build: Add kube-api-linter

Validates upstream API conventions are correctly applied.

Author: jimmidyson

.github/workflows/checks.yml

@@ -132,21 +132,37 @@ jobs:
         with:
           enable-cache: true
 
-      - name: Export golang and golangci-lint versions
-        id: versions
+      - name: golangci-lint
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          echo "golangci-lint=$(devbox run -- golangci-lint version --short)" >>"${GITHUB_OUTPUT}"
-          echo "golang=$(devbox run -- go version | grep -o "[[:digit:]]\+.[[:digit:]]\+\(.[[:digit:]]\+\)\?")" >>"${GITHUB_OUTPUT}"
+          devbox run golangci-lint run --config=${{ github.workspace }}/.golangci.yml --output.text.path=stdout ./... | \
+            devbox run reviewdog -f=golangci-lint -reporter=github-pr-review --fail-level=any
+        working-directory: ${{ matrix.module }}
 
-      - name: golangci-lint
-        uses: reviewdog/action-golangci-lint@v2
+  lint-api:
+    runs-on: ubuntu-24.04
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Install devbox
+        uses: jetify-com/[email protected]
         with:
-          fail_level: error
-          reporter: github-pr-review
-          golangci_lint_version: v${{ steps.versions.outputs.golangci-lint }}
-          go_version: v${{ steps.versions.outputs.golang }}
-          workdir: ${{ matrix.module }}
-          golangci_lint_flags: "--config=${{ github.workspace }}/.golangci.yml"
+          enable-cache: true
+
+      - name: Install kube-api-linter
+        run: devbox run make hack/tools/golangci-lint-kube-api-linter
+
+      - name: golangci-lint
+        env:
+          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          hack/tools/golangci-lint-kube-api-linter run --config=${{ github.workspace }}/.golangci.yml --output.text.path=stdout ./... | \
+            devbox run reviewdog -name=kube=api-linter -f=golangci-lint -reporter=github-pr-review --fail-level=any
+        working-directory: api
 
   lint-gha:
     runs-on: ubuntu-24.04

.gitignore

@@ -50,3 +50,4 @@ test/e2e/config/caren-envsubst.yaml
 hack/tools/fetch-images/fetch-images
 caren-images.txt
 hack/examples/release/*-cluster-class.yaml
+golangci-lint-kube-api-linter

.golangci-kal.yml

@@ -0,0 +1,61 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+version: "2"
+linters:
+  default: none
+  enable:
+    - kubeapilinter # linter for Kube API conventions
+  settings:
+    custom:
+      kubeapilinter:
+        type: module
+        description: KAL is the Kube-API-Linter and lints Kube like APIs based on API conventions and best practices.
+        settings:
+          linters:
+            enable:
+              - "commentstart" # Ensure comments start with the serialized version of the field name.
+              # - "conditions" # Ensure conditions have the correct json tags and markers.
+              - "duplicatemarkers" # Ensure there are no exact duplicate markers. for types and fields.
+              - "integers" # Ensure only int32 and int64 are used for integers.
+              - "jsontags" # Ensure every field has a json tag.
+              - "maxlength" # Ensure all strings and arrays have maximum lengths/maximum items.
+              - "nobools" # Bools do not evolve over time, should use enums instead.
+              - "nofloats" # Ensure floats are not used.
+              - "nomaps" # Ensure maps are not used.
+              # "nophase" # Ensure phases are not used, as they are not extensible.
+              - "optionalfields" # Ensure that all fields marked as optional adhere to being pointers and
+                                 # having the `omitempty` value in their `json` tag where appropriate.
+              - "optionalorrequired" # Every field should be marked as `+optional` or `+required`.
+              - "requiredfields" # Required fields should not be pointers, and should not have `omitempty`.
+              # - "ssatags" # Ensure array fields have the appropriate listType markers
+              # - "statusoptional" # Ensure all first children within status should be optional.
+              # - "statussubresource" # All root objects that have a `status` field should have a status subresource.
+              - "uniquemarkers" # Ensure that types and fields do not contain more than a single definition of a marker that should only be present once.
+
+            # Linters below this line are disabled, pending conversation on how and when to enable them.
+            disable:
+            - "*" # We will manually enable new linters after understanding the impact. Disable all by default.
+          lintersConfig:
+            optionalfields:
+              pointers:
+                preference: WhenRequired # Always | WhenRequired # Whether to always require pointers, or only when required. Defaults to `Always`.
+            # jsontags:
+            #   jsonTagRegex: "^[a-z][a-z0-9]*(?:[A-Z][a-z0-9]*)*$" # The default regex is appropriate for our use case.
+            optionalorrequired:
+              preferredOptionalMarker: kubebuilder:validation:Optional # The preferred optional marker to use, fixes will suggest to use this marker. Defaults to `optional`.
+              preferredRequiredMarker: kubebuilder:validation:Required # The preferred required marker to use, fixes will suggest to use this marker. Defaults to `required`.
+
+  exclusions:
+    generated: strict
+    paths:
+      # Ignore generated files.
+      - zz_generated.*\.go$
+      # Ignore external API packages.
+      - external/
+      # Ignore test files.
+      - '.+_test\.go$'
+
+issues:
+  max-same-issues: 0
+  max-issues-per-linter: 0

