fix: clean up .gitignore and implement report writing

Author: graz-dev

cmd/validate.go

@@ -182,13 +182,20 @@ func runValidate() error {
 		}
 	}
 
-	// Output for CI (GITHUB_OUTPUT)
-	// We can write to a file or stdout?
-	// The validation pipeline expects 'diff_output' and 'has_drift' outputs.
-	// Ideally this command outputs the report to stdout?
-	// But we are also logging info.
-	// Maybe we write the REPORT to a file if requested? --output-file?
-	// For now, let's print the usage instruction for the user.
+	// Output Report
+	if validateReportFile != "" {
+		if totalDiff == "" {
+			totalDiff = "No drift detected."
+		}
+		if err := os.WriteFile(validateReportFile, []byte(totalDiff), 0644); err != nil {
+			fmt.Fprintf(os.Stderr, "ERROR: Failed to write report: %v\n", err)
+		}
+	} else {
+		// If no file, print report to stdout (if not empty)
+		if totalDiff != "" {
+			fmt.Println(totalDiff)
+		}
+	}
 
 	if hasDrift {
 		return fmt.Errorf("Validation failed: Drift detected.")

demos/gitops-validation/README.md

@@ -0,0 +1,17 @@
+# GitOps Validation Demos
+
+This directory contains step-by-step tutorials for implementing **GitOps Validation** using Kalco.
+
+**Philosophy**: These demos are designed to be "Drop-in". They assume you want validation *without* maintaining a persistent "Reality Repo". The pipeline creates a temporary snapshot during the check.
+
+## Scenarios
+
+1.  **[Raw Resources](./raw-resources/README.md)**
+    *   **Best for:** Deployments using plain Kubernetes YAML manifests (Deployment, Service, etc.).
+    *   **How to use:** Copy the folder contents (`manifests`, `.github`) to your repo.
+
+2.  **[Helm Charts](./helm/README.md)**
+    *   **Best for:** Deployments managed via Helm Charts.
+    *   **How to use:** Copy the folder contents (`chart`, `.github`) to your repo.
+
+All you need is to set the `KUBECONFIG` secret in your repository.

demos/gitops-validation/helm/.github/workflows/validation.yaml

@@ -0,0 +1,143 @@
+name: Kalco Helm Validation
+
+on:
+  pull_request:
+    branches: [ master ]
+    paths:
+      - 'chart/**'
+
+jobs:
+  validate-drift:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout Source Code
+        uses: actions/checkout@v3
+
+      - name: Install Tools
+        run: |
+          curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+          # Install Kalco
+          curl -sL https://github.com/graz-dev/kalco/releases/download/v0.1.19/kalco_Linux_x86_64.tar.gz | tar xz
+          sudo mv kalco /usr/local/bin/
+
+      - name: Configure Kalco
+        env:
+          KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}
+        run: |
+          # Configure Git for Kalco's internal git operations
+          git config --global user.email "ci-bot@kalco.dev"
+          git config --global user.name "Kalco CI Bot"
+
+          mkdir -p ~/.kube
+          echo "$KUBECONFIG_DATA" | base64 -d > ~/.kube/config
+          
+          mkdir -p tmp-snapshot
+
+          kalco context set validation-ctx \
+            --kubeconfig ~/.kube/config \
+            --output $(pwd)/tmp-snapshot
+
+          kalco context use validation-ctx
+
+      - name: Snapshot Live State
+        run: |
+          kalco export
+
+      - name: Render & Diff
+        id: kalco-diff
+        run: |
+          # Fetch base branch for comparison
+          git fetch origin ${{ github.base_ref }}
+          
+          mkdir -p generated-manifests
+          
+          # 1. Render PR version (Chart at current state)
+          helm template my-release chart --namespace guestbook-helm > generated-manifests/pr-all.yaml
+          
+          # 2. Render Base version (Chart at base branch state)
+          # We need to extract the chart files from the base branch to a temp dir?
+          # Or easier: checkout base to temp dir and render there.
+          mkdir -p base-chart-source
+          git archive origin/${{ github.base_ref }} chart | tar -x -C base-chart-source
+          
+          # Check if chart existed in base
+          IGNORE_BASE_FLAG=""
+          if [ -d "base-chart-source/chart" ]; then
+             helm template my-release base-chart-source/chart --namespace guestbook-helm > generated-manifests/base-all.yaml
+             if [ -s generated-manifests/base-all.yaml ]; then
+                 IGNORE_BASE_FLAG="--ignore-base generated-manifests/base-all.yaml"
+             fi
+          fi
+          
+          TOTAL_DIFF=""
+          HAS_DRIFT="false"
+          
+          echo "Comparing generated manifests against snapshot..."
+          
+          # Use Kalco Diff directly on the multi-doc generated file
+          # Pass --ignore-base pointing to the base render
+          OUTPUT=$(kalco --no-color diff --target generated-manifests/pr-all.yaml --snapshot-dir tmp-snapshot --format markdown $IGNORE_BASE_FLAG --ignore-extra-fields || true)
+          
+          if [ -n "$OUTPUT" ]; then
+              echo "Diff Output for all.yaml:"
+              echo "$OUTPUT"
+              
+              TOTAL_DIFF+=$'\n'"#### Helm Difference Report"$'\n'"$OUTPUT"$'\n'
+              
+              if echo "$OUTPUT" | grep -q "Drift Detected"; then
+                  HAS_DRIFT="true"
+                  echo "!!! CRITICAL: DRIFT DETECTED !!!"
+              fi
+          fi
+          
+          echo "has_drift=$HAS_DRIFT" >> $GITHUB_OUTPUT
+          
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          echo "diff_output<<$EOF" >> $GITHUB_OUTPUT
+          echo "$TOTAL_DIFF" >> $GITHUB_OUTPUT
+          echo "$EOF" >> $GITHUB_OUTPUT
+
+      - name: Comment PR & Label
+        uses: actions/github-script@v6
+        env:
+          DIFF_OUTPUT: ${{ steps.kalco-diff.outputs.diff_output }}
+          HAS_DRIFT: ${{ steps.kalco-diff.outputs.has_drift }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = process.env.DIFF_OUTPUT;
+            const hasDrift = process.env.HAS_DRIFT === 'true';
+            
+            if (!output || output.trim() === "") {
+                console.log("No output to comment.");
+                return;
+            }
+            
+            const labelAdd = hasDrift ? 'kalco/deny' : 'kalco/approve';
+            const labelRemove = hasDrift ? 'kalco/approve' : 'kalco/deny';
+            
+            await github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `### 🛡️ Kalco Helm Validation Report\n\n${output}`
+            });
+            
+            try {
+              await github.rest.issues.removeLabel({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                name: labelRemove
+              });
+            } catch (e) {}
+            
+            await github.rest.issues.addLabels({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: [labelAdd]
+            });

