feat: fix lint issues

Author: user-cube

cli/cmd/bootstrap_integration_test.go

@@ -20,7 +20,7 @@ func TestBootstrapIntegration_PermissionDenied(t *testing.T) {
 	mockClient.EnsureNamespaceForbidden = true
 
 	ctx := context.Background()
-	err := mockClient.EnsureNamespace(ctx, "argocd")
+	_, err := mockClient.EnsureNamespace(ctx, "argocd")
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "permission denied")
 	assert.Contains(t, err.Error(), "cannot create namespace")
@@ -32,9 +32,10 @@ func TestBootstrapIntegration_SecretCreationFails(t *testing.T) {
 	mockClient.CreateSecretForbidden = true
 
 	ctx := context.Background()
-	require.NoError(t, mockClient.EnsureNamespace(ctx, "argocd"))
+	_, err := mockClient.EnsureNamespace(ctx, "argocd")
+	require.NoError(t, err)
 
-	_, _, err := mockClient.CreateRepoSSHSecret(ctx, "ssh://git@example.com/repo.git", "key-data", false)
+	_, _, err = mockClient.CreateRepoSSHSecret(ctx, "ssh://git@example.com/repo.git", "key-data", false)
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "permission denied")
 	assert.Contains(t, err.Error(), "cannot create secrets")
@@ -74,7 +75,8 @@ func TestBootstrapIntegration_SuccessfulFlow(t *testing.T) {
 	ctx := context.Background()
 
 	// Step 1: Ensure namespace
-	require.NoError(t, mockClient.EnsureNamespace(ctx, "argocd"))
+	_, err := mockClient.EnsureNamespace(ctx, "argocd")
+	require.NoError(t, err)
 	assert.True(t, mockClient.Namespaces["argocd"])
 
 	// Step 2: Create repo SSH secret
@@ -99,10 +101,11 @@ func TestBootstrapIntegration_DryRun(t *testing.T) {
 	mockClient := k8s.NewMockClient()
 
 	ctx := context.Background()
-	require.NoError(t, mockClient.EnsureNamespace(ctx, "argocd"))
+	_, err := mockClient.EnsureNamespace(ctx, "argocd")
+	require.NoError(t, err)
 
 	// Create secret in dry-run mode
-	_, _, err := mockClient.CreateRepoSSHSecret(ctx, "ssh://git@example.com/repo.git", "key", true)
+	_, _, err = mockClient.CreateRepoSSHSecret(ctx, "ssh://git@example.com/repo.git", "key", true)
 	require.NoError(t, err)
 
 	// Secret should not be stored
@@ -115,7 +118,8 @@ func TestBootstrapIntegration_GitCryptKey(t *testing.T) {
 	mockClient := k8s.NewMockClient()
 	ctx := context.Background()
 
-	require.NoError(t, mockClient.EnsureNamespace(ctx, "argocd"))
+	_, err := mockClient.EnsureNamespace(ctx, "argocd")
+	require.NoError(t, err)
 
 	keyData := []byte("mock-git-crypt-key-data")
 	created, err := mockClient.CreateGitCryptKeySecret(ctx, keyData)
@@ -135,15 +139,16 @@ func TestBootstrapIntegration_SequentialErrors(t *testing.T) {
 
 	// First attempt: permission denied
 	mockClient.EnsureNamespaceForbidden = true
-	err := mockClient.EnsureNamespace(ctx, "argocd")
+	_, err := mockClient.EnsureNamespace(ctx, "argocd")
 	require.Error(t, err)
 	assert.Contains(t, err.Error(), "permission denied")
 
 	// Simulate fixing the permission issue
 	mockClient.EnsureNamespaceForbidden = false
 
 	// Retry: should succeed
-	require.NoError(t, mockClient.EnsureNamespace(ctx, "argocd"))
+	_, err = mockClient.EnsureNamespace(ctx, "argocd")
+	require.NoError(t, err)
 	assert.True(t, mockClient.Namespaces["argocd"])
 }
 
@@ -165,8 +170,9 @@ func TestBootstrapIntegration_AppOfAppsWithEnv(t *testing.T) {
 			mockClient := k8s.NewMockClient()
 			ctx := context.Background()
 
