Skip to content

[RFE] Add bro-tool CLI for support use#908

Merged
mallardduck merged 17 commits intorancher:mainfrom
mallardduck:bro-tool
Mar 13, 2026
Merged

[RFE] Add bro-tool CLI for support use#908
mallardduck merged 17 commits intorancher:mainfrom
mallardduck:bro-tool

Conversation

@mallardduck
Copy link
Member

@mallardduck mallardduck commented Mar 11, 2026

Introduces bro-tool, a companion CLI for support engineers and developers working with the Backup and Restore Operator.

The tool operates entirely offline — it fetches or reads a BRO helm chart and inspects its bundled ResourceSet configuration without requiring a live cluster.

What's included:

  • pkg/version — moved version info to a shared package so both the operator and bro-tool can use it.
  • Multi-module Go workspace (go.work) covering the root operator, cmd/tool, and tests/, with dependency isolation enforced per module.
  • resource-set:view — renders all ResourceSet rules from a given BRO chart version, with table, yaml, and json output. Each rule is attributed back to its source file within the chart (e.g. fleet.yaml, aks.yaml).
  • resource-set:check — checks whether a specific Kubernetes resource would be covered by a backup. Accepts a kind/name string or a full resource manifest, infers API versions for built-in Kubernetes kinds, reports all matching rules with caveats for conditions that couldn't be verified offline, and exits non-zero when no match is found (script-friendly).
  • Chart fetching with local caching (~/.cache/bro-tool/charts/) when using --version.
  • scripts/tidy for one-command tidy+sync across all workspace modules; make build now produces both bin/backup-restore-operator and bin/bro-tool.
  • CI updates: golangci-lint now runs per-module via matrix, and a new workspace-sync job catches go.work.sum drift on every PR.
  • User documentation in docs/bro-tool.md and workspace/contributing notes in DEVELOPING.md.

Note

bro-tool is explicitly out-of-scope for SUSE/Rancher support SLAs and is documented as such.

@mallardduck mallardduck requested a review from a team as a code owner March 11, 2026 18:04
@mallardduck
Copy link
Member Author

mallardduck commented Mar 11, 2026

resource-set:view — inspect all rules for a BRO version

$ bro-tool resource-set:view --version v9.0.0

ResourceSet: rancher-resource-set-full
  #    Source                                                      APIVersion                          Kinds
Names                  Namespaces
  -    ------                                                      ----------                          -----
-----                  ----------
  1    default/basic-resourceset-contents/aks.yaml                 apiextensions.k8s.io/v1             ~.
~aks.cattle.io$        *
  2    default/basic-resourceset-contents/aks.yaml                 aks.cattle.io/v1                    ~.                      *
                     *
  3    default/basic-resourceset-contents/aks.yaml                 apps/v1                             ~^deployments$
aks-config-operator    cattle-system
  4    default/basic-resourceset-contents/aks.yaml                 rbac.authorization.k8s.io/v1        ~^clusterroles$
aks-operator           *
  ...

The Source column maps each rule back to the component file within the chart that defines it (e.g. fleet.yaml, aks.yaml,
rancher.yaml). Supports --output yaml and --output json for diffing between versions.

resource-set:check — check if a specific resource is covered

$ bro-tool resource-set:check --version v9.0.0 \
    --resource ManagedChart/rancher-monitoring \
    --namespace fleet-default \
    --api-version management.cattle.io/v3

Matching rules for: management.cattle.io/v3 fleet-default/ManagedChart/rancher-monitoring

  ResourceSet                 #   Source                                           APIVersion               Kinds  Names
Namespaces  Caveats
  -----------                 -   ------                                           ----------               -----  -----
----------  -------
  rancher-resource-set-full   68  default/basic-resourceset-contents/rancher.yaml  management.cattle.io/v3  ~.     *      *
  rancher-resource-set-basic  68  default/basic-resourceset-contents/rancher.yaml  management.cattle.io/v3  ~.     *      *

Caveats — conditions that couldn't be checked offline

When a rule uses a label selector but no labels were provided, the tool reports a caveat rather than silently assuming a match or
non-match:

$ bro-tool resource-set:check --version v9.0.0 --resource ClusterRole/my-custom-role

Matching rules for: rbac.authorization.k8s.io/v1 ClusterRole/my-custom-role

  ResourceSet                 #   Source                               APIVersion                    Kinds
           Names  Namespaces  Caveats
  -----------                 -   ------                               ----------                    -----
           -----  ----------  -------
  rancher-resource-set-full   84  optional/.../kubewarden.yaml         rbac.authorization.k8s.io/v1
~^clusterroles$|^clusterrolebindings$  *      *           label selector not checked (use --resource-path to include labels)

Use --resource-path ./my-resource.yaml to pass a full manifest with labels, which resolves most caveats.

