Feat/4982 unwanted dependency checks

[antoooks]

Addresses #4982

• Add unwanted dependencies checking referring to kubernetes/kubernetes unwanted-dependencies.json file
• Add unwanted-dependencies-check Github workflow

[k8s-ci-robot]

This PR has multiple commits, and the default merge method is: merge.
You can request commits to be squashed using the label: tide/merge-method-squash

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @antoooks. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[charles-chenzz]

/ok-to-test

[charles-chenzz]

can this yaml run on prow job? as we have an issue which want to migrate some actions workflows to prow
#5486

[antoooks]

There's a requirement to make the job optional, is it possible in prow to always run it but not cancelling the other pipeline?

[charles-chenzz]

I'm not quite sure, but prow can run multiple jobs and choose to make some jobs optional. we might need to investigate prow( but prow is quite a huge project)

[antoooks]

I have confirmed with @natasha41575, it is decided that for this PR we'll still stick to GH action, and if your PR for prow is already merged we can migrate it to prow

[charles-chenzz]

my PR for prow is still in pending review, we should merge this first

[varshaprasad96]

The changes look good to me. Looks like this test is failing in the CI for this PR. Can it be fixed?

[antoooks]

The changes look good to me. Looks like this test is failing in the CI for this PR. Can it be fixed?

Hi @varshaprasad96, It is expected to be failed on purpose and will be treated as an optional test, so it won't affect approval. (please refer to the referenced issue page)

I think since it checks on different parts of kustomize, we should have a separate PR with respective domain owners doing the fix.

[varshaprasad96]

Hi @varshaprasad96, It is expected to be failed on purpose and will be treated as an optional test, so it won't affect approval. (please refer to the referenced issue page)

Got it! Thanks!

[varshaprasad96]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: antoooks, varshaprasad96

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [varshaprasad96]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[koba1t]

Hi!
I think Kubernetes only imports below three packages. So we need to check only the below packages.
https://github.com/kubernetes/kubernetes/blob/f07b47c3d1e596f53640285afb0d53a81fe6f259/go.mod#L232-L234

[antoooks]

Hi! I think Kubernetes only imports below three packages. So we need to check only the below packages. https://github.com/kubernetes/kubernetes/blob/f07b47c3d1e596f53640285afb0d53a81fe6f259/go.mod#L232-L234

Noted, thanks for pointing it out

[antoooks]

@koba1t feedback added

[charles-chenzz]

/lgtm
/assign @koba1t

[antoooks]

FYI, the check meant to be fail because we do have unwanted dependencies :)

[koba1t]

Hi @antoooks
Sorry for the delayed response. It's many times to take investigate.
I think there is something wrong with this check step.

For Example

in github.com/spf13/viper module.

in CI result

Looks like this dependency were found in the result.

...
Error: unwanted dependencies found. (github.com/spf13/viper at /home/runner/work/kustomize/kustomize/kyaml/go.sum)
Error: unwanted dependencies found. (github.com/spf13/viper at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/spf13/viper at /home/runner/work/kustomize/kustomize/api/go.sum)
...

run go mod graph

github.com/spf13/viper was required only on the sigs.k8s.io/kustomize/cmd/gorepomod module. But this module appears in the go mod graph result.

$ pwd
${HOME}/kustomize/kustomize
$ go mod graph | grep viper           
sigs.k8s.io/kustomize/cmd/gorepomod github.com/spf13/[email protected]
github.com/spf13/[email protected] github.com/fsnotify/[email protected]
github.com/spf13/[email protected] github.com/hashicorp/[email protected]
github.com/spf13/[email protected] github.com/magiconair/[email protected]
...

I run after disabling to gowork.

$ GOWORK=off go mod graph | grep viper
$ 

Maybe this result was mixed in the go.work results.

Could you investigate this more?
If you need my help, please feel free to send a mention to me!

