Skip to content

SPIRE-233: create AGENTS.md for ZTWIM repo#144

Open
rausingh-rh wants to merge 1 commit into
openshift:mainfrom
rausingh-rh:agents-md
Open

SPIRE-233: create AGENTS.md for ZTWIM repo#144
rausingh-rh wants to merge 1 commit into
openshift:mainfrom
rausingh-rh:agents-md

Conversation

@rausingh-rh

@rausingh-rh rausingh-rh commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This PR adds AGENTS.md for the repository. It adds the following files:

  1. AGENTS.md: Agent onboarding doc with cross-cutting conventions, project overview, 5-controller architecture, reconciliation flow, naming/coding conventions, build targets, common pitfalls, release process, and env vars. Links to all domain-specific guideline files.
  2. CLAUDE.md: Thin Claude Code-specific layer that imports @AGENTS.md and adds build/test/lint commands and behavioral preferences.
  3. docs/error-handling-guidelines.md: Error wrapping patterns, status condition rules, retry logic, ReconcileError classification, logging conventions.
  4. docs/testing-guidelines.md: Two-tier test architecture (unit + E2E), FakeCustomCtrlClient patterns, table-driven conventions, Ginkgo/Gomega E2E setup.
  5. docs/api-contracts-guidelines.md: CRD types, kubebuilder markers, CEL validation/immutability, CommonConfig/ConditionalStatus embedding, code generation pipeline.
  6. docs/security-guidelines.md: FIPS builds, container hardening, RBAC scoping, SCCs, federation TLS, metrics protection, workload attestor verification.
  7. docs/performance-guidelines.md: Label-filtered cache architecture, watch predicates, drift detection, status update optimization, retry patterns.
  8. docs/integration-guidelines.md: Bindata pattern, ConfigMap generation, SPIRE controller-manager integration, federation, OpenShift platform integrations (Routes, SCCs, service CA).

Summary by CodeRabbit

  • Documentation
    • Added comprehensive guidance for project setup, build and test workflows, API and integration patterns, performance tuning, security requirements, error handling, and testing practices.
    • Expanded operational notes for managing manifests, images, cache behavior, federation, and OpenShift-specific integrations.
    • Clarified contribution expectations and repository conventions to help keep changes consistent and easier to validate.

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 29, 2026
@openshift-ci-robot

openshift-ci-robot commented Jun 29, 2026

Copy link
Copy Markdown

@rausingh-rh: This pull request references SPIRE-233 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

This PR adds AGENTS.md for the repository. It adds the following files:

  1. AGENTS.md: Agent onboarding doc with cross-cutting conventions, project overview, 5-controller architecture, reconciliation flow, naming/coding conventions, build targets, common pitfalls, release process, and env vars. Links to all domain-specific guideline files.
  2. CLAUDE.md: Thin Claude Code-specific layer that imports @AGENTS.md and adds build/test/lint commands and behavioral preferences.
  3. docs/error-handling-guidelines.md: Error wrapping patterns, status condition rules, retry logic, ReconcileError classification, logging conventions.
  4. docs/testing-guidelines.md: Two-tier test architecture (unit + E2E), FakeCustomCtrlClient patterns, table-driven conventions, Ginkgo/Gomega E2E setup.
  5. docs/api-contracts-guidelines.md: CRD types, kubebuilder markers, CEL validation/immutability, CommonConfig/ConditionalStatus embedding, code generation pipeline.
  6. docs/security-guidelines.md: FIPS builds, container hardening, RBAC scoping, SCCs, federation TLS, metrics protection, workload attestor verification.
  7. docs/performance-guidelines.md: Label-filtered cache architecture, watch predicates, drift detection, status update optimization, retry patterns.
  8. docs/integration-guidelines.md: Bindata pattern, ConfigMap generation, SPIRE controller-manager integration, federation, OpenShift platform integrations (Routes, SCCs, service CA).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot requested review from nhegde07 and swghosh June 29, 2026 11:36
@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rausingh-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 29, 2026
@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Walkthrough

Seven documentation files are added: AGENTS.md and CLAUDE.md at the repo root provide AI agent and build tooling guidance, and five files under docs/ cover API contracts, error handling, integration architecture, performance/cache optimization, security requirements, and testing conventions. No production code is changed.

