feat: Add TestVetSkipGroup and TestVetFlagExclusion for nomos vet flag validation.

Author: cowsking

cmd/nomos/flags/flags.go

@@ -40,6 +40,9 @@ const (
 	// SkipAPIServerFlag is the flag name for SkipAPIServer below.
 	SkipAPIServerFlag = "no-api-server-check"
 
+	// NoAPIServerCheckForGroupFlag is the flag name for NoAPIServerCheckForGroup below.
+	NoAPIServerCheckForGroupFlag = "no-api-server-check-for-group"
+
 	// OutputYAML specifies exporting the output in YAML format.
 	OutputYAML = "yaml"
 
@@ -64,6 +67,9 @@ var (
 	// SkipAPIServer directs whether to try to contact the API Server for checks.
 	SkipAPIServer bool
 
+	// NoAPIServerCheckForGroup contains the list of API Groups to skip API server validation for.
+	NoAPIServerCheckForGroup []string
+
 	// SourceFormat indicates the format of the Git repository.
 	SourceFormat string
 
@@ -101,6 +107,12 @@ func AddSkipAPIServerCheck(cmd *cobra.Command) {
 		"If true, disables talking to the API Server for discovery.")
 }
 
+// AddNoAPIServerCheckForGroup adds the --no-api-server-check-for-group flag.
+func AddNoAPIServerCheckForGroup(cmd *cobra.Command) {
+	cmd.Flags().StringSliceVar(&NoAPIServerCheckForGroup, NoAPIServerCheckForGroupFlag, nil,
+		"Accepts a comma-separated list of API Groups for which **all** resources will be skipped during processing (e.g., 'constraints.gatekeeper.sh'). This excludes objects in these groups from all validation and processing, not just API server validation.")
+}
+
 // AllClusters returns true if all clusters should be processed.
 func AllClusters() bool {
 	return Clusters == nil

cmd/nomos/vet/vet.go

@@ -21,6 +21,7 @@ import (
 	"github.com/GoogleContainerTools/config-sync/cmd/nomos/flags"
 	"github.com/GoogleContainerTools/config-sync/pkg/api/configsync"
 	"github.com/GoogleContainerTools/config-sync/pkg/importer/analyzer/validation/system"
+	"github.com/GoogleContainerTools/config-sync/pkg/util/gvkutil"
 	"github.com/spf13/cobra"
 )
 
@@ -35,6 +36,7 @@ func init() {
 	flags.AddClusters(Cmd)
 	flags.AddPath(Cmd)
 	flags.AddSkipAPIServerCheck(Cmd)
+	flags.AddNoAPIServerCheckForGroup(Cmd)
 	flags.AddSourceFormat(Cmd)
 	flags.AddOutputFormat(Cmd)
 	flags.AddAPIServerTimeout(Cmd)
@@ -75,15 +77,27 @@ returns a non-zero error code if any issues are found.
   nomos vet --path=my/directory
   nomos vet --path=/path/to/my/directory`,
 	Args: cobra.ExactArgs(0),
+	PreRunE: func(_ *cobra.Command, _ []string) error {
+		if flags.SkipAPIServer && len(flags.NoAPIServerCheckForGroup) > 0 {
+			return fmt.Errorf("cannot use --%s with --%s", flags.SkipAPIServerFlag, flags.NoAPIServerCheckForGroupFlag)
+		}
+		return nil
+	},
 	RunE: func(cmd *cobra.Command, _ []string) error {
 		// Don't show usage on error, as argument validation passed.
 		cmd.SilenceUsage = true
 
+		skippedGVKs, err := gvkutil.ParsePatterns(flags.NoAPIServerCheckForGroup)
+		if err != nil {
+			return err
+		}
+
 		return runVet(cmd.Context(), cmd.OutOrStderr(), vetOptions{
 			Namespace:        namespaceValue,
 			SourceFormat:     configsync.SourceFormat(flags.SourceFormat),
 			APIServerTimeout: flags.APIServerTimeout,
 			MaxObjectCount:   threshold,
+			SkippedGVKs:      skippedGVKs,
 		})
 	},
 }

cmd/nomos/vet/vet_impl.go

@@ -36,13 +36,15 @@ import (
 	"github.com/GoogleContainerTools/config-sync/pkg/parse"
 	"github.com/GoogleContainerTools/config-sync/pkg/reconcilermanager"
 	"github.com/GoogleContainerTools/config-sync/pkg/status"
+	"github.com/GoogleContainerTools/config-sync/pkg/util/gvkutil"
 )
 
 type vetOptions struct {
 	Namespace        string
 	SourceFormat     configsync.SourceFormat
 	APIServerTimeout time.Duration
 	MaxObjectCount   int
+	SkippedGVKs      []gvkutil.Pattern
 }
 
 // vet runs nomos vet with the specified options.
@@ -102,6 +104,7 @@ func runVet(ctx context.Context, out io.Writer, opts vetOptions) error {
 	}
 	validateOpts.FieldManager = util.FieldManager
 	validateOpts.MaxObjectCount = opts.MaxObjectCount
+	validateOpts.SkippedGVKs = opts.SkippedGVKs
 
 	switch sourceFormat {
 	case configsync.SourceFormatHierarchy:

cmd/nomos/vet/vet_test.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/GoogleContainerTools/config-sync/cmd/nomos/flags"
@@ -50,6 +51,7 @@ func resetFlags() {
 	keepOutput = false
 	outPath = flags.DefaultHydrationOutput
 	flags.OutputFormat = flags.OutputYAML
+	flags.NoAPIServerCheckForGroup = nil
 }
 
 var examplesDir = cmpath.RelativeSlash("../../../examples")
@@ -180,6 +182,75 @@ func TestVet_MultiCluster(t *testing.T) {
 	}
 }
 
+func TestVet_FlagExclusivity(t *testing.T) {
+	testCases := []struct {
+		name          string
+		flags         []string
+		expectError   bool
+		expectedError string
+	}{
+		{
+			name:          "Both flags used",
+			flags:         []string{"--no-api-server-check", "--no-api-server-check-for-group=constraints.gatekeeper.sh"},
+			expectError:   true,
+			expectedError: "cannot use --no-api-server-check with --no-api-server-check-for-group",
+		},
+		{
+			name:        "Only --no-api-server-check used",
+			flags:       []string{"--no-api-server-check"},
+			expectError: false,
+		},
+		{
+			name:        "Only --no-api-server-check-for-group used",
+			flags:       []string{"--no-api-server-check-for-group=constraints.gatekeeper.sh"},
+			expectError: false,
+		},
+		{
+			name:        "No flags used",
+			flags:       []string{},
+			expectError: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			resetFlags()
+			// We need a valid directory for the command to run, even though we're testing flag validation.
+			tmpDir, err := os.MkdirTemp("", "nomos-vet-test")
+			require.NoError(t, err)
+			t.Cleanup(func() {
+				err := os.RemoveAll(tmpDir)
+				require.NoError(t, err)
+			})
+
+			// Reset flags to a clean state for each test case.
+			flags.SkipAPIServer = false
+			flags.NoAPIServerCheckForGroup = nil
+
+			// Set the flags for the current test case.
+			var groups []string
+			for _, f := range tc.flags {
+				if f == "--no-api-server-check" {
+					flags.SkipAPIServer = true
+				} else if strings.HasPrefix(f, "--no-api-server-check-for-group=") {
+					parts := strings.SplitN(f, "=", 2)
+					groups = append(groups, strings.Split(parts[1], ",")...)
+				}
+			}
+			flags.NoAPIServerCheckForGroup = groups
+
+			err = Cmd.PreRunE(Cmd, nil)
+
+			if tc.expectError {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedError)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
 func TestVet_Threshold(t *testing.T) {
 	Cmd.SilenceUsage = true
 

