feat(commands): improve rotate-ca with validation and better help

[kvaps]

Summary

• Add validation to rotate-ca command requiring exactly one control-plane node
• Improve help text with detailed explanation of how the command works
• Add usage examples for common scenarios
• Fix all golangci-lint issues across the codebase

Changes

rotate-ca improvements

The rotate-ca command coordinates CA rotation across the entire cluster from a single control-plane node. Previously, passing multiple nodes via -f flags would result in a confusing gRPC error. Now it provides a clear error message explaining the requirement.

Linter fixes

• Remove unused code (functions, variables, constants)
• Remove entirely unused track.go file
• Replace deprecated io/ioutil with os package
• Fix unchecked error returns
• Fix ineffectual assignments
• Remove empty branches

Test plan

• golangci-lint run ./... passes with 0 issues
• go test ./... passes
• talm rotate-ca --help shows improved help
• talm rotate-ca -e 1.1.1.1 -e 2.2.2.2 shows clear error

Summary by CodeRabbit

• New Features

  • Added validation for rotate-ca command to ensure only one control-plane node is specified.

• Refactor

  • Simplified internal error handling and control flow across multiple components.
  • Removed unused code and redundant internal helpers.
  • Improved code maintainability through streamlined logic paths.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request performs code cleanup and refactoring across multiple files. Changes include replacing deprecated ioutil functions with os equivalents, removing unused helper functions and declarations, simplifying error handling logic, and adding validation for the rotate-ca command. The modifications span error handling consistency, dead code removal, and command wrapping enhancements.

Changes

Cohort / File(s)	Summary
Standard library migration main.go	Replaced ioutil.ReadFile with os.ReadFile and removed ioutil import.
Dead code removal pkg/commands/apply.go, pkg/commands/track.go, pkg/commands/root.go	Removed unused readFirstLine helper function; deleted entire track.go file containing trackable action flags; removed unused global flag and constant.
Simplified logic pkg/age/age.go	Removed intermediate comparison branches in mergeAndEncryptYAMLValues, keeping idempotent behavior intact.
Error handling refactoring pkg/commands/init.go	Refactored error handling around talosconfig encryption and file writes; replaced implicit error propagation with explicit checks and early returns; adjusted file existence flag mutations.
Command wrapping enhancement pkg/commands/rotate_ca_handler.go, pkg/commands/talosctl_wrapper.go	Added new wrapRotateCACommand helper to validate single control-plane node constraint; integrated rotate-ca wrapping into talosctl wrapper pipeline.
Error suppression in I/O operations pkg/engine/engine.go, pkg/modeline/modeline.go, pkg/yamltools/yamltools.go	Changed encoder/file Close() calls to explicitly ignore return errors via blank identifier assignment.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Poem

🐰 Old io helpers hopped away,

New guards for rotate-ca stay,

Dead branches trimmed with care,

Errors close without a stare,

Refactored clean—hip-hip-hooray! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding validation and improved help text for the rotate-ca command, which is the primary functional enhancement visible across the changeset.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the rotate-ca command by introducing crucial validation and comprehensive documentation, making it more user-friendly and robust. Concurrently, it performs a thorough cleanup of the entire codebase by resolving all golangci-lint issues, removing dead code, updating deprecated APIs, and improving error handling. These changes collectively contribute to a more stable, maintainable, and reliable application.