-			require.NoError(t, mockClient.EnsureNamespace(ctx, "argocd"))
-			_, _, err := mockClient.CreateRepoSSHSecret(ctx, "ssh://git@example.com/repo.git", "key", false)
+			_, err := mockClient.EnsureNamespace(ctx, "argocd")
+			require.NoError(t, err)
+			_, _, err = mockClient.CreateRepoSSHSecret(ctx, "ssh://git@example.com/repo.git", "key", false)
 			require.NoError(t, err)
 
 			_, _, err = mockClient.ApplyAppOfApps(ctx, "ssh://git@example.com/repo.git", "main", tt.env, tt.appPath, false)

cli/cmd/template.go

@@ -93,12 +93,21 @@ func runCustomize(cmd *cobra.Command, args []string) error {
 		currentRepo = defaultRepo
 	}
 
+	// Detect current app path from apps/values.yaml
+	currentAppPath, err := detectCurrentAppPath(workspaceRoot)
+	if err != nil {
+		if verbose {
+			fmt.Printf("⚠️  Could not detect current app path: %v. Using default.\n", err)
+		}
+		currentAppPath = defaultAppPath
+	}
+
 	// Show summary
 	fmt.Println("\n📝 Template Customization Summary")
 	fmt.Println("═══════════════════════════════════")
 	fmt.Printf("Organization:  %s → %s\n", currentOrg, orgFlag)
 	fmt.Printf("Repository:    %s → %s\n", currentRepo, repoFlag)
-	fmt.Printf("App Path:      %s\n", appPathFlag)
+	fmt.Printf("App Path:      %s → %s\n", currentAppPath, appPathFlag)
 	fmt.Printf("Go Module:     github.com/%s/%s → github.com/%s/%s\n",
 		currentOrg, currentRepo, orgFlag, repoFlag)
 
@@ -167,7 +176,7 @@ func runCustomize(cmd *cobra.Command, args []string) error {
 		},
 		{
 			name:    "App path in values",
-			pattern: fmt.Sprintf("path: %s", defaultAppPath),
+			pattern: fmt.Sprintf("path: %s", currentAppPath),
 			replace: fmt.Sprintf("path: %s", appPathFlag),
 			files:   []string{"apps/values.yaml"},
 		},
@@ -324,6 +333,24 @@ func detectCurrentValues(workspaceRoot string) (org, repo string, err error) {
 	return matches[1], matches[2], nil
 }
 
+func detectCurrentAppPath(workspaceRoot string) (string, error) {
+	valuesPath := filepath.Join(workspaceRoot, "apps", "values.yaml")
+	content, err := os.ReadFile(valuesPath) //#nosec G304 -- path is constructed from detected workspace root, not user input
+	if err != nil {
+		return "", err
+	}
+
+	// Parse "path: <value>" from values.yaml
+	// Look for source.path or just path: in the file
+	re := regexp.MustCompile(`(?m)^\s*path:\s+(\S+)`)
+	matches := re.FindStringSubmatch(string(content))
+	if len(matches) != 2 {
+		return "", fmt.Errorf("could not parse path from apps/values.yaml")
+	}
+
+	return matches[1], nil
+}
+
 func getWorkspaceRoot() (string, error) {
 	// Get current working directory
 	cwd, err := os.Getwd()