.pre-commit-config.yaml

@@ -21,6 +21,12 @@ repos:
     language: system
     files: "(.*\\.go|go.mod|go.sum|go.mk)$"
     pass_filenames: false
+  - id: kube-api-linter
+    name: kube-api-linter
+    entry: make lint-kube-api
+    language: system
+    files: "((^api/(.*\\.go|go.mod|go.sum))|go.mk)$"
+    pass_filenames: false
   - id: chart-docs
     name: chart-docs
     entry: make chart-docs

common/pkg/capi/utils/utils.go

@@ -64,9 +64,11 @@ func ManagementOrFutureManagementCluster(ctx context.Context, c client.Reader) (
 	return cluster, nil
 }
 
-func clusterAnnotationsFromNodes(ctx context.Context, c client.Reader) (string, string, error) {
+func clusterAnnotationsFromNodes(
+	ctx context.Context, c client.Reader,
+) (clusterName, clusterNamespace string, err error) {
 	allNodes := &corev1.NodeList{}
-	err := c.List(ctx, allNodes)
+	err = c.List(ctx, allNodes)
 	if err != nil {
 		return "", "", fmt.Errorf("error listing Nodes: %w", err)
 	}

common/pkg/capi/utils/utils_test.go

@@ -138,7 +138,7 @@ func TestManagementOrFutureManagementCluster(t *testing.T) {
 				},
 			},
 			wantErr: fmt.Errorf(
-				"error determining management cluster for the provided client: error getting Cluster object based on Node annotations: clusters.cluster.x-k8s.io \"management-cluster\" not found",
+				"error determining management cluster for the provided client: error getting Cluster object based on Node annotations: clusters.cluster.x-k8s.io \"management-cluster\" not found", //nolint:lll // Long error message is expected here.
 			),
 		},
 		{
@@ -162,7 +162,7 @@ func TestManagementOrFutureManagementCluster(t *testing.T) {
 				},
 			},
 			wantErr: fmt.Errorf(
-				"error determining management cluster for the provided client: missing \"cluster.x-k8s.io/cluster-name\" annotation",
+				"error determining management cluster for the provided client: missing \"cluster.x-k8s.io/cluster-name\" annotation", //nolint:lll // Long error message is expected here.
 			),
 		},
 		{
@@ -186,7 +186,7 @@ func TestManagementOrFutureManagementCluster(t *testing.T) {
 				},
 			},
 			wantErr: fmt.Errorf(
-				"error determining management cluster for the provided client: missing \"cluster.x-k8s.io/cluster-namespace\" annotation",
+				"error determining management cluster for the provided client: missing \"cluster.x-k8s.io/cluster-namespace\" annotation", //nolint:lll // Long error message is expected here.
 			),
 		},
 		{
@@ -213,7 +213,7 @@ func TestManagementOrFutureManagementCluster(t *testing.T) {
 				},
 			},
 			wantErr: fmt.Errorf(
-				"error determining management cluster for the provided client: multiple Cluster objects found, expected exactly one",
+				"error determining management cluster for the provided client: multiple Cluster objects found, expected exactly one", //nolint:lll // Long error message is expected here.
 			),
 		},
 	}
@@ -239,7 +239,7 @@ func TestManagementOrFutureManagementCluster(t *testing.T) {
 