demos/gitops-validation/helm/README.md

@@ -0,0 +1,52 @@
+# GitOps Validation with Kalco: Helm Charts
+
+This tutorial shows how to validate Helm Chart changes against your live cluster using Kalco.
+
+## Prerequisites
+
+- [ ] Kubernetes Cluster & ArgoCD.
+- [ ] **One GitHub Repository**: This contains your chart and pipeline.
+- [ ] **Secrets** configured: `KUBECONFIG`.
+
+## Setup
+
+### 1. Install ArgoCD (if not installed)
+
+```bash
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+
+# Wait for ArgoCD to be ready
+kubectl wait --for=condition=available deployment -l "app.kubernetes.io/name=argocd-server" -n argocd --timeout=300s
+```
+
+### 2. Copy Files
+Copy the contents of this folder (`chart/`, `.github/`, `argocd/`) to the **root** of your repository.
+
+### 3. Configure Secret
+Add `KUBECONFIG` to your repo secrets.
+
+### 4. Deploy App
+Apply `argocd/application.yaml` (edit the repoURL first!).
+
+## Workflow Overview
+
+1.  **Snapshot**: Kalco exports the live state to a temporary directory (`./tmp-snapshot`).
+2.  **Render**: `helm template` generates manifests from your local chart code.
+3.  **Split & Diff**: The rendered manifests are split and compared against the temporary snapshot.
+
+## Command Reference
+
+```bash
+# Workflow logic roughly equivalent to:
+kalco context set validation-ctx --output ./tmp-snapshot --kubeconfig ...
+kalco export
+helm template . > all.yaml
+kalco diff --target <split-file> --snapshot-dir ./tmp-snapshot
+```
+
+## Usage
+
+1.  Change a value in `chart/values.yaml` (e.g., replica count).
+2.  Open a PR.
+3.  The pipeline will detect if your change conflicts with the live state.

demos/gitops-validation/helm/argocd/application.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: guestbook-helm
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/YOUR_USERNAME/gitops-validation-demo # Users will update this
+    targetRevision: HEAD
+    path: chart
+    helm:
+      valueFiles:
+      - values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: guestbook-helm
+  syncPolicy:
+    automated: 
+      selfHeal: false
+      prune: true

demos/gitops-validation/helm/chart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: guestbook
+description: A Helm chart for the Guestbook application
+type: application
+version: 0.1.0
+appVersion: "1.16.0"