* Provisioning: check GH app installation permissions in Connection tester
* fixing unit tests
* updating AppPermission name in Permission to be more generic
* formatting
* adding integration tests
* formatting
* Provisioning: Add granular condition reasons for Connection Controller
This change enhances the Ready condition on Connection resources by adding
granular reasons that distinguish between different types of failures,
enabling better automation and user guidance.
**New Condition Reasons:**
1. **`InvalidConfiguration`**: Configuration issue with spec format or
structure (validation errors, invalid fields, secret errors). User must
fix configuration. Automation should NOT retry.
2. **`AuthenticationFailed`**: Authentication or authorization failed
(invalid credentials, wrong app ID, expired token, insufficient
permissions). User must fix credentials. Automation should NOT retry.
3. **`ServiceUnavailable`**: External service issue (API down, network
timeout). Issue is transient and outside user control. Automation CAN
retry with standard backoff.
4. **`RateLimited`**: External service is rate limiting requests. User may
need to take action (upgrade plan, reduce load). Automation should retry
with longer backoff and respect Retry-After headers.
**Error Classification Logic:**
HTTP status codes are mapped to condition reasons:
- 422 (validation), 500/502 (secret/build) → InvalidConfiguration
- 400/401/403 (auth errors) → AuthenticationFailed
- 503/504 (service unavailable) → ServiceUnavailable
- 429 (rate limit) → RateLimited
- Unknown errors → InvalidConfiguration (safer, prompts investigation)
**Benefits:**
- **kubectl users**: Distinguish auth failures from config issues at a glance
- **Automation**: Implement appropriate retry logic per reason type
- **UI**: Provide actionable guidance based on specific failure reason
- **Stability**: Reasons align with Kubernetes CRD conventions and can be
extended in the future without breaking changes
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Provisioning: Extract actual HTTP status codes from GitHub API errors
This commit updates the GitHub connection implementation to extract and return
actual HTTP status codes from GitHub API responses, enabling proper error
classification in the connection controller's Ready condition.
Changes:
1. **GitHub Client (client.go)**:
   - Added sentinel errors for common HTTP status codes:
     - ErrUnauthorized (401): Authentication failed
     - ErrForbidden (403): Access forbidden
     - ErrRateLimited (429): Rate limited
     - ErrServiceUnavailable (503): GitHub unavailable
   - Added extractHTTPError() to map GitHub ErrorResponse status codes to sentinel errors
   - Updated all client methods to use extractHTTPError()
2. **GitHub Connection (connection.go)**:
   - Updated Test() method to extract HTTP status codes from sentinel errors
   - Maps errors to appropriate status codes in TestResults:
     - 401/403 → ReasonAuthenticationFailed
     - 429 → ReasonRateLimited
     - 503 → ReasonServiceUnavailable
     - Default to 400 for unknown errors
3. **API Constants (health.go)**:
   - Renamed ReasonInvalidConfiguration → ReasonInvalidSpec
4. **Tests**:
   - Added tests for 401, 403, and 429 error scenarios in connection_test.go
   - Updated test expectations to match new behavior
   - All unit and integration tests pass
This enables the connection controller to properly classify GitHub API errors
and set the appropriate Ready condition reason (InvalidSpec, AuthenticationFailed,
ServiceUnavailable, or RateLimited) based on the actual HTTP status code returned
by the GitHub API.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Revert "Provisioning: Extract actual HTTP status codes from GitHub API errors"
This reverts commit b13b2c323e.
* Provisioning: Add ErrAuthentication for GitHub connection error detection
This commit adds a specific authentication error sentinel in the GitHub
connection package to distinguish authentication failures from other errors.
Changes:
1. **GitHub Client (client.go)**:
   - Added ErrAuthentication sentinel error for 401/403 responses
   - Updated GetApp() and GetAppInstallation() to check for 401/403 status codes
   - Returns ErrAuthentication when GitHub API returns authentication errors
2. **GitHub Connection (connection.go)**:
   - Updated Test() method to check for ErrAuthentication
   - Returns 401 (Unauthorized) when authentication fails
   - Returns 422 (Unprocessable Entity) for generic/spec errors instead of 400
   - Returns 503 (Service Unavailable) when GitHub is down
3. **Connection Health Controller (connection_health.go)**:
   - Simplified classification logic to only handle actual error codes:
     - 401/403 → AuthenticationFailed
     - 503 → ServiceUnavailable
     - Everything else → InvalidConfiguration (default)
   - Removed RateLimited classification (not currently detected)
4. **Tests**:
   - Updated connection tests to expect 422 instead of 400 for generic errors
   - Added test for authentication error (401) scenario
   - Updated classification tests to match simplified logic
   - All unit and integration tests pass
This enables proper detection of authentication errors while keeping the
classification logic simple and aligned with what the GitHub connection
actually returns.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
* Provisioning: Rename ReasonInvalidConfiguration to ReasonInvalidSpec
This commit renames the condition reason constant from ReasonInvalidConfiguration
to ReasonInvalidSpec for better alignment with Kubernetes naming conventions.
Changes:
1. **API Constants (health.go)**:
   - Renamed ReasonInvalidConfiguration → ReasonInvalidSpec
   - Updated constant value from "InvalidConfiguration" to "InvalidSpec"
2. **Updated all references across codebase**:
   - Controller files (connection_health.go, conditions.go)
   - Unit tests (connection_health_test.go, conditions_test.go, health_test.go)
   - Integration tests (connection_test.go)
3. **Fixed integration test expectations**:
   - Invalid installation ID test now expects ReasonInvalidSpec (not AuthenticationFailed)
   - Invalid app ID mismatch test now expects ReasonInvalidSpec (not AuthenticationFailed)
   - These are configuration errors, not authentication errors
All tests pass with the new naming.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
* WIP: working on Connections controller
* wip: iterating over connection controller
* wip: updating health checkers, using connection in controller - updating metrics
* wip: update TokenGenerator godoc
* wip: adding a bit more todos
* wip: adding unit tests, improving connection controller checks
* update refresh token policy
* updating integration test
* updating unit tests for controller
* Provisioning: Implement connection repositories endpoint for GitHub
This change implements the `/repositories` subresource endpoint for Connection
resources, enabling listing of repositories accessible through a GitHub App
connection.
Changes:
- Add ListRepositories method to Connection interface
- Add ListInstallationRepositories to GitHub Client interface
- Implement GitHub client method to list installation repositories
  - Creates installation access token from JWT
  - Handles pagination up to 1000 repos
- Implement ListRepositories in GitHub Connection
- Update connectionRepositoriesConnector to use Connection.ListRepositories
- Add ConnectionGetter interface and GetConnection method to APIBuilder
- Add comprehensive tests for the new functionality
* Fix merge issue
* Fix a couple of merge issues
* Fix tests and code
* Fix compilation
* Fix namespace issue for request
* Fix issues
* Fix the test
* WIP: mutator added, start working on validator
* first validator iteration
* second validator iteration
* wip: working on integration tests
* re-working mutation and validation, using Connection interface
* fixing some rebase things
* fixing integration tests
* formatting
* fixing unit tests
* k8s codegen
* linting
* moving tests which are available only for enterprise
* addressing comments: using repo config for connections, updating tests
* addressing comments: adding some more info in the app and installation
* fixing app data
* addressing comments: updating connection implementation
* addressing comments
* formatting
* fixing tests
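
The classification these commit messages converge on (401/403 → AuthenticationFailed, 503 → ServiceUnavailable, everything else → InvalidSpec), shown as an added Go example that is not code from this change. `ErrAuthentication` and the reason names come from the messages above; `errUnavailable`, `statusForError` and `classify` are hypothetical names, and the retry hints follow the per-reason guidance in the first message.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Reason values as named in the commit messages above.
const (
	ReasonInvalidSpec          = "InvalidSpec"
	ReasonAuthenticationFailed = "AuthenticationFailed"
	ReasonServiceUnavailable   = "ServiceUnavailable"
)

// ErrAuthentication is named on the page; errUnavailable is hypothetical.
var (
	ErrAuthentication = errors.New("github: authentication failed")
	errUnavailable    = errors.New("github: service unavailable")
)

// statusForError (hypothetical) turns a failed connection test into a status code.
func statusForError(err error) int {
	switch {
	case errors.Is(err, ErrAuthentication):
		return http.StatusUnauthorized // 401
	case errors.Is(err, errUnavailable):
		return http.StatusServiceUnavailable // 503
	default:
		return http.StatusUnprocessableEntity // 422 for generic/spec errors
	}
}

// classify (hypothetical) maps a failure status code to a reason and retry hint.
func classify(code int) (reason string, retry bool) {
	switch code {
	case http.StatusUnauthorized, http.StatusForbidden:
		return ReasonAuthenticationFailed, false // user must fix credentials
	case http.StatusServiceUnavailable:
		return ReasonServiceUnavailable, true // transient, retry with backoff
	default:
		return ReasonInvalidSpec, false // unknown errors prompt investigation
	}
}

func main() {
	// Constructed error: the sentinel wrapped with call-site context.
	err := fmt.Errorf("get app installation: %w", ErrAuthentication)
	fmt.Println(classify(statusForError(err)))
}
```

Because the sentinel is matched with `errors.Is`, wrapping it with call-site context does not change the resulting reason.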