cli/cmd/template_test.go

@@ -127,6 +127,80 @@ go 1.25.0
 	assert.Error(t, err)
 }
 
+func TestDetectCurrentAppPath(t *testing.T) {
+	tests := []struct {
+		name         string
+		valuesYAML   string
+		expectedPath string
+		wantErr      bool
+	}{
+		{
+			name: "standard app path",
+			valuesYAML: `source:
+  repoURL: git@github.com:org/repo.git
+  targetRevision: main
+  path: apps
+destination:
+  server: https://kubernetes.default.svc
+`,
+			expectedPath: "apps",
+			wantErr:      false,
+		},
+		{
+			name: "custom app path",
+			valuesYAML: `source:
+  repoURL: git@github.com:org/repo.git
+  targetRevision: main
+  path: custom/my-apps
+destination:
+  server: https://kubernetes.default.svc
+`,
+			expectedPath: "custom/my-apps",
+			wantErr:      false,
+		},
+		{
+			name: "indented path",
+			valuesYAML: `spec:
+  source:
+    repoURL: git@github.com:org/repo.git
+    targetRevision: main
+    path: nested-apps
+`,
+			expectedPath: "nested-apps",
+			wantErr:      false,
+		},
+		{
+			name: "missing path",
+			valuesYAML: `source:
+  repoURL: git@github.com:org/repo.git
+  targetRevision: main
+`,
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tmpDir := t.TempDir()
+			appsDir := filepath.Join(tmpDir, "apps")
+			err := os.MkdirAll(appsDir, 0755)
+			require.NoError(t, err)
+
+			valuesPath := filepath.Join(appsDir, "values.yaml")
+			err = os.WriteFile(valuesPath, []byte(tt.valuesYAML), 0644)
+			require.NoError(t, err)
+
+			path, err := detectCurrentAppPath(tmpDir)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.expectedPath, path)
+			}
+		})
+	}
+}
+
 func TestApplyReplacement(t *testing.T) {
 	// Create temporary workspace
 	tmpDir := t.TempDir()
@@ -426,3 +500,50 @@ import (
 	require.NoError(t, err)
 	assert.Contains(t, string(updatedGoFile), `"github.com/mycompany/k8s-gitops/cli/internal/config"`)
 }
+
+func TestReCustomization_AppPath(t *testing.T) {
+	// Test that re-customization with a different app-path works correctly
+	// This validates the fix for detecting current app path instead of hardcoding "apps"
+	tmpDir := t.TempDir()
+
+	// Create directories
+	appsDir := filepath.Join(tmpDir, "apps")
+	err := os.MkdirAll(appsDir, 0755)
+	require.NoError(t, err)
+
+	// Create apps/values.yaml with a custom path (already customized once)
+	appsValuesContent := `repoSource:
+  url: git@github.com:mycompany/k8s-gitops.git
+  path: custom/apps
+destination:
+  server: https://kubernetes.default.svc
+`
+	err = os.WriteFile(filepath.Join(appsDir, "values.yaml"), []byte(appsValuesContent), 0644)
+	require.NoError(t, err)
+
+	// Detect current app path
+	currentAppPath, err := detectCurrentAppPath(tmpDir)
+	require.NoError(t, err)
+	assert.Equal(t, "custom/apps", currentAppPath)
+
+	// Now re-customize with a different app path
+	newAppPath := "kubernetes/applications"
+
+	// Apply replacement using detected current path
+	r := replacement{
+		name:    "App path",
+		pattern: fmt.Sprintf("path: %s", currentAppPath),
+		replace: fmt.Sprintf("path: %s", newAppPath),
+		files:   []string{"apps/values.yaml"},
+	}
+
+	count, err := applyReplacement(tmpDir, r, false)
+	require.NoError(t, err)
+	assert.Equal(t, 1, count, "Expected 1 file to be updated")
+
+	// Verify the change
+	updatedAppsValues, err := os.ReadFile(filepath.Join(appsDir, "values.yaml"))
+	require.NoError(t, err)
+	assert.Contains(t, string(updatedAppsValues), "path: kubernetes/applications")
+	assert.NotContains(t, string(updatedAppsValues), "path: custom/apps")
+}

cli/cmd/vault_token.go

@@ -56,7 +56,7 @@ func runVaultToken(cmd *cobra.Command, args []string) error {
 
 	ctx := context.Background()
 
