
Feat/4982 unwanted dependency checks

Open antoooks opened this issue 1 year ago • 17 comments

Addresses #4982

  • Add unwanted dependencies checking referring to kubernetes/kubernetes unwanted-dependencies.json file
  • Add unwanted-dependencies-check GitHub workflow

antoooks avatar Jan 08 '24 15:01 antoooks

This PR has multiple commits, and the default merge method is: merge. You can request commits to be squashed using the label: tide/merge-method-squash

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 08 '24 15:01 k8s-ci-robot

Hi @antoooks. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

k8s-ci-robot avatar Jan 08 '24 15:01 k8s-ci-robot

> The changes look good to me. Looks like this test is failing in the CI for this PR. Can it be fixed?

Hi @varshaprasad96, it is expected to fail on purpose and will be treated as an optional test, so it won't affect approval. (Please refer to the referenced issue page.)

I think since it checks on different parts of kustomize, we should have a separate PR with respective domain owners doing the fix.

antoooks avatar Feb 07 '24 18:02 antoooks

> Hi @varshaprasad96, it is expected to fail on purpose and will be treated as an optional test, so it won't affect approval. (Please refer to the referenced issue page.)

Got it! Thanks!

varshaprasad96 avatar Feb 07 '24 21:02 varshaprasad96

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: antoooks, varshaprasad96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment.
Approvers can cancel approval by writing /approve cancel in a comment.

k8s-ci-robot avatar Feb 07 '24 21:02 k8s-ci-robot

Hi! I think Kubernetes only imports the three packages below. So we need to check only those packages. https://github.com/kubernetes/kubernetes/blob/f07b47c3d1e596f53640285afb0d53a81fe6f259/go.mod#L232-L234

koba1t avatar Feb 08 '24 05:02 koba1t

> Hi! I think Kubernetes only imports the three packages below. So we need to check only those packages. https://github.com/kubernetes/kubernetes/blob/f07b47c3d1e596f53640285afb0d53a81fe6f259/go.mod#L232-L234

Noted, thanks for pointing it out

antoooks avatar Feb 08 '24 16:02 antoooks

@koba1t feedback added

antoooks avatar Feb 08 '24 16:02 antoooks

FYI, the check is meant to fail because we do have unwanted dependencies :)

antoooks avatar Feb 26 '24 16:02 antoooks

Hi @antoooks, sorry for the delayed response. It took a lot of time to investigate. I think there is something wrong with this check step.

For Example

in github.com/spf13/viper module.

in CI result

Looks like this dependency was found in the result.

...
Error: unwanted dependencies found. (github.com/spf13/viper at /home/runner/work/kustomize/kustomize/kyaml/go.sum)
Error: unwanted dependencies found. (github.com/spf13/viper at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/spf13/viper at /home/runner/work/kustomize/kustomize/api/go.sum)
...

run go mod graph

github.com/spf13/viper was required only by the sigs.k8s.io/kustomize/cmd/gorepomod module. But this module appears in the go mod graph result.

$ pwd
${HOME}/kustomize/kustomize
$ go mod graph | grep viper           
sigs.k8s.io/kustomize/cmd/gorepomod github.com/spf13/[email protected]
github.com/spf13/[email protected] github.com/fsnotify/[email protected]
github.com/spf13/[email protected] github.com/hashicorp/[email protected]
github.com/spf13/[email protected] github.com/magiconair/[email protected]
...

I ran it again after disabling gowork.

$ GOWORK=off go mod graph | grep viper
$ 

Maybe this result was mixed in the go.work results.

Could you investigate this more? If you need my help, please feel free to send a mention to me!

koba1t avatar Mar 09 '24 14:03 koba1t

> GOWORK=off go mod graph | grep viper

Hi @koba1t, thank you for checking and finding this. I have found a logic error on line 83, which is supposed to detect whether unwanted deps exist inside go.sum. But instead I wrote it as -z $(cat $file | fgrep $dep), which means "if it does not exist".

Same error also happened on line 92 with go mod graph.

antoooks avatar Mar 17 '24 17:03 antoooks
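
The inverted presence test described in the comment above, as an added example (not the PR's script): a check that reports a module only when go.sum actually lists it, matches the module path exactly, and skips allowlisted modules. The function names, the space-separated allowlist argument and the sample go.sum are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# dep_in_gosum MODULE FILE: succeed only if FILE has a go.sum entry whose
# module path (field 1) is exactly MODULE, so a mere prefix does not match.
dep_in_gosum() {
    awk -v dep="$1" '$1 == dep { found = 1 } END { exit !found }' "$2"
}

# find_unwanted FILE UNWANTED ALLOWED: print each module in the space-separated
# UNWANTED list that is present in FILE and not in the space-separated ALLOWED list.
find_unwanted() {
    file=$1 unwanted=$2 allowed=$3
    for dep in $unwanted; do
        case " $allowed " in *" $dep "*) continue ;; esac
        # A test of the form [ -z "$(fgrep "$dep" "$file")" ] is true when the
        # module is ABSENT; report only when the lookup succeeds.
        if dep_in_gosum "$dep" "$file"; then
            printf '%s\n' "$dep"
        fi
    done
}

# Constructed go.sum sample (versions and hashes are placeholders).
sample_gosum() {
    cat <<'EOF'
github.com/pkg/errors v0.0.0 h1:PLACEHOLDER=
github.com/pkg/errors v0.0.0/go.mod h1:PLACEHOLDER=
github.com/mailru/easyjson v0.0.0 h1:PLACEHOLDER=
github.com/example/viperish v0.0.0 h1:PLACEHOLDER=
EOF
}

# demo: pkg/errors is allowlisted, spf13/viper is absent, and example/viper is
# only a prefix of an entry, so mailru/easyjson is the single finding.
demo() {
    tmp=$(mktemp) || return 1
    sample_gosum > "$tmp"
    find_unwanted "$tmp" \
        "github.com/pkg/errors github.com/mailru/easyjson github.com/spf13/viper github.com/example/viper" \
        "github.com/pkg/errors"
    rm -f "$tmp"
}

demo
```
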

New changes are detected. LGTM label has been removed.

k8s-ci-robot avatar Mar 17 '24 17:03 k8s-ci-robot

Thanks for your great work, @antoooks!

But I'm still concerned that the unwanted-dependencies-check is still down... Maybe you need to look at "status.unwantedReferences" in the hack/unwanted-dependencies.json file. https://github.com/kubernetes/kubernetes/blob/aa73f3163a52e9a99df01b86f60eeed31abd54d9/cmd/dependencyverifier/dependencyverifier.go#L46-L48

Because I think this entry is for the exceptions to the unwanted dependencies list. https://github.com/kubernetes/kubernetes/pull/116598/files#diff-09f70f26cff6c34dc0063a45ca43cf5025d653058b06f7966fc8e6f3b9cecd3eR102

koba1t avatar Mar 18 '24 18:03 koba1t

> Thanks for your great work, @antoooks!
>
> But I'm still concerned that the unwanted-dependencies-check is still down... Maybe you need to look at "status.unwantedReferences" in the hack/unwanted-dependencies.json file. https://github.com/kubernetes/kubernetes/blob/aa73f3163a52e9a99df01b86f60eeed31abd54d9/cmd/dependencyverifier/dependencyverifier.go#L46-L48
>
> Because I think this entry is for the exceptions to the unwanted dependencies list. https://github.com/kubernetes/kubernetes/pull/116598/files#diff-09f70f26cff6c34dc0063a45ca43cf5025d653058b06f7966fc8e6f3b9cecd3eR102

Hey @koba1t, thanks for the feedback. Do you mean we need to whitelist dependencies in the PR commit you are referring to in your comment?

antoooks avatar Mar 19 '24 17:03 antoooks

> Hey @koba1t, thanks for the feedback. Do you mean we need to whitelist dependencies in the PR commit you are referring to in your comment?

I think that is better because we have a few unwanted dependencies that we can't delete. For example, github.com/pkg/errors was required by the evanphx/json-patch package, and we can't delete this dependency. https://github.com/evanphx/json-patch/blob/master/v5/go.mod#L7

koba1t avatar Mar 20 '24 19:03 koba1t

Hi @koba1t, I have integrated all the changes we discussed. However, it seems that the unwanted deps list on k/k has changed. Could you check which deps I need to put into the whitelist?

antoooks avatar Apr 16 '24 14:04 antoooks

 2024-03-27 15:06:09 (33.8 MB/s) - ‘/home/runner/work/kustomize/kustomize/hack/unwanted-dependencies.json’ saved [11055/11055]

Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/api/go.sum)
Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kyaml/go.sum)
Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/api/go.sum)

The above dependencies are listed on the whitelist. https://github.com/kubernetes/kubernetes/blob/d831b13e6f6fb5efb566100286190fedca6dd340/hack/unwanted-dependencies.json#L162-L183

Maybe it is better to find the whitelist from the unwanted-dependencies.json file on k/k.

koba1t avatar Apr 17 '24 15:04 koba1t

> 2024-03-27 15:06:09 (33.8 MB/s) - ‘/home/runner/work/kustomize/kustomize/hack/unwanted-dependencies.json’ saved [11055/11055]
>
> Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
> Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/api/go.sum)
> Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kyaml/go.sum)
> Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
> Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/api/go.sum)
>
> The above dependencies are listed on the whitelist. https://github.com/kubernetes/kubernetes/blob/d831b13e6f6fb5efb566100286190fedca6dd340/hack/unwanted-dependencies.json#L162-L183
>
> Maybe it is better to find the whitelist from the unwanted-dependencies.json file on k/k.

Thanks for the note @koba1t, fixed in the subsequent commit.

antoooks avatar May 08 '24 10:05 antoooks