 func buildFakeClientForTest(t *testing.T, clusters []clusterv1.Cluster, nodes []corev1.Node) client.Client {
 	t.Helper()
-	var objs []client.Object
+	objs := make([]client.Object, 0, len(clusters)+len(nodes))
 	for i := range clusters {
 		objs = append(objs, &clusters[i])
 	}

devbox.json

@@ -28,6 +28,7 @@
     "kubernetes-controller-tools@latest",
     "kustomize@latest",
     "pre-commit@latest",
+    "reviewdog@latest",
     "rsync@latest",
     "setup-envtest@latest",
     "shfmt@latest",

devbox.lock

@@ -854,50 +854,50 @@
       }
     },
     "golangci-lint@latest": {
-      "last_modified": "2025-05-16T20:19:48Z",
-      "resolved": "github:NixOS/nixpkgs/12a55407652e04dcf2309436eb06fef0d3713ef3#golangci-lint",
+      "last_modified": "2025-07-04T02:32:11Z",
+      "resolved": "github:NixOS/nixpkgs/472908faa934435cf781ae8fac77291af3d137d3#golangci-lint",
       "source": "devbox-search",
-      "version": "2.1.6",
+      "version": "2.2.1",
       "systems": {
         "aarch64-darwin": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/8d3n5ly5r6prqyx3h5nr2v778hzwp83r-golangci-lint-2.1.6",
+              "path": "/nix/store/y34ymr5fc4nywh487v49djqzplqy8nih-golangci-lint-2.2.1",
               "default": true
             }
           ],
-          "store_path": "/nix/store/8d3n5ly5r6prqyx3h5nr2v778hzwp83r-golangci-lint-2.1.6"
+          "store_path": "/nix/store/y34ymr5fc4nywh487v49djqzplqy8nih-golangci-lint-2.2.1"
         },
         "aarch64-linux": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/sazvkjsaxnpnplrsaj5wf1x9xkgv0s88-golangci-lint-2.1.6",
+              "path": "/nix/store/yvlh8x7mmlg7j8vqbzjslngipvkgfgdc-golangci-lint-2.2.1",
               "default": true
             }
           ],
-          "store_path": "/nix/store/sazvkjsaxnpnplrsaj5wf1x9xkgv0s88-golangci-lint-2.1.6"
+          "store_path": "/nix/store/yvlh8x7mmlg7j8vqbzjslngipvkgfgdc-golangci-lint-2.2.1"
         },
         "x86_64-darwin": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/cqfnavdyysfdm9cam8bsyscbsk8zg781-golangci-lint-2.1.6",
+              "path": "/nix/store/zji7s77vyb0l2gpnz1nsa7al4w83rjw6-golangci-lint-2.2.1",
               "default": true
             }
           ],
-          "store_path": "/nix/store/cqfnavdyysfdm9cam8bsyscbsk8zg781-golangci-lint-2.1.6"
+          "store_path": "/nix/store/zji7s77vyb0l2gpnz1nsa7al4w83rjw6-golangci-lint-2.2.1"
         },
         "x86_64-linux": {
           "outputs": [
             {
               "name": "out",
-              "path": "/nix/store/snqg2xccy7fb6q6n2dw3bfql6mqbh6ar-golangci-lint-2.1.6",
+              "path": "/nix/store/p1144qggxazwz6791avlf6cqzyvkh8cv-golangci-lint-2.2.1",
               "default": true
             }
           ],
-          "store_path": "/nix/store/snqg2xccy7fb6q6n2dw3bfql6mqbh6ar-golangci-lint-2.1.6"
+          "store_path": "/nix/store/p1144qggxazwz6791avlf6cqzyvkh8cv-golangci-lint-2.2.1"
         }
       }
     },
@@ -1577,6 +1577,54 @@
         }
       }
     },
+    "reviewdog@latest": {
+      "last_modified": "2025-06-20T02:24:11Z",
+      "resolved": "github:NixOS/nixpkgs/076e8c6678d8c54204abcb4b1b14c366835a58bb#reviewdog",
+      "source": "devbox-search",
+      "version": "0.20.3",
+      "systems": {
+        "aarch64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/3yyxphpj15k63glrjhks2gkpj0ni9snf-reviewdog-0.20.3",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/3yyxphpj15k63glrjhks2gkpj0ni9snf-reviewdog-0.20.3"
+        },
+        "aarch64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/drhvxi0lcpa5drqvh3asqll3kak7g2ja-reviewdog-0.20.3",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/drhvxi0lcpa5drqvh3asqll3kak7g2ja-reviewdog-0.20.3"
+        },
+        "x86_64-darwin": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/i6cknyqzrvzzpzjh9n267y4b15zdxc6n-reviewdog-0.20.3",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/i6cknyqzrvzzpzjh9n267y4b15zdxc6n-reviewdog-0.20.3"
+        },
+        "x86_64-linux": {
+          "outputs": [
+            {
+              "name": "out",
+              "path": "/nix/store/15vfbrwqpi0z4d97790vs7cr5ysz6srd-reviewdog-0.20.3",
+              "default": true
+            }
+          ],
+          "store_path": "/nix/store/15vfbrwqpi0z4d97790vs7cr5ysz6srd-reviewdog-0.20.3"
+        }
+      }
+    },
     "rsync@latest": {
       "last_modified": "2025-05-16T20:19:48Z",
       "resolved": "github:NixOS/nixpkgs/12a55407652e04dcf2309436eb06fef0d3713ef3#rsync",

