SPIRE-233: create AGENTS.md for ZTWIM repo#144
Conversation
|
@rausingh-rh: This pull request references SPIRE-233 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rausingh-rh The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
WalkthroughSeven documentation files are added: ChangesOperator Documentation Suite
Estimated code review effort🎯 2 (Simple) | ⏱️ ~15 minutes 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
docs/security-guidelines.md (1)
123-125: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick winAdd a language tag to this fence.
This is tripping MD040;
textis sufficient here.Proposed fix
-``` +```text app.kubernetes.io/managed-by = zero-trust-workload-identity-manager🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/security-guidelines.md` around lines 123 - 125, The fenced block in the documentation is missing a language tag, causing the MD040 lint issue. Update the markdown fence around the app.kubernetes.io/managed-by example to use a text language tag so the code block is explicitly marked as plain text. Locate the fenced example in the security guidelines content and apply the fix without changing the displayed value.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/performance-guidelines.md`:
- Around line 151-157: The CREATE_ONLY_MODE description is too broad and should
not say controllers “skip all Update calls,” since status and OLM condition
writes still happen elsewhere. Update the wording in the performance guidelines
to scope the behavior to managed-resource drift-correction updates only, and
keep the references to ResourceNeedsUpdate and Upgradeable consistent with that
narrower behavior.
In `@docs/security-guidelines.md`:
- Around line 62-64: The fenced snippet in the security guidelines markdown is
missing a language tag and is triggering the MD040 lint warning. Update the
existing fence around the serving-cert annotation text to use the text language
tag so the rendered block remains unchanged while satisfying the markdown
linter.
In `@docs/testing-guidelines.md`:
- Around line 24-35: The outer fenced block in the testing guidelines markdown
is unlabeled, which triggers markdownlint MD040. Update the code block that
contains the tree layout so it uses a text fence, keeping the content in the
existing testing-guidelines section readable while satisfying the linter.
---
Outside diff comments:
In `@docs/security-guidelines.md`:
- Around line 123-125: The fenced block in the documentation is missing a
language tag, causing the MD040 lint issue. Update the markdown fence around the
app.kubernetes.io/managed-by example to use a text language tag so the code
block is explicitly marked as plain text. Locate the fenced example in the
security guidelines content and apply the fix without changing the displayed
value.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 4bb8ad89-3e1e-463c-bcb5-cb11bc37f756
📒 Files selected for processing (8)
AGENTS.mdCLAUDE.mddocs/api-contracts-guidelines.mddocs/error-handling-guidelines.mddocs/integration-guidelines.mddocs/performance-guidelines.mddocs/security-guidelines.mddocs/testing-guidelines.md
| When `CREATE_ONLY_MODE=true`, controllers create resources but **skip all Update calls**. | ||
| Performance implications: | ||
|
|
||
| - Drift is not corrected. `ResourceNeedsUpdate` still runs for status condition reporting, | ||
| but no API write occurs. | ||
| - Reduces API server writes to zero after initial resource creation. | ||
| - The `Upgradeable` OLM condition is set to `False`, blocking automatic upgrades. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Narrow create-only mode to managed-resource updates.
“Skip all Update calls” is too broad here: this doc still relies on status/OLM condition writes elsewhere. Please scope the claim to drift-correction updates on managed resources only.
Suggested wording
-When `CREATE_ONLY_MODE=true`, controllers create resources but **skip all Update calls**.
+When `CREATE_ONLY_MODE=true`, controllers create resources but skip drift-correction Update calls on managed resources.📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| When `CREATE_ONLY_MODE=true`, controllers create resources but **skip all Update calls**. | |
| Performance implications: | |
| - Drift is not corrected. `ResourceNeedsUpdate` still runs for status condition reporting, | |
| but no API write occurs. | |
| - Reduces API server writes to zero after initial resource creation. | |
| - The `Upgradeable` OLM condition is set to `False`, blocking automatic upgrades. | |
| When `CREATE_ONLY_MODE=true`, controllers create resources but skip drift-correction Update calls on managed resources. | |
| Performance implications: | |
| - Drift is not corrected. `ResourceNeedsUpdate` still runs for status condition reporting, | |
| but no API write occurs. | |
| - Reduces API server writes to zero after initial resource creation. | |
| - The `Upgradeable` OLM condition is set to `False`, blocking automatic upgrades. |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/performance-guidelines.md` around lines 151 - 157, The CREATE_ONLY_MODE
description is too broad and should not say controllers “skip all Update calls,”
since status and OLM condition writes still happen elsewhere. Update the wording
in the performance guidelines to scope the behavior to managed-resource
drift-correction updates only, and keep the references to ResourceNeedsUpdate
and Upgradeable consistent with that narrower behavior.
| ``` | ||
| service.beta.openshift.io/serving-cert-secret-name: spire-server-serving-cert | ||
| ``` |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Add a language tag to this fence.