[antoooks]

GOWORK=off go mod graph | grep viper

Hi @koba1t, thank you for checking and finding this, I have found a logic error on line 83, which supposed to detect if unwanted deps are exist inside go.sum. But instead I write it as -z $(cat $file | fgrep $dep) which means if it does not exist.

Same error also happened on line 92 with go mod graph.

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[koba1t]

Thanks for your great work, @antoooks!

But I'm still concerned that the unwanted-dependencies-check is still down...
Maybe you need to look at "status.unwantedReferences" in the hack/unwanted-dependencies.json` file.
https://github.com/kubernetes/kubernetes/blob/aa73f3163a52e9a99df01b86f60eeed31abd54d9/cmd/dependencyverifier/dependencyverifier.go#L46-L48

Because I think this entry for the exception to the unwanted dependencies list.
https://github.com/kubernetes/kubernetes/pull/116598/files#diff-09f70f26cff6c34dc0063a45ca43cf5025d653058b06f7966fc8e6f3b9cecd3eR102

[antoooks]

Thanks for your great work, @antoooks!

But I'm still concerned that the unwanted-dependencies-check is still down... Maybe you need to look at "status.unwantedReferences" in the hack/unwanted-dependencies.json` file. https://github.com/kubernetes/kubernetes/blob/aa73f3163a52e9a99df01b86f60eeed31abd54d9/cmd/dependencyverifier/dependencyverifier.go#L46-L48

Because I think this entry for the exception to the unwanted dependencies list. https://github.com/kubernetes/kubernetes/pull/116598/files#diff-09f70f26cff6c34dc0063a45ca43cf5025d653058b06f7966fc8e6f3b9cecd3eR102

Hey @koba1t, thanks for the feedback. Do you mean we need to whitelist dependencies in the PR commit you are referring on your comment?

[koba1t]

Maybe kind/dependencies is the better label for that issue.

[koba1t]

I think that the JSON file may be old.
So, I think maybe better to use the latest file.

[koba1t]

Hey @koba1t, thanks for the feedback. Do you mean we need to whitelist dependencies in the PR commit you are referring on your comment?

I think that is better because we have a few unwanted dependencies that we can't delete.
For example,
github.com/pkg/error was required evanphx/json-patch package, and we can't delete this dependency.
https://github.com/evanphx/json-patch/blob/master/v5/go.mod#L7

[antoooks]

hi @koba1t , I have integrated all the changes we discussed. However it seems that the unwanted deps list on k/k has changed. Could you check for deps I need to put into whitelist?

[koba1t]

 2024-03-27 15:06:09 (33.8 MB/s) - ‘/home/runner/work/kustomize/kustomize/hack/unwanted-dependencies.json’ saved [11055/11055]

Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/api/go.sum)
Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kyaml/go.sum)
Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/api/go.sum)

The above dependencies are listed on the whitelist.
https://github.com/kubernetes/;kubernetes/blob/d831b13e6f6fb5efb566100286190fedca6dd340/hack/unwanted-dependencies.json#L162-L183

Maybe that is better to find the whitelist from the unwanted-dependencies.json files on k/k.

[antoooks]

 2024-03-27 15:06:09 (33.8 MB/s) - ‘/home/runner/work/kustomize/kustomize/hack/unwanted-dependencies.json’ saved [11055/11055]

Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/api/go.sum)
Error: unwanted dependencies found. (github.com/mailru/easyjson at /home/runner/work/kustomize/kustomize/kyaml/go.sum)
Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/kustomize/go.sum)
Error: unwanted dependencies found. (github.com/pkg/errors at /home/runner/work/kustomize/kustomize/api/go.sum)

The above dependencies are listed on the whitelist. https://github.com/kubernetes/;kubernetes/blob/d831b13e6f6fb5efb566100286190fedca6dd340/hack/unwanted-dependencies.json#L162-L183

Maybe that is better to find the whitelist from the unwanted-dependencies.json files on k/k.

Thanks for the note @koba1t , fixed on the subsequent commit

[antoooks]

/close due to deprioritisation