-	if err := client.EnsureNamespace(ctx, "vault"); err != nil {
+	if _, err := client.EnsureNamespace(ctx, "vault"); err != nil {
 		return err
 	}
 

cli/internal/k8s/client_mock.go

@@ -36,15 +36,21 @@ func NewMockClient() *MockClient {
 }
 
 // EnsureNamespace simulates namespace creation with mock state.
-func (m *MockClient) EnsureNamespace(ctx context.Context, name string) error {
+func (m *MockClient) EnsureNamespace(ctx context.Context, name string) (bool, error) {
 	if m.EnsureNamespaceErr != nil {
-		return m.EnsureNamespaceErr
+		return false, m.EnsureNamespaceErr
 	}
 	if m.EnsureNamespaceForbidden {
-		return fmt.Errorf("permission denied: cannot create namespace %s: Forbidden", name)
+		return false, fmt.Errorf("permission denied: cannot create namespace %s: Forbidden", name)
 	}
+
+	// Check if namespace already exists
+	if m.Namespaces[name] {
+		return false, nil
+	}
+
 	m.Namespaces[name] = true
-	return nil
+	return true, nil
 }
 
 // CreateRepoSSHSecret simulates secret creation with mock state.
@@ -178,7 +184,7 @@ func (m *MockClient) GetApplication(name string) *unstructured.Unstructured {
 // ClientInterface defines the interface that both Client and MockClient implement.
 // This is useful for testing code that uses a K8s client.
 type ClientInterface interface {
-	EnsureNamespace(ctx context.Context, name string) error
+	EnsureNamespace(ctx context.Context, name string) (bool, error)
 	CreateRepoSSHSecret(ctx context.Context, repoURL, sshPrivateKey string, dryRun bool) (*corev1.Secret, bool, error)
 	CreateGitCryptKeySecret(ctx context.Context, keyData []byte) (bool, error)
 	ApplyAppOfApps(ctx context.Context, repoURL, targetRevision, env, appPath string, dryRun bool) (string, bool, error)

cli/internal/k8s/secrets.go

@@ -10,16 +10,16 @@ import (
 )
 
 // EnsureNamespace creates a namespace if it does not already exist.
-func (c *Client) EnsureNamespace(ctx context.Context, name string) error {
+func (c *Client) EnsureNamespace(ctx context.Context, name string) (bool, error) {
 	_, err := c.Clientset.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
 	if err == nil {
-		return nil
+		return false, nil
 	}
 	if !apierrors.IsNotFound(err) {
 		if apierrors.IsForbidden(err) {
-			return fmt.Errorf("permission denied: cannot get namespace %s: %w\n  hint: verify your cluster role has permission to get namespaces", name, err)
+			return false, fmt.Errorf("permission denied: cannot get namespace %s: %w\n  hint: verify your cluster role has permission to get namespaces", name, err)
 		}
-		return fmt.Errorf("failed to get namespace %s: %w", name, err)
+		return false, fmt.Errorf("failed to get namespace %s: %w", name, err)
 	}
 
 	ns := &corev1.Namespace{
@@ -30,11 +30,11 @@ func (c *Client) EnsureNamespace(ctx context.Context, name string) error {
 	_, err = c.Clientset.CoreV1().Namespaces().Create(ctx, ns, metav1.CreateOptions{})
 	if err != nil {
 		if apierrors.IsForbidden(err) {
-			return fmt.Errorf("permission denied: cannot create namespace %s: %w\n  hint: verify your cluster role has permission to create namespaces", name, err)
+			return false, fmt.Errorf("permission denied: cannot create namespace %s: %w\n  hint: verify your cluster role has permission to create namespaces", name, err)
 		}
-		return fmt.Errorf("failed to create namespace %s: %w", name, err)
+		return false, fmt.Errorf("failed to create namespace %s: %w", name, err)
 	}
-	return nil
+	return true, nil
 }
 
 // CreateRepoSSHSecret creates or updates the repo-ssh-key secret in the argocd namespace.
@@ -102,7 +102,7 @@ func (c *Client) CreateRepoSSHSecret(ctx context.Context, repoURL, sshPrivateKey
 // The key data is the raw symmetric key used by git-crypt.
 // Returns a boolean indicating if it was created (true) or updated (false).
 func (c *Client) CreateGitCryptKeySecret(ctx context.Context, keyData []byte) (bool, error) {
-	if err := c.EnsureNamespace(ctx, "argocd"); err != nil {
+	if _, err := c.EnsureNamespace(ctx, "argocd"); err != nil {
 		return false, err
 	}