Skip to content

CM-1200: Adding agentic .md files for Cert-manager repository#454

Open
arun717 wants to merge 2 commits into
openshift:masterfrom
arun717:adding_agent.md
Open

CM-1200: Adding agentic .md files for Cert-manager repository#454
arun717 wants to merge 2 commits into
openshift:masterfrom
arun717:adding_agent.md

Conversation

@arun717

@arun717 arun717 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • Documentation

    • Added and expanded contributor, architecture, testing, security, performance, API contract, and integration guidance for the operator.
    • Updated the main README to provide a shorter onboarding flow, clearer component overview, and streamlined setup/deployment steps.
    • Removed a few outdated standalone guides that are now covered elsewhere.
  • Chores

    • Updated ignore rules to keep local coverage and test artifacts out of source control.

arun717 and others added 2 commits July 3, 2026 16:15
Introduce AGENTS.md, ARCHITECTURE.md, and CONTRIBUTING.md as the component
entry point, and ignore local QE output/coverage artifacts.

Co-authored-by: Cursor <cursoragent@cursor.com>
@openshift-ci openshift-ci Bot requested review from TrilokGeer and bharath-b-rh July 3, 2026 14:31
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: arun717
Once this PR has been reviewed and has the lgtm label, please assign trilokgeer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Walkthrough

This PR adds a comprehensive documentation suite for the cert-manager-operator repository: new AGENTS.md, ARCHITECTURE.md, CLAUDE.md, CONTRIBUTING.md, and several docs/*.md guideline files; rewrites README.md; removes obsolete cloud_credentials.md, operand_metrics.md, and proxy.md; and updates .gitignore.

Changes

Documentation restructuring

Layer / File(s) Summary
Ignore local artifacts
.gitignore
Adds ignore entries for output/ and e2e-cover-data/ local QE/coverage directories.
Agent onboarding guide
AGENTS.md
Adds full agent onboarding doc covering repo navigation, components, conventions, dev/testing, PR requirements, and triage.
Architecture reference
ARCHITECTURE.md
Adds full architecture doc: overview, code map, cross-cutting concerns, startup sequence, and triage table.
Workflow command reference
CLAUDE.md
Adds centralized build/test/lint/codegen/deploy commands and release scan guidance.
Contributor guide
CONTRIBUTING.md
Populates full contributor guide: getting started, linting/testing, coding conventions, testing requirements, PR process, workspace/licensing.
README rewrite
README.md
Replaces old detailed content with components table, project structure, getting-started/deployment commands, configuration table, and license statement.
Topic-specific guideline docs
docs/api-contracts-guidelines.md, docs/error-handling-guidelines.md, docs/integration-guidelines.md, docs/performance-guidelines.md, docs/security-guidelines.md, docs/testing-guidelines.md
Adds new guideline pages covering API contracts, error handling, integration, performance, security, and testing conventions.
Removed obsolete docs
docs/cloud_credentials.md, docs/operand_metrics.md, docs/proxy.md
Removes outdated cloud credentials, metrics, and proxy documentation.

Estimated code review effort: 2 (Simple) | ~15 minutes

Related PRs: None identified.

Suggested labels: documentation

Suggested reviewers: None identified.

🐰 Poem

A rabbit hops through docs anew,
AGENTS, ARCHITECTURE, CLAUDE in view,
README trimmed, old proxy gone,
Guidelines stacked from dusk to dawn,
Hop, hop, read — the burrow's grown! 🐇📚

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PASS: The PR only changes markdown/docs; no Go test files or Ginkgo titles were modified, so there are no test-name stability issues in this diff.
Test Structure And Quality ✅ Passed No Ginkgo test code changed; the diff only touches docs and agent guidance, so the test-structure check is not applicable.
Microshift Test Compatibility ✅ Passed No Go/e2e test files were added; the diff is docs-only and shows no new Ginkgo tests or MicroShift-sensitive APIs.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR changes are docs-only; no Go/Ginkgo e2e tests or SNO-sensitive assumptions were added.
Topology-Aware Scheduling Compatibility ✅ Passed Docs-only and .gitignore changes; no deployment manifests, controllers, or scheduling logic were modified.
Ote Binary Stdout Contract ✅ Passed PR only changes docs/.gitignore; no process-level code, test entrypoints, or stdout-producing runtime paths were modified.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PASS: This PR only changes markdown docs; no .go or e2e test files were added, so there are no new Ginkgo tests to check for IPv4 or connectivity assumptions.
No-Weak-Crypto ✅ Passed PR changes are docs/.gitignore only, and a targeted scan of the modified files found no weak-crypto APIs, custom crypto, or secret comparisons.
Container-Privileges ✅ Passed PR only changes Markdown docs; no K8s/container manifests or privilege settings appear in any changed file.
No-Sensitive-Data-In-Logs ✅ Passed PASS — the PR is docs/.gitignore only; no runtime logging was added, and the new guidance explicitly says not to log secrets or credential values.
Title check ✅ Passed The title accurately summarizes the main change: adding agent-oriented Markdown documentation to the cert-manager repository.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@arun717: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@AGENTS.md`:
- Around line 173-177: The operand version bump guidance is too narrow because
it only points to make update-manifests and can leave generated artifacts stale;
update the AGENTS.md instructions to reference the full update flow used by the
repo, namely make update followed by make verify, so the version bump process
covers manifests plus bindata/generated code consistently.
- Around line 157-160: The naming guidance is too broad and incorrectly applies
the “cluster” CR name to every operand. Update the Naming section to split the
rule by operand type, keeping the `cluster` name for `CertManager` and
`TrustManager` while documenting that `IstioCSR` is the namespaced `default`
singleton; use the existing operand names and `common.ManagedResourceLabelKey`
reference to make the distinction explicit.
- Around line 44-48: The docs index in AGENTS.md still advertises removed
operational pages, so update the layout tree and the nearby docs list to stop
referencing dead paths. Remove the entries for proxy.md, cloud_credentials.md,
and operand_metrics.md, or swap them for the new documentation pages if they
exist. Use the docs index section around the docs/ tree and the linked index
entries as the place to make the cleanup.

In `@CLAUDE.md`:
- Around line 35-39: The operand version bump guidance only mentions make
update-manifests, which can leave generated bindata stale after version changes.
Update the CLAUDE.md instructions to point readers to the full update flow using
make update (or make update && make verify) so the manifest and generated
outputs stay in sync; keep the reference near the operand version bumps section
and the existing update-manifests note.

In `@docs/integration-guidelines.md`:
- Around line 14-15: The reference in docs/integration-guidelines.md points to
the removed docs/proxy.md, so update that link to the new consolidated proxy
guidance or remove it if no replacement is needed. Use the surrounding text
about Subscription patch examples and the docs/integration-guidelines.md section
to locate and replace the stale reference.
- Around line 50-54: The Metrics section still references the removed operand
metrics doc, so update the `docs/integration-guidelines.md` reference to the new
metrics documentation location or drop the bullet entirely. Use the `Metrics`
section and the `docs/operand_metrics.md` mention as the anchor when editing so
the dead link is fully removed from the integration guidance.

In `@docs/security-guidelines.md`:
- Around line 28-39: The operational references in the Cloud credentials and
Trusted CA/proxy sections are stale because docs/cloud_credentials.md and
docs/proxy.md no longer exist. Update the links in the affected markdown to
point to the consolidated documentation targets, or remove those references
entirely if there is no replacement, keeping the surrounding guidance in
docs/security-guidelines.md aligned with the current docs structure.

In `@README.md`:
- Around line 7-13: The README’s CR naming contract is incorrect for IstioCSR:
the table and summary currently say all operands are named cluster, but the
IstioCSR singleton is actually default. Update the IstioCSR row and the closing
summary text so they clearly state the correct singleton name, while keeping the
other operand names unchanged.
- Around line 120-124: The README’s Operational section still points to deleted
doc files, so update the references in the Operational list to the new docs
index or remove the section entirely. Use the README’s existing Operational
heading and linked entries as the location to replace the dead links with a
valid top-level docs reference that matches the current documentation structure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f8f93898-bf05-4a4b-8469-8b3acda97029

📥 Commits

Reviewing files that changed from the base of the PR and between 454cb88 and 70b5e59.

📒 Files selected for processing (15)
  • .gitignore
  • AGENTS.md
  • ARCHITECTURE.md
  • CLAUDE.md
  • CONTRIBUTING.md
  • README.md
  • docs/api-contracts-guidelines.md
  • docs/cloud_credentials.md
  • docs/error-handling-guidelines.md
  • docs/integration-guidelines.md
  • docs/operand_metrics.md
  • docs/performance-guidelines.md
  • docs/proxy.md
  • docs/security-guidelines.md
  • docs/testing-guidelines.md
💤 Files with no reviewable changes (3)
  • docs/operand_metrics.md
  • docs/proxy.md
  • docs/cloud_credentials.md

Comment thread AGENTS.md
Comment on lines +44 to +48
docs/
├── *-guidelines.md # Agent-oriented deep guidelines (see index below)
├── proxy.md # Proxy-related behavior (when present)
├── cloud_credentials.md # Ambient credentials / cloud secret wiring (when present)
└── operand_metrics.md # Metrics and monitoring for the operand (when present)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Remove the stale operational-doc links.

docs/proxy.md, docs/cloud_credentials.md, and docs/operand_metrics.md are removed in this PR, so both the layout tree and the docs index now advertise dead paths. Drop those entries or replace them with the new docs pages.

Also applies to: 216-223

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 44 - 48, The docs index in AGENTS.md still advertises
removed operational pages, so update the layout tree and the nearby docs list to
stop referencing dead paths. Remove the entries for proxy.md,
cloud_credentials.md, and operand_metrics.md, or swap them for the new
documentation pages if they exist. Use the docs index section around the docs/
tree and the linked index entries as the place to make the cleanup.

Comment thread AGENTS.md
Comment on lines +157 to +160
### Naming

- Operand CR name is always `cluster` (CEL-enforced).
- Managed operand resources use label key `app` (`common.ManagedResourceLabelKey`).

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Scope the CR naming rule.

IstioCSR is the namespaced default singleton, so the blanket “always cluster” rule is wrong and will mislead contributors. Split this into CertManager/TrustManager vs. IstioCSR.

🧰 Tools
🪛 LanguageTool

[grammar] ~160-~160: Ensure spelling is correct
Context: ... operand resources use label key app (common.ManagedResourceLabelKey). - Package imports: prefer full paths; n...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 157 - 160, The naming guidance is too broad and
incorrectly applies the “cluster” CR name to every operand. Update the Naming
section to split the rule by operand type, keeping the `cluster` name for
`CertManager` and `TrustManager` while documenting that `IstioCSR` is the
namespaced `default` singleton; use the existing operand names and
`common.ManagedResourceLabelKey` reference to make the distinction explicit.

Comment thread AGENTS.md
Comment on lines +173 to +177
Operand version bumps:

```bash
make update-manifests # after changing CERT_MANAGER_VERSION etc. in Makefile
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Point version bumps at the full update flow.

make update-manifests is too narrow here; the repo's update path also refreshes bindata/generated code, so this instruction can leave stale artifacts behind after a version bump. Use make update (and then make verify) instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` around lines 173 - 177, The operand version bump guidance is too
narrow because it only points to make update-manifests and can leave generated
artifacts stale; update the AGENTS.md instructions to reference the full update
flow used by the repo, namely make update followed by make verify, so the
version bump process covers manifests plus bindata/generated code consistently.

Comment thread CLAUDE.md
Comment on lines +35 to +39
Operand version bumps:

```bash
make update-manifests # after changing CERT_MANAGER_VERSION etc. in Makefile
```

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Use the full update flow here too.

This should mention make update (or make update && make verify), not only make update-manifests; otherwise an operand version bump can leave generated bindata stale.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CLAUDE.md` around lines 35 - 39, The operand version bump guidance only
mentions make update-manifests, which can leave generated bindata stale after
version changes. Update the CLAUDE.md instructions to point readers to the full
update flow using make update (or make update && make verify) so the manifest
and generated outputs stay in sync; keep the reference near the operand version
bumps section and the existing update-manifests note.

Comment on lines +14 to +15
- Prefer patching Subscription for operator env/config — OLM reverts direct Deployment edits.
- See `docs/proxy.md` for subscription patch examples.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the stale docs/proxy.md reference.

docs/proxy.md is removed in this PR, so this link will 404. Please retarget it to the new consolidated guidance or drop the reference.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/integration-guidelines.md` around lines 14 - 15, The reference in
docs/integration-guidelines.md points to the removed docs/proxy.md, so update
that link to the new consolidated proxy guidance or remove it if no replacement
is needed. Use the surrounding text about Subscription patch examples and the
docs/integration-guidelines.md section to locate and replace the stale
reference.

Comment on lines +50 to +54
## Metrics

- Operand metrics setup documented in `docs/operand_metrics.md`.
- Operator metrics via library-go status/metrics patterns.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Remove the dead operand-metrics link.

docs/operand_metrics.md is also removed in this PR, so this reference is now broken. Please update it to the new location or remove it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/integration-guidelines.md` around lines 50 - 54, The Metrics section
still references the removed operand metrics doc, so update the
`docs/integration-guidelines.md` reference to the new metrics documentation
location or drop the bullet entirely. Use the `Metrics` section and the
`docs/operand_metrics.md` mention as the anchor when editing so the dead link is
fully removed from the integration guidance.

Comment on lines +28 to +39
## Cloud credentials

- AWS/GCP ambient credentials use Cloud Credential Operator via `CredentialsRequest` (`pkg/controller/certmanager/credentials_request.go`).
- Cloud credential secret name is passed at runtime via `CloudCredentialSecret` flag (see `pkg/operator/starter.go`).
- See `docs/cloud_credentials.md` for operational setup.

## Trusted CA / proxy

- Trusted CA ConfigMap name is a runtime arg (`TrustedCAConfigMapName` in `pkg/operator/starter.go`).
- Prefer patching OLM Subscription env vars over editing Deployments directly (OLM reverts direct edits).
- See `docs/proxy.md` for proxy and CA injection patterns.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Update the deleted operational-doc links.

Both docs/cloud_credentials.md and docs/proxy.md are removed in this PR, so these references will break. Please point them at the consolidated docs or delete the stale links.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/security-guidelines.md` around lines 28 - 39, The operational references
in the Cloud credentials and Trusted CA/proxy sections are stale because
docs/cloud_credentials.md and docs/proxy.md no longer exist. Update the links in
the affected markdown to point to the consolidated documentation targets, or
remove those references entirely if there is no replacement, keeping the
surrounding guidance in docs/security-guidelines.md aligned with the current
docs structure.

Comment thread README.md
Comment on lines +7 to +13
| Operand CR | Kind | Description |
|------------|------|-------------|
| `cluster` | CertManager | Core cert-manager deployment (controller, webhook, cainjector) |
| `cluster` | TrustManager | Bundle distribution for trust anchors (TechPreview) |
| `cluster` | IstioCSR | Certificate signing for Istio workloads (TechPreview) |

The Operator automatically deploys a cluster-scoped `CertManager` object named `cluster` if it's missing (with default values).
All CRs use API group `operator.openshift.io/v1alpha1` and must be named `cluster`.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix the IstioCSR singleton name.

The table and summary say every CR is cluster, but IstioCSR is actually the namespaced default singleton. Update this so the CR naming contract matches the architecture docs.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 7 - 13, The README’s CR naming contract is incorrect
for IstioCSR: the table and summary currently say all operands are named
cluster, but the IstioCSR singleton is actually default. Update the IstioCSR row
and the closing summary text so they clearly state the correct singleton name,
while keeping the other operand names unchanged.

Comment thread README.md
Comment on lines +120 to +124
### Operational

```asciidoc
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
name: cluster
spec:
managementState: "Managed"
unsupportedConfigOverrides:
# Here's an example to supply custom DNS settings.
controller:
args:
- "--dns01-recursive-nameservers=1.1.1.1:53"
- "--dns01-recursive-nameservers-only"
```
## Metrics and Monitoring
- [docs/proxy.md](docs/proxy.md) — egress proxy and trusted CA configuration
- [docs/cloud_credentials.md](docs/cloud_credentials.md) — Cloud Credential Operator integration
- [docs/operand_metrics.md](docs/operand_metrics.md) — Prometheus metrics setup

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Drop the dead operational-doc links.

docs/proxy.md, docs/cloud_credentials.md, and docs/operand_metrics.md are deleted in this PR, so the README now links to files that no longer exist. Replace that section with the new docs index or remove it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 120 - 124, The README’s Operational section still
points to deleted doc files, so update the references in the Operational list to
the new docs index or remove the section entirely. Use the README’s existing
Operational heading and linked entries as the location to replace the dead links
with a valid top-level docs reference that matches the current documentation
structure.

@arun717 arun717 changed the title Adding agentic .md files for Cert-manager repository CM-1200: Adding agentic .md files for Cert-manager repository Jul 3, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 3, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 3, 2026

Copy link
Copy Markdown

@arun717: This pull request references CM-1200 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary by CodeRabbit

  • Documentation

  • Added and expanded contributor, architecture, testing, security, performance, API contract, and integration guidance for the operator.

  • Updated the main README to provide a shorter onboarding flow, clearer component overview, and streamlined setup/deployment steps.

  • Removed a few outdated standalone guides that are now covered elsewhere.

  • Chores

  • Updated ignore rules to keep local coverage and test artifacts out of source control.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants