Merge remote-tracking branch 'upstream/rhoai'

moulalis · moulalis · commit 49fa596c19d1 · 2026-05-11T13:01:45.000Z
diff --git a/.claude/rules/.rules b/.claude/rules/.rules
@@ -0,0 +1 @@
+../../.rules
diff --git a/.claude/rules/review-instructions.md b/.claude/rules/review-instructions.md
diff --git a/.rules/api-types.md b/.rules/api-types.md
@@ -0,0 +1,12 @@
+---
+paths: ["api/**/*.go", "docs/COMPONENT_INTEGRATION.md"]
+---
+
+# API Type Conventions
+
+User-facing config fields belong in `XxxCommonSpec`, inlined into both `XxxSpec` and `DSCXxx`.
+Fields only in `XxxSpec` (not in `XxxCommonSpec`) must be operator-written only (e.g. gateway domain from `GatewayConfig.Status.Domain`).
+
+After modifying types, run: `make generate manifests api-docs`
+
+DSC, DSCI, and component CRs are cluster-scoped singletons. Component CR naming: `default-<component>`.
diff --git a/.rules/cloudmanager-controller.md b/.rules/cloudmanager-controller.md
@@ -0,0 +1,22 @@
+---
+paths: ["**/cloudmanager/**/*.go"]
+---
+
+# Cloud Manager Controller Patterns
+
+Use reconciler builder pattern with `WithDynamicOwnership()`. Each cloud provider has its own controller under `internal/controller/cloudmanager/<provider>/`.
+
+Action execution order matters: sequential, stops on first error. GC action MUST be last.
+
+RBAC: cloudmanager controllers have hand-maintained `kubebuilder_rbac.go` per provider + `common/kubebuilder_rbac.go`. After RBAC changes run `make manifests`.
+
+Key differences from component/service controllers:
+- Config passed via `*operatorconfig.CloudManagerConfig`
+
+File locations for provider `<provider>` (azure, coreweave):
+- Controller: `internal/controller/cloudmanager/<provider>/*_controller.go`
+- Actions: `internal/controller/cloudmanager/<provider>/*_actions.go`
+- RBAC: `internal/controller/cloudmanager/<provider>/kubebuilder_rbac.go`
+- Shared: `internal/controller/cloudmanager/common/`
+
+Follow patterns in `internal/controller/cloudmanager/azure/azurekubernetesengine_controller.go`.
diff --git a/.rules/component-controller.md b/.rules/component-controller.md
@@ -0,0 +1,25 @@
+---
+paths: ["internal/controller/components/**/*.go"]
+---
+
+# Component Controller Patterns
+
+Use reconciler builder pattern:
+```go
+reconciler.ReconcilerFor(mgr, &componentApi.Xxx{}).
+    Owns(&corev1.ConfigMap{}).
+    WithAction(renderAction).
+    WithAction(deployAction).
+    WithAction(gcAction).  // MUST be last
+    Build(ctx)
+```
+
+Action signature: `func(ctx context.Context, rr *types.ReconciliationRequest) error`
+
+Component handler interface in `internal/controller/components/registry/registry.go`.
+
+RBAC: component controllers use codegen. Do NOT add `kubebuilder_rbac.go` here — only top-level controllers (`dscinitialization`, `datasciencecluster`, `gateway`, `cloudmanager/*`) have hand-maintained RBAC markers.
+
+Action execution order matters: sequential, stops on first error. Place actions deliberately — earlier actions set up state for later ones.
+
+Use `StopError` to halt reconciliation without failure. Propagate errors via `WithError()` to update status conditions.
diff --git a/.rules/review-instructions.md b/.rules/review-instructions.md
@@ -1,42 +1,28 @@
 # Review Instructions for AI Code Reviewers
 
-These instructions are meta-guidance for AI code review tools (CodeRabbit, etc.).
-They define review priorities and anti-patterns specific to this repository.
+Meta-guidance for AI code review tools (CodeRabbit, etc.). Repo-specific patterns.
 
-## Review Priority Order
+## Priority Order
 
-When multiple findings exist, prioritize in this order:
+1. Security vulnerabilities (CWE/CVE, severity, exploit scenario, remediation)
+2. RBAC gaps — trace `client.Client` calls to the relevant `kubebuilder_rbac.go`. For component controllers under `internal/controller/components/` (which have no RBAC markers), trace to the top-level controller (`datasciencecluster`, `dscinitialization`, `gateway`, `cloudmanager/*`) whose `kubebuilder_rbac.go` covers those operations
+3. Architectural anti-patterns
+4. Bug-prone patterns, error handling gaps
+5. Performance
 
-1. Security vulnerabilities (provide CWE/CVE IDs, severity, exploit scenario, and remediation code)
-2. RBAC permission gaps — trace `client.Client` calls to the calling controller's `kubebuilder_rbac.go`
-3. Architectural issues and anti-patterns
-4. Bug-prone patterns and error handling gaps
-5. Performance problems
+## Anti-Patterns (DO NOT flag)
 
-## Anti-Patterns to Avoid
+- **Tautological test oracles**: E2E tests intentionally use independent oracles. DO NOT suggest mirroring production code path.
+- **Removing fallback logic**: Three-way branch (success / IsNotFound|IsNoMatchError / other) for OpenShift resources is intentional. Fallback IS the primary path on non-OpenShift clusters.
+- **Missing `kubebuilder_rbac.go` in component controllers**: Components under `internal/controller/components/` use codegen. Only top-level controllers (`dscinitialization`, `datasciencecluster`, `gateway`, `cloudmanager/*`) have hand-maintained RBAC.
+- **Suggesting manual OwnerReferences**: Reconciler builder handles these. Only flag for cross-namespace ownership.
+- **PR description format**: Template enforces this. Only flag if completely empty.
 
