Fleet CLI dump command filter for resources

[p-se]

Refers to #4419

This PR adds the following CLI arguments to the Fleet CLI dump command:

• --all-namespaces (short: -A)
• --bundle string
• --helmop string
• --gitrepo string

--bundle string, --helmop string, --gitrepo string are mutually exclusive.

Breaking Change

--namespace has not been added, as it was defined before. But it was unused, and now it is being used. Since the default for --namespace is fleet-local, that is the namespace that a fleet dump without --namespace argument will dump, namely resources from the fleet-local namespace only. This is a breaking change and it has been introduced because it is consistent with how other commands for the fleetcli work and also how kubectl works and because the user needs to specify a namespace to point to a specific GitRepo, Bundle or HelmOp resource. Dumping all namespaces explicitly requires the --all-namespaces (or -A) argument.

Restrictions

Bundlenamespacemappings are included in the archive but not resolved. This means that clusters they point to are not (yet) in the archive when filtering for specific a specific namespace or resource.

Additional Information

When filtering is enabled at any level, secrets and events from system namespaces are always included.

Checklist

• I have updated the documentation via a pull request in the
  fleet-docs repository.

[Copilot]

Pull request overview

This pull request adds filtering capabilities to the Fleet CLI dump command, allowing users to filter resources by namespace, GitRepo, Bundle, or HelmOp. The PR introduces new CLI flags (--all-namespaces, --bundle, --helmop, --gitrepo) and implements intelligent resource filtering based on the Fleet resource relationship model.

Changes:

• Added namespace-based filtering with --namespace (now functional) and --all-namespaces (-A) flags, making --namespace default to fleet-local when not specified - this is a breaking change
• Added resource-specific filtering options: --gitrepo, --bundle, and --helmop flags (mutually exclusive)
• Implemented label-based filtering for BundleDeployments, Contents, and Secrets to include only resources related to filtered GitRepos/Bundles/HelmOps
• Fixed HelmOp template structure to use repo instead of chart field

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
internal/cmd/cli/dump/dump.go	Core implementation of filtering logic including namespace filtering, resource collection functions, and label selector construction
internal/cmd/cli/dump/dump_test.go	Unit tests for new filtering functions including GitRepo, Bundle, and HelmOp filtering
internal/cmd/cli/dump.go	CLI interface changes adding new flags and validation logic for mutually exclusive options
e2e/single-cluster/cli_dump_test.go	E2E tests verifying namespace, GitRepo, Bundle, and HelmOp filtering behavior
e2e/assets/helmop-template.yaml	Fixed HelmOp template to use correct repo field structure

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 10 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

helmop-template.yaml sets spec.helm.repo to the OCI URL and forces spec.helm.chart to an empty string. In the Fleet API, HelmOptions.Chart is the field intended for go-getter/OCI chart URLs, while HelmOptions.Repo is for HTTPS helm repos (used together with a chart name). This template likely produces invalid HelmOps and may break e2e HelmOp creation. Set spec.helm.chart to {{.Chart}} (and omit/empty repo) for OCI usage.

Suggested change

	repo: {{.Chart}}
	chart: ""
	repo: ""
	chart: {{.Chart}}

[p-se]

Not true, the documentation clearly states, that for OCI URLs the repo field is the one to be used. However, using a Chart variable in the repo field is clearly confusing.

[Copilot]

extractResourcesFromArchive() creates a gzip reader but never closes it. Add a defer gzr.Close() after gzip.NewReader to avoid leaking resources during the e2e run (especially when many tests parse dumps).

[Copilot]

CreateWithClients creates the output file with os.Create but never closes it. Even though tar/gzip writers are closed, the underlying file descriptor can remain open (and buffered data may not be fully flushed on some platforms). Add a deferred close for the file (and consider deferring tar/gzip closes too, so early returns don’t leak resources).

[Copilot]

When filtering by GitRepo/HelmOp, an empty bundleNames result currently falls through as “no bundle-name restriction”. That causes downstream logic to become overly broad: addBundleDeployments() will match all bundledeployments in the namespace, and WithContent/WithSecrets can end up dumping all Contents (contentIDs stays nil) / all Secrets (secretNames stays nil). Treat “no bundles found” as an empty result set for dependent resources (or return an error if the GitRepo/HelmOp doesn’t exist), and ensure you pass empty (non-nil) slices and/or short-circuit adding BDs/Contents/Secrets in this case.