Highlights

• Enhanced rotate-ca Command: Implemented strict validation for the rotate-ca command, ensuring it requires exactly one control-plane node to prevent incorrect usage and provide clear error messages. The command's help text has been significantly improved with detailed explanations and practical usage examples.
• Comprehensive Codebase Cleanup: Addressed and resolved all golangci-lint issues across the entire codebase, leading to improved code quality, readability, and maintainability.
• Removal of Unused Code: Eliminated unused functions, variables, and constants, including the complete removal of the track.go file, which contained obsolete tracking logic.
• API Modernization and Error Handling: Replaced deprecated io/ioutil package usage with the modern os package. Fixed numerous instances of unchecked error returns and ineffectual assignments, enhancing the robustness and reliability of the application.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces valuable improvements to the rotate-ca command by adding input validation and more descriptive help text. Additionally, it addresses numerous golangci-lint issues throughout the codebase, enhancing overall code quality by removing unused code, fixing unchecked errors, and replacing deprecated packages. While the changes are largely positive, I've identified a flaw in the new validation logic for the rotate-ca command that could allow multiple nodes to be specified, contrary to the command's requirements. A suggestion to correct this has been provided.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@pkg/commands/init.go`:
- Around line 327-329: The call to handleTalosconfigEncryption(false) currently
discards all errors; instead capture its returned error and only ignore the
specific "no key / skip decryption" case, while propagating any other errors so
corruption/invalid-key conditions are not hidden. Concretely, call err :=
handleTalosconfigEncryption(false), then if err != nil check for the
sentinel/no-key condition (e.g., errors.Is(err, ErrNoKey) or a typed error your
function returns) and continue only in that case; otherwise return or surface
the error. After handling the error, update talosconfigFileExists =
fileExists(talosconfigFile) as before. Use the existing function names
handleTalosconfigEncryption, talosconfigFileExists and talosconfigFile to locate
the change.

In `@pkg/commands/talosctl_wrapper.go`:
- Around line 97-99: Check whether the "force" flag exists via
cmd.Flags().Lookup("force") before calling cmd.Flags().Set("force","true"), and
do not ignore errors from Set(); if Lookup returns nil skip setting, otherwise
call Set and handle its error (e.g., return it or log it) so
type-mismatch/invalid-value failures are surfaced; update the code around
cmd.Flags().Set, using cmd.Flags().Lookup and proper error handling for Set()
instead of assigning its result to _.

🧹 Nitpick comments (1)

pkg/commands/rotate_ca_handler.go (1)

73-80: Consider validating that at least one node/endpoint is provided.

The validation correctly prevents multiple nodes/endpoints, but doesn't verify that at least one is specified. If a user runs talm rotate-ca without -e or -n, the validation passes, potentially leading to a less helpful error downstream.

Additionally, consider whether having both len(Endpoints)==1 AND len(Nodes)==1 simultaneously should be validated, as this could represent conflicting or redundant configuration.

💡 Optional enhancement for stricter validation

 		// Validate that only one endpoint/node is provided
 		if len(GlobalArgs.Endpoints) > 1 {
 			return fmt.Errorf("rotate-ca requires exactly one control-plane node, but %d endpoints were provided\n\nThe rotate-ca command coordinates CA rotation across the entire cluster from a single\ncontrol-plane node. Please specify only one endpoint using -e flag or a single config file", len(GlobalArgs.Endpoints))
 		}

 		if len(GlobalArgs.Nodes) > 1 {
 			return fmt.Errorf("rotate-ca requires exactly one control-plane node, but %d nodes were provided\n\nThe rotate-ca command coordinates CA rotation across the entire cluster from a single\ncontrol-plane node. Please specify only one node using -n flag or a single config file", len(GlobalArgs.Nodes))
 		}

+		// Ensure at least one target is specified
+		if len(GlobalArgs.Endpoints) == 0 && len(GlobalArgs.Nodes) == 0 {
+			return fmt.Errorf("rotate-ca requires exactly one control-plane node\n\nPlease specify a control-plane node using -e, -n flag, or a config file (-f)")
+		}
+
 		return nil

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Propagate decryption errors instead of ignoring them.

handleTalosconfigEncryption(false) already returns nil when the key is missing and decryption should be skipped. Ignoring all errors can hide corruption/invalid key issues and leave talosconfig.encrypted stale while a new plaintext is generated.