-DO NOT suggest the following — these are common false positives in this codebase:
+## Must Always Flag
 
-- **Tautological test oracles**: DO NOT suggest that e2e tests call the same production helper or API resource they are validating. Independent oracles are intentional. See `AGENTS.md` "Test Oracle Independence" section.
-- **Removing fallback logic**: DO NOT flag OpenShift-to-vanilla-K8s fallback paths as dead code or suggest simplifying the three-way error branch (`success / IsNotFound|IsNoMatchError / other error`). The fallback is the primary path on non-OpenShift clusters.
-- **Missing `kubebuilder_rbac.go` in component controllers**: Component controllers under `internal/controller/components/` use codegen for RBAC. Only top-level controllers (`dscinitialization`, `datasciencecluster`, `gateway`, `cloudmanager/*`) have hand-maintained `kubebuilder_rbac.go` files.
-- **Suggesting `OwnerReferences` be set manually**: The reconciler builder pattern handles OwnerReferences. DO NOT suggest adding them in action code unless there is a cross-namespace ownership scenario.
-- **PR description format comments**: The PR template already enforces description requirements. DO NOT comment on PR description format unless it is completely empty.
-
-## Patterns That Must Always Be Flagged
-
-Always flag these regardless of context:
-
-- Any `+kubebuilder:rbac` change without a corresponding `make manifests` regeneration
-- New `client.Client` operations in `pkg/` without RBAC coverage in all calling controllers
-- Status conditions that don't update during deletion or error transitions
+- New `client.Client` ops in `pkg/` without RBAC coverage in all calling controllers
+- Status conditions not updated during deletion or error transitions
 - `InsecureSkipVerify: true` in non-test code
-- Wildcard verbs or resources in RBAC rules
-- Secrets, tokens, or credentials logged at any verbosity level
-- User-facing component configuration added only to an internal component CRD spec (`XxxSpec`)
-  without a corresponding field in `DSCXxx` (via `XxxCommonSpec`). Any field a user must set to
-  configure component behaviour belongs in `CommonSpec` so it is reachable through the DSC API.
-  The only legitimate use of internal-only spec fields (those in `XxxSpec` but NOT in
-  `XxxCommonSpec`) is for values written exclusively by the operator itself (e.g. the gateway
-  domain stamped from `GatewayConfig.Status.Domain`). See `docs/COMPONENT_INTEGRATION.md` for
-  the correct pattern.
+- Wildcard verbs/resources in RBAC rules
+- Secrets/tokens/credentials logged at any verbosity
+- User-facing config in `XxxSpec` only (not in `XxxCommonSpec`/`DSCXxx`). Internal-only spec fields are for operator-written values only. See `docs/COMPONENT_INTEGRATION.md`.
diff --git a/.rules/service-controller.md b/.rules/service-controller.md
@@ -0,0 +1,19 @@
+---
+paths: ["internal/controller/services/**/*.go"]
+---
+
+# Service Controller Patterns
+
+Use reconciler builder pattern (same as components). Services implement `ServiceHandler` interface from `internal/controller/services/registry/registry.go`.
+
+Action execution order matters: sequential, stops on first error. GC action MUST be last.
+
+RBAC: service controllers use codegen (no `kubebuilder_rbac.go`) — except `gateway` which has hand-maintained RBAC markers.
+
+File locations for service `<svc>` (auth, monitoring, setup, etc.):
+- Handler: `internal/controller/services/<svc>/<svc>.go`
+- Controller: `internal/controller/services/<svc>/<svc>_controller.go`
+- Actions: `internal/controller/services/<svc>/<svc>_controller_actions.go`
+- Tests: `internal/controller/services/<svc>/*_test.go`
+
+Follow patterns in `internal/controller/services/auth/auth_controller.go`.
diff --git a/.rules/testing.md b/.rules/testing.md
@@ -0,0 +1,14 @@
+---
+paths: ["**/*_test.go", "tests/**/*.go"]
+---
+
+# Testing Patterns
+
+Unit tests: use `fake.NewClientBuilder()` with explicit scheme registration via `pkg/utils/test/scheme`.
+E2E tests: use `TestContext` (`tc.Client()`, `tc.Context()`).
+
+E2E test oracles MUST be structurally independent from production code. Never call same production function or read same API resource as code-under-test — derive expectations from independent signals.
+
+Follow patterns in:
+- Unit: `internal/controller/components/dashboard/dashboard_controller_actions_test.go`
+- E2E: `tests/e2e/`
diff --git a/AGENTS.md b/AGENTS.md