Changes

Operator Documentation Suite

Layer / File(s) Summary
AI agent and build tooling guidance
AGENTS.md, CLAUDE.md
AGENTS.md documents controllers, architecture patterns, build/test/lint targets, coding conventions, and runtime env vars. CLAUDE.md adds build/test commands, pre-commit regeneration steps, vendoring guidance, and Claude Code preferences.
API contracts and CRD guidelines
docs/api-contracts-guidelines.md
Covers API group/versioning, CRD inventory, required Kubebuilder markers, CEL singleton/immutability enforcement, field validation conventions, CommonConfig/ConditionalStatus embedding, status subresource conventions, code generation pipeline, and procedures for adding fields, CRDs, and spire CRD integration.
Error handling and reconciliation patterns
docs/error-handling-guidelines.md
Specifies error wrapping rules, ReconcileError classifications, error-to-result mappings, status condition update rules, retry patterns, logging/event conventions, NotFound handling distinctions, Kubernetes API error classification, and the AlreadyExists/resource-conflict pattern via HandleCreateConflict.
Integration architecture and operand extension guide
docs/integration-guidelines.md
Describes bindata vs. programmatic resource management, singleton owner-reference scheme, per-controller reconciliation sequences, ConfigMap hashing for rollouts, federation and SPIRE controller-manager sidecar integration, OpenShift-specific integrations, image resolution, cache architecture, create-only mode, and step-by-step guides for adding bindata resources and new operands.
Performance and cache optimization guidelines
docs/performance-guidelines.md
Documents the unified label-filtered cache (NewCacheBuilder), layered predicate strategy, drift detection via ResourceNeedsUpdate, semantic equality and conflict-retrying status update wrappers, create-only mode skip behavior, and an API call reduction summary table.
Security requirements and hardening guidelines
docs/security-guidelines.md
Specifies container hardening, FIPS build requirements, metrics TLS/RBAC, HTTP/2 restrictions, RBAC scoping, SCC strategies for SPIRE agent and SPIFFE CSI driver, service CA TLS annotations, federation TLS profiles, workload attestor verification modes, leader election constraints, and RELATED_IMAGE_* image reference rules.
Testing conventions and E2E guidance
docs/testing-guidelines.md
Documents Make targets, envtest setup, unit test file layout, newTestReconciler wiring, FakeCustomCtrlClient usage, table-driven test structure, required scenario checklists, E2E Ginkgo/Gomega framework conventions, timeout constants, new-test procedures, and ginkgolinter/dupl linting behavior.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly identifies the main change: adding AGENTS.md to the ZTWIM repository.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only adds docs; the Ginkgo examples use fixed static titles and contain no run-specific or generated values.
Test Structure And Quality ✅ Passed PR only adds docs files; no Ginkgo test code or cluster-interacting tests were changed, so this check is not applicable.
Microshift Test Compatibility ✅ Passed PR only adds docs; no new Ginkgo e2e test code or MicroShift-unsafe APIs/features were introduced.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR only adds docs/agent guidance; no Ginkgo e2e tests or test files were added or modified, so the SNO check is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Docs-only PR; no manifests, controllers, or scheduling code were changed, so topology-aware scheduling constraints aren’t introduced.
Ote Binary Stdout Contract ✅ Passed Entrypoints use textlogger (stderr by default) and no added fmt.Print/os.Stdout/log.SetOutput calls were found in main/init/suite hooks.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed The PR only adds markdown guidance; no actual Ginkgo e2e specs or network/IP code were added, so this check is not applicable.
No-Weak-Crypto ✅ Passed Changed files are docs only; exact scans found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparison logic.
Container-Privileges ✅ Passed PR only adds docs; no changed manifests contain privileged:true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation:true.
No-Sensitive-Data-In-Logs ✅ Passed No log guidance exposes secrets or PII; examples use generic messages, and tests use a discard logger.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
docs/security-guidelines.md (1)

123-125: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add a language tag to this fence.

This is tripping MD040; text is sufficient here.

Proposed fix
-```
+```text
 app.kubernetes.io/managed-by = zero-trust-workload-identity-manager
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security-guidelines.md` around lines 123 - 125, The fenced block in the
documentation is missing a language tag, causing the MD040 lint issue. Update
the markdown fence around the app.kubernetes.io/managed-by example to use a text
language tag so the code block is explicitly marked as plain text. Locate the
fenced example in the security guidelines content and apply the fix without
changing the displayed value.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/performance-guidelines.md`:
- Around line 151-157: The CREATE_ONLY_MODE description is too broad and should
not say controllers “skip all Update calls,” since status and OLM condition
writes still happen elsewhere. Update the wording in the performance guidelines
to scope the behavior to managed-resource drift-correction updates only, and
keep the references to ResourceNeedsUpdate and Upgradeable consistent with that
narrower behavior.

In `@docs/security-guidelines.md`:
- Around line 62-64: The fenced snippet in the security guidelines markdown is
missing a language tag and is triggering the MD040 lint warning. Update the
existing fence around the serving-cert annotation text to use the text language
tag so the rendered block remains unchanged while satisfying the markdown
linter.

In `@docs/testing-guidelines.md`:
- Around line 24-35: The outer fenced block in the testing guidelines markdown
is unlabeled, which triggers markdownlint MD040. Update the code block that
contains the tree layout so it uses a text fence, keeping the content in the
existing testing-guidelines section readable while satisfying the linter.

---

Outside diff comments:
In `@docs/security-guidelines.md`:
- Around line 123-125: The fenced block in the documentation is missing a
language tag, causing the MD040 lint issue. Update the markdown fence around the
app.kubernetes.io/managed-by example to use a text language tag so the code
block is explicitly marked as plain text. Locate the fenced example in the
security guidelines content and apply the fix without changing the displayed
value.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 4bb8ad89-3e1e-463c-bcb5-cb11bc37f756

📥 Commits

Reviewing files that changed from the base of the PR and between 6a7cb74 and 60662f0.

