
Introduce Initdata subcommand#41

Merged
bpradipt merged 10 commits into
confidential-devhub:mainfrom
bpradipt:initdata
Apr 30, 2026

Conversation

@bpradipt
Contributor

No description provided.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

Copilot AI left a comment


Pull request overview

This PR introduces a new initdata command group to generate, dump, and validate initdata artifacts for Confidential Containers, while extending the pkg/initdata library with raw generation and decoding support.

Changes:

  • Add kubectl coco initdata {create,dump,validate} subcommands (plus shared helpers and fixtures).
  • Extend pkg/initdata with GenerateRaw (raw TOML) and Decode (base64+gzip → data map), and refactor Generate to reuse GenerateRaw.
  • Remove the legacy dump-initdata command and its tests; update root command wiring and local-only planning artifact guidance.

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
pkg/initdata/initdata.go Refactors generation to add GenerateRaw, adds Decode, adjusts policy loading logic.
pkg/initdata/initdata_test.go Adds unit tests for GenerateRaw, Generate, and Decode round-trips/error cases.
cmd/root.go Registers the new initdata command group.
cmd/initdata/initdata.go Adds initdata root command and wires create, dump, validate subcommands.
cmd/initdata/create.go Implements initdata create (config loading, optional CA bundle embed, writes raw TOML).
cmd/initdata/dump.go Implements initdata dump (reads saved TOML, outputs raw or base64+gzip).
cmd/initdata/validate.go Implements initdata validate (structure/version/algorithm/key presence + embedded cert checks).
cmd/initdata/common.go Shared helpers: config loading, blob decompress, cert parsing/validation, cert extraction.
cmd/initdata/common_test.go Test coverage for shared helpers (cert parsing/dir loading, blob decode, extraction).
cmd/initdata/create_test.go Test coverage for create behavior including cert validation and output mode.
cmd/initdata/dump_test.go Test coverage for dump raw/encoded output and missing file handling.
cmd/initdata/validate_test.go Test coverage for validate from file/stdin and invalid cases (version/algorithm/missing keys/certs).
cmd/initdata/testdata/*.toml Validation fixtures for valid/invalid initdata TOML inputs.
cmd/dump_initdata.go Removes the legacy dump-initdata command implementation.
cmd/dump_initdata_test.go Removes tests for the legacy dump-initdata command.
.gitignore Ignores local-only docs/ planning artifacts.
CLAUDE.md Documents that docs/ is for local-only AI planning artifacts and should not be committed.

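The overview above describes a Decode step that turns the base64+gzip annotation form back into the raw TOML. The following is an added example written for this page, not the project's pkg/initdata code: it shows both directions of that transform and adds the check a validator reading an untrusted blob should have, a cap on the decompressed size so a small blob cannot expand into a memory-exhausting payload. The sample TOML document, the top-level field names and the accepted algorithm list are assumptions for the demo; the header scanner is a simplified line scan, not a TOML parser.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxDecoded caps the decompressed size; a hostile blob can otherwise expand
// far beyond its encoded length. 1 MiB is an assumed limit for the example.
const maxDecoded = 1 << 20

// sampleTOML is a constructed initdata document, not one from the project.
const sampleTOML = `version = "0.1.0"
algorithm = "sha256"

[data]
"aa.toml" = '''
[token_configs]
'''
`

// encodeBlob gzips raw TOML and base64-encodes the result (the annotation form).
func encodeBlob(raw []byte) (string, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(raw); err != nil {
		return "", err
	}
	if err := zw.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// decodeBlob reverses encodeBlob, refusing output larger than maxDecoded.
func decodeBlob(blob string) ([]byte, error) {
	compressed, err := base64.StdEncoding.DecodeString(strings.TrimSpace(blob))
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, fmt.Errorf("gzip: %w", err)
	}
	defer zr.Close()
	// Read one byte past the cap so an oversize stream is detected, not truncated.
	raw, err := io.ReadAll(io.LimitReader(zr, maxDecoded+1))
	if err != nil {
		return nil, fmt.Errorf("gunzip: %w", err)
	}
	if len(raw) > maxDecoded {
		return nil, errors.New("decoded initdata exceeds size limit")
	}
	return raw, nil
}

// topLevelKeys collects `key = "value"` lines that appear before the first
// table header. Simplified scanner for the example, not a TOML parser.
func topLevelKeys(raw []byte) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(string(raw), "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			break
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		out[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return out
}

// checkHeader enforces the presence of a version and an accepted digest
// algorithm; the allowed set is an assumption for the example.
func checkHeader(raw []byte) error {
	keys := topLevelKeys(raw)
	if keys["version"] == "" {
		return errors.New("initdata: missing version")
	}
	switch keys["algorithm"] {
	case "sha256", "sha384", "sha512":
		return nil
	default:
		return fmt.Errorf("initdata: unsupported algorithm %q", keys["algorithm"])
	}
}

func main() {
	blob, _ := encodeBlob([]byte(sampleTOML))
	raw, err := decodeBlob(blob)
	fmt.Printf("encoded %d bytes, decoded %d bytes, err=%v\n", len(blob), len(raw), err)
	fmt.Println("header check:", checkHeader(raw))
}
```

The size cap matters because the blob arrives through a pod annotation, which is attacker-influenced input from the validator's point of view; decoding with a plain io.ReadAll would let a few kilobytes of gzip allocate gigabytes.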

Comment thread cmd/initdata/common.go
Comment on lines +39 to +42
path := filepath.Join(dir, entry.Name())
// #nosec G304
data, err := os.ReadFile(path)
if err != nil {

Copilot AI Apr 30, 2026


Repo convention is to include a justification on gosec suppressions (e.g., // #nosec G304 -- <reason>). Please add a reason here so it’s clear why iterating and reading files from this directory is safe/expected.

Comment thread cmd/initdata/common.go
Comment on lines +128 to +131
if filePath != "" {
// #nosec G304
data, err := os.ReadFile(filePath)
if err != nil {

Copilot AI Apr 30, 2026


Repo convention is to include a justification on gosec suppressions (e.g., // #nosec G304 -- <reason>). Please add a reason here (the path comes from --file), so the suppression is auditable.

Comment thread cmd/initdata/dump.go Outdated
filePath = filepath.Join(home, ".kube", "coco-initdata.toml")
}

// #nosec G304

Copilot AI Apr 30, 2026


Repo convention is to include a justification on gosec suppressions (e.g., // #nosec G304 -- <reason>). Please add a reason here (path is user-provided via --file or defaulted), so the suppression is consistent and reviewable.

Suggested change
// #nosec G304
// #nosec G304 -- path is user-provided via --file or defaults to ~/.kube/coco-initdata.toml for this CLI command

Comment thread cmd/initdata/create.go
createCmd.Flags().StringVar(&createCACert, "cacert", "", "Path to CA cert PEM file")
createCmd.Flags().StringVar(&createCAPath, "capath", "", "Path to directory of CA cert PEM files")
createCmd.Flags().StringVar(&createOutput, "output", "", "Output file for raw TOML (default: ~/.kube/coco-initdata.toml)")
createCmd.MarkFlagsMutuallyExclusive("cacert", "capath")

Copilot AI Apr 30, 2026


createCmd.MarkFlagsMutuallyExclusive(...) returns an error in cobra v1.10.x; ignoring it can mask issues if flag names change or initialization order is altered. Please handle the returned error (e.g., if err := ...; err != nil { return/panic }) to make failures explicit during command setup.

Suggested change
createCmd.MarkFlagsMutuallyExclusive("cacert", "capath")
if err := createCmd.MarkFlagsMutuallyExclusive("cacert", "capath"); err != nil {
panic(err)
}

Comment thread pkg/initdata/initdata.go
Comment on lines 210 to 217
cleanPath := filepath.Clean(path)

// For absolute paths, validate they don't escape the filesystem root
// For relative paths, ensure they're relative to current directory
if filepath.IsAbs(cleanPath) {
// Absolute paths are allowed for policy files
// but ensure path doesn't contain traversal attempts
if strings.Contains(path, "..") {
return "", fmt.Errorf("invalid policy path: contains directory traversal")
}
} else {
// For relative paths, ensure they resolve within current directory
if !filepath.IsAbs(cleanPath) {
cwd, err := os.Getwd()
if err != nil {
return "", fmt.Errorf("failed to get current directory: %w", err)
}
absPath := filepath.Join(cwd, cleanPath)
if !strings.HasPrefix(absPath, cwd) {
return "", fmt.Errorf("invalid policy path: escapes current directory")
}
cleanPath = absPath
cleanPath = filepath.Join(cwd, cleanPath)
}
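Review bot: the inner `if !filepath.IsAbs(cleanPath)` in the else branch is always true, because the enclosing `if filepath.IsAbs(cleanPath)` already handled the other case, so it only adds nesting and should go. Two adjacent assignments also need reconciling: if both `cleanPath = absPath` and `cleanPath = filepath.Join(cwd, cleanPath)` survive into the final code, the second one prepends cwd to a path that is already absolute (filepath.Join does not collapse a leading cwd), so only one of them should remain. Finally, the absolute-path branch tests `strings.Contains(path, "..")` on the uncleaned input, which rejects harmless names such as `a..b.rego`; checking containment on the cleaned, resolved path would be both stricter and less surprising.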

Copilot AI Apr 30, 2026


loadPolicyFile no longer prevents relative paths from escaping the current working directory. With the current Clean + Join(cwd, cleanPath) logic, an input like ../secrets/policy.rego will resolve outside cwd, which reintroduces directory traversal risk for user-controlled config values (e.g., kata_agent_policy). Consider restoring the previous guard (e.g., compute an absolute path and ensure filepath.Rel(cwd, absPath) does not start with ..), or otherwise restrict/validate allowed locations before os.ReadFile.

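The comment above suggests guarding relative policy paths by resolving to an absolute path and checking that filepath.Rel against the working directory does not begin with "..". The following is an added example of that guard, written for this page rather than taken from the project's loadPolicyFile; the helper name resolveWithin and the base directory used in main are assumptions. It goes slightly beyond the comment by also handling absolute inputs and by showing why filepath.Rel is preferable to a string-prefix or "contains .." test.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesBase is returned when the candidate resolves outside the base directory.
var ErrEscapesBase = errors.New("invalid policy path: escapes allowed directory")

// resolveWithin resolves candidate against base and returns the absolute path,
// or ErrEscapesBase if the result lies outside base. Hypothetical helper for
// this example; it is not the project's loadPolicyFile.
//
// Containment is judged with filepath.Rel on the cleaned, resolved path, so:
//   - a sibling such as /srv/policiesX is not accepted as inside /srv/policies
//     (a strings.HasPrefix check would accept it);
//   - "sub/../../x" is caught even though no single segment looks alarming;
//   - a harmless name like a..b.rego is not rejected, which a raw
//     strings.Contains(path, "..") test would do.
func resolveWithin(base, candidate string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	var abs string
	if filepath.IsAbs(candidate) {
		abs = filepath.Clean(candidate)
	} else {
		abs = filepath.Join(absBase, candidate) // Join cleans its result
	}
	rel, err := filepath.Rel(absBase, abs)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesBase
	}
	return abs, nil
}

func main() {
	// Constructed inputs; the base directory is an assumption for the demo.
	base := "/srv/policies"
	for _, c := range []string{
		"kata.rego",
		"sub/a..b.rego",
		"../secrets/policy.rego",
		"/srv/policiesX/p.rego",
	} {
		p, err := resolveWithin(base, c)
		fmt.Printf("%-26s -> %q %v\n", c, p, err)
	}
}
```

One caveat for a real implementation: this check reasons about lexical paths only. If the base directory may contain symlinks, resolve both sides with filepath.EvalSymlinks before comparing, or the containment test can be satisfied by a path whose target is elsewhere.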
Comment thread pkg/initdata/initdata.go Outdated
}

// #nosec G304 - Path is validated above
// #nosec G304

Copilot AI Apr 30, 2026


Repo convention is to include a justification on gosec suppressions (e.g., // #nosec G304 -- <reason>). Please add a reason here so future readers understand why reading this path is considered safe in this context.

Suggested change
// #nosec G304
// #nosec G304 -- path is cleaned and resolved to an absolute path before reading a user-specified local policy file

Comment thread cmd/initdata/common.go Outdated
Comment on lines +21 to +23
// #nosec G304
data, err := os.ReadFile(path)
if err != nil {

Copilot AI Apr 30, 2026


Repo convention is to include a justification on gosec suppressions (e.g., // #nosec G304 -- <reason>). Please add a reason here so future readers understand why reading this user-provided path is acceptable.

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
@bpradipt bpradipt merged commit 7534d41 into confidential-devhub:main Apr 30, 2026
3 checks passed
@bpradipt bpradipt deleted the initdata branch April 30, 2026 17:08
2 participants