://httpwg.org/specs/rfc7231.html#status.403). content: { } 415: - description: + description: Unsupported media type. More information can be found in the [HTTP RFC](https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.13). content: { } 429: - description: + description: Too many requests. More information can be found in the [HTTP RFC](https://tools.ietf.org/html/rfc6585#section-4). content: { } 500: - description: + description: An internal error occurred. More information can be found in the [HTTP RFC](https://tools.ietf.org/html/rfc7231#section-6.6.1). content: { } 503: - description: + description: Service unavailable. More information can be found in the [HTTP RFC](https://datatracker.ietf.org/doc/html/rfc7231#section-6.6.4). content: { } @@ -250,4 +250,4 @@ components: basic_auth: type: http scheme: basic - description: Auth must be a base64 encoded username and password. \ No newline at end of file + description: Auth must be a base64 encoded username and password.