This is tripping MD040; text is sufficient here.
Proposed fix
-```
+```text
service.beta.openshift.io/serving-cert-secret-name: spire-server-serving-cert📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| ``` | |
| service.beta.openshift.io/serving-cert-secret-name: spire-server-serving-cert | |
| ``` |
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 62-62: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/security-guidelines.md` around lines 62 - 64, The fenced snippet in the
security guidelines markdown is missing a language tag and is triggering the
MD040 lint warning. Update the existing fence around the serving-cert annotation
text to use the text language tag so the rendered block remains unchanged while
satisfying the markdown linter.
Source: Linters/SAST tools
| ``` | ||
| pkg/controller/spire-server/ | ||
| ├── controller_test.go # Reconcile() entry point tests | ||
| ├── service_account_test.go # reconcileServiceAccount tests | ||
| ├── service_test.go # reconcileService tests | ||
| ├── rbac_test.go # reconcileRBAC tests | ||
| ├── configmaps_test.go # reconcileConfigMap tests | ||
| ├── statefulset_test.go # reconcileStatefulSet tests | ||
| ├── routes_test.go # reconcileRoute tests | ||
| ├── webhook_test.go # reconcileWebhook tests | ||
| └── validation_test.go # validateConfiguration tests | ||
| ``` |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win
Label the outer fenced block.
The unlabeled fence trips markdownlint (MD040). Use text here so the tree layout still renders cleanly.
Fix
-```
+```text📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| ``` | |
| pkg/controller/spire-server/ | |
| ├── controller_test.go # Reconcile() entry point tests | |
| ├── service_account_test.go # reconcileServiceAccount tests | |
| ├── service_test.go # reconcileService tests | |
| ├── rbac_test.go # reconcileRBAC tests | |
| ├── configmaps_test.go # reconcileConfigMap tests | |
| ├── statefulset_test.go # reconcileStatefulSet tests | |
| ├── routes_test.go # reconcileRoute tests | |
| ├── webhook_test.go # reconcileWebhook tests | |
| └── validation_test.go # validateConfiguration tests | |
| ``` |
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)
[warning] 24-24: Fenced code blocks should have a language specified
(MD040, fenced-code-language)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@docs/testing-guidelines.md` around lines 24 - 35, The outer fenced block in
the testing guidelines markdown is unlabeled, which triggers markdownlint MD040.
Update the code block that contains the tree layout so it uses a text fence,
keeping the content in the existing testing-guidelines section readable while
satisfying the linter.
Source: Linters/SAST tools
|
@rausingh-rh: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
This PR adds
AGENTS.mdfor the repository. It adds the following files:AGENTS.md: Agent onboarding doc with cross-cutting conventions, project overview, 5-controller architecture, reconciliation flow, naming/coding conventions, build targets, common pitfalls, release process, and env vars. Links to all domain-specific guideline files.CLAUDE.md: Thin Claude Code-specific layer that imports @AGENTS.md and adds build/test/lint commands and behavioral preferences.docs/error-handling-guidelines.md: Error wrapping patterns, status condition rules, retry logic, ReconcileError classification, logging conventions.docs/testing-guidelines.md: Two-tier test architecture (unit + E2E), FakeCustomCtrlClient patterns, table-driven conventions, Ginkgo/Gomega E2E setup.docs/api-contracts-guidelines.md: CRD types, kubebuilder markers, CEL validation/immutability, CommonConfig/ConditionalStatus embedding, code generation pipeline.docs/security-guidelines.md: FIPS builds, container hardening, RBAC scoping, SCCs, federation TLS, metrics protection, workload attestor verification.docs/performance-guidelines.md: Label-filtered cache architecture, watch predicates, drift detection, status update optimization, retry patterns.docs/integration-guidelines.md: Bindata pattern, ConfigMap generation, SPIRE controller-manager integration, federation, OpenShift platform integrations (Routes, SCCs, service CA).Summary by CodeRabbit