🛠️ Proposed fix

-			// If decryption fails (e.g., no key), continue to generate
-			_, _ = handleTalosconfigEncryption(false)
+			// If decryption fails for any reason other than missing key, return the error
+			if _, err := handleTalosconfigEncryption(false); err != nil {
+				return err
+			}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// If decryption fails (e.g., no key), continue to generate
	_, _ = handleTalosconfigEncryption(false)
	talosconfigFileExists = fileExists(talosconfigFile)
	// If decryption fails for any reason other than missing key, return the error
	if _, err := handleTalosconfigEncryption(false); err != nil {
	return err
	}
	talosconfigFileExists = fileExists(talosconfigFile)

🤖 Prompt for AI Agents

In `@pkg/commands/init.go` around lines 327 - 329, The call to
handleTalosconfigEncryption(false) currently discards all errors; instead
capture its returned error and only ignore the specific "no key / skip
decryption" case, while propagating any other errors so corruption/invalid-key
conditions are not hidden. Concretely, call err :=
handleTalosconfigEncryption(false), then if err != nil check for the
sentinel/no-key condition (e.g., errors.Is(err, ErrNoKey) or a typed error your
function returns) and continue only in that case; otherwise return or surface
the error. After handling the error, update talosconfigFileExists =
fileExists(talosconfigFile) as before. Use the existing function names
handleTalosconfigEncryption, talosconfigFileExists and talosconfigFile to locate
the change.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

cat -n pkg/commands/talosctl_wrapper.go | sed -n '85,110p'

Repository: cozystack/talm

Length of output: 1268

---

🏁 Script executed:

# Let's see more context to understand what this code does
cat -n pkg/commands/talosctl_wrapper.go | sed -n '1,50p'

Repository: cozystack/talm

Length of output: 2054

---

🌐 Web query:

spf13/cobra pflag FlagSet.Set() error handling missing flags

💡 Result:

(*pflag.FlagSet).Set(name, value) does return an error when the flag doesn’t exist in that FlagSet; the concrete type is *pflag.NotExistError (“error returned when trying to access a flag that does not exist in the FlagSet”).[1][2]

Practical handling pattern

fs := cmd.Flags() // in Cobra: local + persistent from parents
if fs.Lookup("my-flag") == nil {
    // flag not registered on this command (or its parents)
    return nil // or return a custom error
}

if err := fs.Set("my-flag", "123"); err != nil {
    var ne *pflag.NotExistError
    if errors.As(err, &ne) {
        // handle missing flag explicitly
        return nil
    }
    return err // invalid value, etc.
}

Cobra-specific “missing flag” gotcha

If you call Set() on the wrong flag set, you’ll get “flag accessed but not defined” even though you defined it elsewhere (e.g., as a persistent flag on a parent). In Cobra, cmd.Flags() is the combined set (“local and persistent declared here and by all parents”), so it’s usually the right one to use when setting/reading flags during execution.[3]

Sources:
[1] https://pkg.go.dev/github.com/spf13/pflag#NotExistError
[2] https://pkg.go.dev/github.com/spf13/pflag#FlagSet.Set
[3] https://pkg.go.dev/github.com/spf13/cobra#Command.Flags

---

🏁 Script executed:

rg -A 5 -B 5 "force" pkg/commands/talosctl_wrapper.go | head -40

Repository: cozystack/talm

Length of output: 798

---

🏁 Script executed:

# Find the kubeconfig command definition in talosctl
fd -type f -name "*.go" | xargs rg -l "kubeconfig" | head -5

Repository: cozystack/talm

Length of output: 362

---

🏁 Script executed:

# Search for where force flag is defined
rg "AddBoolFlag.*force" --type go

Repository: cozystack/talm

Length of output: 40

---

🏁 Script executed:

# Check the original talosctl kubeconfig command to see if it has force flag
rg -B 3 -A 3 "kubeconfig.*Command" pkg/commands/talosctl_wrapper.go

Repository: cozystack/talm

Length of output: 40

---

🏁 Script executed:

rg "force.*Bool" . --max-count 20

Repository: cozystack/talm

Length of output: 40

---

🏁 Script executed:

# Look for force flag in kubeconfig_handler.go
cat pkg/commands/kubeconfig_handler.go | head -100

Repository: cozystack/talm

Length of output: 3346

---

🏁 Script executed:

