OSAC-1594: Auto-resolve KUBECONFIG for enclave CLI commands #512

Merged: rporres merged 2 commits into main from set-kubeconfig on Jun 26, 2026

@rporres (Contributor) commented Jun 17, 2026

When KUBECONFIG is not set, enclave reconcile and enclave tools now try ~/.config/enclave/kubeconfig (a symlink created by the deploy playbook) before failing with a clear error message.

The check is implemented via KubeconfigGroup(click.Group), overriding parse_args() so --help and shell-completion are not affected.

The deploy playbook creates the symlink at install time:
~/.config/enclave/kubeconfig -> /ocp-cluster/auth/kubeconfig

Added a migration so that 0.1.0 will also have the symlink

Summary by CodeRabbit

  • New Features

    • Added automatic kubeconfig setup so CLI tools can run without manual environment configuration when a fallback config is available.
    • Included support for creating the needed kubeconfig link during deployment and migration steps.
  • Bug Fixes

    • Improved CLI startup behavior when kubeconfig is missing or unset, with clearer user-facing errors.
    • Updated command behavior to work more reliably in help and validation flows.

@github-actions github-actions Bot added the deployment Deployment-related changes label Jun 17, 2026

coderabbitai Bot commented Jun 17, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 49a44215-a4f9-4ca7-955c-d96023f87e79

📥 Commits

Reviewing files that changed from the base of the PR and between 92e48c2 and 3512613.

📒 Files selected for processing (4)
  • src/enclave/reconcile/cli.py
  • src/enclave/tools/cli.py
  • src/enclave/utils.py
  • src/tests/test_cli.py

Walkthrough

Adds kubeconfig resolution during Click startup, wires the custom group into both CLI entrypoints, creates an enclave kubeconfig symlink through Ansible deployment and migration tasks, and updates tests for fallback and missing-kubeconfig cases.

Changes

Kubeconfig Bootstrap

| Layer / File(s) | Summary |
| --- | --- |
| Kubeconfig resolution helper (src/enclave/utils.py, src/tests/test_utils.py) | Adds KubeconfigNotFoundError, setup_kubeconfig, and KubeconfigGroup.parse_args, plus tests for env, fallback file, empty string, and missing path cases. |
| KubeconfigGroup wired into both CLI entrypoints (src/enclave/reconcile/cli.py, src/enclave/tools/cli.py, src/tests/test_cli.py, src/tests/test_tools_cli.py) | Imports KubeconfigGroup in both CLI modules, switches both root Click groups to cls=KubeconfigGroup, and updates CLI tests to pass explicit kubeconfig environments and cover missing-kubeconfig failures. |
| Ansible playbook kubeconfig symlink tasks (playbooks/tasks/setup_enclave_kubeconfig_symlink.yaml, playbooks/tasks/migrations/setup_enclave_kubeconfig_symlink.yaml, playbooks/tasks/migrations.yaml, playbooks/03-deploy.yaml) | Adds the shared task that creates ~/.config/enclave/kubeconfig, the migration wrapper and migration list entry, and the deployment include that runs the task during Phase 3. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

validation

Suggested reviewers

  • maorfr

Poem

A kubeconfig path, tucked safe and near,
now finds its trail from env or steer.
Click wakes up and checks the way,
while Ansible pins the link in place today.

🚥 Pre-merge checks | ✅ 10 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 27.27% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (10 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately captures the main change: enclave CLI commands now auto-resolve KUBECONFIG. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No-Hardcoded-Secrets | ✅ Passed | Low severity: no hardcoded secrets detected; only kubeconfig paths and test fixtures are added, with no API keys, tokens, passwords, or credentialed URLs. |
| No-Weak-Crypto | ✅ Passed | No weak crypto or secret-comparison code was added; the patch only adds kubeconfig discovery and symlink deployment logic. |
| No-Injection-Vectors | ✅ Passed | No SQL/shell/eval/pickle/yaml-load/os.system/dangerouslySetInnerHTML patterns were added; subprocess uses arg lists and playbooks use file/include_tasks only. |
| Container-Privileges | ✅ Passed | No touched container/K8s manifests set privileged, hostPID/hostNetwork/hostIPC, SYS_ADMIN, or allowPrivilegeEscalation; changes are Ansible includes and CLI code only. |
| No-Sensitive-Data-In-Logs | ✅ Passed | Low risk: the only new log is a debug fallback path; no passwords, tokens, hostnames, or customer data are emitted. |
| Ai-Attribution | ✅ Passed | Low risk: commit 92e48c2 includes Assisted-by: Claude Code; no AI Co-Authored-By trailer found. |


@rporres rporres force-pushed the set-kubeconfig branch 2 times, most recently from 34d1013 to a12bb3e Compare June 17, 2026 11:30

@javipolo (Contributor) left a comment

LGTM

When KUBECONFIG is not set, enclave reconcile and enclave tools now try
~/.config/enclave/kubeconfig (a symlink created by the deploy playbook)
before failing with a clear error message.

The check is implemented via KubeconfigGroup(click.Group), overriding
parse_args() so --help and shell-completion are not affected.

The deploy playbook creates the symlink at install time:
  ~/.config/enclave/kubeconfig -> <workingDir>/ocp-cluster/auth/kubeconfig

Added a migration so that 0.1.0 will also have the symlink

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/enclave/utils.py`:
- Around line 60-68: The parse_args method in the enclave command group is
forcing setup_kubeconfig() even when the user invoked the group with no
subcommand, which breaks Click’s implicit help behavior. Update parse_args in
src/enclave/utils.py so the kubeconfig setup and KubeconfigNotFoundError
handling only run when args is non-empty and no help flag is present, preserving
the default help path for bare enclave commands.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 38cdfcca-15f2-458c-ad3c-86933e8eae8c

📥 Commits

Reviewing files that changed from the base of the PR and between 168a1a4 and 92e48c2.

📒 Files selected for processing (10)
  • playbooks/03-deploy.yaml
  • playbooks/tasks/migrations.yaml
  • playbooks/tasks/migrations/setup_enclave_kubeconfig_symlink.yaml
  • playbooks/tasks/setup_enclave_kubeconfig_symlink.yaml
  • src/enclave/reconcile/cli.py
  • src/enclave/tools/cli.py
  • src/enclave/utils.py
  • src/tests/test_cli.py
  • src/tests/test_tools_cli.py
  • src/tests/test_utils.py

Comment thread src/enclave/utils.py Outdated
When `enclave reconcile` or `enclave reconcile <subcommand>` was called
with no arguments, the kubeconfig validation in KubeconfigGroup fired
before Click had a chance to display the help page, producing a confusing
KUBECONFIG error instead.

Fix by inverting the order in KubeconfigGroup.parse_args: call
super().parse_args() first so Click populates ctx.args with the
subcommand's own arguments, then only validate kubeconfig when ctx.args
is non-empty (meaning a subcommand will actually run). An empty ctx.args
means Click is about to show help, so the check is skipped.

Also add no_args_is_help=True to all subcommands in reconcile and tools
CLIs so a bare subcommand invocation prints its help page rather than a
usage error about missing required options.

Signed-off-by: Rafa Porres Molina <rporresm@redhat.com>
Assisted-by: Claude Code <noreply@anthropic.com>
@rporres rporres merged commit ad38764 into main Jun 26, 2026
22 checks passed
@rporres rporres deleted the set-kubeconfig branch June 26, 2026 08:01
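
The KUBECONFIG fallback this PR describes, sketched as an added example that is not code from the pull request or the project: it resolves the explicit variable first, then the `~/.config/enclave/kubeconfig` link, and vets the link target before trusting it as a credential file. The names `resolve_kubeconfig`, `vet_credential_file` and `KubeconfigError` are hypothetical, and the ownership and permission checks are additions the PR does not describe. It assumes an empty `KUBECONFIG` counts as unset and that the variable holds a single path.

```python
import os
import stat
from pathlib import Path

# Fallback location named in the PR description, relative to the home directory.
FALLBACK = Path(".config") / "enclave" / "kubeconfig"


class KubeconfigError(Exception):
    """No usable kubeconfig (hypothetical name, not the project's exception)."""


def vet_credential_file(path: Path) -> Path:
    """Follow symlinks and refuse targets that should not be trusted as credentials."""
    try:
        real = path.resolve(strict=True)  # dangling link or symlink loop fails here
        st = real.stat()
    except (OSError, RuntimeError) as exc:
        raise KubeconfigError(f"{path}: missing or dangling") from exc
    if not stat.S_ISREG(st.st_mode):
        raise KubeconfigError(f"{real}: not a regular file")
    if st.st_uid != os.getuid():
        raise KubeconfigError(f"{real}: not owned by the invoking user")
    if st.st_mode & 0o077:
        raise KubeconfigError(f"{real}: readable or writable by group/other")
    return real


def resolve_kubeconfig(env: dict, home: Path) -> Path:
    """Return the kubeconfig to use: explicit KUBECONFIG first, then the fallback link."""
    explicit = env.get("KUBECONFIG", "")
    if explicit:  # assumption: an empty string counts as unset
        # Assumption: a single path, not a colon-separated list.
        return vet_credential_file(Path(explicit))
    link = home / FALLBACK
    if not link.is_symlink() and not link.exists():
        raise KubeconfigError(f"KUBECONFIG is not set and {link} does not exist")
    return vet_credential_file(link)


if __name__ == "__main__":
    try:
        print(resolve_kubeconfig(dict(os.environ), Path.home()))
    except KubeconfigError as err:
        raise SystemExit(f"error: {err}")
```

Because the fallback is a symlink, the checks run on the resolved target, so retargeting the link to a file owned by another user or left group/world accessible is rejected instead of being loaded silently.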