yaml lint

.codecov.yml

@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2023 Comcast Cable Communications Management, LLC
 # SPDX-License-Identifier: Apache-2.0
+---
 coverage:
   range: 50..80
   round: down

.github/dependabot.yml

@@ -7,13 +7,14 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      # Check for updates to GitHub Actions every week
+      # Check for updates to GitHub Actions every day
       interval: "daily"
     labels:
       - "dependencies"
     commit-message:
       prefix: "chore"
       include: "scope"
+    open-pull-requests-limit: 10
 
   - package-ecosystem: gomod
     directory: /
@@ -22,5 +23,6 @@ updates:
     labels:
       - "dependencies"
     commit-message:
-      prefix: "feat"
+      prefix: "chore"
       include: "scope"
+    open-pull-requests-limit: 10

.github/workflows/ci.yml

@@ -27,4 +27,5 @@ jobs:
       release-docker-latest: true
       release-docker-major:  true
       release-docker-minor:  true
+      yaml-lint-skip:        false
     secrets: inherit

.golangci.yaml

@@ -26,7 +26,7 @@ issues:
       linters:
         - dupl
         # - funlen
-        
+
     - path: main\.go
       # Accept TLSClientConfig with InsecureSkipVerify
       text: "G402:"

.release/docker/caduceus_spruce.yaml

@@ -248,7 +248,7 @@ zap:
   # "console", as well as any third-party encodings registered via
   # RegisterEncoder.
   encoding: json
-  
+
 ########################################
 #   Authorization Related Configuration
 ########################################
@@ -275,32 +275,32 @@ authHeader:
 authToken: (( grab $AUTH_TOKEN || "dXNlcjpwYXNz" ))
 
 # capabilityCheck provides the details needed for checking an incoming JWT's
-# capabilities.  If the type of check isn't provided, no checking is done.  The 
-# type can be "monitor" or "enforce".  If it is empty or a different value, no 
-# checking is done.  If "monitor" is provided, the capabilities are checked but 
-# the request isn't rejected when there isn't a valid capability for the 
-# request. Instead, a message is logged.  When "enforce" is provided, a request 
+# capabilities.  If the type of check isn't provided, no checking is done.  The
+# type can be "monitor" or "enforce".  If it is empty or a different value, no
+# checking is done.  If "monitor" is provided, the capabilities are checked but
+# the request isn't rejected when there isn't a valid capability for the
+# request. Instead, a message is logged.  When "enforce" is provided, a request
 # that doesn't have the needed capability is rejected.
 #
 # The capability is expected to have the format:
 #
 # {prefix}{endpoint}:{method}
 #
-# The prefix can be a regular expression.  If it's empty, no capability check 
+# The prefix can be a regular expression.  If it's empty, no capability check
 # is done.  The endpoint is a regular expression that should match the endpoint
-# the request was sent to. The method is usually the method of the request, such as 
-# GET.  The accept all method is a catchall string that indicates the capability 
+# the request was sent to. The method is usually the method of the request, such as
+# GET.  The accept all method is a catchall string that indicates the capability
 # is approved for all methods.
 # (Optional)
 # capabilityCheck:
 #   # type provides the mode for capability checking.
 #   type: "enforce"
 #   # prefix provides the regex to match the capability before the endpoint.
 #   prefix: "prefix Here"
-#   # acceptAllMethod provides a way to have a capability that allows all 
+#   # acceptAllMethod provides a way to have a capability that allows all
 #   # methods for a specific endpoint.
 #   acceptAllMethod: "all"
-#   # endpointBuckets provides regular expressions to use against the request 
+#   # endpointBuckets provides regular expressions to use against the request
 #   # endpoint in order to group requests for a metric label.
 #   endpointBuckets:
 #     - "hook\\b"
@@ -318,7 +318,7 @@ webhook:
   # Raw: parser assumes all of the token payload == JWT token
   # (Optional). Defaults to 'simple'.
   JWTParserType: (( grab $WEBHOOK_JWT_PARSER_TYPE || "raw" ))
-  BasicClientConfig: 
+  BasicClientConfig:
     # listen is the subsection that configures the listening feature of the argus client
     # (Optional)
     listen:
@@ -408,8 +408,8 @@ sender:
   # and marking the delivery a failure
   responseHeaderTimeout: 10s
 
-  # customPIDs is a custom list of allowed PartnerIDs that will be used if a message 
-  # has no partner IDs.  When empty, a message with no partner IDs will not be sent 
+  # customPIDs is a custom list of allowed PartnerIDs that will be used if a message
+  # has no partner IDs.  When empty, a message with no partner IDs will not be sent
   # to any listeners when enforcing the partner ID check.
   customPIDs: []
 
@@ -446,7 +446,7 @@ tracing:
 # timeouts that apply to the Argus HTTP client.
 # (Optional) By default, the values below will be used.
 argusClientTimeout:
-  # clientTimeout is the timeout for requests made through this 
+  # clientTimeout is the timeout for requests made through this
   # HTTP client. This timeout includes connection time, any
   # redirects, and reading the response body.
   clientTimeout: 50s

.release/helm/caduceus/templates/caduceus.yaml

@@ -44,7 +44,7 @@ data:
         # ":443" is ideal, but may require some special handling due to it being
         # a reserved (by the kernel) port.
         address: "{{ .Values.caduceus.address.host }}:{{ .Values.caduceus.address.port }}"
-        # HTTPS/TLS 
+        # HTTPS/TLS
         #
         # certificateFile provides the public key and CA chain in PEM format if
         # TLS is used.  Note: the certificate needs to match the fqdn for clients
@@ -151,7 +151,7 @@ data:
 
           # registrations defines what services caduceus should register with
           # consul
-          # 
+          #
           #     id      - the VM/container instance name registered with consul
           #     name    - the name of service being registered
           #     tags    - a list of tags to associate with this registration
@@ -165,7 +165,7 @@ data:
           #                                          service is removed due to check
           #                                          failures
           registrations:
-            - 
+            -
               id: "caduceus-instance-123.example.com"
               name: "caduceus"
               tags:
@@ -176,7 +176,7 @@ data:
               address: "caduceus-instance-123.example.com"
               port: 6001
               checks:
-                - 
+                -
                   checkID: "caduceus-instance-123.example.com:ttl"
                   ttl: "30s"
                   deregisterCriticalServiceAfter: "70s"
@@ -224,7 +224,7 @@ data:
       # used as authorization
       # (Optional)
       jwtValidators:
-        - 
+        -
           keys:
             factory:
               uri: "https://jwt.example.com/keys/{keyId}"

.release/helm/caduceus/values.yaml

@@ -21,7 +21,7 @@ pprof:
 metric:
   address:
     host: ""
-    port: "9389"  
+    port: "9389"
 
 service:
   consul:
@@ -32,5 +32,3 @@ service:
 
 # Pull secret used when images are stored in a private repository
 # imagePullSecretName:
-
-

.yamllint.yml

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2024 Comcast Cable Communications Management, LLC
+# SPDX-License-Identifier: Apache-2.0
+---
+
+extends: default
+
+ignore:
+  - .release/helm/caduceus/templates/caduceus.yaml
+
+rules:
+  braces:
+    level: warning
+    max-spaces-inside: 1
+  brackets:
+    level: warning
+    max-spaces-inside: 1
+  colons:
+    level: warning
+    max-spaces-after: -1
+  commas:
+    level: warning
+  comments: disable
+  comments-indentation: disable
+  document-start:
+    present: true
+  empty-lines:
+    max: 2
+  hyphens:
+    max-spaces-after: 1
+  indentation:
+    level: error
+    indent-sequences: consistent
+  line-length:
+    level: warning
+    max: 90
+    allow-non-breakable-words: true
+    allow-non-breakable-inline-mappings: true
+  truthy: disable

caduceus.yaml

@@ -242,7 +242,7 @@ zap:
   # "console", as well as any third-party encodings registered via
   # RegisterEncoder.
   encoding: json
-  
+
 ########################################
 #   Authorization Related Configuration
 ########################################
@@ -258,7 +258,7 @@ jwtValidator:
   Config:
     Resolve:
       # Template is a URI template used to fetch keys.  This template may
-	    # use a single parameter named keyID, e.g. http://keys.com/{keyID}.
+      # use a single parameter named keyID, e.g. http://keys.com/{keyID}.
       # This field is required and has no default.
       Template: "http://localhost/{keyID}"
     Refresh:
@@ -276,51 +276,52 @@ jwtValidator:
 authHeader: ["xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=", "dXNlcjpwYXNz"]
 
 # capabilityCheck provides the details needed for checking an incoming JWT's
-# capabilities.  If the type of check isn't provided, no checking is done.  The 
-# type can be "monitor" or "enforce".  If it is empty or a different value, no 
-# checking is done.  If "monitor" is provided, the capabilities are checked but 
-# the request isn't rejected when there isn't a valid capability for the 
-# request. Instead, a message is logged.  When "enforce" is provided, a request 
+# capabilities.  If the type of check isn't provided, no checking is done.  The
+# type can be "monitor" or "enforce".  If it is empty or a different value, no
+# checking is done.  If "monitor" is provided, the capabilities are checked but
+# the request isn't rejected when there isn't a valid capability for the
+# request. Instead, a message is logged.  When "enforce" is provided, a request
 # that doesn't have the needed capability is rejected.
 #
 # The capability is expected to have the format:
 #
 # {prefix}{endpoint}:{method}
 #
-# The prefix can be a regular expression.  If it's empty, no capability check 
+# The prefix can be a regular expression.  If it's empty, no capability check
 # is done.  The endpoint is a regular expression that should match the endpoint
-# the request was sent to. The method is usually the method of the request, such as 
-# GET.  The accept all method is a catchall string that indicates the capability 
+# the request was sent to. The method is usually the method of the request, such as
+# GET.  The accept all method is a catchall string that indicates the capability
 # is approved for all methods.
 # (Optional)
 # capabilityCheck:
 #   # type provides the mode for capability checking.
 #   type: "enforce"
 #   # prefix provides the regex to match the capability before the endpoint.
 #   prefix: "prefix Here"
-#   # acceptAllMethod provides a way to have a capability that allows all 
+#   # acceptAllMethod provides a way to have a capability that allows all
 #   # methods for a specific endpoint.
 #   acceptAllMethod: "all"
-#   # endpointBuckets provides regular expressions to use against the request 
+#   # endpointBuckets provides regular expressions to use against the request
 #   # endpoint in order to group requests for a metric label.
 #   endpointBuckets:
 #     - "hook\\b"
 #     - "hooks\\b"
 #     - "notify\\b"
 
 ##############################################################################
-# Webhooks Related Configuration 
+# Webhooks Related Configuration
 ##############################################################################
 # webhook provides configuration for storing and obtaining webhook
 # information using Argus.
 webhook:
   # JWTParserType establishes which parser type will be used by the JWT token
   # acquirer used by Argus. Options include 'simple' and 'raw'.
-  # Simple: parser assumes token payloads have the following structure: https://github.com/xmidt-org/bascule/blob/c011b128d6b95fa8358228535c63d1945347adaa/acquire/bearer.go#L77
+  # Simple: parser assumes token payloads have the following structure:
+  # https://github.com/xmidt-org/bascule/blob/c011b128d6b95fa8358228535c63d1945347adaa/acquire/bearer.go#L77
   # Raw: parser assumes all of the token payload == JWT token
   # (Optional). Defaults to 'simple'.
   JWTParserType: "raw"
-  BasicClientConfig: 
+  BasicClientConfig:
     # listen is the subsection that configures the listening feature of the argus client
     # (Optional)
     listen:
@@ -411,8 +412,8 @@ sender:
   # and marking the delivery a failure
   responseHeaderTimeout: 10s
 
-  # customPIDs is a custom list of allowed PartnerIDs that will be used if a message 
-  # has no partner IDs.  When empty, a message with no partner IDs will not be sent 
+  # customPIDs is a custom list of allowed PartnerIDs that will be used if a message
+  # has no partner IDs.  When empty, a message with no partner IDs will not be sent
   # to any listeners when enforcing the partner ID check.
   customPIDs: []
 
@@ -452,7 +453,7 @@ tracing:
 # timeouts that apply to the Argus HTTP client.
 # (Optional) By default, the values below will be used.
 argusClientTimeout:
-  # clientTimeout is the timeout for requests made through this 
+  # clientTimeout is the timeout for requests made through this
   # HTTP client. This timeout includes connection time, any
   # redirects, and reading the response body.
   clientTimeout: 50s