# Search for force flag registration in talos package imports
rg -B 5 -A 5 "cmd\.Flags\(\)\.BoolVar.*force" .

Repository: cozystack/talm

Length of output: 40

---

🏁 Script executed:

# Search for all places where force flag is referenced
rg "\"force\"" pkg/commands/ -B 2 -A 2

Repository: cozystack/talm

Length of output: 2248

---

🏁 Script executed:

# Search for where the kubeconfig command is created/wrapped
rg -B 10 -A 10 "wrapTalosCommand.*kubeconfig" pkg/commands/

Repository: cozystack/talm

Length of output: 40

---

🏁 Script executed:

# Check the talosctl import to understand the command structure
rg "taloscommands" pkg/commands/talosctl_wrapper.go -A 5 -B 5

Repository: cozystack/talm

Length of output: 1038

---

🏁 Script executed:

# Check if force flag is typically a persistent flag in talosctl
rg -A 20 "func wrapTalosCommand" pkg/commands/talosctl_wrapper.go | head -50

Repository: cozystack/talm

Length of output: 845

---

🏁 Script executed:

# Check if kubeconfig command is called with force flag anywhere
rg "kubeconfig.*--force" .

Repository: cozystack/talm

Length of output: 181

---

🏁 Script executed:

# Look for how the original talosctl kubeconfig is defined
rg -B 5 -A 15 "kubeconfig.*Command" pkg/commands/root.go

Repository: cozystack/talm

Length of output: 40

---

🏁 Script executed:

# Check the Apply command which does have force flag to see the pattern
cat -n pkg/commands/apply.go | sed -n '1,100p'

Repository: cozystack/talm

Length of output: 3712

---

🏁 Script executed:

# Search for kubeconfig command in talosctl package reference
git ls-files | xargs grep -l "kubeconfig" | head -5

Repository: cozystack/talm

Length of output: 254

---

🏁 Script executed:

# Check the initialization of talosctl commands and if force flag is added
cat -n pkg/commands/talosctl_wrapper.go | sed -n '160,180p'

Repository: cozystack/talm

Length of output: 695

---

🏁 Script executed:

# Look for any flag additions or modifications to kubeconfig specifically
rg -B 10 -A 10 "wrapKubeconfigCommand" pkg/commands/

Repository: cozystack/talm

Length of output: 2799

---

🏁 Script executed:

# Look at the full context of how kubeconfig is being wrapped, including the PreRunE logic
cat -n pkg/commands/talosctl_wrapper.go | sed -n '87,135p'

Repository: cozystack/talm

Length of output: 2055

---

🏁 Script executed:

# Search for where force flag might be added to kubeconfig
rg -A 30 "func wrapKubeconfigCommand" pkg/commands/kubeconfig_handler.go

Repository: cozystack/talm

Length of output: 1188

---

Check flag existence before calling Set() and handle errors.

Silently ignoring Set() errors masks failures: the flag might not exist, or Set() could fail for invalid values or type mismatches. Use the idiomatic pflag pattern—check with Lookup() first, then handle errors from Set().

🛠️ Proposed fix

-			// Flag might not exist, ignore error
-			_ = cmd.Flags().Set("force", "true")
+			if cmd.Flags().Lookup("force") != nil {
+				if err := cmd.Flags().Set("force", "true"); err != nil {
+					return err
+				}
+			}

🤖 Prompt for AI Agents

In `@pkg/commands/talosctl_wrapper.go` around lines 97 - 99, Check whether the
"force" flag exists via cmd.Flags().Lookup("force") before calling
cmd.Flags().Set("force","true"), and do not ignore errors from Set(); if Lookup
returns nil skip setting, otherwise call Set and handle its error (e.g., return
it or log it) so type-mismatch/invalid-value failures are surfaced; update the
code around cmd.Flags().Set, using cmd.Flags().Lookup and proper error handling
for Set() instead of assigning its result to _.