fleet/pkg
Scott Gress d5eee802eb
Detect unknown keys in GitOps (phase 1) (#40963)
**Related issue:** Resolves #40496

# Details

This is the first phase of an effort to detect unknown keys in GitOps
.yml files. In the regular `fleetctl gitops` case, it will fail when
unknown keys are detected. This behavior can be changed with a new
`--allow-unknown-keys` flag which will log the issues and continue.

In this first phase we are detecting unknown keys in _most_ GitOps
sections, other than the top-level `org_settings:` and `settings:`
sections which have more complicated typing. I will tackle those
separately as they require a bit more thought. Also ultimately I'd like
us to be doing this validation in a more top-down fashion in one place,
rather than spreading it across the code by doing it in each individual
section, but this is a good first step.

As a bonus, I invited my pal Mr. Levenshtein to the party so that we can
make suggestions when unknown keys are detected, like:

```
 * unknown key "queyr" in "./lib/some-report.yml"; did you mean "query"?
```
> Note: the goal is to return as many validation errors as possible to
the user, so they don't have to keep running `fleetctl gitops` to get
the next error. I did _not_ update any other errors to stop returning
early, in an effort to keep this as low-touch as possible.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] Tested this against existing it-and-security folder and one with
updated keys from https://github.com/fleetdm/fleet/pull/40959; no
unknown keys detected
- [X] Added unknown keys at various levels, GitOps errored with helpful
messages
- [X] Same as above but with `--allow-unknown-keys`; GitOps outputted
helpful messages but continued.

## Summary by CodeRabbit

* **New Features**
  * GitOps runs now fail when unknown or misspelled keys are present in
    configuration files.
  * New CLI flag --allow-unknown-keys lets unknown keys be treated as
    warnings instead of errors.
  * Unknown-key messages include suggested valid key names to help correct
    mistakes.

* **Tests**
  * Expanded test coverage to validate unknown-key detection and the
    allow-as-warning option.

---------

Co-authored-by: Ian Littman <iansltx@gmail.com>
2026-03-06 16:16:17 -06:00
..
automatic_policy Don't pass the default deb auto-install policy if install status is e.g. uninstalled (#32005) 2025-08-18 17:37:06 -05:00
buildpkg Updating golangci-lint to 1.61.0 (#22973) 2024-10-18 12:38:26 -05:00
certificate Add SCEP endpoint for host identity. (#30589) 2025-07-11 11:44:07 -03:00
download Updating golangci-lint to 1.61.0 (#22973) 2024-10-18 12:38:26 -05:00
file Scope package identifier validation to template substitution (#41028) 2026-03-05 13:37:57 -05:00
filepath_windows Allow custom osquery database on fleetd (#16554) 2024-02-05 09:41:06 -03:00
fleetdbase Only allow FLEET_DEV_* env vars when --dev is passed, allow overriding configs one at a time in dev (#38652) 2026-01-27 14:32:56 -06:00
fleethttp Added OTEL instrumentation to Fleet's internal HTTP client. (#40568) 2026-02-26 12:49:52 -06:00
fleethttpsig Updated httpsig-go library to 1.2.0 and removed vendored version. (#32426) 2025-08-28 14:28:30 -05:00
mdm Final slog migration PR: test infrastructure + tools + remaining standalone files (#40727) 2026-02-28 05:52:21 -06:00
nettest fix RunWithNetRetry (#8590) 2022-11-07 16:31:10 +01:00
open Escape ampersands in URL when opening browser in windows (#35146) 2025-11-04 09:20:31 -06:00
optjson NDES SCEP proxy backend (#22542) 2024-10-09 13:47:27 -05:00
race Fix flaky timing test (#23333) 2024-10-29 14:13:17 -03:00
rawjson Updating golangci-lint to 1.61.0 (#22973) 2024-10-18 12:38:26 -05:00
retry End-user authentication for Window/Linux setup experience: agent (#34847) 2025-11-03 16:41:57 -06:00
scripts Fix windows installer stuck in pending state forever (#22592) 2024-10-02 16:18:37 -04:00
secure Fix orbit crash loop on incorrect file permissions (#40887) 2026-03-06 17:41:31 -03:00
spec Detect unknown keys in GitOps (phase 1) (#40963) 2026-03-06 16:16:17 -06:00
str Add ability to enable/disable logs by topic (#40126) 2026-02-20 17:22:50 -06:00
testutils Activity bounded context: /api/latest/fleet/activities (1 of 2) (#38115) 2026-01-19 09:07:14 -05:00
README.md Add CentOS parsing+post-processing to reduce false positives in vulnerability processing (#4037) 2022-02-14 15:13:44 -03:00

pkg directory

This top-level pkg directory contains packages that may be shared between all fleet backend components.