e2e/testcases/cli_test.go

@@ -1278,6 +1278,34 @@ func TestNomosStatusNameFilter(t *testing.T) {
 	}
 }
 
+func TestVetSkipGVK(t *testing.T) {
+	nt := nomostest.New(t, nomostesting.NomosCLI,
+		ntopts.SyncWithGitSource(nomostest.DefaultRootSyncID, ntopts.Unstructured),
+	)
+
+	rootRepo := nt.SyncSourceGitReadWriteRepository(nomostest.DefaultRootSyncID)
+
+	nt.Must(rootRepo.Copy("../testdata/gatekeeper-skip-gvk", "acme"))
+	if err := rootRepo.CommitAndPush("add gatekeeper constraint template and constraint"); err != nil {
+		nt.T.Fatal(err)
+	}
+
+	// First, run `nomos vet` without the flag and expect a failure.
+	out, err := nt.Shell.Command("nomos", "vet", "--path", rootRepo.Root, "--source-format=unstructured").CombinedOutput()
+	if err == nil {
+		t.Fatal("expected `nomos vet` to fail but it passed")
+	}
+	// Check for KNV1021 error.
+	if !strings.Contains(string(out), "KNV1021") {
+		t.Fatalf("expected KNV1021 error, but got: %v", string(out))
+	}
+
+	// Now, run `nomos vet` with the flag and expect it to pass.
+	output, err := nt.Shell.Command("nomos", "vet", "--path", rootRepo.Root, "--source-format=unstructured", "--no-api-server-check-for-group=templates.gatekeeper.sh,constraints.gatekeeper.sh").CombinedOutput()
+	nt.Must(output, err)
+
+}
+
 func TestApiResourceFormatting(t *testing.T) {
 	nt := nomostest.New(t, nomostesting.NomosCLI)
 
@@ -1296,6 +1324,18 @@ func TestApiResourceFormatting(t *testing.T) {
 	assert.Equal(t, columnName, header)
 }
 
+func TestVetFlagExclusion(t *testing.T) {
+	nt := nomostest.New(t, nomostesting.NomosCLI, ntopts.SkipConfigSyncInstall)
+
+	out, err := nt.Shell.Command("nomos", "vet", "--no-api-server-check", "--no-api-server-check-for-group=constraints.gatekeeper.sh").CombinedOutput()
+	if err == nil {
+		t.Fatal("expected `nomos vet` to fail but it passed")
+	}
+	if !strings.Contains(string(out), "cannot use --no-api-server-check with --no-api-server-check-for-group") {
+		t.Fatalf("expected error message, but got: %v", string(out))
+	}
+}
+
 func TestNomosMigrate(t *testing.T) {
 	nt := nomostest.New(t, nomostesting.NomosCLI, ntopts.SkipConfigSyncInstall)
 

e2e/testdata/gatekeeper-skip-gvk/constraint-template.yaml

@@ -0,0 +1,33 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8srequiredlabels
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sRequiredLabels
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |-
+        package k8srequiredlabels
+        violation[{"msg": msg, "details": {"missing_labels": missing}}] {
+          provided := {label | input.review.object.metadata.labels[label]}
+          required := {label | label := input.parameters.labels[_]}
+          missing := required - provided
+          count(missing) > 0
+          msg := sprintf("you must provide labels: %v", [missing])
+        }

e2e/testdata/gatekeeper-skip-gvk/constraint.yaml

@@ -0,0 +1,24 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sRequiredLabels
+metadata:
+  name: ns-must-have-gk-label
+spec:
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Namespace"]
+  parameters:
+    labels: ["gatekeeper"]

pkg/util/gvkutil/gvk.go

@@ -0,0 +1,47 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gvkutil
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// Pattern represents a pattern to match against a GroupKind.
+type Pattern struct {
+	Group string
+}
+
+// ParsePatterns parses a slice of strings into a slice of Patterns.
+// Each string is expected to be a group.
+func ParsePatterns(rawPatterns []string) ([]Pattern, error) {
+	if rawPatterns == nil {
+		return []Pattern{}, nil
+	}
+	patterns := make([]Pattern, 0, len(rawPatterns))
+	for _, p := range rawPatterns {
+		patterns = append(patterns, Pattern{Group: p})
+	}
+	return patterns, nil
+}
+
+// Matches checks if the given GroupKind matches any of the patterns.
+func Matches(gk schema.GroupKind, patterns []Pattern) bool {
+	for _, p := range patterns {
+		if gk.Group == p.Group {
+			return true
+		}
+	}
+	return false
+}