(some of the outputs didn't copy paste great)

@mallardduck mallardduck requested review from Copilot, diogoasouza and susesamu and removed request for a team March 11, 2026 18:20
Copilot AI reviewed Mar 11, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a Go workspace and adds a new companion CLI (bro-tool) as a separate Go module, while consolidating version metadata into a shared package and updating CI/build tooling to support the multi-module layout.

Changes:

  • Add cmd/tool (“bro-tool”) as a standalone Go module and wire it into builds and release tooling.
  • Introduce go.work workspace management and update validation/CI to lint/sync modules consistently.
  • Move build-time version variables into pkg/version and update consumers (operator + objectstore) accordingly.

Reviewed changes

Copilot reviewed 27 out of 32 changed files in this pull request and generated 10 comments.

Show a summary per file
File Description
tests/hull/main.go Go formatting / minor test cleanup (composite literals, unused param).
tests/go.mod Updates indirect dependencies for the tests module.
tests/go.sum Dependency checksum updates for the tests module.
scripts/validate-ci Runs go work sync to keep workspace sums in sync during CI validation.
scripts/validate Lints each workspace module (., cmd/tool, tests) independently.
scripts/tidy New helper to go mod tidy each module and then go work sync.
scripts/build Switches ldflags to pkg/version and builds bro-tool binary.
README.md Adds a top-level section describing bro-tool and links to full docs.
pkg/version/version.go New shared version package + formatted version string helper.
pkg/objectstore/s3minio.go Updates version import path to pkg/version.
go.work Introduces workspace definition for root, cmd/tool, and tests.
go.sum Root module checksum updates (notably easyjson, cobra/pflag, otlp http exporter, etc.).
go.mod Root module dependency updates (easyjson, pflag, x/time, ansiterm, term, cobra, otlp http exporter).
docs/bro-tool.md New end-user documentation for bro-tool.
DEVELOPING.md Documents workspace/module layout and common dev workflows.
cmd/tool/README.md Adds module-local README describing bro-tool usage and dev rules.
cmd/tool/main.go Implements bro-tool entrypoint and command dispatch.
cmd/tool/internal/cmd/resourcesetview/cmd.go Implements resource-set:view subcommand and output formatting.
cmd/tool/internal/cmd/resourcesetcheck/infer_crd_versions.go Adds apiVersion inference for well-known kinds via scheme.
cmd/tool/internal/cmd/resourcesetcheck/cmd.go Implements resource-set:check subcommand, parsing and output.
cmd/tool/internal/chart/render.go Loads/renders chart and annotates selectors with source attribution.
cmd/tool/internal/chart/match.go Implements offline selector matching logic and caveat reporting.
cmd/tool/internal/chart/fetch.go Downloads/caches charts from GitHub releases for offline analysis.
cmd/tool/go.mod New cmd/tool module definition and dependencies.
cmd/tool/go.sum New dependency checksums for cmd/tool module.
cmd/operator/version/version.go Removes old operator-local version variables (moved to pkg/version).
cmd/operator/main.go Adds --version support and switches to shared pkg/version.
.goreleaser.yaml Updates ldflags to pkg/version and adds a bro-tool build.
.golangci.yaml Adds revive exclusion for new pkg/version vars.
.gitignore Adjusts ignored binary names / patterns.
.github/workflows/ci.yaml Adds workspace sync check + runs golangci-lint per module.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

mallardduck and others added 3 commits March 11, 2026 14:41
susesamu
susesamu reviewed Mar 11, 2026
View reviewed changes
@mallardduck mallardduck requested a review from susesamu March 11, 2026 20:56
susesamu
susesamu approved these changes Mar 12, 2026
View reviewed changes
Copy link
Contributor

@susesamu susesamu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@mallardduck mallardduck merged commit b322068 into rancher:main Mar 13, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@diogoasouza diogoasouza diogoasouza approved these changes

@susesamu susesamu susesamu approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mallardduck @diogoasouza @susesamu