feat: Enhance nomos vet with flag validation and raw resource processing

[cowsking]

This commit expands the nomos vet command's capabilities by:

• Introducing a flag validation, including specific handling for --skip-group.
• Adding new unit tests within the vet package, alongside new test cases (TestVetSkipGroup, TestVetFlagExclusion), to ensure correct behavior and validation of these enhancements.

These changes specifically address issue #1633, where nomos vet failed to validate OPA Gatekeeper custom resources when a ConstraintTemplate and its corresponding Constraint were present in the same commit. The improved raw resource processing and flag handling now allow nomos vet to correctly process such configurations, preventing the KNV1021 error.

[google-oss-prow]

Hi @cowsking. Thanks for your PR.

I'm waiting for a GoogleContainerTools member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gemini-code-assist]

Summary of Changes

Hello @cowsking, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the nomos vet command by improving its handling of custom resources, particularly those from OPA Gatekeeper. It introduces a new mechanism to selectively bypass API server validation for specific API groups, which is crucial for correctly processing configurations where custom resource definitions and their instances are introduced concurrently. This change ensures more robust and accurate validation without requiring a live API server for certain resource types.

Highlights

• New Flag Introduction: Introduced a new flag, --no-api-server-check-for-group, to the nomos vet command. This flag allows users to specify a comma-separated list of API Groups for which API server validation should be skipped, specifically addressing issues with Gatekeeper custom resources.
• Flag Exclusivity Validation: Implemented validation logic to ensure that the --no-api-server-check and --no-api-server-check-for-group flags cannot be used simultaneously, preventing conflicting behavior.
• Enhanced Raw Resource Processing: Modified the nomos vet command's raw resource processing to conditionally ignore KNV1021 errors (unknown GVKs) for API groups specified by the new --no-api-server-check-for-group flag. This resolves an issue where nomos vet failed to validate OPA Gatekeeper custom resources when a ConstraintTemplate and its corresponding Constraint were present in the same commit.
• New Utility Package: Added a new utility package pkg/util/gvkutil to handle GroupKind pattern matching, which is used for the new flag's functionality.
• Comprehensive Testing: Included new unit tests for the flag exclusivity validation and the gvkutil package, along with new e2e test data for Gatekeeper ConstraintTemplate and Constraint to verify the fix for issue Nomos vet fails to validate OPA Gatekeeper custom resource when ConstraintTemplate is in the same commit #1633.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[google-oss-prow]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tiffanny29631 for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gemini-code-assist]

Code Review

This pull request enhances the nomos vet command by introducing a --no-api-server-check-for-group flag to skip API server validation for specific resource groups, which resolves an issue with OPA Gatekeeper resources. The changes include adding the new flag, implementing validation to ensure it's not used with the existing --no-api-server-check flag, and updating the resource processing logic to respect the new flag. The accompanying tests are a good addition. My review includes a critical fix to prevent unintended error suppression and a suggestion to improve test robustness.

[cowsking]

/ok-to-test

[google-oss-prow]

@cowsking: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mikebz]

/ok-to-test

[Copilot]

Pull Request Overview

This PR introduces a new flag --no-api-server-check-for-group to skip API server validation for specific API groups, providing a more granular alternative to the existing --no-api-server-check flag. This is particularly useful for scenarios like Gatekeeper constraint templates where the GVK may not be discoverable but should still be validated.

• Added a new utility package gvkutil for parsing and matching GroupKind patterns
• Implemented flag exclusivity validation to prevent simultaneous use of both flags
• Integrated the new flag into the validation flow to skip errors for matching GVKs

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/util/gvkutil/gvk.go	New utility for parsing group patterns and matching GroupKind objects
pkg/util/gvkutil/gvk_test.go	Test coverage for the new gvkutil package
pkg/validate/fileobjects/raw.go	Integrated gvkutil to skip errors for matching GVKs during validation
cmd/nomos/flags/flags.go	Added the new --no-api-server-check-for-group flag definition
cmd/nomos/vet/vet.go	Added PreRunE validation to ensure flag exclusivity
cmd/nomos/vet/vet_test.go	Tests for flag exclusivity validation
e2e/testdata/gatekeeper-skip-gvk/constraint.yaml	Test data for Gatekeeper constraint
e2e/testdata/gatekeeper-skip-gvk/constraint-template.yaml	Test data for Gatekeeper constraint template

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mikebz]

this seems pretty long... I would consider something shorter.

[cowsking]

It was designed to name as skip-gvk but we wanted it to align with no-api-server-check. go/nomos-vet-skip-gvk-dd

[Copilot]

Pull Request Overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.