[Copilot]

The current validation allows --all-namespaces with an explicitly provided --namespace=fleet-local (and also allows --all-namespaces together with --gitrepo/--bundle/--helmop). In that case the code passes Namespace="" to dump.Options, so the resource filter is effectively ignored and the dump becomes unfiltered. Consider making --all-namespaces mutually exclusive with any explicit --namespace and with --gitrepo/--bundle/--helmop to avoid surprising behavior.

[Copilot]

Test_collectBundleNamesByGitRepo asserts the exact order of returned bundle names. Kubernetes List ordering isn’t guaranteed, and the implementation doesn’t promise sorting; this can make the test brittle if the client implementation changes. Consider sorting both slices before comparison or asserting as a set (e.g., ElementsMatch).

Suggested change

	for i, name := range names {
	if name != tt.expectedNames[i] {
	t.Errorf("expected bundle name %q at index %d, got %q", tt.expectedNames[i], i, name)
	// Compare bundle names ignoring order, since Kubernetes List ordering is not guaranteed.
	sortedNames := append([]string(nil), names...)
	sortedExpected := append([]string(nil), tt.expectedNames...)
	slices.Sort(sortedNames)
	slices.Sort(sortedExpected)
	for i, name := range sortedNames {
	if name != sortedExpected[i] {
	t.Errorf("expected bundle name %q at index %d, got %q", sortedExpected[i], i, name)

[p-se]

I don't think the fake client would do that but I implemented it anyway.

[Copilot]

addBundleDeployments(): when namespace filtering is on and bundleNames is empty, buildBundleNameSelector() produces a selector that matches all bundledeployments in the namespace (bundle-namespace only). That’s correct for pure namespace filtering, but it breaks GitRepo/HelmOp filtering when bundleNames is empty (or unexpectedly empty). Consider guarding: if (opt.GitRepo/opt.HelmOp/opt.Bundle is set) and len(bundleNames)==0, return nil (or error) instead of selecting everything.

[Copilot]

createDialer(): matchingLabels includes shardKey even when shardKey is empty, which can produce an invalid label selector and make the pod List call fail for non-sharded services. Build matchingLabels conditionally (always include "app", and only include the shard label if shardKey != "").

[Copilot]

addObjectsWithNameFilter() lists all objects in the (possibly large) namespace and then filters client-side by name. For the common case where names is small (e.g. a single GitRepo/HelmOp), it would be much more efficient to fetch each object by name with Get (and write it if found), avoiding a full List and pagination.

[Copilot]

The PR description says that when filtering is enabled, resources from system namespaces are always included. However, addObjectsToArchive() applies Namespace(opt.Namespace) to most resources when opt.Namespace is set, which excludes system-namespace instances for those resource types (events/secrets are handled separately via getNamespaces). Either extend the dump logic to also include system namespaces for these resources, or update the behavior/documentation to match.

[p-se]

Clarified that only secrets and events from system namespaces are included (as they are in the unfiltered dump)

[0xavi0]

Question: Is this function is ignoring the --gitrepo filter?
Asking because it lists all the existing GitRepos in the given namespace, isn't it?

[p-se]

Nice find!

[0xavi0]

I think list, err := d.Resource(gitRepoRID).Namespace(namespace).List(ctx, lo) returns a *unstructured.UnstructuredList so items in the list would be already Unstructured.
I think you can just call directly untime.DefaultUnstructuredConverter.FromUnstructured and skip the
un, err := runtime.DefaultUnstructuredConverter.ToUnstructured(&item) call

[p-se]

Nice, unstructured.Unstructed has an Object field that returns map[string]interface{} which I can use in ToUnstructured!

[0xavi0]

nit (maybe too pedantic so feel free to ignore): filterConfig seems to mix filter parameters (bundleNames, namespace) with contents collected (contentIDs and secretNames).
Wouldn't it be better to split? Or maybe change the name of the struct.

[p-se]

It was not too pedantic. While bundleNames is collected, namespace was not required to be in filterConfig. Thanks!