hack/tools/.custom-gcl.yml

@@ -0,0 +1,8 @@
+# Copyright 2025 Nutanix. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+version: v2.2.1
+name: golangci-lint-kube-api-linter
+plugins:
+- module: 'sigs.k8s.io/kube-api-linter'
+  version: v0.0.0-20250710131328-b566fe88b732

make/go.mk

@@ -125,6 +125,7 @@ endif
 endif
 
 GOLANGCI_CONFIG_FILE ?= $(wildcard $(REPO_ROOT)/.golangci.y*ml)
+GOLANGCI_KAL_CONFIG_FILE ?= $(wildcard $(REPO_ROOT)/.golangci-kal.y*ml)
 
 .PHONY:fmt
 fmt: ## Runs golangci-lint fmt for all modules in repository
@@ -155,6 +156,16 @@ lint.%: ## Runs golangci-lint run for a specific module
 lint.%: fmt.% ; $(info $(M) linting $* module)
 	$(if $(filter-out root,$*),cd $* && )golangci-lint run --fix --config=$(GOLANGCI_CONFIG_FILE)
 
+.PHONY: lint-kube-api
+lint-kube-api: ## Runs kube-api-linter via custom golangci-lint configuration
+lint-kube-api: go-generate hack/tools/golangci-lint-kube-api-linter
+lint-kube-api: ; $(info $(M) running kube-api-linter)
+	cd api && $(PWD)/hack/tools/golangci-lint-kube-api-linter run --fix --config=$(PWD)/.golangci-kal.yml
+
+hack/tools/golangci-lint-kube-api-linter: hack/tools/.custom-gcl.yml
+hack/tools/golangci-lint-kube-api-linter: ; $(info $(M) installing golangci-lint-kube-api-linter tool)
+	cd hack/tools && golangci-lint custom
+
 .PHONY: mod-tidy
 mod-tidy: ## Run go mod tidy for all modules
 ifneq ($(wildcard $(REPO_ROOT)/go.mod),)