📒 Files selected for processing (8)
  • AGENTS.md
  • CLAUDE.md
  • docs/api-contracts-guidelines.md
  • docs/error-handling-guidelines.md
  • docs/integration-guidelines.md
  • docs/performance-guidelines.md
  • docs/security-guidelines.md
  • docs/testing-guidelines.md

Comment on lines +151 to +157
When `CREATE_ONLY_MODE=true`, controllers create resources but **skip all Update calls**.
Performance implications:

- Drift is not corrected. `ResourceNeedsUpdate` still runs for status condition reporting,
but no API write occurs.
- Reduces API server writes to zero after initial resource creation.
- The `Upgradeable` OLM condition is set to `False`, blocking automatic upgrades.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Narrow create-only mode to managed-resource updates.

“Skip all Update calls” is too broad here: this doc still relies on status/OLM condition writes elsewhere. Please scope the claim to drift-correction updates on managed resources only.

Suggested wording
-When `CREATE_ONLY_MODE=true`, controllers create resources but **skip all Update calls**.
+When `CREATE_ONLY_MODE=true`, controllers create resources but skip drift-correction Update calls on managed resources.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
When `CREATE_ONLY_MODE=true`, controllers create resources but **skip all Update calls**.
Performance implications:
- Drift is not corrected. `ResourceNeedsUpdate` still runs for status condition reporting,
but no API write occurs.
- Reduces API server writes to zero after initial resource creation.
- The `Upgradeable` OLM condition is set to `False`, blocking automatic upgrades.
When `CREATE_ONLY_MODE=true`, controllers create resources but skip drift-correction Update calls on managed resources.
Performance implications:
- Drift is not corrected. `ResourceNeedsUpdate` still runs for status condition reporting,
but no API write occurs.
- Reduces API server writes to zero after initial resource creation.
- The `Upgradeable` OLM condition is set to `False`, blocking automatic upgrades.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/performance-guidelines.md` around lines 151 - 157, The CREATE_ONLY_MODE
description is too broad and should not say controllers “skip all Update calls,”
since status and OLM condition writes still happen elsewhere. Update the wording
in the performance guidelines to scope the behavior to managed-resource
drift-correction updates only, and keep the references to ResourceNeedsUpdate
and Upgradeable consistent with that narrower behavior.

Comment on lines +62 to +64
```
service.beta.openshift.io/serving-cert-secret-name: spire-server-serving-cert
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Add a language tag to this fence.

This is tripping MD040; text is sufficient here.

Proposed fix
-```
+```text
 service.beta.openshift.io/serving-cert-secret-name: spire-server-serving-cert
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
```
service.beta.openshift.io/serving-cert-secret-name: spire-server-serving-cert
```
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 62-62: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security-guidelines.md` around lines 62 - 64, The fenced snippet in the
security guidelines markdown is missing a language tag and is triggering the
MD040 lint warning. Update the existing fence around the serving-cert annotation
text to use the text language tag so the rendered block remains unchanged while
satisfying the markdown linter.

Source: Linters/SAST tools

Comment on lines +24 to +35
```
pkg/controller/spire-server/
├── controller_test.go # Reconcile() entry point tests
├── service_account_test.go # reconcileServiceAccount tests
├── service_test.go # reconcileService tests
├── rbac_test.go # reconcileRBAC tests
├── configmaps_test.go # reconcileConfigMap tests
├── statefulset_test.go # reconcileStatefulSet tests
├── routes_test.go # reconcileRoute tests
├── webhook_test.go # reconcileWebhook tests
└── validation_test.go # validateConfiguration tests
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Label the outer fenced block.

The unlabeled fence trips markdownlint (MD040). Use text here so the tree layout still renders cleanly.

Fix
-```
+```text
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
```
pkg/controller/spire-server/
├── controller_test.go # Reconcile() entry point tests
├── service_account_test.go # reconcileServiceAccount tests
├── service_test.go # reconcileService tests
├── rbac_test.go # reconcileRBAC tests
├── configmaps_test.go # reconcileConfigMap tests
├── statefulset_test.go # reconcileStatefulSet tests
├── routes_test.go # reconcileRoute tests
├── webhook_test.go # reconcileWebhook tests
└── validation_test.go # validateConfiguration tests
```
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 24-24: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/testing-guidelines.md` around lines 24 - 35, The outer fenced block in
the testing guidelines markdown is unlabeled, which triggers markdownlint MD040.
Update the code block that contains the tree layout so it uses a text fence,
keeping the content in the existing testing-guidelines section readable while
satisfying the linter.

Source: Linters/SAST tools

@openshift-ci

openshift-ci Bot commented Jun 29, 2026

Copy link
Copy Markdown

@rausingh-rh: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants