@kahowell kahowell commented Jul 24, 2025

This required significant changes to the Makefile and a few different strategies:

  • conditionally build different versions of some structs, where there is an irreconcilable difference between main and rhoai branches (using build tags)
  • maintain a separate overlay of manifests and separate bundle, tracking rhoai specific changes where necessary.

Renamed directories:

  • bundle -> odh-bundle
  • config -> odh-config

New directories:

  • rhoai-bundle: contains the RHOAI bundle
  • rhoai-config: contains the RHOAI manifests

It was necessary to upgrade controller-tools to 0.17.3 to get a version of controller-gen that can use build tags.

With these changes most Make targets now accept the ODH_PLATFORM_TYPE parameter, and operate in either an odh-mode by default, or a rhoai mode if overridden to any value other than OpenDataHub.

get_all_manifests.sh now has a different mode when passed ODH_PLATFORM_TYPE other than OpenDataHub, where it looks at $VERSION and infers the downstream git reference to use. (It is most easily invoked via make get-manifests ODH_PLATFORM_TYPE=rhoai).

This adds RHOAI-specific Dockerfiles for the operator and the bundle.

See the difference between the rhoai versions and odh versions by using a diff tool, such as meld or diff -u.

You can compare the resulting bundle for differences by checking out the rhoai branch, and comparing bundle.rhoai to bundle in the rhoai branch.

There are a number of small differences related to changes that haven't been made to the rhoai branch.

Description

How Has This Been Tested?

Screenshot or short clip

Merge criteria

  • You have read the contributors guide.
  • Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
  • Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

  • New Features

    • Adds a RHOAI operator bundle and CSV exposing new RHOAI CRDs (Monitoring, Workbenches, ModelRegistry) and samples for a RHOAI deployment.
    • Platform-aware, multi-architecture image builds and bundle outputs.
  • Refactor

    • Reorganizes manifests/configs into ODH and RHOAI layouts and revises bundle generation/packaging workflows.
  • Chores

    • New container build/bundle toolchain, CI trigger path updates, and updated ignore rules.
  • Documentation

    • Integration testing guide updated for new bundle/config locations.


coderabbitai bot commented Jul 24, 2025

Walkthrough

Adds RHOAI-targeted build and packaging: new multi-stage Dockerfiles and builder stages, Makefile platform-aware logic, manifest sourcing from odh-config/rhoai-config, many CRD/CSV/manifests removed from legacy bundle/config, new rhoai kustomize overlays and patches, gated Go API files via rhoai build tag, and CI/workflow path updates.

Changes

Cohort / File(s) and Summary

  • New / Updated Dockerfiles
    Files: Dockerfiles/rhoai.Dockerfile, Dockerfiles/Dockerfile, Dockerfiles/bundle.Dockerfile, Dockerfiles/build-bundle.Dockerfile, Dockerfiles/rhoai-bundle.Dockerfile, Dockerfiles/build-bundle.Dockerfile, Dockerfiles/rhoai-bundle.Dockerfile
    Summary: Add multi-stage, multi-arch builds for manager and bundle images; builder stages cache Go modules and tooling; final images copy built artifacts and manifests; manifest COPY sources switched to odh-config/ in places.
  • Makefile & build orchestration
    Files: Makefile
    Summary: Add ODH_PLATFORM_TYPE with per-platform variable blocks, image tagging logic, USE_IMAGE_DIGESTS, updated CONTROLLER_TOOLS_VERSION, per-platform bundle generation/build wiring, deploy-bundle/upgrade-bundle targets, and kustomize/image substitution changes.
  • Manifest fetcher script
    Files: get_all_manifests.sh
    Summary: Replace hard-coded org/refs with platform-driven GITHUB_ORG and per-component _REF vars, update platform manifest mappings to odh-config, add CLI --key=value override parsing and validation, preserve fetch/link flow.
  • New RHOAI bundle build helper
    Files: Dockerfiles/*-bundle.Dockerfile, Dockerfiles/build-bundle.Dockerfile
    Summary: Builder stages produce both ODH and RHOAI bundles; final images include bundle manifests/metadata/tests and appropriate bundle labels/annotations.
  • Gated Go APIs and new rhoai APIs
    Files: api/components/v1alpha1/modelregistry_types.go, api/components/v1alpha1/workbenches_types.go, api/dscinitialization/v1/*, api/services/v1alpha1/*, api/components/v1alpha1/rhoai_modelregistry_types.go, api/components/v1alpha1/rhoai_workbenches_types.go, api/dscinitialization/v1/rhoai_dscinitialization_types.go, api/services/v1alpha1/rhoai_monitoring_types.go
    Summary: Add //go:build !rhoai to several existing files; add new rhoai-specific API types and DSC/DSCI variants: ModelRegistry, Workbenches, DSCInitialization(v1), Monitoring (rhoai), with constants, specs/statuses, helper methods, validations, and scheme registration.
  • Large removal: legacy bundle manifests
    Files: bundle/manifests/*, bundle/metadata/annotations.yaml, bundle/tests/scorecard/config.yaml, bundle/manifests/opendatahub-operator.clusterserviceversion.yaml, many bundle/manifests/components.*.yaml
    Summary: Remove CSV, many CRD manifests, RBAC, Service, metadata annotations, and scorecard configuration from bundle/ (bulk deletion of bundle assets).
  • Large removal: legacy config CRDs & webhooks
    Files: config/crd/bases/*, config/crd/external/*, config/rbac/role.yaml, config/webhook/manifests.yaml
    Summary: Remove generated CRD base manifests, external CRDs, broad ClusterRole and webhook registration manifests.
  • RHOAI kustomize overlays & CRD patches
    Files: rhoai-config/crd/*, rhoai-config/crd/patches/*, rhoai-config/crd/kustomizeconfig.yaml, rhoai-config/crd/kustomization.yaml
    Summary: Add rhoai-config CRD kustomization, kustomizeconfig, conversion webhook patches, cert-manager CA injection patches, and CRD lists for RHOAI CRDs.
  • RHOAI default/manager kustomize & manifests
    Files: rhoai-config/default/*, rhoai-config/manager/*, rhoai-config/manager/kustomization.yaml.in, rhoai-config/manager/manager.yaml
    Summary: Add default kustomization, manager patches (auth-proxy, webhook), manager Deployment/Namespace/service/account overlays, and manager kustomize template with REPLACE_IMAGE placeholder.
  • RHOAI bundle manifests & CSV
    Files: rhoai-config/manifests/*, rhoai-config/manifests/bases/rhods-operator.clusterserviceversion.yaml, rhoai-config/manifests/kustomization.yaml
    Summary: Add new CSV (rhods-operator.v2.0.0), description patch, kustomization composing bases/default/samples/prometheus/scorecard, and list of owned CRDs in CSV.
  • CI/workflows & scripts
    Files: .github/workflows/*, .github/scripts/update-versions.sh, .github/workflows/build-push-images-on-pr-update.yaml, .github/workflows/run-integration-tests.yaml, .github/workflows/prometheus-unit-tests.yaml, .github/workflows/release-staging.yaml
    Summary: Update path triggers to odh-config//rhoai-config/ and bundle dirs, adjust release cleanup targets and CSV path, minor formatting and path changes.
  • Docs & ignore rules
    Files: docs/integration-testing.md, .gitignore, .dockerignore
    Summary: Update docs and ignore rules to reference odh-config//rhoai-config/ and odh-bundle/rhoai-bundle; adjust dockerignore formatting and sample rules.
  • ODH manager image placeholder
    Files: odh-config/manager/manager.yaml
    Summary: Replace concrete image controller:latest with placeholder REPLACE_IMAGE:latest for kustomize substitution.
  • Various small scripts & helpers
    Files: hack/update-catalog-template.sh, other minor files
    Summary: Update default catalog template path to odh-config/ and adjust script targets accordingly.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant MK as Make
  participant GM as get_all_manifests.sh
  participant D_MAN as Docker(manifests stage)
  participant D_BUILDER as Docker(builder)
  participant D_FINAL as Docker(final)

  Dev->>MK: make image (ODH_PLATFORM_TYPE=[OpenDataHub|rhoai], VERSION, overrides)
  MK->>GM: ODH_PLATFORM_TYPE, VERSION, optional --key=value
  GM-->>GM: resolve repos and refs (GITHUB_ORG + per-component _REF)
  GM->>D_MAN: produce /opt/manifests (filter, normalize, copy odh-config/rhoai-config)
  MK->>D_BUILDER: build manager binary (GOARCH/TAGS)
  D_BUILDER-->>D_FINAL: copy /manager
  D_MAN-->>D_FINAL: copy /opt/manifests (chown/chmod)
  D_FINAL-->>Dev: runtime image with /manager and manifests

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant MK as Make
  participant K as Kustomize
  participant OS as operator-sdk
  participant DB as Docker (bundle)

  Dev->>MK: make bundle (ODH_PLATFORM_TYPE)
  MK->>K: kustomize build (odh-config/ or rhoai-config/)
  K-->>MK: rendered manifests (CONFIG_DIR)
  MK->>OS: operator-sdk generate bundle (--package / --channels / --use-image-digests?)
  OS-->>MK: bundle artifacts (odh-bundle/ or rhoai-bundle/)
  MK->>DB: docker build bundle image (Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME), build-args)
  DB-->>Dev: bundle image including manifests & metadata

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120–180 minutes

Poem

A rabbit nudges build args bright,
Two bundles hop into the night.
Kustomize burrows, patches sleep,
CRDs shuffle, manifests leap.
Manager squeaks — containers tight,
Hooray! the pipeline takes its flight. 🐇✨

Contributor

This PR can't be merged just yet 😢

Please run make generate manifests api-docs and commit the changes.

For more info: https://github.com/opendatahub-io/opendatahub-operator/actions/runs/16505819922

Contributor

This PR can't be merged just yet 😢

Please run make generate manifests api-docs and commit the changes.

For more info: https://github.com/opendatahub-io/opendatahub-operator/actions/runs/16505941983


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 23

🔭 Outside diff range comments (4)
config/default.rhoai/manager_auth_proxy_patch.yaml (1)

1-17: Harden the manager & proxy containers with a securityContext

Static analysis flags (CKV_K8S_20, CKV_K8S_23) indicate the containers may run as root and allow privilege escalation.
Add an explicit, restrictive securityContext (and mirror it in the side-car once it’s added) to satisfy common OCP/PSa policies:

       containers:
       - name: rhods-operator
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         args:
           - "--health-probe-bind-address=:8081"
           - "--metrics-bind-address=0.0.0.0:8080"
           - "--leader-elect"
+      # ensure the kube-rbac-proxy side-car gets the same treatment
+      - name: kube-rbac-proxy
+        # image, args …
+        securityContext:
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
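
Review bot: The added kube-rbac-proxy entry at the end of this suggestion has only a placeholder comment where image and args belong, so as written it is not an applicable patch; it needs the real container fields, or should be left out until the side-car exists. Both securityContext blocks also omit seccompProfile, which the later comment on config/manager.rhoai/manager.yaml recommends setting to RuntimeDefault; adding `seccompProfile: {type: RuntimeDefault}` to both would keep the two suggestions consistent.
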
bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml (1)

267-273: Drop the generated status block before shipping the CRD

The status stanza is populated by the API server and should not be present in declarative manifests. Including it:

  1. Bloats diffs with non-authoritative data.
  2. Risks "field is immutable" errors during future upgrades.
  3. Violates OLM bundle best-practices (bundle-lint warns).

Delete lines 267-273:

-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: null
-  storedVersions: null
bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml (1)

169-175: Remove CRD status section for the same reasons outlined in kserves CRD

See previous comment – identical rationale applies here.

bundle.rhoai/manifests/services.platform.opendatahub.io_monitorings.yaml (1)

257-263: Strip the autogenerated status block

Consistent with other CRDs, omit lines 257-263 before bundling.

♻️ Duplicate comments (6)
bundle.rhoai/manifests/components.platform.opendatahub.io_kueues.yaml (1)

197-202: Same status section concern as noted for Auth CRD – recommend dropping it to prevent drift.

bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (1)

219-224: Duplicate note: drop the generated status block to keep CRDs clean and avoid apply drift.

bundle.rhoai/manifests/components.platform.opendatahub.io_trainingoperators.yaml (2)

5-6: Same cluster-generated field as above – please drop creationTimestamp: null.


170-175: Same status stub issue as above – remove entire status: block.

bundle.rhoai/manifests/features.opendatahub.io_featuretrackers.yaml (2)

5-6: Unnecessary creationTimestamp – recommended to omit.


130-135: Drop status placeholder – see rationale in earlier comment.

🧹 Nitpick comments (39)
api/dscinitialization/v1/dscinitialization_types.go (1)

1-2: Add legacy // +build tag for widest tool-chain compatibility

The modern //go:build !rhoai directive is correct, but some downstream CI environments still compile with < Go 1.17 tool-chains. Mirroring the line with the legacy form keeps the file buildable everywhere.

api/services/v1alpha1/monitoring_types.go (1)

1-2: Mirror legacy build tag for consistency

As above, consider adding

// +build odh

immediately below the //go:build odh line.

bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml (1)

170-176: Drop the status block from checked-in CRDs.

status (and the empty acceptedNames/conditions/storedVersions) is server-managed; committing it adds churn every regenerate and is ignored when applied. Recommend trimming before commit.

-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: null
-  storedVersions: null
bundle/manifests/components.platform.opendatahub.io_trustyais.yaml (1)

170-176: Same status stanza noise — recommend removal (see FeastOperator comment).

bundle/manifests/components.platform.opendatahub.io_rays.yaml (1)

170-176: Please strip the generated status block (same rationale as earlier).

bundle/manifests/components.platform.opendatahub.io_kueues.yaml (1)

197-203: Extraneous status section — consider removing to avoid diff churn.

bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1)

1418-1423: Confirm empty status block is intentional

The newly-added status.acceptedNames.kind|plural fields are empty strings. This is harmless but purely informational – Kubernetes overwrites the status section at runtime.
If this manifest is checked into source control only to be regenerated later, consider omitting the status stanza altogether to reduce churn in future diffs.

bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1)

197-203: Consider stripping generated status before commit

Same remark as for the DSC CRD: the empty status block is regenerated by the API server and usually omitted from checked-in manifests.

bundle/manifests/components.platform.opendatahub.io_kserves.yaml (1)

267-272: Generated status section – verify necessity

As with the other CRDs, the empty status fields are generally not required in declarative manifests. Omitting them keeps the diff surface smaller.

.gitignore (1)

68-76: Good call on ignoring build-generated artifacts

Adding PROJECT, config/rbac/role.yaml, and config/crd/bases prevents accidental commits of regenerated files.
Minor nit: to ignore the whole directory recursively, you may want a trailing slash:

-config/crd/bases
+config/crd/bases/
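
Review bot: On the `+config/crd/bases/` line, the trailing slash restricts the pattern to directories. The original `config/crd/bases` already matches a directory of that name, with everything under it, and also a plain file of that name, so this change narrows the rule and does not widen it. Take it only if the intent is to ignore the directory and nothing else.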

This avoids edge cases where a file named exactly config/crd/bases (unlikely, but possible) would bypass the rule.

config/samples.rhoai/services_v1alpha1_auth.yaml (1)

6-8: Provide a minimal, working sample spec

The sample currently contains only a TODO. Supplying at least one required field (or a comment explaining that all fields are optional) improves the usefulness of the example for end-users.

Example:

spec:
  clientID: example
  clientSecretRef:
    name: auth-secret
    key: clientSecret
config/manager.rhoai/kustomization.yaml.in (1)

1-12: Kustomize ordering & image replacement robustness

  1. apiVersion / kind are legally placed anywhere but conventionally sit at the top – helps reviewers & automation.
  2. generatorOptions.disableNameSuffixHash only affects generated ConfigMaps/Secrets; if the intent is to keep all resource names stable consider the top-level field nameSuffix: "".
  3. images: only sets newName; if manager.yaml already contains a tag (e.g. controller:latest) the tag will survive, yielding REPLACE_IMAGE:latest. Usually both newName and newTag are needed.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
 resources:
 - manager.yaml

- generatorOptions:
-   disableNameSuffixHash: true
+nameSuffix: ""

 images:
 - name: controller
-  newName: REPLACE_IMAGE
+  newName: REPLACE_IMAGE
+  newTag: latest
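
Review bot: Replacing `generatorOptions.disableNameSuffixHash: true` with `nameSuffix: ""` is not equivalent: an empty nameSuffix appends nothing, and it does not switch off the content-hash suffix kustomize adds to generated ConfigMaps and Secrets, so the generatorOptions block should stay. The `newTag: latest` line also pins a mutable tag next to the REPLACE_IMAGE placeholder; since the Makefile in this PR carries a USE_IMAGE_DIGESTS option, the tag or digest is better substituted at build time together with the image name.
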
bundle.rhoai/manifests/redhat-ods-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml (1)

3-5: Remove generated junk to avoid noisy diffs

creationTimestamp: null is superfluous metadata that changes on every regenerate and bloats diffs.

-  creationTimestamp: null
config/rbac.rhoai/role_binding.yaml (1)

10-12: Hard-coded namespace may break non-default installs

Binding hard-codes namespace: system. If the operator is installed into a different namespace (make deploy OPERATOR_NAMESPACE=...) the binding breaks. Consider templating the namespace via kustomize namespace: or a var substitution.

bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml (2)

3-5: Strip creationTimestamp: null

Same noise issue as above; drop the field.

-  creationTimestamp: null

6-16: Consider aggregating to built-in view roles

If this role is intended only for Prometheus scraping, add the standard aggregation label so platform admins automatically inherit the permissions:

 metadata:
   name: prometheus-k8s-viewer
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
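
Review bot: The two aggregate-to-* labels added under metadata merge this ClusterRole's rules into the built-in view and edit roles, so every subject bound to view or edit anywhere in the cluster gains them, not only Prometheus or platform admins. The rules themselves (lines 6-16 of the file) are not shown in this hunk; unless they are confirmed safe to grant that widely, leave the labels off and grant the role through an explicit binding, such as the prometheus-k8s-viewer ClusterRoleBinding listed among this PR's bundle files.
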
bundle.rhoai/manifests/services.platform.opendatahub.io_auths.yaml (1)

137-142: Consider removing the pre-populated status stanza

status is managed server-side; committing it leads to noisy drifts and is ignored (or rejected on some clusters).

-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: null
-  storedVersions: null
bundle.rhoai/manifests/redhat-ods-operator-controller-manager-metrics-service_v1_service.yaml (1)

9-14: Consider naming the port https for clarity

Port 8443 is almost always TLS-terminated by kube-rbac-proxy; naming it https improves self-documentation and avoids misleading dashboards that assume http.

-  - name: http
+  - name: https
     port: 8443
     protocol: TCP
     targetPort: http   # update this to `https` in the Deployment/service as well
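
Review bot: The rename on the `name:` line is only half of the change: `targetPort: http` still refers to the container port by its old name, and the inline comment defers that to a later edit. Rename the container port and targetPort in the same commit, and update anything that selects this Service port by name, or leave the name as it is.
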
bundle.rhoai/manifests/components.platform.opendatahub.io_feastoperators.yaml (1)

5-6: creationTimestamp: null is noise generated by controller-gen; safe to drop

The field is ignored by the API server and will always be overwritten. Removing it keeps the manifest minimal and avoids irrelevant diffs when the file is re-generated.

-  creationTimestamp: null
bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (1)

5-6: Same creationTimestamp: null nit as other CRDs

See FeastOperator comment – consider dropping to keep the manifest lean.

bundle.rhoai/metadata/annotations.yaml (1)

13-15: Path correctness for scorecard config

operators.operatorframework.io.test.config.v1: tests/scorecard/ assumes that directory exists in the bundle image root. Double-check the Dockerfile copies the folder at that exact path; otherwise scorecard tests will silently be skipped.

config/webhook.rhoai/kustomizeconfig.yaml (1)

24-26: Expand varReference to cover future URL-based webhook endpoints

Only metadata/annotations is declared. If a webhook ever switches from a service reference to a direct clientConfig.url, variable substitution will silently break. Consider adding:

varReference:
- path: metadata/annotations
- path: webhooks/clientConfig/url

to keep substitution robust.

Dockerfiles/bundle.rhoai.Dockerfile (1)

1-22: Set a non-root user to satisfy hardened registries

Bundle images are never executed, but many registries (and OpenShift disconnected installs) reject images that run as root in scratch. Add an explicit non-privileged user:

COPY bundle.rhoai/tests/scorecard /tests/scorecard/
+
+# Non-root for compliance
+USER 65532:65532

This mirrors the UID used by operator-sdk generated bundles.

config/webhook.rhoai/service.yaml (1)

14-21: Minor label consistency suggestion

Consider mirroring the richer app.kubernetes.io/* label-set used elsewhere instead of the single name selector. It improves queryability and avoids accidental clashes with other workloads named rhods-operator.

-  selector:
-    name: rhods-operator
+  selector:
+    app.kubernetes.io/name: rhods-operator
+    app.kubernetes.io/component: controller
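
Review bot: Switching the selector to the two app.kubernetes.io/* labels only works if the manager pod template carries exactly those labels, and this hunk changes the Service alone. If the Deployment still labels its pods `name: rhods-operator`, the webhook Service ends up with no endpoints and admission requests routed to it fail, so the pod labels have to change in the same commit.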

Not blocking, purely a hygiene tweak.

bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (1)

192-197: Consider dropping the generated status stanza

status is server-populated and usually stripped from CRD bundle manifests to avoid unnecessary git noise and merge conflicts. Removing it has no functional impact.

Safe to keep if you rely on diff tooling, but most operators omit it.

config/samples.rhoai/dscinitialization_v1_dscinitialization.yaml (1)

12-25: Use consistent quoting style to improve readability

The sample mixes single-quoted ('redhat-ods-*') and double-quoted ("Managed") scalars while most other strings are left unquoted. YAML has no semantic problem with this, but adopting a single convention (typically no quotes unless needed, or consistently double quotes) makes diffs cleaner and reduces accidental escaping issues when copy-pasting.

get_all_manifests.sh (1)

134-139: Declare the pids array instead of relying on implicit creation

Bash will autovivify the array, but an explicit declaration improves readability and avoids set -u issues later:

-# Track background job PIDs +declare -a pids=()
+declare -a pids=()   # Track background job PIDs
bundle.rhoai/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1)

223-229: Double-quote escaping in CEL rule is hard to read

The validation rule embeds single quotes inside a single-quoted YAML scalar:
'self.backend != ''pv'' ? ...'

While syntactically valid, it is very easy to mis-count quotes when editing. Consider switching to double quotes for the scalar and escaping the inner double quotes instead, or use the block style:

rule: "self.backend != 'pv' ? has(self.secret) : true"

This reduces the chance of introducing invalid YAML during future edits.

config/manifests.rhoai/description-patch.yml (1)

17-29: Prefer block style lists for long CSV descriptions

YAML flow-style (*) bullet lists render fine, but block style (-) is easier to diff, edit and keep within OLM’s 512-character line-length soft limit. Consider re-formatting the component list to block style for long-term maintainability.

config/default.rhoai/kustomization.yaml (1)

34-41: Dead commented block can probably be removed

The commented [WEBHOOK] section (lines 38-42) duplicates the entry already supplied via patches:. Removing it reduces noise and avoids the chance of drifting docs.

config/samples.rhoai/datasciencecluster_v1_datasciencecluster.yaml (1)

19-33: Inline-flow mappings hurt readability & invite YAML foot-guns

Using JSON-style flow mappings split across lines works syntactically, but:

  1. Editors & linters often mis-indent them → accidental syntax errors.
  2. Any missing comma will only surface at deploy time.
  3. Diff churn is high.

Recommend switching to block style:

-  kserve: {
-    managementState: "Managed",
-    nim: {
-      managementState: "Managed"
-    },
-    serving: {
-
-    }
-  }
+  kserve:
+    managementState: Managed
+    nim:
+      managementState: Managed
+    serving:
+      ingressGateway:
+        certificate:
+          type: OpenshiftDefaultIngress
+      name: knative-serving
+      managementState: Managed
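
Review bot: The `+` side is not a pure restyle: the removed `serving: { }` mapping is empty, while the block-style replacement adds ingressGateway.certificate.type, name and managementState under serving. If those fields were elided from the `-` side, show them there; otherwise a formatting suggestion is changing what the sample deploys, and that belongs in a separate change.
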
bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (1)

262-340: ClusterPermission size indicates possible over-privileging

The newly inserted rule block adds full-wildcard ('*') verbs for core and apps resources plus an apiGroups: '*' rule. This grants the operator super-cluster-admin.

If the intent is parity with existing SA, consider scoping to the exact resources required by controller-runtime watches; wildcard cluster-wide rights may fail partner-vendor certification.

config/manager.rhoai/manager.yaml (2)

27-36: Consider enabling seccomp profile for Pod hardening

The hard-commented seccompProfile: {type: RuntimeDefault} is recommended by Kubernetes PSP/NSA hardening guidelines and is already supported in OpenShift ≥ 4.11.
Uncomment unless you must support < 4.11.


74-80: Resource requests/limits look inconsistent

Requests (500m CPU / 256 Mi) and limits (500m CPU / 4 Gi) mean:
• CPU is effectively guaranteed at limit (fine).
• Memory can spike 16× the request, risking eviction on tight nodes.

Consider either tightening the limit (e.g. 1 Gi) or raising the request to reflect realistic usage.

bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1)

1418-1423: Include-status in CRD manifests is discouraged

status: is populated by the API server and should be omitted from declarative manifests to avoid needless churn and patch conflicts:

- status:
-   acceptedNames: {}
-   conditions: null
-   storedVersions: null

Remove these lines unless you have a specific reason to ship server-generated state.

Dockerfiles/rhoai.Dockerfile (1)

60-63: Recursive chmod/chown in container build layers

chown -R + chmod -R on /opt/manifests can explode layer size. Consider setting ownership earlier in the manifests stage and using --from= copy with the right uid/gid instead.

config/manifests.rhoai/bases/rhods-operator.clusterserviceversion.yaml (1)

9-10: Placeholder image left in released CSV

containerImage: REPLACE_IMAGE:latest will surface in catalog metadata (even if deployments are patched). Replace it with the digest/tag pushed by CI.

api/services/v1alpha1/rhoai_monitoring_types.go (1)

135-149: Consider moving MonitoringCommonSpec earlier in the file.

The MonitoringCommonSpec is defined after the main Monitoring type that uses it. Consider moving it earlier (around line 37) for better code organization and readability.

Makefile (1)

272-278: sed -i GNU-ism – breaks on macOS / BSD

sed -i without a suffix is GNU-specific.
On macOS the command errors out, interrupting make prepare.

-	sed -i 's/projectName: .*/projectName: $(KUBEBUILDER_PROJECT_NAME)/' PROJECT
+	sed -i.bak 's/projectName: .*/projectName: $(KUBEBUILDER_PROJECT_NAME)/' PROJECT && rm -f PROJECT.bak

Alternatively use $(SED) with a platform check.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a268504 and 23e6955.

📒 Files selected for processing (89)
  • .gitignore (1 hunks)
  • Dockerfiles/bundle.rhoai.Dockerfile (1 hunks)
  • Dockerfiles/rhoai.Dockerfile (1 hunks)
  • Makefile (8 hunks)
  • api/components/v1alpha1/modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_workbenches_types.go (1 hunks)
  • api/components/v1alpha1/workbenches_types.go (1 hunks)
  • api/dscinitialization/v1/dscinitialization_types.go (1 hunks)
  • api/dscinitialization/v1/rhoai_dscinitialization_types.go (1 hunks)
  • api/services/v1alpha1/monitoring_types.go (1 hunks)
  • api/services/v1alpha1/rhoai_monitoring_types.go (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_dashboards.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_feastoperators.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kueues.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml (3 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_rays.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_trainingoperators.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_trustyais.yaml (2 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml (3 hunks)
  • bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (4 hunks)
  • bundle.rhoai/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (5 hunks)
  • bundle.rhoai/manifests/features.opendatahub.io_featuretrackers.yaml (2 hunks)
  • bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (2 hunks)
  • bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml (1 hunks)
  • bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml (1 hunks)
  • bundle.rhoai/manifests/redhat-ods-operator-controller-manager-metrics-service_v1_service.yaml (1 hunks)
  • bundle.rhoai/manifests/redhat-ods-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml (1 hunks)
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • bundle.rhoai/manifests/services.platform.opendatahub.io_auths.yaml (2 hunks)
  • bundle.rhoai/manifests/services.platform.opendatahub.io_monitorings.yaml (4 hunks)
  • bundle.rhoai/metadata/annotations.yaml (1 hunks)
  • bundle.rhoai/tests/scorecard/config.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_codeflares.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_dashboards.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kserves.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kueues.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_rays.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trustyais.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_workbenches.yaml (1 hunks)
  • bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1 hunks)
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • bundle/manifests/features.opendatahub.io_featuretrackers.yaml (1 hunks)
  • bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1 hunks)
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (3 hunks)
  • bundle/manifests/services.platform.opendatahub.io_auths.yaml (1 hunks)
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • config/crd/bases/_.yaml (0 hunks)
  • config/crd/external/route.openshift.io_routes.yaml (1 hunks)
  • config/crd/external/user.openshift.io_groups.yaml (1 hunks)
  • config/crd/external/user.openshift.io_identities.yaml (1 hunks)
  • config/crd/external/user.openshift.io_useridentitymappings.yaml (1 hunks)
  • config/crd/external/user.openshift.io_users.yaml (1 hunks)
  • config/default.rhoai/kustomization.yaml (1 hunks)
  • config/default.rhoai/manager_auth_proxy_patch.yaml (1 hunks)
  • config/default.rhoai/manager_webhook_patch.yaml (1 hunks)
  • config/manager.rhoai/kustomization.yaml (1 hunks)
  • config/manager.rhoai/kustomization.yaml.in (1 hunks)
  • config/manager.rhoai/manager.yaml (1 hunks)
  • config/manifests.rhoai/bases/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • config/manifests.rhoai/description-patch.yml (1 hunks)
  • config/manifests.rhoai/kustomization.yaml (1 hunks)
  • config/rbac.rhoai/auth_proxy_client_clusterrole.yaml (1 hunks)
  • config/rbac.rhoai/auth_proxy_service.yaml (1 hunks)
  • config/rbac.rhoai/kustomization.yaml (1 hunks)
  • config/rbac.rhoai/role_binding.yaml (1 hunks)
  • config/rbac/role.yaml (0 hunks)
  • config/samples.rhoai/datasciencecluster_v1_datasciencecluster.yaml (1 hunks)
  • config/samples.rhoai/dscinitialization_v1_dscinitialization.yaml (1 hunks)
  • config/samples.rhoai/kustomization.yaml (1 hunks)
  • config/samples.rhoai/services_v1alpha1_auth.yaml (1 hunks)
  • config/webhook.rhoai/kustomization.yaml (1 hunks)
  • config/webhook.rhoai/kustomizeconfig.yaml (1 hunks)
  • config/webhook.rhoai/manifests.yaml (1 hunks)
  • config/webhook.rhoai/service.yaml (1 hunks)
  • get_all_manifests.sh (1 hunks)
💤 Files with no reviewable changes (2)
  • config/rbac/role.yaml
  • config/crd/bases/_.yaml
🧰 Additional context used
🧠 Learnings (58)
📓 Common learnings
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:36-43
Timestamp: 2025-05-27T08:29:05.312Z
Learning: The hack/update-catalog-template.sh script in opendatahub-operator is development tooling where simple regex patterns for version extraction are acceptable, and developers are expected to handle version format requirements themselves.

bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (3)

Learnt from: AjayJagan
PR: #1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file Dockerfiles/catalog.Dockerfile in the opendatahub-operator repository is autogenerated and should not be manually modified.

Learnt from: mlassak
PR: #2010
File: config/crd/kustomization.yaml:22-22
Timestamp: 2025-07-22T10:32:09.737Z
Learning: In the opendatahub-operator repository, when FeatureTrackers are being removed or deprecated, the FeatureTracker CRD reference in config/crd/kustomization.yaml should be kept for backward compatibility during the migration period, even if some components no longer use FeatureTrackers.

Learnt from: AjayJagan
PR: #1990
File: hack/update-catalog-template.sh:36-43
Timestamp: 2025-05-27T08:29:05.312Z
Learning: The hack/update-catalog-template.sh script in opendatahub-operator is development tooling where simple regex patterns for version extraction are acceptable, and developers are expected to handle version format requirements themselves.

.gitignore (2)

Learnt from: AjayJagan
PR: #1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file Dockerfiles/catalog.Dockerfile in the opendatahub-operator repository is autogenerated and should not be manually modified.

Learnt from: AjayJagan
PR: #1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the || true pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

🧬 Code Graph Analysis (2)
api/components/v1alpha1/rhoai_modelregistry_types.go (3)
api/components/v1alpha1/modelregistry_types.go (7)
  • ModelRegistryComponentName (27-27)
  • ModelRegistry (76-82)
  • ModelRegistryCommonSpec (38-47)
  • ModelRegistryCommonStatus (57-60)
  • ModelRegistrySpec (50-54)
  • ModelRegistryStatus (63-66)
  • ModelRegistryList (111-115)
api/common/types.go (7)
  • PlatformObject (188-192)
  • DevFlagsSpec (36-40)
  • ComponentReleaseStatus (162-168)
  • Status (132-140)
  • Condition (71-129)
  • ComponentRelease (152-158)
  • ManagementSpec (12-23)
api/dscinitialization/v1/rhoai_dscinitialization_types.go (1)
  • DevFlags (62-74)
api/dscinitialization/v1/rhoai_dscinitialization_types.go (4)
api/services/v1alpha1/monitoring_types.go (2)
  • Monitoring (127-133)
  • DSCIMonitoring (180-185)
api/dscinitialization/v1/dscinitialization_types.go (6)
  • TrustedCABundleSpec (76-86)
  • DevFlags (62-74)
  • DSCInitializationStatus (89-106)
  • DSCInitializationSpec (32-58)
  • DSCInitialization (126-132)
  • DSCInitializationList (137-141)
api/common/types.go (3)
  • Condition (71-129)
  • Release (198-201)
  • Status (132-140)
api/infrastructure/v1alpha1/groupversion_info.go (1)
  • SchemeBuilder (32-32)

🪛 Checkov (3.2.334)
config/default.rhoai/manager_webhook_patch.yaml

[MEDIUM] 1-26: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-26: Minimize the admission of root containers

(CKV_K8S_23)

config/default.rhoai/manager_auth_proxy_patch.yaml

[MEDIUM] 3-16: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 3-16: Minimize the admission of root containers

(CKV_K8S_23)

🪛 GitHub Actions: Build and push operator images on PR update
get_all_manifests.sh

[error] 6-6: Shell script error: unary operator expected in line 6.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Run tests and collect coverage on internal and pkg
  • GitHub Check: golangci-lint

🔇 Additional comments (79)
api/components/v1alpha1/modelregistry_types.go (1)

1-2: Build-tag guard looks correct

The //go:build !rhoai directive is properly placed at the very top and followed by a blank line, so it will exclude the generic type from rhoai builds as intended.

api/components/v1alpha1/workbenches_types.go (1)

1-2: Correct platform split for Workbenches

Same as with ModelRegistry, the guard cleanly separates the non-rhoai implementation. No issues spotted.

bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1)

5-5: Annotation updated — looks good

The manifest was regenerated; no manual edits detected.

bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml (1)

5-5: Aligned with new controller-gen version

Change matches the rest of the CRD refresh. Nothing further.

bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (2)

5-6: Controller-gen version bump looks good

The annotation now matches the repository-wide upgrade to v0.17.3.


219-224: Confirm need for committed empty status stanza

Committing status: with null fields can create noisy diffs when clusters later populate these fields. If not strictly required by downstream tooling, consider omitting it from version-controlled manifests.

config/crd/external/user.openshift.io_groups.yaml (1)

6-6: Annotation bump acknowledged

Aligns with controller-gen v0.17.3; no further concerns.

bundle/manifests/components.platform.opendatahub.io_dashboards.yaml (2)

5-6: Version annotation update is correct

Matches the toolchain update.


158-164: Verify necessity of empty status block

As with other CRDs, committing an empty status: may lead to perpetual diff churn. Confirm whether it can be excluded.

bundle/manifests/services.platform.opendatahub.io_auths.yaml (1)

4-7: Annotation / scaffold additions look correct

The controller-gen version bump, creationTimestamp: null, and the stub status block follow the standard pattern generated by controller-gen ≥ v0.17.0. They are harmless for cluster-installed CRDs and improve reproducibility.
No further action needed.

Also applies to: 137-142

bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (1)

4-7: Consistent controller-gen upgrade – LGTM

The manifest now reflects v0.17.3 output and includes the empty status scaffold. Everything complies with k8s CRD conventions.

Also applies to: 170-175

config/crd/external/user.openshift.io_useridentitymappings.yaml (1)

4-7: Version annotation updated correctly

Purely mechanical change; no schema impact.

bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (1)

4-7: Upgrade & status scaffold verified

Matches other CRDs generated with controller-gen v0.17.3; nothing else changed.

Also applies to: 170-175

config/crd/external/user.openshift.io_users.yaml (1)

4-7: Minor tooling bump only – OK to merge

No functional differences beyond annotation.

bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (1)

5-5: Controller-gen version bump looks good

Moving to v0.17.3 keeps the generated CRD in sync with the upgraded toolchain; nothing else to flag.

bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml (1)

5-5: Tooling version updated consistently

The annotation now reflects controller-gen v0.17.3, matching the rest of the bundle. No further action required.

bundle/manifests/components.platform.opendatahub.io_workbenches.yaml (1)

5-5: Annotation update acknowledged

CRD regenerated with controller-gen v0.17.3; change is correct and harmless.

bundle/manifests/services.platform.opendatahub.io_monitorings.yaml (1)

5-5: Version string refreshed

The controller-gen annotation now points to v0.17.3, aligning this manifest with the rest of the bundle.

bundle/manifests/components.platform.opendatahub.io_codeflares.yaml (1)

5-5: CRD regenerated with latest controller-gen

v0.17.3 annotation is correct; no issues spotted.

bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml (1)

5-6: Controller-gen version bump looks correct.

The annotation update to v0.17.3 aligns with the Makefile toolchain bump; no issues spotted.

bundle/manifests/components.platform.opendatahub.io_trustyais.yaml (1)

5-6: Controller-gen version bump acknowledged.

config/crd/external/user.openshift.io_identities.yaml (1)

6-6: Annotation update OK.

bundle/manifests/components.platform.opendatahub.io_rays.yaml (1)

5-6: Tool version annotation good.

bundle/manifests/components.platform.opendatahub.io_kueues.yaml (1)

5-6: v0.17.3 annotation LGTM.

config/crd/external/route.openshift.io_routes.yaml (1)

5-6: Controller-gen annotation bumped to v0.17.3 – looks good

The version bump is consistent with the tooling upgrade noted in the PR description and is the only change in this manifest.
No further action required as long as the CI image (or your local env) actually uses controller-gen v0.17.3.

If you haven’t already, run controller-gen --version in your build container to confirm the expected version is on PATH.

bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1)

4-6: CRD regenerated with controller-gen v0.17.3 – OK

The annotation update and the synthetic creationTimestamp: null line are normal artefacts of a fresh controller-gen run.
Nothing else in the schema changed, so this update is safe to merge.

bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1)

5-5: Controller-gen version bump looks good

The annotation is updated to v0.17.3, matching the toolchain upgrade introduced in this PR. No action needed.

bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1)

5-6: Version annotation & creationTimestamp null entry are fine

The manifest now reflects controller-gen v0.17.3; keeping creationTimestamp: null is standard for generated CRDs.

bundle/manifests/components.platform.opendatahub.io_kserves.yaml (1)

5-6: Tooling version sync acknowledged

controller-gen.kubebuilder.io/version updated to v0.17.3 — consistent with the repo-wide bump.

config/rbac.rhoai/auth_proxy_client_clusterrole.yaml (1)

1-9: Duplicate ClusterRole & missing binding may break apply

redhat-ods-operator-metrics-reader is declared again in the bundle directory (bundle.rhoai/..._metrics-reader_...yaml).
If both kustomizations are applied in the same overlay the duplicate name will cause a server-side conflict, and without a matching ClusterRoleBinding this role is never associated with a subject.

  • ensure this ClusterRole exists only once in the final manifest set
  • add (or reference) a ClusterRoleBinding to wire it to the service-account scraping metrics

bundle.rhoai/manifests/redhat-ods-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml (1)

1-10: Same role defined twice

See identical ClusterRole in config/rbac.rhoai/auth_proxy_client_clusterrole.yaml. Deduplicate before shipping the bundle, otherwise cluster-apply will fail.

bundle.rhoai/manifests/services.platform.opendatahub.io_auths.yaml (1)

5-6: Controller-gen version bump looks correct

Matches the toolchain update to v0.17.3, no concerns.

config/webhook.rhoai/kustomization.yaml (1)

1-11: Solid baseline Kustomize overlay

Resources, prefix, and CA-bundle annotation are well-formed. No action needed.

bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml (1)

1-13: RBAC binding verified – companion ClusterRole exists

The prometheus-k8s-viewer ClusterRole is present in the bundle, so the ClusterRoleBinding will resolve correctly:

  • bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml

No further changes needed.

bundle.rhoai/manifests/components.platform.opendatahub.io_rays.yaml (1)

5-7: Generated fields look fine – keep them autogenerated

The extra controller-gen.kubebuilder.io/version, creationTimestamp: null, and blank status scaffold are standard outputs from controller-gen ≥ v0.17 and do not impact cluster behaviour. No further action required as long as these files continue to be fully generated during the release process.

Also applies to: 170-175

bundle.rhoai/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (1)

5-7: CRD metadata/status scaffold LGTM

Same comment as for the Ray CRD – these are harmless controller-gen artefacts; leaving them committed avoids noisy diffs.

Also applies to: 170-175

bundle.rhoai/manifests/components.platform.opendatahub.io_dashboards.yaml (1)

5-7: No issues with the controller-gen bump

The Dashboard CRD picks up the expected v0.17 annotations; nothing else changed. 👍

Also applies to: 158-163

bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml (1)

78-81: Default namespace change may break seamless upgrades

Swapping the default from opendatahub to rhods-notebooks is fine for fresh installs, but clusters that already applied the CRD will retain the old default and violate the immutability validation (rule: self == oldSelf).
Please document a migration path or add a conversion webhook to tolerate the previous value.

bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml (1)

78-81: Changed default namespace requires upgrade consideration

Switching to rhoai-model-registries alters the out-of-box experience and, combined with the immutability rule, blocks users from updating an existing CR without manual edits.
Confirm that this is intentional and call out the upgrade step in release notes.

config/samples.rhoai/kustomization.yaml (1)

5-8: All referenced sample manifests are present

The files datasciencecluster_v1_datasciencecluster.yaml, dscinitialization_v1_dscinitialization.yaml, and services_v1alpha1_auth.yaml all exist under config/samples.rhoai/. No broken references.

bundle.rhoai/metadata/annotations.yaml (1)

7-9: Channel list vs. default channel

Confirm that all listed channels (alpha, stable, fast) are really produced by your release automation; OLM will warn if a channel is declared but no CSV exists for it.

config/webhook.rhoai/kustomizeconfig.yaml (1)

1-23: LGTM – rules are correct and match upstream kustomize guidance

No issues spotted.

bundle.rhoai/manifests/services.platform.opendatahub.io_monitorings.yaml (1)

130-136: Confirm downstream code expects the new default namespace & trimmed traces schema

Changing spec.namespace default to redhat-ods-monitoring and deleting sampleRatio is a breaking API change. Verify:

  1. Controllers default correctly when field is omitted.
  2. Existing clusters are migrated or validated.
  3. Documentation & examples are updated.

No action needed in this file, but please double-check before merging.

Also applies to: 141-179

config/rbac.rhoai/auth_proxy_service.yaml (1)

9-14: Service targets a port (8443) that the deployment does not expose

manager_webhook_patch.yaml exposes 8080 (HTTP) and 9443 (webhook), but not 8443.
As a result, this Service will never receive traffic.

Either:

  1. Add containerPort: 8443 (metrics) to the deployment, or
  2. Point targetPort to the existing 8080 if that is the actual metrics port.
-  - name: http
-    port: 8443
-    protocol: TCP
-    targetPort: http
+  - name: metrics
+    port: 8080   # or 8443 if you expose it
+    protocol: TCP
+    targetPort: 8080
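
Review bot: the `+` lines change the port name (`http` to `metrics`), the Service port (8443 to 8080) and the `targetPort` (named `http` to numeric 8080) all at once, while the stated problem is only that nothing exposes 8443, and the trailing `# or 8443 if you expose it` leaves the value undecided. The removed `targetPort: http` is a named reference, which Kubernetes resolves against the container port carrying that name rather than against the number 8443, so the port names in the deployment patch should be checked before concluding the Service receives no traffic. If a change is still needed, keep `name: http` and `port: 8443` so existing consumers of the Service are unaffected, and adjust only `targetPort`.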

This mismatch will break Prometheus scraping and any readiness checks relying on the metrics endpoint.

Likely an incorrect or invalid review comment.

config/manifests.rhoai/kustomization.yaml (1)

13-18: Verify that description-patch.yml is present and picked up

patches: references description-patch.yml, but the file is not part of this PR excerpt. A missing patch file will cause kustomize build (and therefore make bundle) to fail at runtime.
Please double-check that the file exists at config/manifests.rhoai/description-patch.yml (or adjust the relative path).

config/rbac.rhoai/kustomization.yaml (1)

8-35: Patch objects look correct – no issues spotted

The delete patches clean up legacy resources and the YAML syntax/indentation is valid.
LGTM.

config/default.rhoai/kustomization.yaml (1)

78-82: Verify that both patch files exist in this overlay

manager_auth_proxy_patch.yaml and manager_webhook_patch.yaml are referenced here, but they are not shown in the PR. Kustomize will fail hard-stop if a patch is missing.

bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (2)

5-6: controller-gen version bump 👍

Updating to v0.17.3 (and explicitly setting creationTimestamp: null) is consistent with the rest of the PR and avoids noisy diffs when manifests are regenerated.


601-605: Default namespace rename: double-check upgrade path

Changing the default from odh-model-registries to rhoai-model-registries is fine for fresh clusters, but existing DSCs created before this change will suddenly fail validation if the field was left blank (it now evaluates as changed). Consider:

- default: rhoai-model-registries
+ default: odh-model-registries
+ # NOTE: will be patched to rhoai-model-registries at install-time when
+ #       ODH_PLATFORM_TYPE ≠ OpenDataHub
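
Review bot: The comment added under `default:` promises an install-time patch to rhoai-model-registries, but the suggestion contains no such patch, so as written the RHOAI bundle would ship the ODH default. This manifest is also controller-gen output, so a hand edit here (the comment included) is lost on the next regeneration; the default should be set through the kubebuilder marker on the rhoai-tagged Go type instead.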

or add a conversion webhook to preserve old objects.

Dockerfiles/rhoai.Dockerfile (1)

2-3: Go 1.23 image tag may not exist yet

Red Hat’s UBI9 go-toolset images trail upstream releases. Verify that registry.access.redhat.com/ubi9/go-toolset:1.23 is published; otherwise CI will 404.

config/webhook.rhoai/manifests.yaml (1)

14-27: Webhook lacks caBundle – rely on OLM injection?

If this manifest is applied outside OLM (e.g., make deploy), TLS will break. Either:

  1. Add caBundle: ${CERTIFICATE_BUNDLE} with kustomize substitution, or
  2. Gate this manifest behind OLM-only installation.

Confirm the deployment scenario.

api/dscinitialization/v1/rhoai_dscinitialization_types.go (6)

31-58: LGTM! Well-structured spec with appropriate validations.

The DSCInitializationSpec is properly defined with:

  • Correct default namespace for RHOAI platform (redhat-ods-applications)
  • Appropriate immutability validation to prevent namespace changes
  • Proper pattern and length constraints for the namespace field
  • Clear documentation for each field

60-74: Good deprecation handling and backward compatibility.

The DevFlags struct properly maintains deprecated fields while guiding users to the recommended LogLevel field. The deprecation notices are clear and helpful.


76-86: Well-designed CA bundle management structure.

The TrustedCABundleSpec provides clear management options with safe defaults. The documentation helpfully indicates where the CA bundle will be stored in the ConfigMap.


88-116: Standard Kubernetes status implementation.

The DSCInitializationStatus follows Kubernetes conventions with proper condition management methods. Good use of common types for consistency across the codebase.


118-132: Proper Kubernetes resource definition.

The DSCInitialization resource is correctly defined as cluster-scoped with appropriate print columns for user visibility. The structure follows standard Kubernetes API patterns.


134-148: Standard list type and proper scheme registration.

The DSCInitializationList and init() function follow Kubernetes API conventions correctly.

bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (4)

216-314: Comprehensive CRD ownership declarations.

The CSV properly declares ownership of all RHOAI platform components and services. The versioning strategy (v1alpha1 for components, v1 for core resources) is consistent and appropriate.


1511-1593: Well-configured deployment with high availability and security.

The deployment configuration follows best practices:

  • High availability with 3 replicas
  • Proper health probes for liveness and readiness
  • Security context with least privilege
  • Appropriate resource limits
  • Webhook certificate volume properly mounted

1643-1722: Properly configured admission webhooks.

The webhook definitions are well-structured with:

  • Appropriate failure policies to ensure validation
  • Correct port configuration matching the deployment
  • Proper resource and operation scoping
  • Standard admission review version (v1)

422-430: Review wildcard RBAC permissions for scope

Our scan of rhods-operator.clusterserviceversion.yaml identified numerous verbs: ["*"] entries across many resources and API groups. While the operator may require broad access, you should confirm each is strictly necessary or narrow them to specific verbs and API groups. For example:

  • pods/exec, pods/log (apiGroup="")
  • services (apiGroup="*")
  • deployments, replicasets (apiGroup="extensions")
  • statefulsets, workflows (apiGroup=argoproj.io)
  • authconfigs (apiGroup=authorization.k8s.io)
  • jobs (apiGroup=build.openshift.io)
  • seldondeployments (apiGroup=maistra.io)
  • gateways, virtualservices (apiGroup=networking.istio.io)
  • authorinos, knativeservings (apiGroup=operator.knative.dev)
  • rolebindings, roles (apiGroup=route.openshift.io)
  • authorizationpolicies, securitycontextconstraints (apiGroup=security.openshift.io)
  • servingruntimes (apiGroup=snapshot.storage.k8s.io)
  • templates (apiGroup=tempo.grafana.com)

Action items:

  • Review each wildcard permission and restrict to only the verbs (get, list, watch, etc.) required at runtime.
  • Scope permissions to specific API groups or resource names where feasible.

api/components/v1alpha1/rhoai_modelregistry_types.go (5)

26-35: Good use of constants and compile-time interface validation.

The constants follow a consistent naming pattern and the compile-time check ensures ModelRegistry properly implements the PlatformObject interface.


37-66: Well-structured spec and status definitions.

The spec and status structs are properly designed with:

  • RHOAI-specific default namespace (rhoai-model-registries)
  • Appropriate validation constraints
  • Clear separation between common and internal fields
  • Comprehensive status tracking

68-82: Proper singleton resource definition.

The ModelRegistry resource correctly enforces the singleton pattern through validation and provides useful status information via print columns.


84-119: Complete and correct interface implementation.

All PlatformObject interface methods are properly implemented with standard getter/setter patterns. The scheme registration follows Kubernetes conventions.


121-137: Well-designed DSC integration with proper immutability constraints.

The DSC integration types correctly enforce that RegistriesNamespace cannot be changed when the component is in Managed state, preventing configuration drift. The validation rule is comprehensive.

api/components/v1alpha1/rhoai_workbenches_types.go (3)

37-55: Consistent structure with stricter immutability.

The WorkbenchesCommonSpec follows the same pattern as other components but enforces immutability at the field level (self == oldSelf) rather than conditionally based on management state. This is a stricter but simpler approach.


69-105: Complete and consistent component implementation.

The Workbenches resource follows the established pattern with proper singleton enforcement and complete interface implementation. The single-line getter at line 101 is acceptable for such a simple method.


120-132: Standard DSC integration types.

The DSC integration types follow the established pattern consistently. The simpler validation approach (field-level immutability) eliminates the need for complex conditional validation rules.

api/services/v1alpha1/rhoai_monitoring_types.go (3)

45-78: Well-designed metrics configuration with smart validation.

The Metrics struct includes:

  • Clever validation preventing replicas without proper resource allocation
  • Reasonable defaults for storage (5Gi, 1d retention) and resources
  • Proper use of Kubernetes resource quantities
  • Clear documentation for each field

87-116: Excellent storage backend abstraction with proper validation.

The traces configuration provides:

  • Smart validation ensuring secrets for cloud backends
  • Proper constraints on size field per backend type
  • Well-validated sample ratio with clear bounds
  • Support for multiple storage backends (pv, s3, gcs)

180-185: Appropriate DSC integration type.

The DSCIMonitoring type correctly follows the pattern for DSCInitialization integration, with the DSCI prefix clearly indicating its usage context.

Makefile (7)

357-363: Potential race / overwrite when moving the generated Dockerfile

bundle always mv bundle.Dockerfile … irrespective of the active platform.
Parallel builds (make -j) or consecutive ODH/RHOAI invocations can overwrite each
other’s Dockerfile in Dockerfiles/.

Consider copying with a unique temporary name or gating the mv behind
[ ! -f Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME) ].


21-23: Nice addition – single flag to switch platform
No issues spotted with the new ODH_PLATFORM_TYPE toggle.


58-78: Bundle channel / default-channel handling looks correct
Conditional expansion via origin keeps caller overrides intact.


101-101: Controller-tools bump to 0.17.3
Required for build-tag support – good catch.


191-191: Use of $(CONTROLLER_GEN_TAGS) avoids hard-coding build tags
Change is sound.


222-223: Propagating ODH_PLATFORM_TYPE to manifest fetch script
Matches the Makefile abstraction – LGTM.


296-301: Switch to $(KUSTOMIZE_BASE) for deploy/undeploy
Improves flexibility; looks good.
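
The wildcard RBAC review requested above for rhods-operator.clusterserviceversion.yaml can be started mechanically. This is an added example, not code from the PR or the project: the check names, function names and sample role are constructed for illustration, and the input is assumed to be a ClusterRole in the JSON shape that `kubectl get clusterrole <name> -o json` produces.

```python
import json

# Constructed sample, shaped like `kubectl get clusterrole <name> -o json`.
# It is not the PR's role.yaml; the rules only mirror the kinds of entries
# the review mentions (wildcard verbs, permissions over RBAC bindings).
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-operator-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods/exec", "pods/log"], "verbs": ["*"]},
    {"apiGroups": ["*"], "resources": ["services"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterrolebindings", "rolebindings"],
     "verbs": ["create", "delete", "get"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
     "verbs": ["escalate", "bind"]},
    {"apiGroups": ["security.openshift.io"],
     "resources": ["securitycontextconstraints"],
     "resourceNames": ["restricted"], "verbs": ["use"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]}
  ]
}
""")

RBAC_GROUP = "rbac.authorization.k8s.io"
BINDING_RESOURCES = {"rolebindings", "clusterrolebindings"}
ROLE_RESOURCES = {"roles", "clusterroles"}
WRITE_VERBS = {"create", "update", "patch"}
ESCALATION_VERBS = {"bind", "escalate"}


def covers(listed, wanted):
    """True if a rule's list names any wanted item or uses the '*' wildcard."""
    listed = set(listed)
    return "*" in listed or bool(listed & wanted)


def audit_rule(rule):
    """Return the (hypothetical) check names one PolicyRule trips, in fixed order."""
    verbs = rule.get("verbs", [])
    groups = rule.get("apiGroups", [])      # absent on nonResourceURLs rules
    resources = rule.get("resources", [])   # absent on nonResourceURLs rules
    hits = []
    if "*" in verbs:
        hits.append("wildcard-verbs")
    if "*" in groups:
        hits.append("wildcard-apigroup")
    if "*" in resources:
        hits.append("wildcard-resource")
    in_rbac_group = covers(groups, {RBAC_GROUP})
    # Writing (Cluster)RoleBindings lets the holder hand out existing roles.
    if in_rbac_group and covers(resources, BINDING_RESOURCES) and covers(verbs, WRITE_VERBS):
        hits.append("binding-write")
    # bind/escalate on roles bypass the API server's escalation checks.
    if in_rbac_group and covers(resources, ROLE_RESOURCES) and covers(verbs, ESCALATION_VERBS):
        hits.append("rbac-escalation")
    return hits


def audit_role(role):
    """Return (rule index, check name, sorted resources) for every finding."""
    findings = []
    for index, rule in enumerate(role.get("rules") or []):
        for check in audit_rule(rule):
            findings.append((index, check, sorted(rule.get("resources", []))))
    return findings


if __name__ == "__main__":
    for index, check, resources in audit_role(SAMPLE_ROLE):
        target = ", ".join(resources) or "(non-resource rule)"
        print(f"rules[{index}] {check}: {target}")
```

Each finding is a starting point for the narrowing the review asks for: replace `*` with the verbs the controller actually issues, and justify or remove the binding and escalation permissions.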

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
api/services/v1alpha1/rhoai_monitoring_types.go (1)

98-116: Review TracesStorage validation complexity.

The XValidation rules for TracesStorage have complex interdependencies. Consider if these constraints are necessary or if they could be simplified:

  1. Line 98: Requires secret when backend is not 'pv'
  2. Line 99: Prohibits size when backend is not 'pv'

These rules might be better expressed as enum-specific validation or moved to admission webhook logic for better error messages and maintainability.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 23e6955 and 03d8f33.

📒 Files selected for processing (4)
  • Makefile (8 hunks)
  • api/services/v1alpha1/monitoring_types.go (1 hunks)
  • api/services/v1alpha1/rhoai_monitoring_types.go (1 hunks)
  • get_all_manifests.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (2)
  • api/services/v1alpha1/monitoring_types.go
  • get_all_manifests.sh
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:36-43
Timestamp: 2025-05-27T08:29:05.312Z
Learning: The hack/update-catalog-template.sh script in opendatahub-operator is development tooling where simple regex patterns for version extraction are acceptable, and developers are expected to handle version format requirements themselves.
Makefile (3)

Learnt from: AjayJagan
PR: #1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file Dockerfiles/catalog.Dockerfile in the opendatahub-operator repository is autogenerated and should not be manually modified.

Learnt from: AjayJagan
PR: #1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the || true pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

Learnt from: AjayJagan
PR: #1990
File: hack/update-catalog-template.sh:36-43
Timestamp: 2025-05-27T08:29:05.312Z
Learning: The hack/update-catalog-template.sh script in opendatahub-operator is development tooling where simple regex patterns for version extraction are acceptable, and developers are expected to handle version format requirements themselves.

🪛 GitHub Actions: Unit Tests1
Makefile

[error] 463-463: Make target 'unit-test' failed with exit code 1 due to test suite failure.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build/push catalog image
  • GitHub Check: golangci-lint
  • GitHub Check: Run tests and collect coverage on internal and pkg
🔇 Additional comments (11)
api/services/v1alpha1/rhoai_monitoring_types.go (4)

1-1: Build tag alignment resolved.

The build tag has been correctly updated to //go:build rhoai, which aligns with the RHOAI-specific build convention and addresses the previous inconsistency.


46-52: Validate the XValidation rule logic.

The validation rule !(self.storage == null && self.resources == null) || !has(self.replicas) || self.replicas == 0 appears to enforce that replicas can only be set to non-zero when either Storage or Resources is configured. However, this logic might be confusing to interpret.

Consider simplifying the validation rule for better readability:

-// +kubebuilder:validation:XValidation:rule="!(self.storage == null && self.resources == null) || !has(self.replicas) || self.replicas == 0",message="Replicas can only be set to non-zero value when either Storage or Resources is configured"
+// +kubebuilder:validation:XValidation:rule="has(self.replicas) && self.replicas > 0 ? (self.storage != null || self.resources != null) : true",message="Replicas can only be set to non-zero value when either Storage or Resources is configured"
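
Review bot: The proposed rule is not equivalent to the one it replaces: the original exempts only `self.replicas == 0`, while the `self.replicas > 0 ? ... : true` form also accepts a negative replicas value when neither storage nor resources is set. Keep the `== 0` semantics or make sure the field carries a minimum of 0. The rewrite also tests replicas with `has()` but storage and resources with `!= null`; use `has(self.storage) || has(self.resources)` so all three optional fields are checked the same way.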

This makes the intent clearer: "If replicas is set and > 0, then either storage or resources must be configured."


121-121: Singleton enforcement through validation.

The XValidation rule enforcing the singleton pattern with a fixed name is well-implemented. This prevents multiple Monitoring instances while maintaining the CRD's flexibility.


160-175: Interface implementation is correct.

The implementation of common.PlatformObject interface methods is correct and follows the expected patterns for status management and condition handling.

Makefile (7)

24-51: Platform abstraction implementation looks correct.

The conditional platform configuration properly sets different values for OpenDataHub vs RHOAI builds. The MANAGER_DIR issue mentioned in previous comments appears to be resolved with correct paths (config/manager for ODH, config/manager.rhoai for RHOAI).


281-284: Manager kustomization dependency correctly uses variable.

The dependency on $(MANAGER_DIR)/kustomization.yaml.in properly respects the platform-specific MANAGER_DIR variable, addressing the previous hardcoded path issue.


58-78: Bundle channel configuration enhancement.

The enhanced bundle channel configuration with proper conditional logic for CHANNELS and DEFAULT_CHANNEL variables improves flexibility for different deployment scenarios.


101-101: Controller-gen version upgrade.

The upgrade from v0.16.1 to v0.17.3 aligns with the PR objective to support build tags in controller-gen. This version supports the --load-build-tags functionality used in the platform-specific builds.


191-191: Platform-specific controller-gen flags.

The use of $(CONTROLLER_GEN_TAGS) properly applies platform-specific build tags (--load-build-tags=odh or --load-build-tags=rhoai) to generate appropriate manifests for each platform.


274-277: New projectfile target enhances platform support.

The projectfile target that generates a platform-specific PROJECT file from PROJECT.in template is a clean solution for maintaining different kubebuilder project names across platforms.


357-362: Bundle generation improvements.

The platform-specific bundle generation using $(KUSTOMIZE_DIR), $(BUNDLE_DIR), and $(BUNDLE_DOCKERFILE_FILENAME) variables properly abstracts the differences between ODH and RHOAI builds. The cleanup of webhook service YAML files for both variants is appropriate.

@kahowell
Member Author

/retest

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 16

🔭 Outside diff range comments (1)
config/rbac.rhoai/role.yaml (1)

1-1170: ClusterRole is extremely permissive – violates least-privilege

The role grants:

  • Wild-card verbs ('*') over core workload APIs
  • Full control of RBAC, SCCs, webhook configurations, CRDs, etc.

Static-analysis (CKV_K8S_155/157/158) justly flags these as high-risk. Unless the operator genuinely performs cluster-admin duties at runtime, tighten the scope:

  1. Split cluster-scoped and namespaced duties into separate roles.
  2. Remove '*' verb sets; list only required verbs.
  3. Drop permissions for validatingwebhookconfigurations, securitycontextconstraints, and RBAC escalation unless strictly necessary.

If cluster-admin privileges are unavoidable, add a justification doc and an admission-control policy preventing accidental bindings.

♻️ Duplicate comments (4)
config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (1)

300-307: Same enum/regex mismatch repeats in other managementState fields

The serviceMesh.managementState and trustedCABundle.managementState blocks have the identical inconsistency (regex admits Force, enum does not). Align them as suggested above to avoid validation failures.

Also applies to: 322-331

bundle.rhoai/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (2)

90-107: CRD copy carries over the same enum restrictions

The bundle CRD still limits managementState to Managed|Removed, conflicting with the regex that allows more states. Keep the bundle and base CRDs in sync with the fix proposed earlier; otherwise OLM installs will reject valid custom resources.

Also applies to: 300-307, 322-331


19-29: Duplicate creationTimestamp columns

Same redundancy (Age vs Created At) exists here; remove one before shipping the bundle.

bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1)

115-115: Replace containerImage placeholder before shipping the bundle

containerImage: REPLACE_IMAGE:latest is still present. If left unpatched, OLM will pull a non-existent image and the installation will fail. Make sure the build/publish pipeline substitutes the real digest-pinned image reference.

🧹 Nitpick comments (19)
config/crd.rhoai/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1)

11-14: Minor: hard-coded namespace limits re-use

Hard-coding namespace: system ties the operator to a single install
namespace. Consider replacing with ${OPERATOR_NAMESPACE} or omitting
namespace so kustomize can patch it per-environment.

config/crd.rhoai/bases/services.platform.opendatahub.io_auths.yaml (1)

51-58: Tighten array validation to prevent empty or duplicate groups

Both adminGroups and allowedGroups are required but currently accept
an empty list or duplicates. Adding minItems and x-kubernetes-list-type
strengthens validation and user feedback.

-              adminGroups:
-                items:
-                  type: string
-                type: array
+              adminGroups:
+                items:
+                  type: string
+                minItems: 1
+                x-kubernetes-list-type: set
+                type: array
-              allowedGroups:
-                items:
-                  type: string
-                type: array
+              allowedGroups:
+                items:
+                  type: string
+                minItems: 1
+                x-kubernetes-list-type: set
+                type: array
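
Review bot: Adding `minItems: 1` and `x-kubernetes-list-type: set` to both adminGroups and allowedGroups tightens validation on fields that, per the comment, currently accept empty or duplicate lists, so Auth objects already stored in that state may be rejected on their next update. Decide how those objects are handled before applying this, and since the files under config/crd.rhoai/bases are controller-gen output, make the change through markers on the Go type rather than in the YAML.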

config/crd.rhoai/bases/components.platform.opendatahub.io_feastoperators.yaml (1)

54-75: Add list semantics & defaults for spec.devFlags.manifests

The manifests array stores unique URIs; declaring it as a
set prevents duplicates and clarifies intent. Providing an example
default helps users.

-                    type: array
+                    x-kubernetes-list-type: set
+                    type: array
+                  default: []
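
Review bot: The added `default: []` sits two spaces to the left of `type: array`, so it attaches to the node that encloses the array rather than to manifests itself; if a default is wanted it needs the same indentation as `type: array`. An empty list as the default is also hard to distinguish from the field being unset, so consider dropping it.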

config/crd.rhoai/bases/components.platform.opendatahub.io_trustyais.yaml (1)

81-136: Use a map-keyed list for Conditions to enable strategic-merge patches

status.conditions is declared with x-kubernetes-list-type: atomic. This forces clients to replace the entire list on every update, which makes concurrent updates from multiple controllers brittle. Kubernetes upstream conventions use:

x-kubernetes-list-type: map
x-kubernetes-list-map-keys:
- type

Switching to a map list (keyed by type) improves patchability and aligns with metav1.Condition guidance.

config/crd.rhoai/bases/components.platform.opendatahub.io_rays.yaml (1)

80-136: Consider switching status.conditions list to type=map

Same rationale as noted in TrustyAI CRD – using atomic hampers concurrent condition updates. A map list keyed by type is the de-facto standard.

config/crd.rhoai/bases/components.platform.opendatahub.io_trainingoperators.yaml (1)

80-136: status.conditions should be a map list for better patch semantics

Recommend the x-kubernetes-list-type: map / x-kubernetes-list-map-keys: [type] pattern instead of atomic, mirroring upstream CRDs.

config/crd.rhoai/bases/components.platform.opendatahub.io_codeflares.yaml (2)

162-165: Singleton-only name validation is too restrictive

x-kubernetes-validations forces every CodeFlare object to be called default-codeflare, effectively preventing users and tests from creating additional (e.g., canary) instances in the same cluster.
Consider relaxing this rule or making it optional via a separate CRD overlay.


48-76: Missing preserveUnknownFields: false could bite on upgrades

Neither the root schema nor the spec/status sub-schemas set x-kubernetes-preserve-unknown-fields: false.
Without it, older apiserver versions may silently drop unknown fields, making forward-compatibility hard to diagnose. Add the stanza explicitly so behaviour is unambiguous.

config/crd.rhoai/bases/components.platform.opendatahub.io_llamastackoperators.yaml (2)

164-166: Over-restrictive singleton validation

Same concern as other CRDs: forcing the name to default-llamastackoperator disallows additional instances for dev or multi-tenant scenarios.


48-77: Explicitly declare unknown-field strategy

Add x-kubernetes-preserve-unknown-fields: false under the root schema (and optionally under spec, status) for clearer API evolution.

config/crd.rhoai/bases/components.platform.opendatahub.io_modelregistries.yaml (1)

172-174: Singleton validation may hinder multi-tenant clusters

Enforcing default-modelregistry only may block future use cases. Evaluate whether this needs to be loosened.

config/crd.rhoai/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (1)

185-187: Singleton name lock-in

Validation forces default-datasciencepipelines; same comment as other CRDs.

config/crd.rhoai/bases/components.platform.opendatahub.io_dashboards.yaml (2)

26-29: Printer column for URL is great – consider priority: 1

Marking the URL column with priority: 1 hides it from default kubectl get output but keeps it with -o wide, reducing clutter while still surfacing valuable info.

-    - description: URL
+    - description: URL
       jsonPath: .status.url
       name: URL
       type: string
+      priority: 1

151-153: Default-only name restriction

As with the other CRDs, hard-coding the resource name may impede future multi-instance support.

config/crd.rhoai/bases/components.platform.opendatahub.io_kserves.yaml (1)

255-257: status.serverlessMode uses regex with values not guaranteed by controller

status.serverlessMode re-uses the same regex including Force, yet nothing in the spec writes Force. Re-eval whether Force is a legitimate status or remove it for clarity.

config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (1)

19-29: Redundant printer columns for the same field

Both Age (type date) and Created At (type string) point to .metadata.creationTimestamp. This clutters kubectl get output without adding new information. Drop one of them (preferably Age, which kubectl already derives automatically).

config/crd.rhoai/bases/services.platform.opendatahub.io_monitorings.yaml (2)

144-149: Use numeric type for sampleRatio to avoid quoting-issues

sampleRatio represents a floating-point number but is declared as a string.
Clients must wrap numbers in quotes ("0.25") which is error-prone and breaks simple kubectl patch commands.

-                    type: string
+                    type: number
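
Review bot: The hunk changes only the `type:` line, so the regex the comment calls unnecessary is not actually removed, and no `minimum`/`maximum` is added in its place; with the pattern gone, out-of-range ratios would pass. Remove the pattern and add the bounds in the same change, and note that objects already stored with a quoted value such as "0.25" would no longer match a `number` schema.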

(No regex needed; minimum/maximum can be added if tighter bounds are required.)


124-129: Validation rule message and logic slightly diverge

Message: “Replicas can only be set to non-zero value when either Storage or Resources is configured”.
Rule: permits replicas == 0 even when storage/resources are not set, which is fine, but also lets replicas > 0 pass when either storage or resources is configured (good). Consider tightening the wording to “replicas > 0 requires Storage or Resources configured” for clarity.

Makefile (1)

280-281: sed -i without extension is not portable to macOS

GNU sed accepts -i with no argument; BSD sed (macOS) requires -i ''. Use a cross-platform form:

-	sed -i 's/projectName: .*/projectName: $(KUBEBUILDER_PROJECT_NAME)/' PROJECT
+	sed -e 's/projectName: .*/projectName: $(KUBEBUILDER_PROJECT_NAME)/' PROJECT > PROJECT.tmp && mv PROJECT.tmp PROJECT
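
Review bot: Both the removed and the added recipe line interpolate $(KUBEBUILDER_PROJECT_NAME) straight into the sed replacement, so a value containing `/` or `&` would corrupt the substitution; guard against that whichever form is used. If this line belongs to the projectfile target that generates PROJECT from PROJECT.in, the temp file can be avoided entirely by running sed with PROJECT.in as input and redirecting the output to PROJECT.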

or detect the OS and set SED_INPLACE:= -i'' accordingly.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03d8f33 and 3793435.

📒 Files selected for processing (64)
  • .gitignore (1 hunks)
  • Makefile (8 hunks)
  • bundle.rhoai/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • bundle.rhoai/manifests/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (3 hunks)
  • config/crd.rhoai/bases/_.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_codeflares.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_dashboards.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_feastoperators.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_kserves.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_kueues.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_llamastackoperators.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelcontrollers.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelmeshservings.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelregistries.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_rays.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_trainingoperators.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_trustyais.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_workbenches.yaml (1 hunks)
  • config/crd.rhoai/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1 hunks)
  • config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/bases/features.opendatahub.io_featuretrackers.yaml (1 hunks)
  • config/crd.rhoai/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml (1 hunks)
  • config/crd.rhoai/bases/services.platform.opendatahub.io_auths.yaml (1 hunks)
  • config/crd.rhoai/bases/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • config/crd.rhoai/kustomization.yaml (1 hunks)
  • config/crd.rhoai/kustomizeconfig.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_services_auths.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_services_monitorings.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_services_auths.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_services_monitorings.yaml (1 hunks)
  • config/crd/bases/_.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml (1 hunks)
  • config/crd/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1 hunks)
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd/bases/features.opendatahub.io_featuretrackers.yaml (1 hunks)
  • config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml (1 hunks)
  • config/crd/bases/services.platform.opendatahub.io_auths.yaml (1 hunks)
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • config/default.rhoai/kustomization.yaml (1 hunks)
  • config/rbac.rhoai/kustomization.yaml (1 hunks)
  • config/rbac.rhoai/role.yaml (1 hunks)
  • config/rbac/role.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (33)
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml
  • config/crd/bases/services.platform.opendatahub.io_auths.yaml
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml
  • config/crd.rhoai/patches/webhook_in_datasciencecluster_datascienceclusters.yaml
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml
  • config/crd/bases/features.opendatahub.io_featuretrackers.yaml
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml
  • config/crd/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml
  • config/crd.rhoai/patches/webhook_in_services_monitorings.yaml
  • config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • config/crd.rhoai/patches/webhook_in_dscinitialization_dscinitializations.yaml
  • config/crd.rhoai/patches/webhook_in_services_auths.yaml
  • config/crd.rhoai/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml
  • config/crd.rhoai/kustomization.yaml
  • config/crd.rhoai/kustomizeconfig.yaml
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml
  • config/crd.rhoai/patches/cainjection_in_services_monitorings.yaml
  • config/crd.rhoai/patches/cainjection_in_dscinitialization_dscinitializations.yaml
  • config/crd.rhoai/patches/cainjection_in_services_auths.yaml
  • config/rbac/role.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelmeshservings.yaml
  • config/crd.rhoai/bases/features.opendatahub.io_featuretrackers.yaml
🚧 Files skipped from review as they are similar to previous changes (5)
  • .gitignore
  • config/crd/bases/_.yaml
  • config/rbac.rhoai/kustomization.yaml
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
  • config/default.rhoai/kustomization.yaml
🧰 Additional context used
🪛 Checkov (3.2.334)
config/rbac.rhoai/role.yaml

[MEDIUM] 2-1169: Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings (CKV_K8S_157)

[HIGH] 2-1169: Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations (CKV_K8S_155)

[MEDIUM] 2-1169: Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles (CKV_K8S_158)

🪛 GitHub Actions: Build and push operator images on PR update
Makefile

[error] 260-260: Makefile target 'image-build' failed with exit code 125 due to podman build error.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Run tests and collect coverage on internal and pkg
  • GitHub Check: golangci-lint
  • GitHub Check: Run tests and collect coverage on tests/integration
🔇 Additional comments (2)
config/crd.rhoai/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml (1)

1-197: Schema looks consistent – no blocking issues spotted

The validation rules, int-or-string handling and mutually-exclusive scheduling logic are well-defined.
Nice use of x-kubernetes-validations for complex invariants.

config/crd.rhoai/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1)

985-988: serverlessMode validation looks copy-pasted and wrong

The status field serverlessMode inherits the same ^(Managed|Unmanaged|Force|Removed)$ pattern as a managementState, but its semantic description refers to KServe’s run-time mode (serverless vs raw-deployment).
Please verify the allowed values and adjust the pattern/enum accordingly, otherwise consumers cannot report the real state without violating the schema.

@kahowell
Member Author

/retest

openshift-ci bot commented Aug 8, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign valdar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🔭 Outside diff range comments (2)
bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1)

197-203: Remove server-managed status block from CRD

This block is populated by the API server and should not be included in the shipped CRD to keep bundles deterministic.

-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: null
-  storedVersions: null
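Review bot: Deleting the `status:` stanza by hand in bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml will not survive the next regeneration of the file. The Makefile recipe quoted later in this review writes the bundle with `$(OPERATOR_SDK) generate bundle ... --output-dir $(BUNDLE_DIR)`, so if bundle.rhoai is that output, strip the stanza in the generation step (or in a post-processing step of that target) and keep the committed file as pure generator output. The same applies to the identical `status:` removals suggested for the modelregistries, workbenches and llamastackoperators manifests.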
Makefile (1)

285-293: Use CRD_DIR in install/uninstall so RHOAI applies the right CRDs

Hardcoded config/crd breaks RHOAI developer flows. Use the platform-aware CRD_DIR.

-install: prepare ## Install CRDs into the K8s cluster specified in ~/.kube/config.
-	$(KUSTOMIZE) build config/crd | kubectl apply -f -
+install: prepare ## Install CRDs into the K8s cluster specified in ~/.kube/config.
+	$(KUSTOMIZE) build $(CRD_DIR) | kubectl apply -f -
@@
-uninstall: prepare ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
-	$(KUSTOMIZE) build config/crd | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
+uninstall: prepare ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
+	$(KUSTOMIZE) build $(CRD_DIR) | kubectl delete --ignore-not-found=$(ignore-not-found) -f -
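Review bot: Both recipes now depend on `$(CRD_DIR)` being set, and the hunk does not show where it is defined. If it expands to nothing, `$(KUSTOMIZE) build $(CRD_DIR)` becomes a build of the current directory, and the result is piped straight into `kubectl apply` or `kubectl delete` against whatever cluster ~/.kube/config points at. Give `CRD_DIR` an explicit default of `config/crd` for the OpenDataHub case (for example with `?=`) next to the other ODH_PLATFORM_TYPE-dependent variables, and consider failing the target when it is empty.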
♻️ Duplicate comments (6)
bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml (1)

179-184: Remove server-managed status block from CRD

-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: null
-  storedVersions: null
bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml (1)

182-187: Drop the generated status section

-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: null
-  storedVersions: null
bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (1)

170-175: Remove superfluous status block

-status:
-  acceptedNames:
-    kind: ""
-    plural: ""
-  conditions: null
-  storedVersions: null
bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (2)

115-116: Placeholder image already covered in earlier review


1548-1549: Intentional latest image reference – no further action

bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1)

798-808: Workbench namespace default was rewritten to rhods-notebooks — plan migration

Changing the default to rhods-notebooks combined with immutability can block updates for existing objects lacking an explicit value. Ensure a conversion/migration plan is documented (e.g., backfill the field before upgrade).

Would you like me to draft an upgrade note and a one-liner to pre-mutate existing DSCs?

🧹 Nitpick comments (3)
bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1)

17-26: Optional: add a printer column for scheduling type

Improves kubectl UX when listing HardwareProfiles.

   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - name: SchedulingType
+      type: string
+      jsonPath: .spec.scheduling.type
+    name: v1alpha1
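Review bot: The added column's `jsonPath: .spec.scheduling.type` has to match a field that exists in the v1alpha1 schema, otherwise the column is always empty, which is the problem this same review raises for `.status.URI` on the modelcontrollers CRD. The learnings recorded in this thread say the CRDs under config/crd.rhoai/bases/ are generated by controller-gen from Go structs, so add the column as a `+kubebuilder:printcolumn` marker on the HardwareProfile Go type and regenerate, rather than editing the manifest in bundle.rhoai/manifests directly.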
bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (1)

26-29: Printer column references non-existent field

.status.URI is not defined in the CRD’s status schema, so the “URI” column will always be empty.
Consider removing the column or adding the field to the status struct generated from Go types.

Makefile (1)

355-362: Streamline bundle generation: the kustomize pipe is redundant

operator-sdk generate bundle already reads from --kustomize-dir; the extra kustomize build pipe adds cost without effect.

-	$(OPERATOR_SDK) generate kustomize manifests --package $(OPERATOR_PACKAGE) --input-dir $(KUSTOMIZE_DIR) --output-dir $(KUSTOMIZE_DIR) -q
-	$(KUSTOMIZE) build $(KUSTOMIZE_DIR) | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) --package $(OPERATOR_PACKAGE) --kustomize-dir $(KUSTOMIZE_DIR) --output-dir $(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
+	$(OPERATOR_SDK) generate kustomize manifests --package $(OPERATOR_PACKAGE) --input-dir $(KUSTOMIZE_DIR) --output-dir $(KUSTOMIZE_DIR) -q
+	$(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) --package $(OPERATOR_PACKAGE) --kustomize-dir $(KUSTOMIZE_DIR) --output-dir $(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
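Review bot: Both the old and the new `generate bundle` lines end in `| grep -v $(WARNINGMSG)`, so the recipe's exit status is grep's, not operator-sdk's, unless the Makefile enables pipefail elsewhere. A failing `generate bundle` that prints any other line still exits 0, and a successful run whose only output matches the warning makes grep exit 1. Before dropping the `$(KUSTOMIZE) build $(KUSTOMIZE_DIR) |` stage, generate the bundle both ways and diff `$(BUNDLE_DIR)` to confirm that operator-sdk produces identical output without the rendered manifests on stdin.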
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3793435 and 1ccd5a1.

📒 Files selected for processing (107)
  • Dockerfiles/bundle.rhoai.Dockerfile (1 hunks)
  • Dockerfiles/rhoai.Dockerfile (1 hunks)
  • Makefile (8 hunks)
  • api/components/v1alpha1/modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_workbenches_types.go (1 hunks)
  • api/components/v1alpha1/workbenches_types.go (1 hunks)
  • api/dscinitialization/v1/dscinitialization_types.go (1 hunks)
  • api/dscinitialization/v1/rhoai_dscinitialization_types.go (1 hunks)
  • api/services/v1alpha1/monitoring_types.go (1 hunks)
  • api/services/v1alpha1/rhoai_monitoring_types.go (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_dashboards.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_feastoperators.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kueues.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_rays.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_trainingoperators.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_trustyais.yaml (1 hunks)
  • bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml (1 hunks)
  • bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1 hunks)
  • bundle.rhoai/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • bundle.rhoai/manifests/features.opendatahub.io_featuretrackers.yaml (1 hunks)
  • bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1 hunks)
  • bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml (1 hunks)
  • bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml (1 hunks)
  • bundle.rhoai/manifests/redhat-ods-operator-controller-manager-metrics-service_v1_service.yaml (1 hunks)
  • bundle.rhoai/manifests/redhat-ods-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml (1 hunks)
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • bundle.rhoai/manifests/services.platform.opendatahub.io_auths.yaml (1 hunks)
  • bundle.rhoai/manifests/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • bundle.rhoai/metadata/annotations.yaml (1 hunks)
  • bundle.rhoai/tests/scorecard/config.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_codeflares.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_dashboards.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kserves.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kueues.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_rays.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trustyais.yaml (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_workbenches.yaml (1 hunks)
  • bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1 hunks)
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • bundle/manifests/features.opendatahub.io_featuretrackers.yaml (1 hunks)
  • bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1 hunks)
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (3 hunks)
  • bundle/manifests/services.platform.opendatahub.io_auths.yaml (1 hunks)
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • config/crd.rhoai/bases/_.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_codeflares.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_dashboards.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_feastoperators.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_kserves.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_kueues.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_llamastackoperators.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelcontrollers.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelmeshservings.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelregistries.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_rays.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_trainingoperators.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_trustyais.yaml (1 hunks)
  • config/crd.rhoai/bases/components.platform.opendatahub.io_workbenches.yaml (1 hunks)
  • config/crd.rhoai/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1 hunks)
  • config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/bases/features.opendatahub.io_featuretrackers.yaml (1 hunks)
  • config/crd.rhoai/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml (1 hunks)
  • config/crd.rhoai/bases/services.platform.opendatahub.io_auths.yaml (1 hunks)
  • config/crd.rhoai/bases/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • config/crd.rhoai/kustomization.yaml (1 hunks)
  • config/crd.rhoai/kustomizeconfig.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_services_auths.yaml (1 hunks)
  • config/crd.rhoai/patches/cainjection_in_services_monitorings.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_services_auths.yaml (1 hunks)
  • config/crd.rhoai/patches/webhook_in_services_monitorings.yaml (1 hunks)
  • config/crd/bases/_.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml (1 hunks)
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml (1 hunks)
⛔ Files not processed due to max files limit (35)
  • config/crd/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd/bases/features.opendatahub.io_featuretrackers.yaml
  • config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • config/crd/bases/services.platform.opendatahub.io_auths.yaml
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml
  • config/crd/external/route.openshift.io_routes.yaml
  • config/crd/external/user.openshift.io_groups.yaml
  • config/crd/external/user.openshift.io_identities.yaml
  • config/crd/external/user.openshift.io_useridentitymappings.yaml
  • config/crd/external/user.openshift.io_users.yaml
  • config/default.rhoai/kustomization.yaml
  • config/default.rhoai/manager_auth_proxy_patch.yaml
  • config/default.rhoai/manager_webhook_patch.yaml
  • config/manager.rhoai/kustomization.yaml
  • config/manager.rhoai/kustomization.yaml.in
  • config/manager.rhoai/manager.yaml
  • config/manifests.rhoai/bases/rhods-operator.clusterserviceversion.yaml
  • config/manifests.rhoai/description-patch.yml
  • config/manifests.rhoai/kustomization.yaml
  • config/rbac.rhoai/auth_proxy_client_clusterrole.yaml
  • config/rbac.rhoai/auth_proxy_service.yaml
  • config/rbac.rhoai/kustomization.yaml
  • config/rbac.rhoai/role.yaml
  • config/rbac.rhoai/role_binding.yaml
  • config/rbac/role.yaml
  • config/samples.rhoai/datasciencecluster_v1_datasciencecluster.yaml
  • config/samples.rhoai/dscinitialization_v1_dscinitialization.yaml
  • config/samples.rhoai/kustomization.yaml
  • config/samples.rhoai/services_v1alpha1_auth.yaml
  • config/webhook.rhoai/kustomization.yaml
  • config/webhook.rhoai/kustomizeconfig.yaml
  • config/webhook.rhoai/manifests.yaml
  • config/webhook.rhoai/service.yaml
  • get_all_manifests.sh
✅ Files skipped from review due to trivial changes (33)
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml
  • api/components/v1alpha1/modelregistry_types.go
  • api/components/v1alpha1/workbenches_types.go
  • bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml
  • bundle/manifests/components.platform.opendatahub.io_codeflares.yaml
  • bundle/manifests/services.platform.opendatahub.io_auths.yaml
  • bundle/manifests/components.platform.opendatahub.io_dashboards.yaml
  • bundle/manifests/components.platform.opendatahub.io_trustyais.yaml
  • bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • bundle/manifests/components.platform.opendatahub.io_rays.yaml
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml
  • bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml
  • bundle/manifests/components.platform.opendatahub.io_kueues.yaml
  • bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml
  • bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • bundle/manifests/components.platform.opendatahub.io_kserves.yaml
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml
  • bundle/manifests/components.platform.opendatahub.io_workbenches.yaml
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml
  • bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml
  • bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd.rhoai/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd.rhoai/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml
  • bundle/manifests/features.opendatahub.io_featuretrackers.yaml
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_feastoperators.yaml
🚧 Files skipped from review as they are similar to previous changes (62)
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml
  • api/services/v1alpha1/monitoring_types.go
  • config/crd/bases/_.yaml
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml
  • api/dscinitialization/v1/dscinitialization_types.go
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • Dockerfiles/bundle.rhoai.Dockerfile
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml
  • config/crd.rhoai/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml
  • config/crd.rhoai/patches/webhook_in_dscinitialization_dscinitializations.yaml
  • config/crd.rhoai/patches/webhook_in_services_auths.yaml
  • bundle.rhoai/manifests/redhat-ods-operator-controller-manager-metrics-service_v1_service.yaml
  • bundle.rhoai/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundle.rhoai/metadata/annotations.yaml
  • config/crd.rhoai/patches/cainjection_in_services_auths.yaml
  • config/crd.rhoai/patches/cainjection_in_services_monitorings.yaml
  • bundle.rhoai/tests/scorecard/config.yaml
  • config/crd.rhoai/patches/webhook_in_datasciencecluster_datascienceclusters.yaml
  • config/crd.rhoai/bases/_.yaml
  • config/crd.rhoai/patches/webhook_in_services_monitorings.yaml
  • config/crd.rhoai/kustomization.yaml
  • bundle.rhoai/manifests/redhat-ods-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • config/crd.rhoai/patches/cainjection_in_dscinitialization_dscinitializations.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelmeshservings.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_rays.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_trainingoperators.yaml
  • bundle.rhoai/manifests/features.opendatahub.io_featuretrackers.yaml
  • config/crd.rhoai/bases/services.platform.opendatahub.io_auths.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelregistries.yaml
  • bundle.rhoai/manifests/services.platform.opendatahub.io_monitorings.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_rays.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_kueues.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_feastoperators.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_datasciencepipelines.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kueues.yaml
  • config/crd.rhoai/bases/features.opendatahub.io_featuretrackers.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_kserves.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_trustyais.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelmeshservings.yaml
  • bundle.rhoai/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_trustyais.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_trainingoperators.yaml
  • api/dscinitialization/v1/rhoai_dscinitialization_types.go
  • config/crd.rhoai/kustomizeconfig.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_dashboards.yaml
  • bundle.rhoai/manifests/services.platform.opendatahub.io_auths.yaml
  • config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd.rhoai/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • config/crd.rhoai/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_workbenches.yaml
  • api/components/v1alpha1/rhoai_modelregistry_types.go
  • config/crd.rhoai/bases/components.platform.opendatahub.io_codeflares.yaml
  • config/crd.rhoai/bases/services.platform.opendatahub.io_monitorings.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_dashboards.yaml
  • config/crd.rhoai/bases/components.platform.opendatahub.io_modelcontrollers.yaml
  • Dockerfiles/rhoai.Dockerfile
  • api/services/v1alpha1/rhoai_monitoring_types.go
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
🧰 Additional context used
🧠 Learnings (8)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/kustomization.yaml:22-22
Timestamp: 2025-07-22T10:32:09.737Z
Learning: In the opendatahub-operator repository, when FeatureTrackers are being removed or deprecated, the FeatureTracker CRD reference in config/crd/kustomization.yaml should be kept for backward compatibility during the migration period, even if some components no longer use FeatureTrackers.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml:5-7
Timestamp: 2025-07-29T18:43:10.232Z
Learning: In RHOAI patch files, there are two naming patterns for DSCInitialization CRD patches: files with `.opendatahub.io` in their filename use the duplicated pattern `dscinitializations.dscinitialization.opendatahub.io.opendatahub.io` in the CRD name, while files without the group in filename use the standard pattern `dscinitializations.dscinitialization.opendatahub.io`. This duplication appears to be intentional and exists in both regular and RHOAI branches.
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
  • api/components/v1alpha1/rhoai_workbenches_types.go
  • bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • Makefile
📚 Learning: 2025-07-22T10:32:09.737Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/kustomization.yaml:22-22
Timestamp: 2025-07-22T10:32:09.737Z
Learning: In the opendatahub-operator repository, when FeatureTrackers are being removed or deprecated, the FeatureTracker CRD reference in config/crd/kustomization.yaml should be kept for backward compatibility during the migration period, even if some components no longer use FeatureTrackers.

Applied to files:

  • bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
  • bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • Makefile
📚 Learning: 2025-07-29T18:44:42.749Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.

Applied to files:

  • bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
  • bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • Makefile
📚 Learning: 2025-05-27T11:28:21.229Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.

Applied to files:

  • bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
  • Makefile
📚 Learning: 2025-07-29T18:43:10.232Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml:5-7
Timestamp: 2025-07-29T18:43:10.232Z
Learning: In RHOAI patch files, there are two naming patterns for DSCInitialization CRD patches: files with `.opendatahub.io` in their filename use the duplicated pattern `dscinitializations.dscinitialization.opendatahub.io.opendatahub.io` in the CRD name, while files without the group in filename use the standard pattern `dscinitializations.dscinitialization.opendatahub.io`. This duplication appears to be intentional and exists in both regular and RHOAI branches.

Applied to files:

  • bundle.rhoai/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle.rhoai/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_workbenches.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelcontrollers.yaml
  • bundle.rhoai/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
  • bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • Makefile
📚 Learning: 2025-05-27T08:29:05.312Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:36-43
Timestamp: 2025-05-27T08:29:05.312Z
Learning: The hack/update-catalog-template.sh script in opendatahub-operator is development tooling where simple regex patterns for version extraction are acceptable, and developers are expected to handle version format requirements themselves.

Applied to files:

  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
  • Makefile
📚 Learning: 2025-05-27T07:45:53.136Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the `|| true` pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

Applied to files:

  • Makefile
🧬 Code Graph Analysis (1)
api/components/v1alpha1/rhoai_workbenches_types.go (2)
api/common/types.go (7)
  • PlatformObject (188-192)
  • DevFlagsSpec (36-40)
  • ComponentReleaseStatus (162-168)
  • Status (132-140)
  • Condition (71-129)
  • ComponentRelease (152-158)
  • ManagementSpec (12-23)
api/infrastructure/v1alpha1/groupversion_info.go (1)
  • SchemeBuilder (32-32)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build/push catalog image
  • GitHub Check: golangci-lint
🔇 Additional comments (5)
bundle.rhoai/manifests/components.platform.opendatahub.io_codeflares.yaml (1)

1-175: CRD looks good

No issues spotted – schema, additional printer columns and singleton XValidation all look correct for a generated manifest.

bundle.rhoai/manifests/components.platform.opendatahub.io_kserves.yaml (1)

1-273: No blocking issues

Schema and singleton rule look consistent with other generated component CRDs.

api/components/v1alpha1/rhoai_workbenches_types.go (1)

93-99: Potential compile error – pointer receiver mismatch

c.Status.GetConditions() assumes a value-receiver method. If common.Status implements GetConditions with a pointer receiver (as other components do), this won’t compile.

-func (c *Workbenches) GetConditions() []common.Condition {
-    return c.Status.GetConditions()
-}
+func (c *Workbenches) GetConditions() []common.Condition {
+    return (&c.Status).GetConditions()
+}
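
Review bot: the `+` line `return (&c.Status).GetConditions()` is equivalent to the line it replaces. `c` is a `*Workbenches`, so (assuming `Status` is a struct field, as the replacement implies) `c.Status` is addressable and Go takes its address implicitly when a pointer-receiver method is called on it. The original compiles with either receiver kind, so this hunk can be dropped.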

Please verify the build.

bundle.rhoai/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (1)

1-8: CRD generation/versioning looks consistent with the toolchain

apiextensions v1, single served/storage version v1, controller-gen v0.17.3 — aligns with the Makefile upgrade.

Makefile (1)

224-228: CRD directory layout and kustomizations verified

Both config/crd/kustomization.yaml and config/crd.rhoai/kustomization.yaml are present, and each has a corresponding bases/ directory (config/crd/bases/ and config/crd.rhoai/bases/). No further changes are needed to ensure install/uninstall will work across both modes.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🔭 Outside diff range comments (1)
Makefile (1)

436-444: Update Go patch version in Toolbox target

The TOOLBOX_GOLANG_VERSION is currently pinned to 1.23.8, but the latest Go 1.23 patch is 1.23.10 (which includes important CVE fixes and is available in official images). Please bump the version to avoid build failures and stay up-to-date:

• File: Makefile, lines 436–444
• Change:

- TOOLBOX_GOLANG_VERSION := 1.23.8
+ TOOLBOX_GOLANG_VERSION := 1.23.10
♻️ Duplicate comments (2)
bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1)

115-115: Replace CSV containerImage placeholder during build

The annotation still contains containerImage: REPLACE_IMAGE:latest. Ensure your bundle build replaces this with the actual operator image, otherwise OLM and scanners will flag it.

Apply a post-generation substitution in the Makefile’s bundle target to inject $(IMG) (or your intended release image):

 bundle: prepare operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
 	$(OPERATOR_SDK) generate kustomize manifests --package $(OPERATOR_PACKAGE) --input-dir $(KUSTOMIZE_DIR) --output-dir $(KUSTOMIZE_DIR) -q
 	$(KUSTOMIZE) build $(KUSTOMIZE_DIR) | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) --package $(OPERATOR_PACKAGE) --kustomize-dir $(KUSTOMIZE_DIR) --output-dir $(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
+	# Inject image into CSV annotation containerImage
+	sed -i 's#containerImage: .*#containerImage: $(IMG)#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
 	$(OPERATOR_SDK) bundle validate ./$(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
 	mv bundle.Dockerfile Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME)
 	rm -f $(BUNDLE_DIR)/manifests/opendatahub-operator-webhook-service_v1_service.yaml
 	rm -f $(BUNDLE_DIR)/manifests/rhods-operator-webhook-service_v1_service.yaml
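
Review bot: the added `sed` pattern `containerImage: .*` is not anchored, so it rewrites every line of the CSV that contains that text, not only the annotation key; anchor it to the key at the start of the line. `$(IMG)` is also pasted by make straight into the sed program, so an image reference containing `#` or `&` would alter the replacement; escape it first, or do the substitution with a YAML-aware tool.
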
bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (1)

1488-1490: Replace image tag 'latest' with version or digest; align with spec.version and annotations

Using image:latest with imagePullPolicy: Always breaks reproducibility and upgrades in OLM. Also, annotations.containerImage is v2.33.0 while the deployment uses :latest — inconsistent.

Pin to the released version (or a digest) that matches spec.version (2.33.0), and consider IfNotPresent.

-                image: quay.io/opendatahub/opendatahub-operator:latest
-                imagePullPolicy: Always
+                image: quay.io/opendatahub/opendatahub-operator:v2.33.0
+                imagePullPolicy: IfNotPresent
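
Review bot: on the `+` lines, `v2.33.0` is still a mutable tag, and with `imagePullPolicy: IfNotPresent` a node that already holds an image under that tag will not pull again if the tag is re-pushed. If reproducibility is the goal, reference the image by digest (`...@sha256:<digest>`), taking the digest from the published release.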

Note: The retrieved learning about intentionally using :latest applies to the RHOAI CSV; this manifest is the ODH CSV, so pinning here is still expected.

If you prefer digest pinning, I can look up and propose the exact sha256 for v2.33.0.

🧹 Nitpick comments (1)
bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1)

1605-1634: Deduplicate keywords to reduce noise

Several keywords are repeated (RHOAI, ODH, OAI, AI, ML, Machine Learning, Data Science). Trimming duplicates helps keep metadata clean.

Suggested cleanup:

   keywords:
   - Operator
   - OpenShift
   - Open Data Hub
   - ODH
   - opendatahub
   - Red Hat OpenShift AI
   - RHOAI
-  - OAI
-  - ML
-  - Machine Learning
-  - Data Science
   - notebooks
   - serving
   - training
   - kserve
   - distributed-workloads
   - trustyai
   - modelregistry
-  - RHOAI
-  - ODH
-  - OAI
-  - AI
-  - ML
-  - Machine Learning
-  - Data Science
   - Feast
   - featurestore
   - llamastack
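
Review bot: the `-` lines remove more than the duplicates. `OAI`, `ML`, `Machine Learning` and `Data Science` are deleted in both places they occur, and `AI`, which appears only once, is deleted as well, so none of those keywords remain; only `RHOAI` and `ODH` are actually deduplicated. Keep the first occurrence of each (and the single `AI`) and drop only the repeats in the second block.
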
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1ccd5a1 and 4f3c4ab.

📒 Files selected for processing (8)
  • Makefile (7 hunks)
  • api/services/v1alpha1/monitoring_types.go (1 hunks)
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (3 hunks)
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • api/services/v1alpha1/monitoring_types.go
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
🧰 Additional context used
🧠 Learnings (6)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.
📚 Learning: 2025-07-29T18:44:42.749Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.

Applied to files:

  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
📚 Learning: 2025-05-27T11:28:21.229Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.

Applied to files:

  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
  • Makefile
📚 Learning: 2025-07-22T10:32:09.737Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/kustomization.yaml:22-22
Timestamp: 2025-07-22T10:32:09.737Z
Learning: In the opendatahub-operator repository, when FeatureTrackers are being removed or deprecated, the FeatureTracker CRD reference in config/crd/kustomization.yaml should be kept for backward compatibility during the migration period, even if some components no longer use FeatureTrackers.

Applied to files:

  • bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • Makefile
📚 Learning: 2025-05-27T07:45:53.136Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the `|| true` pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

Applied to files:

  • Makefile
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build/push catalog image
🔇 Additional comments (5)
bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml (1)

1265-1273: RBAC includes invalid resource “customresourcedefinitions” under operators.coreos.com

CRDs live under apiextensions.k8s.io, not operators.coreos.com. You already grant CRD perms for apiextensions.k8s.io above; this stanza is redundant and may trip linters/cert checks.

Consider removing this block:

-        - apiGroups:
-          - operators.coreos.com
-          resources:
-          - customresourcedefinitions
-          verbs:
-          - create
-          - delete
-          - get
-          - patch
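
Review bot: the removed block ends at `- patch` with no trailing context, so confirm that the rule's `verbs` list really ends there. If further verbs follow in the file, deleting only these lines would leave them attached to the preceding rule's list, widening another rule instead of removing this one. Make the change in the RBAC source and regenerate rather than editing the CSV.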

If this CSV is generated, fix the RBAC source (role) rather than hand-editing the CSV.

Makefile (3)

58-58: DEFAULT_MANIFESTS_PATH mismatch with runtime default

Makefile default is “opt/manifests” (relative), while the CSV sets /opt/manifests (absolute). If local run depends on this path, the mismatch can cause file-not-found issues.

Option A (align to absolute path):

-DEFAULT_MANIFESTS_PATH ?= opt/manifests
+DEFAULT_MANIFESTS_PATH ?= /opt/manifests

Then update CLEANFILES to match (e.g., CLEANFILES += /opt/manifests/*) only if your repo actually creates that path locally. Otherwise, keep relative for dev and pass an absolute value in container environments.


224-227: Pass platform context to manifest fetch — looks good

get-manifests now forwards ODH_PLATFORM_TYPE and VERSION to get_all_manifests.sh. This matches the PR objective and keeps main branch builds platform-aware.


193-197: Controller-gen with build tags and platform-specific CRD/RBAC outputs — good use of tags

Using $(CONTROLLER_GEN_TAGS) with output paths per platform (CRD_DIR/RBAC_DIR) aligns with the irreconcilable struct differences and build-tag approach.

bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (1)

117-117: Timestamp update looks fine

createdAt appears to be regenerated by the bundle build; no issues.
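
The image-reference findings in the review above (the `REPLACE_IMAGE:latest` annotation placeholder and the `:latest` deployment image) can be checked mechanically after bundle generation. The script below is an added example, not part of the PR or the repository; its function names, the sample CSV fragment and the digest in it are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify image references in a ClusterServiceVersion (CSV).
# Function names and the sample manifest are constructed, not the project's.

# classify_ref REF -> placeholder | digest | floating | tag
classify_ref() {
  ref=$1
  case "$ref" in
    *REPLACE_IMAGE*) echo placeholder; return 0 ;;  # unsubstituted build placeholder
    *@sha256:*)      echo digest; return 0 ;;       # immutable reference
  esac
  # Inspect only the last path component, so a registry port
  # (registry.example:5000/img) is not mistaken for a tag.
  name=${ref##*/}
  case "$name" in
    *:latest) echo floating ;;
    *:*)      echo tag ;;
    *)        echo floating ;;  # no tag: resolved as :latest at pull time
  esac
}

# scan_csv FILE -> one "LINE KIND REF" record per image/containerImage key
scan_csv() {
  awk '
    { line = $0; sub(/^[- \t]*/, "", line) }   # drop indentation and list dash
    line ~ /^(containerImage|image):[ \t]*[^ \t]/ {
      sub(/^[A-Za-z]+:[ \t]*/, "", line)       # keep only the value
      gsub(/"/, "", line)
      print NR, line
    }' "$1" |
  while read -r lineno value; do
    printf '%s %s %s\n' "$lineno" "$(classify_ref "$value")" "$value"
  done
}

# count_findings FILE -> number of placeholder or floating references
count_findings() {
  scan_csv "$1" |
    awk '$2 == "placeholder" || $2 == "floating" { n++ } END { print n + 0 }'
}

# write_sample FILE: constructed CSV fragment covering all four classes
write_sample() {
  cat > "$1" <<'EOF'
metadata:
  annotations:
    containerImage: REPLACE_IMAGE:latest
spec:
  install:
    spec:
      deployments:
      - spec:
          template:
            spec:
              containers:
              - image: quay.io/opendatahub/opendatahub-operator:latest
                imagePullPolicy: Always
              - image: registry.example:5000/sidecar@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
              - image: quay.io/example/helper:v1.2.3
EOF
}

sample=$(mktemp)
write_sample "$sample"
scan_csv "$sample"
echo "findings: $(count_findings "$sample")"
rm -f "$sample"
```

Whether a `floating` result is a defect depends on the bundle: the learnings quoted in this thread record that the RHOAI CSV uses `:latest` by design.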

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 24

🔭 Outside diff range comments (3)
.github/workflows/run-integration-tests.yaml (1)

3-7: Workflow never triggers on label events; add labeled to event types.

Jobs gate on the run-integration-tests label (Lines 25-27), but pull_request_target.types omits labeled, so applying the label alone won’t start the workflow.

Apply this diff to include the labeled event:

 on:
   pull_request_target:
     # action steps require 'run-integration-tests' label to be present, otherwise it's skipped
-    types: [ synchronize, reopened ]
+    types: [ synchronize, reopened, labeled ]
     paths:
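
Review bot: `labeled` fires when any label is added, not only `run-integration-tests`, so once that label is on a PR every further label change re-runs the job. Because this is `pull_request_target`, the label is what authorises the run; compare `github.event.label.name` for the `labeled` action, and note that `synchronize` already re-runs the workflow on new pushes while the label stays applied.
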
.github/scripts/update-versions.sh (1)

3-3: Script aborts early: invalid set flags.

set -euo is invalid because -o requires an argument; the script will error out before doing any work.

Use this:

-set -euo
+set -Eeuo pipefail
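
Review bot: `-E` on the `+` line only affects scripts that install an `ERR` trap; if update-versions.sh has none, `set -euo pipefail` says the same thing with less to explain. `pipefail` is also not supported by every `sh`, so check that the script's shebang is bash.
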
Makefile (1)

250-253: Fix image-build failure: pass CONFIG_DIR build-arg and update Dockerfiles' COPY paths

CI failing because Dockerfiles still COPY from config/...; verification found hard-coded COPYs in the repo:

  • Dockerfiles/Dockerfile — lines 26, 29, 32
  • Dockerfiles/rhoai.Dockerfile — lines 26, 29, 32

Apply Makefile change:

 image-build: # unit-test ## Build image with the manager.
-	$(IMAGE_BUILDER) buildx build --no-cache -f Dockerfiles/Dockerfile ${IMAGE_BUILD_FLAGS} -t $(IMG) .
+	$(IMAGE_BUILDER) buildx build --no-cache -f Dockerfiles/Dockerfile ${IMAGE_BUILD_FLAGS} \
+		--build-arg CONFIG_DIR=$(CONFIG_DIR) \
+		-t $(IMG) .
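
Review bot: `--build-arg CONFIG_DIR=$(CONFIG_DIR)` has an effect only if the Dockerfile declares `ARG CONFIG_DIR` inside the build stage that runs the `COPY` instructions; an `ARG` placed before the first `FROM` is not visible to `COPY`. The target also still names `-f Dockerfiles/Dockerfile`, so check how `Dockerfiles/rhoai.Dockerfile` is selected for the RHOAI build.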

Update the affected Dockerfiles (add default ARG and replace COPY paths):

  • Add near the top of each Dockerfile:
    ARG CONFIG_DIR=config

  • Replace occurrences like:
    COPY config/monitoring/ /opt/manifests/monitoring
    COPY config/osd-configs/ /opt/manifests/osd-configs
    COPY config/kueue-configs/ /opt/manifests/kueue-configs

    with:
    COPY ${CONFIG_DIR}/monitoring/ /opt/manifests/monitoring
    COPY ${CONFIG_DIR}/osd-configs/ /opt/manifests/osd-configs
    COPY ${CONFIG_DIR}/kueue-configs/ /opt/manifests/kueue-configs

Note: other Dockerfiles scanned (rhoai-bundle.Dockerfile, odh-bundle.Dockerfile, toolbox.Dockerfile, catalog.Dockerfile) had no hard-coded COPY config/ entries. Update any additional Dockerfiles if similar COPYs are added later.

♻️ Duplicate comments (1)
Makefile (1)

347-353: Automate CSV containerImage annotation substitution during bundle generation.

Without normalizing containerImage in the CSV, downstream tooling may see stale placeholders. Add a post-generate sed to set it to $(IMG).

Apply:

 bundle: prepare operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
 	$(OPERATOR_SDK) generate kustomize manifests --package $(OPERATOR_PACKAGE) --input-dir $(CONFIG_DIR)/manifests --output-dir $(CONFIG_DIR)/manifests -q
 	$(KUSTOMIZE) build $(CONFIG_DIR)/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) --package $(OPERATOR_PACKAGE) --kustomize-dir $(CONFIG_DIR)/manifests --output-dir $(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
+	# Ensure CSV annotation containerImage is set to the build image
+	sed -i 's#^\(\s*containerImage:\s*\).*#\1$(IMG)#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
 	$(OPERATOR_SDK) bundle validate ./$(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
 	mv bundle.Dockerfile Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME)
 	rm -f $(BUNDLE_DIR)/manifests/opendatahub-operator-webhook-service_v1_service.yaml
 	rm -f $(BUNDLE_DIR)/manifests/rhods-operator-webhook-service_v1_service.yaml
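
Review bot: the added `sed` line depends on GNU sed behaviour: `\s` in the pattern and `-i` without a backup suffix are not portable to BSD sed, so the `bundle` target would break for contributors on macOS. Use `[[:space:]]` and a portable in-place form, or a YAML-aware tool, and escape `$(IMG)` before it is spliced into the replacement.
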
🧹 Nitpick comments (33)
rhoai-config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml (4)

176-185: Tighten CEL messages and (optionally) assert non-empty localQueueName in the rule

  • Messages refer to "schedulingType", but the field is named "type". Align wording to avoid user confusion.
  • The rule checks presence via has(self.kueue.localQueueName). If you want the CEL rule itself to enforce non-empty (instead of relying on minLength alone), add a non-empty check.

Apply this diff to the generated YAML for illustration; implement the change in the Go kubebuilder markers so it persists:

-                - message: When schedulingType is 'Queue', the 'kueue.localQueueName'
-                    field must be specified and non-empty, and the 'node' field must
-                    not be set
-                  rule: 'self.type == ''Queue'' ? (has(self.kueue) && has(self.kueue.localQueueName)
-                    && !has(self.node)) : true'
-                - message: When schedulingType is 'Node', the 'node' field must be
-                    set, and the 'kueue' field must not be set
+                - message: When type is 'Queue', the 'kueue.localQueueName'
+                    field must be specified and non-empty, and the 'node' field must
+                    not be set
+                  rule: 'self.type == ''Queue'' ? (has(self.kueue) && has(self.kueue.localQueueName)
+                    && self.kueue.localQueueName != "" && !has(self.node)) : true'
+                - message: When type is 'Node', the 'node' field must be
+                    set, and the 'kueue' field must not be set
                   rule: 'self.type == ''Node'' ? (has(self.node) && !has(self.kueue))
                     : true'

If you want, I can draft the kubebuilder annotations in the Go types to generate these exact messages and rules.


141-147: Description says “Defaults to Equal” but no default is specified

The schema does not set a default for operator, yet the description promises a default. Either:

  • add a default in the Go type via kubebuilder marker so the generator emits it; or
  • drop the “Defaults to Equal.” sentence to avoid misleading users.

Preferred: set the default via kubebuilder on the source type (don’t hand-edit this file):

Example in Go (adjust the actual type/field path accordingly):

// +kubebuilder:validation:Enum=Exists;Equal
// +kubebuilder:default=Equal
Operator string `json:"operator,omitempty"`

Optionally, also validate effect:

// +kubebuilder:validation:Enum=NoSchedule;PreferNoSchedule;NoExecute
Effect string `json:"effect,omitempty"`

I can open a follow-up PR adding these markers to the Go structs driving this CRD.


130-135: Consider constraining “effect” and “operator” with enums

To catch typos early, add enum validations:

  • effect: NoSchedule, PreferNoSchedule, NoExecute
  • operator: Exists, Equal

Implement via kubebuilder validation enums on the Go fields; controller-gen will emit the enums here. This avoids hand-editing generated YAML.

Also applies to: 141-147


46-70: Confirm intent behind int-or-string for counts

defaultCount/minCount/maxCount accept string values. If this is to support quantities (e.g., “8Gi” for Memory), all good. If CPUs/Accelerators should be integers only, consider:

  • documenting expected formats in the field comments, or
  • splitting fields by resourceType with tighter validation, or
  • adding CEL constraints keyed off resourceType (more complex).

Given this file is generated, any tightening should be done in the Go types/markers.

rhoai-bundle/manifests/redhat-ods-operator-metrics-reader_rbac.authorization.k8s.io_v1_clusterrole.yaml (2)

7-10: Consider allowing subpaths if you ever expose metrics under nested routes

If the metrics endpoint might serve subpaths (e.g., /metrics/*), you can future-proof the rule by including the wildcard. Not required if you only serve /metrics.

Apply this diff if desired:

 rules:
 - nonResourceURLs:
   - /metrics
+  - /metrics/*
   verbs:
   - get
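
Review bot: adding `/metrics/*` grants `get` on every path under `/metrics/` to anything bound to this ClusterRole, before any such path exists. Leave the rule at `/metrics` and add the wildcard in the same change that introduces a nested metrics route.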

3-5: Optional: add traceability labels (if this file isn’t generated)
Adding standard labels helps ops/debugging and ownership tracking in clusters managed by multiple operators. If this manifest is generated from source, add labels at the source (e.g., config/rbac) so they flow into the bundle.

Apply this diff (or add equivalent labels in the RBAC source):

 metadata:
   creationTimestamp: null
   name: redhat-ods-operator-metrics-reader
+  labels:
+    app.kubernetes.io/name: redhat-ods-operator
+    app.kubernetes.io/component: metrics
+    app.kubernetes.io/part-of: rhoai
rhoai-bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml (2)

3-13: Confirm policy acceptance for binding to openshift-monitoring’s Prometheus SA

This ClusterRoleBinding grants cluster-wide read access to the cluster-monitoring Prometheus (ServiceAccount prometheus-k8s in openshift-monitoring). This is outside the operator’s own namespace and may be disallowed in some environments or when cluster-monitoring is disabled. Please confirm this is an intentional, supported cross-component dependency for the RHOAI variant and that installation should fail if openshift-monitoring is absent.

If this dependency is required, consider documenting it in the CSV description/README and adding a preflight check or install-time validation. If the intent is to allow optional integration, consider deferring the binding creation behind a feature flag or a separate optional manifest.


3-6: Remove generated “creationTimestamp: null”

This field is a no-op in static manifests and can be omitted to reduce churn.

 metadata:
-  creationTimestamp: null
   name: prometheus-k8s-viewer
rhoai-bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml (1)

3-5: Drop generated “creationTimestamp: null”

Not needed in declarative YAML; omitting reduces noise.

 metadata:
-  creationTimestamp: null
   name: prometheus-k8s-viewer
.github/workflows/run-integration-tests.yaml (1)

60-72: Minor: use the shell env var instead of GitHub expression for logging.

Within the same step, prefer ${OPERATOR_REPOSITORY_NAME} over ${{ env.OPERATOR_REPOSITORY_NAME }} for consistent, non-empty logging.

-            echo "Failed to retrieve a valid release tag from ${{ env.OPERATOR_REPOSITORY_NAME }}, API call failed. Please re-run the action if possible."
+            echo "Failed to retrieve a valid release tag from ${OPERATOR_REPOSITORY_NAME}, API call failed. Please re-run the action if possible."
docs/integration-testing.md (1)

19-19: Minor grammar: remove redundant “directory.”

Optional readability tweak.

-- **Bundle Manifests** (`odh-bundle/` and `rhoai-bundle/` directory changes)
+- **Bundle Manifests** (`odh-bundle/` and `rhoai-bundle/` changes)
rhoai-bundle/manifests/features.opendatahub.io_featuretrackers.yaml (1)

64-118: Optional: align conditions list typing with other CRDs

Other CRDs in this PR (e.g., Ray, TrainingOperator) mark conditions as x-kubernetes-list-type: atomic. Not required, but adding it here would keep consistency across your APIs (if generated from Go types, this would be a marker change upstream rather than hand-edit here).

rhoai-bundle/tests/scorecard/config.yaml (2)

11-11: Align scorecard-test image versions or document intentional skew

The basic check uses v1.31.0 while the OLM tests use v1.24.1. Mixed versions can introduce inconsistent behavior. If there’s a compatibility reason, consider capturing it in a comment; otherwise, standardize on one tag.

If standardizing, update the remaining images to v1.31.0 for consistency with the API version in use.


21-21: Follow-up: if standardizing image versions, update these as well

If you decide to align versions, update all these image tags to the chosen version.

Also applies to: 31-31, 41-41, 51-51, 61-61

rhoai-config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml (1)

17-25: Optional: add a Phase printer column for quick at-a-glance status

You already surface Ready/Reason. Consider adding a printer column for .status.phase to improve operability (similar to other CRDs that expose a Phase). Note: do this by adding a kubebuilder printcolumn annotation in the Go type so the generated CRD stays the source of truth.

rhoai-config/crd/bases/services.platform.opendatahub.io_monitorings.yaml (1)

140-186: Optional: Consider ResourceQuantity types for traces.storage.size.

Unlike metrics.storage.size (int-or-string with quantity pattern), traces.storage.size is a plain string with no quantity validation. Consider aligning it to k8s resource.Quantity semantics for consistency.

Note: implement via Go type/annotations, not hand-editing the generated YAML.

rhoai-config/crd/bases/components.platform.opendatahub.io_rays.yaml (1)

10-14: Optional: add shortNames to improve kubectl UX (via upstream annotations)

If desirable, consider adding a short name (e.g., ray) to the resource for easier CLI interaction. This would be done in the Go type with kubebuilder tags and then regenerated.

Example in Go types (for upstream change):
// +kubebuilder:resource:scope=Cluster,shortName=ray

rhoai-config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (1)

55-69: Documentation nit: clarify user-facing allowed values for managementState

Description mentions overall controller behavior; consider ensuring end-user docs clearly state the supported values for RHOAI builds (e.g., Managed, Removed) and any values intentionally unsupported in this platform mode.

If you want, I can draft a short doc snippet for the RHOAI README explaining managementState semantics.

rhoai-bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (2)

17-29: AdditionalPrinterColumn references a non-declared status field (status.URI).

Column "URI" points to .status.URI, but the schema for status does not declare a URI field. If consumers rely on this column, they’ll always see blanks. Please either add status.URI to the status schema or remove/adjust the column in the Go type’s kubebuilder markers (so the generated CRD and bundle stay consistent).

If this is intentional, ignore. Otherwise, adjust the source Go type annotations instead of hand-editing the YAML.

Also applies to: 145-211


56-58: Description looks mismatched for field ‘kserve’.

The description mentions “ModelMeshServing DSCModelMeshServing json:"modelMeshServing,omitempty"” under the kserve property, which reads like a copy/paste artifact and a tag mismatch. If this is generated from struct comments/tags, fix the source struct or kubebuilder comment so the generated CRD is accurate.

rhoai-bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (1)

46-85: Consider adding numeric consistency validation for identifier counts.

Right now, defaultCount/minCount/maxCount are typed (int-or-string) but there’s no CEL ensuring ordering. If meaningful, add rules in the Go types to enforce minCount ≤ defaultCount ≤ maxCount (when provided). Example (to be placed on the item struct via kubebuilder:validation: rules):

  • self.minCount <= self.defaultCount
  • has(self.maxCount) ? self.defaultCount <= self.maxCount : true
  • has(self.maxCount) ? self.minCount <= self.maxCount : true

This improves input validation without changing runtime behavior.

I can draft the kubebuilder validation markers in Go if you point me to the source type.

rhoai-config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml (2)

17-31: Printer column references status.URI but status schema lacks URI.

Same as in the bundle CRD: “URI” column points to .status.URI, which isn’t declared. If you want that column populated, add the field to the status in the source Go type or drop the column annotation.

Generated file note: address in Go types/kubebuilder markers, not here.

Also applies to: 145-211


56-58: Suspicious description for ‘kserve’ (looks copied/mistagged).

The description under kserve mentions ModelMeshServing and shows a different json tag. If this is not intentional, fix the source struct comments/tags so the generated content aligns with the actual field.

rhoai-config/crd/bases/components.platform.opendatahub.io_trustyais.yaml (1)

8-26: Optional: consider adding shortNames for UX

Adding a shortNames entry (e.g., trustyai) improves CLI ergonomics. Since this file is generated, apply via kubebuilder marker on the Go type (e.g., +kubebuilder:resource:shortName=trustyai) rather than editing YAML.

rhoai-bundle/manifests/components.platform.opendatahub.io_kueues.yaml (1)

10-15: Optional: add shortNames for CLI ergonomics

Consider defining a short name (e.g., kq). Apply via kubebuilder markers on the Go type (+kubebuilder:resource:shortName=kq) so generated YAML includes it.

rhoai-config/crd/bases/components.platform.opendatahub.io_kueues.yaml (1)

86-103: Enum vs pattern mismatch and “Unmanaged” description copy-paste (generated; fix upstream Go comments).

  • enum allows Managed|Unmanaged|Removed but pattern also allows Force. This mismatch is expected in generated files and should be addressed in the Go source if needed.
  • The “Unmanaged” description appears to be copy-pasted from “Managed” and is misleading for users.

Action: If you want to clean this up, update the kubebuilder comments/markers in the Go type and re-generate. Don’t hand-edit this YAML.

rhoai-config/crd/bases/components.platform.opendatahub.io_workbenches.yaml (1)

10-15: Singular name equals plural; verify this is intentional in the Go markers.

names.singular is set to “workbenches” (same as plural). If this is intended (given Kind is plural “Workbenches”), no change needed. If you want a conventional singular (e.g., “workbenches” -> “workbenches” vs “workbench”), adjust kubebuilder resource markers in the Go type and re-generate.

If you want help, I can point to the exact kubebuilder markers to tweak in the Go source.

rhoai-config/crd/bases/components.platform.opendatahub.io_kserves.yaml (1)

118-141: Add conditional validation: require secretName when certificate.type is Provided

Right now, users can set spec.serving.ingressGateway.certificate.type: Provided without supplying secretName. Consider adding an XValidation to enforce secretName presence when type == "Provided". Since this file is generated, apply the change in the Go types using kubebuilder markers.

Example (in the Go type on the Certificate struct):

  • +kubebuilder:validation:XValidation:rule="self.type != 'Provided' || (has(self.secretName) && self.secretName != '')",message="secretName must be set when certificate.type is Provided"

I can draft the kubebuilder markers in the source type if you point me to the struct file.

rhoai-config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml (1)

77-84: Consider making registriesNamespace immutable (if “configurable only once” is required)

Description says “configurable only once,” but there is no immutability rule. If immutability is expected, add an XValidation to prevent changes after initial set. As this file is generated, please apply via kubebuilder markers on the source type.

Example (on the field in the Go type):

  • +kubebuilder:validation:XValidation:rule="self == oldSelf",message="RegistriesNamespace is immutable"

I can prepare the exact kubebuilder tag in the corresponding type; point me to the file.

rhoai-bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (1)

19-29: Minor: duplicate timestamp printer columns

You expose both Age and Created At from creationTimestamp. This is fine, but if column budget is tight you could drop one. Since this is generated, only change if desired upstream.

rhoai-bundle/manifests/components.platform.opendatahub.io_kserves.yaml (1)

118-141: Nit: tiny wording tweak in generated description (upstream only)

The sentence “TLS certificate secure HTTP communications” reads awkwardly. Consider updating the upstream Go doc/kubebuilder comment to: “TLS certificate to secure HTTP communications”. This will flow into generated CRDs next time.

If you want, I can propose the precise comment change in the Go type so future controller-gen runs pick it up.

rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml (2)

384-405: Redundant/ineffective core-group RBAC entries for non-core resources

“deployments” are not in the core API group (“”), they are under apps (already covered later). Keeping these in the core group does nothing. Optional cleanup to reduce noise.

Apply this diff to trim the redundant stanza:

-        - apiGroups:
-          - ""
-          resources:
-          - deployments
-          - persistentvolumeclaims
-          - persistentvolumes
-          - pods
-          - pods/exec
-          - pods/log
-          verbs:
-          - '*'
+        - apiGroups:
+          - ""
+          resources:
+          - persistentvolumeclaims
+          - persistentvolumes
+          - pods
+          - pods/exec
+          - pods/log
+          verbs:
+          - '*'
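Review bot: The stanza being trimmed is in rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml, a generated bundle artifact, so a hand-applied diff will be overwritten the next time the bundle is generated. Drop the `deployments` entry under `apiGroups: [""]` in the source RBAC configuration or markers and regenerate instead.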

1638-1639: Nit: brand capitalization

“Red Hat Openshift AI” should be “Red Hat OpenShift AI”.

-    name: Red Hat Openshift AI
+    name: Red Hat OpenShift AI
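The RBAC findings raised in this review (a resource listed under the wrong API group, wildcard verbs and API groups, a `status` subresource that does not exist) can be checked mechanically. The following is an added example, not code from the review or from the operator: `PolicyRule`, `LintRules`, `SampleRules` and the `homeGroup` table are hypothetical names, and the sample rules are constructed from the hunks quoted on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule holds the three RBAC rule fields the review comments discuss.
type PolicyRule struct {
	APIGroups, Resources, Verbs []string
}

// Finding is one lint result for rule number Rule (0-based).
type Finding struct {
	Rule     int
	Resource string
	Problem  string
}

// homeGroup is a hand-written table (an assumption of this example); a real
// check would query the cluster's API discovery information instead.
var homeGroup = map[string]string{
	"pods": "", "services": "", "configmaps": "", "secrets": "",
	"persistentvolumeclaims": "", "persistentvolumes": "",
	"deployments": "apps", "replicasets": "apps", "statefulsets": "apps",
	"clusterversions": "config.openshift.io", "rhmis": "integreatly.org",
}

// noStatus lists resources that have no status subresource.
var noStatus = map[string]bool{"configmaps": true, "secrets": true}

func contains(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// LintRules reports wildcard grants, resources listed under an API group that
// does not serve them, and status subresources that do not exist.
func LintRules(rules []PolicyRule) []Finding {
	var out []Finding
	for i, r := range rules {
		anyGroup := contains(r.APIGroups, "*")
		if anyGroup {
			out = append(out, Finding{Rule: i, Resource: "*",
				Problem: "wildcard apiGroup matches every current and future group"})
		}
		if contains(r.Verbs, "*") {
			out = append(out, Finding{Rule: i, Resource: strings.Join(r.Resources, ","),
				Problem: "wildcard verb; list the verbs that are needed"})
		}
		for _, res := range r.Resources {
			base, sub, _ := strings.Cut(res, "/")
			if sub == "status" && noStatus[base] {
				out = append(out, Finding{Rule: i, Resource: res,
					Problem: "resource has no status subresource"})
				continue
			}
			home, known := homeGroup[base]
			if known && !anyGroup && !contains(r.APIGroups, home) {
				out = append(out, Finding{Rule: i, Resource: res,
					Problem: fmt.Sprintf("served by group %q, not by the listed groups; entry has no effect", home)})
			}
		}
	}
	return out
}

// SampleRules returns constructed rules mirroring the hunks quoted on this page.
func SampleRules() []PolicyRule {
	return []PolicyRule{
		{[]string{""}, []string{"deployments", "persistentvolumeclaims", "persistentvolumes",
			"pods", "pods/exec", "pods/log"}, []string{"*"}},
		{[]string{"*"}, []string{"deployments", "replicasets", "services"}, []string{"*"}},
		{[]string{""}, []string{"configmaps/status"}, []string{"delete", "get", "patch", "update"}},
		{[]string{""}, []string{"clusterversions", "rhmis"}, []string{"get", "list", "watch"}},
		{[]string{"apps"}, []string{"deployments"}, []string{"get", "list", "watch"}},
	}
}

func main() {
	for _, f := range LintRules(SampleRules()) {
		fmt.Printf("rule %d: %s: %s\n", f.Rule, f.Resource, f.Problem)
	}
}
```

Run against the source RBAC rules rather than the generated bundle, so that findings are fixed where the rules are authored.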

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🔭 Outside diff range comments (3)
.github/workflows/build-push-images-on-pr-update.yaml (1)

5-12: Sync workflow path filters with new repo layout (odh-config/rhoai-config and odh-bundle/rhoai-bundle).

The workflow still watches legacy bundle/** and does not watch rhoai-config/, odh-bundle/, or rhoai-bundle/**. Update the triggers to reflect the platform split to avoid missed or unnecessary runs.

Apply:

   pull_request_target:
     types: [ opened, synchronize, reopened ]
     paths:
-      - 'bundle/**'
-      - 'odh-config/**'
+      - 'odh-bundle/**'
+      - 'rhoai-bundle/**'
+      - 'odh-config/**'
+      - 'rhoai-config/**'
       - 'Dockerfiles/**'
       - 'internal/**'
       - 'pkg/**'
       - 'cmd/main.go'
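Review bot: The trigger in this hunk is `pull_request_target`, which runs with the base repository's token and secrets, so adding `odh-bundle/**`, `rhoai-bundle/**` and `rhoai-config/**` to `paths` increases how often that privileged context runs for fork PRs. Confirm the job does not check out and build the PR head without an approval or label gate before widening the filter.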
get_all_manifests.sh (2)

134-139: Fix background jobs tracking: stray “+” and missing pids array declaration.

The comment includes a stray “+” and the pids array is not explicitly declared. While bash will create it on first append, be explicit and remove the noise to avoid confusion.

-# Track background job PIDs +declare -a pids=()
+# Track background job PIDs
+declare -a pids=()
 # Use parallel processing
 for key in "${!COMPONENT_MANIFESTS[@]}"; do
     download_manifest "$key" "${COMPONENT_MANIFESTS[$key]}" &
     pids+=($!)
 done
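Review bot: Collecting PIDs with `pids+=($!)` only helps if the script later runs `wait "$pid"` for each entry and exits non-zero on a failure; that loop is outside this hunk and should be checked, because a bare `wait` returns 0 even when a `download_manifest` job failed and the build would continue with a partial manifest tree. Quote the append as `pids+=("$!")` while touching this line.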

102-111: Quote paths and use “cp -r …/.” to avoid globbing pitfalls and spaces issues.

Improve robustness of git/workdir and copy steps with proper quoting and avoiding naked globs.

-    mkdir -p $dir
-    pushd $dir &>/dev/null
+    mkdir -p "$dir"
+    pushd "$dir" &>/dev/null
     git init -q
     # try tag first, avoid printing fatal: couldn't find remote ref
-    if ! $git_fetch refs/tags/$ref 2>/dev/null ; then
-        $git_fetch refs/heads/$ref
+    if ! $git_fetch "refs/tags/$ref" 2>/dev/null ; then
+        $git_fetch "refs/heads/$ref"
     fi
     git reset -q --hard FETCH_HEAD
     popd &>/dev/null
-    git_fetch_ref ${repo_url} ${repo_ref} ${repo_dir}
+    git_fetch_ref "${repo_url}" "${repo_ref}" "${repo_dir}"
-
-    mkdir -p ./opt/manifests/${target_path}
-    cp -rf ${repo_dir}/${source_path}/* ./opt/manifests/${target_path}
+    mkdir -p "./opt/manifests/${target_path}"
+    cp -rf "${repo_dir}/${source_path}/." "./opt/manifests/${target_path}"
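Review bot: On the `cp -rf` line, changing `/*` to `/.` also changes what is copied: the `/.` form includes dotfiles under `${source_path}` that the glob skipped, so confirm that hidden files from the fetched repositories are acceptable in `./opt/manifests`. `$git_fetch` is still expanded unquoted as a command string; a function or an array would avoid relying on word splitting.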

Also applies to: 128-132

♻️ Duplicate comments (1)
docs/integration-testing.md (1)

92-96: LGTM: Monitored paths now match workflow filters.

The list now includes odh-config/ and rhoai-config/, aligning with CI triggers suggested earlier.

🧹 Nitpick comments (2)
docs/integration-testing.md (1)

85-86: Minor formatting nit: add spaces around inline code for readability.

-    - Expected format is`v<X>.<Y>.<Z>-pr-<pr_number>`
-        - For example:`v2.32.0-pr-1`
+    - Expected format is `v<X>.<Y>.<Z>-pr-<pr_number>`
+        - For example: `v2.32.0-pr-1`
Makefile (1)

347-354: Optionally set CSV containerImage to the build image to prevent drift.

If CSV containerImage isn’t set elsewhere, add a post-generation substitution step so bundle metadata consistently reflects the image being built.

 bundle: prepare operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
 	$(OPERATOR_SDK) generate kustomize manifests --package $(OPERATOR_PACKAGE) --input-dir $(CONFIG_DIR)/manifests --output-dir $(CONFIG_DIR)/manifests -q
 	$(KUSTOMIZE) build $(CONFIG_DIR)/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) --package $(OPERATOR_PACKAGE) --kustomize-dir $(CONFIG_DIR)/manifests --output-dir $(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
+	# Ensure CSV annotation containerImage matches the build IMG
+	sed -i 's#^\(\s*containerImage:\s*\).*#\1$(IMG)#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
 	$(OPERATOR_SDK) bundle validate ./$(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
 	mv bundle.Dockerfile Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME)
 	rm -f $(BUNDLE_DIR)/manifests/opendatahub-operator-webhook-service_v1_service.yaml
 	rm -f $(BUNDLE_DIR)/manifests/rhods-operator-webhook-service_v1_service.yaml
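Review bot: The added `sed -i` line rewrites every `containerImage:` line in any `*clusterserviceversion.yaml` under `$(BUNDLE_DIR)`, which would also override the image reference that the learning recorded for this PR says the RHOAI CSV keeps by design; gate the step on the platform or set the annotation in the CSV base under `$(CONFIG_DIR)/manifests`. The `\s` class and the suffix-less `-i` are GNU sed behaviour, so the target would break for contributors on BSD or macOS sed.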
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 847cbed and 34112cf.

📒 Files selected for processing (7)
  • .github/workflows/build-push-images-on-pr-update.yaml (1 hunks)
  • Dockerfiles/Dockerfile (1 hunks)
  • Dockerfiles/rhoai.Dockerfile (1 hunks)
  • Makefile (8 hunks)
  • docs/integration-testing.md (2 hunks)
  • get_all_manifests.sh (1 hunks)
  • hack/update-catalog-template.sh (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • hack/update-catalog-template.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfiles/rhoai.Dockerfile
🧰 Additional context used
🧠 Learnings (9)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.247Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: .github/workflows/prometheus-unit-tests.yaml:5-5
Timestamp: 2025-08-13T21:04:32.656Z
Learning: In the opendatahub-operator repository, prometheus monitoring configurations are shared between ODH and RHOAI platforms. The prometheus directory only exists in odh-config/monitoring/prometheus/, not in rhoai-config. Both platforms reference the same prometheus manifests from the odh-config location.
📚 Learning: 2025-05-27T11:28:21.229Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.

Applied to files:

  • Dockerfiles/Dockerfile
  • Makefile
📚 Learning: 2025-08-13T21:03:04.247Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.247Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:03:23.304Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.304Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.

Applied to files:

  • Makefile
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:04:32.656Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: .github/workflows/prometheus-unit-tests.yaml:5-5
Timestamp: 2025-08-13T21:04:32.656Z
Learning: In the opendatahub-operator repository, prometheus monitoring configurations are shared between ODH and RHOAI platforms. The prometheus directory only exists in odh-config/monitoring/prometheus/, not in rhoai-config. Both platforms reference the same prometheus manifests from the odh-config location.

Applied to files:

  • Makefile
  • docs/integration-testing.md
📚 Learning: 2025-08-13T14:40:18.443Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/bases/services.platform.opendatahub.io_servicemeshes.yaml:114-114
Timestamp: 2025-08-13T14:40:18.443Z
Learning: In the opendatahub-operator repository, CRD files under config/crd/bases/ are auto-generated files (using `make generate manifests api-docs` command), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes in Go structs/kubebuilder annotations rather than direct YAML modifications.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T18:07:20.843Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:264-338
Timestamp: 2025-08-13T18:07:20.843Z
Learning: Bundle manifest files (like bundle/manifests/*.yaml) in operator projects are typically generated artifacts, not source files. RBAC and permission issues should be addressed in the source configurations (config/rbac/, CSV base templates, etc.) that generate these bundles, not in the generated files themselves.

Applied to files:

  • Makefile
📚 Learning: 2025-05-27T07:45:53.136Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the `|| true` pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

Applied to files:

  • Makefile
🧬 Code Graph Analysis (1)
get_all_manifests.sh (1)
pkg/cluster/const.go (1)
  • OpenDataHub (11-11)
🪛 checkmake (0.2.2)
Makefile

[warning] 182-182: Target "output" should be declared PHONY.

(phonydeclared)

🔇 Additional comments (5)
docs/integration-testing.md (1)

19-20: LGTM: Updated directories (odh-bundle/rhoai-bundle and odh-config/rhoai-config).

The doc accurately reflects the platform split and new monitored paths.

Dockerfiles/Dockerfile (1)

25-33: LGTM: COPY paths updated to odh-config/…

Switching monitoring, osd-configs, and kueue-configs to odh-config aligns with the repo restructuring. This also matches the shared Prometheus location noted for both platforms.

Makefile (3)

24-47: LGTM: Platform-aware defaults and config directories.

The ODH vs RHOAI split (VERSION/CHANNELS/CONFIG_DIR/GO tags) is clean and aligns with the new tree structure. This should unblock per-platform builds and bundle generation.


185-190: Correct use of build tags with controller-gen.

Passing CONTROLLER_GEN_TAGS enables proper conditional compilation for CRDs/RBAC/webhooks per platform.


135-140: LGTM: Prometheus paths updated to odh-config.

Matches the shared-prometheus location used by both platforms.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (4)
Makefile (4)

135-138: Prometheus config path moved to odh-config as intended

Per repo conventions, both platforms share the odh-config/monitoring/prometheus location. These references are correct.


272-276: Manager kustomization now respects CONFIG_DIR

Using $(CONFIG_DIR)/manager and the in-tree kustomize edit step removes hardcoding and works for both ODH and RHOAI.


278-292: Install/deploy paths correctly parameterized by CONFIG_DIR

Building from $(CONFIG_DIR)/crd and $(CONFIG_DIR)/default fixes previous hardcoding and unblocks RHOAI mode. The ignore-not-found usage is also appropriate.


348-354: Bundle flow is correct; consider automating CSV containerImage substitution

The operator-sdk generate/move/cleanup sequence is sound. To ensure the CSV’s containerImage annotation points at the image being built, add a substitution step post-generation.

Apply:

 	$(KUSTOMIZE) build $(CONFIG_DIR)/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) --package $(OPERATOR_PACKAGE) --kustomize-dir $(CONFIG_DIR)/manifests --output-dir $(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
+	# Ensure CSV annotation containerImage is set to the build image
+	sed -i 's#^\(\s*containerImage:\s*\).*#\1$(IMG)#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
 	$(OPERATOR_SDK) bundle validate ./$(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
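Review bot: As written, the `sed -i` step exits 0 when no `containerImage:` line matches, so a renamed or missing annotation would pass `bundle validate` with the old image still in place. Follow it with a `grep -q` for `$(IMG)` in the CSV so the target fails when the substitution did not happen.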
🧹 Nitpick comments (1)
Makefile (1)

404-415: Make catalog template path platform-aware with fallback

Currently, the template is always copied from odh-config. If/when rhoai-config provides a specific template, prefer $(CONFIG_DIR)/catalog/… with a safe fallback to odh-config to avoid breaking current builds.

Apply:

-	cp odh-config/catalog/fbc-basic-template.yaml catalog/fbc-basic-template.yaml
+	if [ -f "$(CONFIG_DIR)/catalog/fbc-basic-template.yaml" ]; then \
+	  cp "$(CONFIG_DIR)/catalog/fbc-basic-template.yaml" catalog/fbc-basic-template.yaml; \
+	else \
+	  cp odh-config/catalog/fbc-basic-template.yaml catalog/fbc-basic-template.yaml; \
+	fi
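Review bot: The `else` branch falls back to `odh-config/catalog/fbc-basic-template.yaml` without saying so, which means an RHOAI catalog build cannot tell which template it used. Echo the chosen path in both branches, and quote the fallback path the same way as the `$(CONFIG_DIR)` one.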

Please confirm whether a rhoai-config/catalog template is planned; if yes, the above will adopt it automatically when added.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 34112cf and baf07c9.

📒 Files selected for processing (2)
  • Dockerfiles/bundle.Dockerfile (1 hunks)
  • Makefile (8 hunks)
🔇 Additional comments (8)
Dockerfiles/bundle.Dockerfile (1)

18-20: Path updates correctly align with odh-bundle layout

COPY sources now point to odh-bundle, matching the repo reorg and Makefile defaults for ODH builds. No issues spotted.

Makefile (7)

21-47: Platform gating looks solid; confirm defaults and image naming intent

  • The split by ODH_PLATFORM_TYPE with CONFIG_DIR/GO_RUN_ARGS/OPERATOR_PACKAGE/ROLE_NAME is clean.
  • Please confirm the RHOAI default VERSION=2.23.0 is intentional given ODH defaults to 2.33.0.
  • Consider whether IMAGE_TAG_BASE should vary per platform. As-is, both ODH and RHOAI bundles push under quay.io/opendatahub/opendatahub-operator*. If RHOAI images/bundles should live elsewhere, add platform-aware IMAGE_TAG_BASE.

54-71: Bundle metadata options constructed correctly

BUNDLE_CHANNELS/DEFAULT_CHANNEL are gated by origin checks and composed into BUNDLE_METADATA_OPTS. This avoids emitting empty flags and supports platform-specific defaults.


95-99: controller-tools upgrade enables build-tags support

Bumping CONTROLLER_TOOLS_VERSION to v0.17.3 aligns with using --load-build-tags; good catch to keep these in sync.


177-183: External CRDs now emit under $(CONFIG_DIR)/crd/external

This makes fetch-external-crds platform-aware and keeps artifacts collocated with the active CONFIG_DIR.


185-190: controller-gen flags are correct with build tags and per-platform outputs

  • Using $(CONTROLLER_GEN_TAGS) with --load-build-tags and per-platform output dirs is correct.
  • ROLE_NAME is set per platform, so RBAC artifacts get the right role name.

216-219: get-manifests correctly forwards platform and version

Passing ODH_PLATFORM_TYPE and VERSION to get_all_manifests.sh matches the new script behavior.


355-358: Bundle build uses the correct per-platform Dockerfile

This correctly leverages Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME) and honors $(PLATFORM). All good.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🔭 Outside diff range comments (3)
odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (3)

340-347: Remove wildcard apiGroup rules for deployments/replicasets/services/statefulsets.

These are redundant with specific apps/core rules and unnecessarily broad.

-        - apiGroups:
-          - '*'
-          resources:
-          - deployments
-          - replicasets
-          - services
-          verbs:
-          - '*'
-        - apiGroups:
-          - '*'
-          resources:
-          - statefulsets
-          verbs:
-          - create
-          - delete
-          - get
-          - list
-          - patch
-          - update
-          - watch
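Review bot: Deleting both `apiGroups: ['*']` rules is only safe if `deployments`, `replicasets`, `services` and `statefulsets` are each still granted under their own API group elsewhere in the CSV, which this hunk does not show. Verify that first, and make the change in the source RBAC rules, since this file sits under `odh-bundle/manifests`.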

Also applies to: 348-358


1223-1231: Reduce RBAC escalation: avoid full CRUD on ClusterRoles/RoleBindings.

Granting '*' on clusterroles/clusterrolebindings/roles/rolebindings enables bind/escalate. Limit verbs to the minimal set required.

-        - apiGroups:
+        - apiGroups:
           - rbac.authorization.k8s.io
           resources:
           - clusterrolebindings
           - clusterroles
           - rolebindings
           - roles
           verbs:
-          - '*'
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - watch
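Review bot: The replacement verb list keeps `create`, `patch` and `delete` but omits `update`, and removing `'*'` also removes `bind` and `escalate`. Without those two verbs the API server rejects role and binding writes that grant permissions the operator's service account does not itself hold, so confirm the operator never creates such roles for its components, or add `bind` and `escalate` back explicitly and scope them with `resourceNames` where possible. The paired `-`/`+` `- apiGroups:` lines are identical and can be dropped from the suggestion.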

1257-1278: Scope SCC permissions to “use” on specific SCCs instead of wildcard.

Avoid modifying SCC objects and restrict to use on named SCCs. This lowers risk and matches common operator patterns.

-        - apiGroups:
+        - apiGroups:
           - security.openshift.io
           resources:
           - securitycontextconstraints
           verbs:
-          - '*'
+          - get
+          - list
+          - watch
         - apiGroups:
           - security.openshift.io
           resourceNames:
           - anyuid
           resources:
           - securitycontextconstraints
           verbs:
-          - '*'
+          - use
         - apiGroups:
           - security.openshift.io
           resourceNames:
           - restricted
           resources:
           - securitycontextconstraints
           verbs:
-          - '*'
+          - use
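Review bot: The first rule drops `create`, `update` and `delete` on `securitycontextconstraints` without evidence that the operator never installs or edits an SCC of its own; check the component manifests before narrowing it to `get`, `list`, `watch`. On the `anyuid` rule, `use` lets pods running under the operator's service account run as any UID, so keep it only if the operator pod itself needs it.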
♻️ Duplicate comments (7)
odh-config/rbac/role.yaml (5)

7-15: Remove invalid core-group rule for clusterversions and rhmis

These resources are not in the core API group (""). clusterversions belong to config.openshift.io (already covered later), and rhmis belong to integreatly.org (also covered later). Keeping this block is incorrect and redundant.

Apply this diff to delete the invalid block:

-- apiGroups:
-  - ""
-  resources:
-  - clusterversions
-  - rhmis
-  verbs:
-  - get
-  - list
-  - watch

17-33: Scope finalizers subresources to update-only and split into a separate rule

Granting broad verbs on secrets/finalizers and services/finalizers is unnecessary. Finalizers only require update.

Apply this diff:

 - apiGroups:
   - ""
   resources:
   - configmaps
   - events
   - namespaces
   - secrets
-  - secrets/finalizers
   - serviceaccounts
-  - services/finalizers
   verbs:
   - create
   - delete
   - get
   - list
   - patch
   - update
   - watch
+ - apiGroups:
+   - ""
+   resources:
+   - secrets/finalizers
+   - services/finalizers
+   verbs:
+   - update
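Review bot: The added rule is indented one column deeper (`+ - apiGroups:`) than the sibling `- apiGroups:` entries in the context lines, so it would not sit at the same sequence level as the existing rules; align it before applying. The review itself notes that role.yaml may be generated by controller-gen, in which case the `update`-only finalizers rule belongs in the `+kubebuilder:rbac` markers.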

35-42: Remove configmaps/status — ConfigMaps have no status subresource

This rule is invalid and misleading.

Apply this diff to delete the block:

- - apiGroups:
-   - ""
-   resources:
-   - configmaps/status
-   verbs:
-   - delete
-   - get
-   - patch
-   - update

44-53: Remove deployments from core-group resources

deployments belong to the apps API group, not core (""). You already grant apps/deployments below.

Apply this diff:

 - apiGroups:
   - ""
   resources:
-  - deployments
   - persistentvolumeclaims
   - persistentvolumes
   - pods
   - pods/exec
   - pods/log
   verbs:
   - '*'
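
Review bot: The rule left behind still grants `'*'` on `pods/exec`, `pods/log`, `persistentvolumes` and `persistentvolumeclaims`, which is a much larger grant than the misplaced `deployments` entry this hunk removes. Since the rule is being touched anyway, replace the wildcard with the verbs the operator actually uses and move `pods/exec` into its own rule so exec access is visible on its own line. As the file is generated, that change belongs in the source markers rather than in this YAML.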

66-75: Restrict namespaces/finalizers to update-only

Finalizers management requires only update. Broader verbs are unnecessary.

Apply this diff:

 - apiGroups:
   - ""
   resources:
   - namespaces/finalizers
   verbs:
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  - update
odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (2)

264-338: Fix invalid/ineffective RBAC resources and subresources in core API group (same cleanup as role.yaml).

The CSV embeds rules with:

  • deployments in core apiGroup ("") — should be under apps.
  • configmaps/status — invalid subresource.
  • namespaces/finalizers — should be namespaces/finalize.
  • secrets/finalizers and services/finalizers — invalid subresources.

Clean them to ensure RBAC is effective and minimal. See concrete diff in the role.yaml comment; the same changes apply here.


1487-1488: Pin deployment image to the CSV version (avoid “latest”).

The CSV annotation containerImage is v2.33.0, but the deployment uses :latest. Pin to v2.33.0 for reproducibility.

-                image: quay.io/opendatahub/opendatahub-operator:latest
+                image: quay.io/opendatahub/opendatahub-operator:v2.33.0
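
Review bot: A version tag such as `v2.33.0` is still mutable in the registry, so pinning by tag does not give the reproducibility this comment is after; a digest reference would. The learnings recorded on this page also describe the CSV image reference as a placeholder that the CI pipeline replaces, so a hard-coded tag on this `image:` line may be overwritten or may break that replacement.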
🧹 Nitpick comments (4)
rhoai-config/rbac/role.yaml (2)

103-116: Admission webhook admin privileges: justify scope or reduce verbs where possible.

Full CRUD on mutating/validating webhook configurations is highly privileged (CKV_K8S_155). If the operator only manages its own webhooks, consider:

  • Restricting verbs to get, list, watch, patch, update (only create/delete during install/cleanup).
  • Narrowing via resourceNames if feasible.

1-1170: Note: If this file is generated by controller-gen, make changes in Go markers.

Given controller-tools were upgraded to support build tags and you keep generated RBAC under config/, edits here should come from controller-gen annotations (// +kubebuilder:rbac) in Go code, then re-generate. Direct YAML edits will drift.

If you confirm this is generated, I can propose corresponding kubebuilder RBAC markers to produce the cleaned RBAC and a regeneration plan.

odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (2)

738-753: Drop legacy “extensions” API group usage for deployments/replicasets/ingresses.

Kubernetes 1.25+ removed extensions for these resources; you already cover apps/networking.k8s.io elsewhere. Removing reduces noise and potential confusion.

-        - apiGroups:
-          - extensions
-          resources:
-          - deployments
-          - replicasets
-          verbs:
-          - '*'
-        - apiGroups:
-          - extensions
-          resources:
-          - ingresses
-          verbs:
-          - delete
-          - get
-          - list
-          - patch
-          - watch

360-374: High-privilege webhook RBAC: justify or narrow.

Full CRUD on mutating/validating webhook configurations is powerful. If only managing operator-owned webhooks, consider limiting to get/list/watch/patch/update, and reserve create/delete for install/uninstall paths.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these settings in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between baf07c9 and 4e067e9.

📒 Files selected for processing (4)
  • odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (3 hunks)
  • odh-config/rbac/role.yaml (1 hunks)
  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • rhoai-config/rbac/role.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml
🧰 Additional context used
🧠 Learnings (3)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
📚 Learning: 2025-07-29T18:44:42.749Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.

Applied to files:

  • odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
📚 Learning: 2025-08-13T21:03:23.347Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.347Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.

Applied to files:

  • odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
🪛 Checkov (3.2.334)
rhoai-config/rbac/role.yaml

[MEDIUM] 2-1170: Minimize Roles and ClusterRoles that grant permissions to bind RoleBindings or ClusterRoleBindings

(CKV_K8S_157)


[HIGH] 2-1170: Minimize ClusterRoles that grant control over validating or mutating admission webhook configurations

(CKV_K8S_155)


[MEDIUM] 2-1170: Minimize Roles and ClusterRoles that grant permissions to escalate Roles or ClusterRoles

(CKV_K8S_158)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build/push catalog image
  • GitHub Check: golangci-lint
🔇 Additional comments (2)
odh-config/rbac/role.yaml (1)

55-64: No 'patch' verb required for Endpoints — confirmed

Repo search shows many client.Patch/RawPatch usages but no references to corev1/v1.Endpoints and no Patch calls targeting Endpoints. Examples of Patch usage (not Endpoints):

  • internal/controller/services/secretgenerator/secretgenerator_controller.go
  • pkg/deploy/deploy.go
  • pkg/feature/resource/operations.go

Conclusion: do not add "- patch" to the endpoints RBAC block unless you later introduce code that explicitly patches Endpoints.

rhoai-config/rbac/role.yaml (1)

251-274: RBAC coverage for ODH components looks consistent with RHOAI build intent.

The explicit rules for components.platform.opendatahub.io and dashboard.opendatahub.io align with the multi-component management the operator performs in RHOAI mode.

Also applies to: 294-314, 372-389

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

♻️ Duplicate comments (5)
odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (1)

264-338: Clean up invalid/mis-scoped core RBAC entries (generated at source, not in CSV)

The rules under apiGroup "" include invalid or mis-scoped entries:

  • deployments is not in the core group (belongs to apps)
  • configmaps/status is not a valid subresource
  • namespaces/finalizers should be namespaces/finalize
  • secrets/finalizers and services/finalizers are not valid subresources

These entries are ineffective noise. Please fix in the RBAC source (config/…/rbac) and regenerate the bundle.

Proposed cleanup (CSV shows intent only):

         - apiGroups:
           - ""
           resources:
           - configmaps
           - events
           - namespaces
           - secrets
-          - secrets/finalizers
           - serviceaccounts
-          - services/finalizers
           verbs:
           - create
           - delete
           - get
           - list
           - patch
           - update
           - watch
-        - apiGroups:
-          - ""
-          resources:
-          - configmaps/status
-          verbs:
-          - delete
-          - get
-          - patch
-          - update
         - apiGroups:
           - ""
           resources:
-          - deployments
           - persistentvolumeclaims
           - persistentvolumes
           - pods
           - pods/exec
           - pods/log
           verbs:
           - '*'
         - apiGroups:
           - ""
           resources:
-          - namespaces/finalizers
+          - namespaces/finalize
           verbs:
           - delete
           - get
           - list
           - patch
           - update
           - watch
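
Review bot: After the rename to `namespaces/finalize`, the rule still lists `delete`, `get`, `list`, `patch` and `watch`; the finalize subresource is only ever updated, so cut the verb list to `update` in the same change. Deleting `secrets/finalizers` and `services/finalizers` as invalid also conflicts with the role.yaml suggestion earlier in this review, which keeps both with `update`. On clusters that enforce owner-reference permissions, `update` on `<resource>/finalizers` is what is checked when `blockOwnerDeletion` is set on an owner reference, so confirm the operator never sets Secrets or Services as blocking owners before dropping them.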

Note: CSVs are generated artifacts; please fix the RBAC role inputs and re-run manifests/bundle generation.

Makefile (2)

24-47: Allow env/CLI overrides for CHANNELS/DEFAULT_CHANNEL (use ?= defaults)

Using plain = here masks environment variables and contradicts the comments that say env overrides are supported. Switch to ?= so these are defaults.

-	CHANNELS=fast
+	CHANNELS ?= fast
@@
-	CHANNELS=alpha,stable,fast
-	DEFAULT_CHANNEL=stable
+	CHANNELS ?= alpha,stable,fast
+	DEFAULT_CHANNEL ?= stable
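
Review bot: `?=` changes less, and more, than the heading says: command-line assignments (`make CHANNELS=...`) already override a plain `=`, so the only new behaviour is that a `CHANNELS` or `DEFAULT_CHANNEL` variable present in the environment now wins silently. For values that end up in bundle metadata, that makes CI output depend on the runner's environment. If environment overrides are wanted, print the resolved values in the bundle target so the choice shows up in the build log.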

351-354: Replace CSV image placeholder with the actual operator image

This sed forces REPLACE_IMAGE:latest into the CSV. It will render the bundle non-runnable. Set both the CSV annotation containerImage and the Deployment image to $(IMG) at build time.

-	sed -i 's#quay.io/opendatahub/opendatahub-operator:.*#REPLACE_IMAGE:latest#' $(BUNDLE_DIR)/manifests/*clusterserviceversion*
+	# Ensure CSV annotation containerImage is set to the build image
+	sed -i 's#^\(\s*containerImage:\s*\).*#\1$(IMG)#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
+	# Ensure the operator Deployment image inside the CSV matches the build image
+	sed -i 's#^\(\s*image:\s*\).*#\1$(IMG)#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
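
Review bot: The second `sed` (`^\(\s*image:\s*\).*`) rewrites every `image:` key in the CSV, not only the operator Deployment's container, so any other container or image entry in the file is pointed at `$(IMG)` as well. Anchor the match to the operator container, or do the substitution with a YAML-aware tool. This change also removes the `REPLACE_IMAGE:latest` placeholder that the learnings on this page describe as something the CI pipeline depends on, so check with the pipeline before replacing it.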
rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml (2)

1265-1273: Remove invalid operators.coreos.com/customresourcedefinitions rule

CRDs are under apiextensions.k8s.io and are already covered above. This rule is invalid and should be removed.

-        - apiGroups:
-          - operators.coreos.com
-          resources:
-          - customresourcedefinitions
-          verbs:
-          - create
-          - delete
-          - get
-          - patch

1315-1321: Router metrics should use nonResourceURLs, not route.openshift.io resources

route.openshift.io does not serve routers/metrics or routers/federate resources. Use nonResourceURLs to request /metrics and /federate instead.

-        - apiGroups:
-          - route.openshift.io
-          resources:
-          - routers/federate
-          - routers/metrics
-          verbs:
-          - get
+        - nonResourceURLs:
+          - /metrics
+          - /federate
+          verbs:
+          - get
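
Review bot: This is not a like-for-like swap. A `nonResourceURLs` rule is honoured only in a ClusterRole, so it has to sit under `clusterPermissions`, and it grants `get` on `/metrics` and `/federate` wherever authorization is done by path, including the API server's own `/metrics`, which is broader than the rule being removed. Confirm how the consumer of this permission authorizes requests before replacing the `route.openshift.io` rule.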
🧹 Nitpick comments (1)
Makefile (1)

49-51: Align DEFAULT_MANIFESTS_PATH default with runtime usage (/opt/manifests)

The default here is “opt/manifests”, but both Deployments set DEFAULT_MANIFESTS_PATH to “/opt/manifests”. Make these consistent.

-DEFAULT_MANIFESTS_PATH ?= opt/manifests
+DEFAULT_MANIFESTS_PATH ?= /opt/manifests
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4e067e9 and df2a36d.

📒 Files selected for processing (3)
  • Makefile (8 hunks)
  • odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (2 hunks)
  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml (1 hunks)
🧰 Additional context used
🧠 Learnings (12)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-config/rbac/role.yaml:77-81
Timestamp: 2025-08-14T14:00:35.037Z
Learning: The RBAC configurations in odh-config/rbac/role.yaml and rhoai-config/rbac/role.yaml are intentionally different (as of this PR). The rhoai-config variant uses metadata.name: rhods-operator-role while odh-config uses controller-manager-role, and they may have different permission sets. These differences should not be flagged as drift issues during code review.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
📚 Learning: 2025-07-29T18:44:42.749Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.

Applied to files:

  • odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml
📚 Learning: 2025-08-13T21:03:23.347Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.347Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.

Applied to files:

  • odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml
  • Makefile
📚 Learning: 2025-08-14T14:00:35.037Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-config/rbac/role.yaml:77-81
Timestamp: 2025-08-14T14:00:35.037Z
Learning: The RBAC configurations in odh-config/rbac/role.yaml and rhoai-config/rbac/role.yaml are intentionally different (as of this PR). The rhoai-config variant uses metadata.name: rhods-operator-role while odh-config uses controller-manager-role, and they may have different permission sets. These differences should not be flagged as drift issues during code review.

Applied to files:

  • odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml
  • Makefile
📚 Learning: 2025-08-14T13:59:44.732Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/rbac/role.yaml:18-33
Timestamp: 2025-08-14T13:59:44.732Z
Learning: RBAC files in rhoai-config/rbac/ are generated and should not be manually edited. Issues with RBAC rules should be addressed in the generation tooling, not the manifests themselves.

Applied to files:

  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml
  • Makefile
📚 Learning: 2025-08-13T14:40:18.443Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/bases/services.platform.opendatahub.io_servicemeshes.yaml:114-114
Timestamp: 2025-08-13T14:40:18.443Z
Learning: In the opendatahub-operator repository, CRD files under config/crd/bases/ are auto-generated files (using `make generate manifests api-docs` command), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes in Go structs/kubebuilder annotations rather than direct YAML modifications.

Applied to files:

  • rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml
  • Makefile
📚 Learning: 2025-08-13T21:03:04.317Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:04:32.696Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: .github/workflows/prometheus-unit-tests.yaml:5-5
Timestamp: 2025-08-13T21:04:32.696Z
Learning: In the opendatahub-operator repository, prometheus monitoring configurations are shared between ODH and RHOAI platforms. The prometheus directory only exists in odh-config/monitoring/prometheus/, not in rhoai-config. Both platforms reference the same prometheus manifests from the odh-config location.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T18:07:20.881Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:264-338
Timestamp: 2025-08-13T18:07:20.881Z
Learning: Bundle manifest files (like bundle/manifests/*.yaml) in operator projects are typically generated artifacts, not source files. RBAC and permission issues should be addressed in the source configurations (config/rbac/, CSV base templates, etc.) that generate these bundles, not in the generated files themselves.

Applied to files:

  • Makefile
📚 Learning: 2025-05-27T11:28:21.229Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.

Applied to files:

  • Makefile
📚 Learning: 2025-05-27T07:45:53.136Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the `|| true` pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

Applied to files:

  • Makefile
🪛 checkmake (0.2.2)
Makefile

[warning] 182-182: Target "output" should be declared PHONY.

(phonydeclared)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Build/push catalog image
  • GitHub Check: golangci-lint

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🔭 Outside diff range comments (1)
Makefile (1)

244-247: Fix build tags composition: run-nowebhook currently drops the platform tag

run-nowebhook appends -tags nowebhook to GO_RUN_ARGS which already contains -tags=odh or -tags=rhoai. Go’s flag parsing takes the last -tags, so the platform tag is lost, resulting in compiling the wrong code path.

Refactor to compose tags once and reuse:

@@
-	GO_RUN_ARGS=-tags=odh
+	GO_BUILD_TAGS=odh
@@
-	GO_RUN_ARGS=-tags=rhoai
+	GO_BUILD_TAGS=rhoai
@@
-endif
+endif
+
+# Derive final go run args from composed build tags
+GO_RUN_ARGS=-tags=$(GO_BUILD_TAGS)
@@
-run-nowebhook: GO_RUN_ARGS += -tags nowebhook
+run-nowebhook: GO_BUILD_TAGS := $(GO_BUILD_TAGS),nowebhook
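
Review bot: The target-specific line `run-nowebhook: GO_BUILD_TAGS := $(GO_BUILD_TAGS),nowebhook` only takes effect because `GO_RUN_ARGS=-tags=$(GO_BUILD_TAGS)` is recursively expanded (`=`). Say so in the comment above that assignment, because switching it to `:=` later would freeze the tags at parse time and drop `nowebhook` again without any error. The `-endif`/`+endif` pair is a no-op and can be left out of the suggestion.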

Also applies to: 24-47

🧹 Nitpick comments (1)
Makefile (1)

351-354: Make CSV containerImage replacement robust across ODH/RHOAI

The current sed only matches opendatahub-operator images. In RHOAI mode, the CSV may not contain that string, and the replacement to the required placeholder won’t occur. Replace the entire containerImage line regardless of its original value.

-	sed -i 's#quay.io/opendatahub/opendatahub-operator:.*#REPLACE_IMAGE:latest#' $(BUNDLE_DIR)/manifests/*clusterserviceversion*
+	# Normalize CSV containerImage annotation/value for CI to replace later
+	sed -i 's#^\(\s*containerImage:\s*\).*#\1REPLACE_IMAGE:latest#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
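
Review bot: The new pattern is narrower than the one it removes in a way the comment does not mention: the old expression matched the operator image string on any line, including the Deployment's `image:` field, while `^\(\s*containerImage:\s*\).*` touches only the `containerImage` key. If CI expects the placeholder in the Deployment image as well, that line is now left with whatever the generator wrote. The file glob also tightens from `*clusterserviceversion*` to `*clusterserviceversion.yaml`, and `\s` is a GNU sed extension.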

Note: This aligns with the documented intent to keep a placeholder that CI replaces.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between df2a36d and 6bb4d0e.

📒 Files selected for processing (2)
  • .gitignore (1 hunks)
  • Makefile (8 hunks)
🧰 Additional context used
🧠 Learnings (11)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
📚 Learning: 2025-08-14T14:00:35.037Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-config/rbac/role.yaml:77-81
Timestamp: 2025-08-14T14:00:35.037Z
Learning: The RBAC configurations in odh-config/rbac/role.yaml and rhoai-config/rbac/role.yaml are intentionally different (as of this PR). The rhoai-config variant uses metadata.name: rhods-operator-role while odh-config uses controller-manager-role, and they may have different permission sets. These differences should not be flagged as drift issues during code review.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:03:04.317Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.

Applied to files:

  • Makefile
  • .gitignore
📚 Learning: 2025-08-13T21:03:23.347Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.347Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.

Applied to files:

  • Makefile
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • Makefile
📚 Learning: 2025-08-15T19:40:21.839Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:116-118
Timestamp: 2025-08-15T19:40:21.839Z
Learning: In the opendatahub-operator repository, the CSV manifest uses REPLACE_IMAGE:latest as a placeholder image reference intentionally, as the CI pipeline depends on this placeholder and replaces it with the actual operator image during the build process.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:04:32.696Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: .github/workflows/prometheus-unit-tests.yaml:5-5
Timestamp: 2025-08-13T21:04:32.696Z
Learning: In the opendatahub-operator repository, prometheus monitoring configurations are shared between ODH and RHOAI platforms. The prometheus directory only exists in odh-config/monitoring/prometheus/, not in rhoai-config. Both platforms reference the same prometheus manifests from the odh-config location.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T14:40:18.443Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/bases/services.platform.opendatahub.io_servicemeshes.yaml:114-114
Timestamp: 2025-08-13T14:40:18.443Z
Learning: In the opendatahub-operator repository, CRD files under config/crd/bases/ are auto-generated files (using `make generate manifests api-docs` command), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes in Go structs/kubebuilder annotations rather than direct YAML modifications.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T18:07:20.881Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:264-338
Timestamp: 2025-08-13T18:07:20.881Z
Learning: Bundle manifest files (like bundle/manifests/*.yaml) in operator projects are typically generated artifacts, not source files. RBAC and permission issues should be addressed in the source configurations (config/rbac/, CSV base templates, etc.) that generate these bundles, not in the generated files themselves.

Applied to files:

  • Makefile
📚 Learning: 2025-05-27T11:28:21.229Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.

Applied to files:

  • Makefile
📚 Learning: 2025-05-27T07:45:53.136Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the `|| true` pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

Applied to files:

  • Makefile
🪛 checkmake (0.2.2)
Makefile

[warning] 182-182: Target "output" should be declared PHONY.

(phonydeclared)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build/push catalog image
  • GitHub Check: build
  • GitHub Check: golangci-lint
🔇 Additional comments (8)
.gitignore (1)

60-61: LGTM: Ignore generated manager kustomization.yaml per platform

These files are now generated (and untracked), so ignoring them here is correct and avoids local noise. This also resolves the earlier “tracked but ignored” footgun in a clean way.

Makefile (7)

24-47: Solid platform split: sane defaults and env-overridable settings

  • Per-platform CONFIG_DIR/BUNDLE_DIR/OPERATOR_PACKAGE/ROLE_NAME/CHANNELS look consistent.
  • Using ?= preserves env/CLI overrides as documented.
  • Controller-gen build tags and go run tags separated per platform looks good.

54-75: Good composition of bundle metadata flags

Deriving BUNDLE_CHANNELS/DEFAULT_CHANNEL only when defined and composing BUNDLE_METADATA_OPTS keeps the bundle generation flexible and correct across platforms.


136-138: Prometheus paths correctly point to shared odh-config

Per project conventions, prometheus manifests live under odh-config for both platforms. These paths are correct.


180-183: CRD fetch output path follows CONFIG_DIR

Routing external CRDs into $(CONFIG_DIR)/crd/external matches the new per-platform layout and prevents cross-mode pollution.


216-219: get_all_manifests.sh now platform-aware

Passing ODH_PLATFORM_TYPE and VERSION down is the right hook for downstream inference and keeps Makefile logic lean.


272-276: Manager kustomization respects CONFIG_DIR and generated kustomization.yaml

Using $(CONFIG_DIR)/manager and copying kustomization.yaml.in aligns with the ignore rules and supports both platforms cleanly.


347-355: Bundle generation flow looks correct and build-tag aware

  • Using per-platform manifests input/output.
  • Moving the Dockerfile to Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME).
  • Removing platform-specific webhook services to keep the bundle tidy.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 8

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (7)
api/dscinitialization/v1/dscinitialization_types.go (2)

49-53: Fix user-facing CRD doc grammar and capitalization (ConfigMap, plurality).

These comments flow into CRD OpenAPI descriptions and are user-facing. Suggest tightening wording to avoid confusion.

Apply this diff:

-  // When set to `Managed`, adds odh-trusted-ca-bundle Configmap to all namespaces that includes
-  // cluster-wide Trusted CA Bundle in .data["ca-bundle.crt"].
-  // Additionally, this fields allows admins to add custom CA bundles to the configmap using the .CustomCABundle field.
+  // When set to `Managed`, adds the odh-trusted-ca-bundle ConfigMap to all namespaces that include
+  // the cluster-wide Trusted CA Bundle in .data["ca-bundle.crt"].
+  // Additionally, this field allows admins to add custom CA bundles to the ConfigMap using the .CustomCABundle field.
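
Review bot: Changing `that includes` to `that include` in the first added line moves the relative clause from the ConfigMap to the namespaces, so the description now says the ConfigMap is added only to namespaces that already contain the CA bundle. The original sentence reads as the ConfigMap including the cluster-wide bundle in `.data["ca-bundle.crt"]`; wording such as "adds the odh-trusted-ca-bundle ConfigMap, which includes the cluster-wide Trusted CA Bundle in .data["ca-bundle.crt"], to all namespaces" keeps that meaning in the generated CRD description.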

81-85: Tidy CRD field description: remove double spaces and clarify storage path.

Small wording fixes improve rendered CRD docs and avoid ambiguity about the target key.

Apply this diff:

-  // A custom CA bundle that will be available for  all  components in the
-
-  // Data Science Cluster(DSC). This bundle will be stored in odh-trusted-ca-bundle
-
-  // ConfigMap .data.odh-ca-bundle.crt .
+  // A custom CA bundle that will be available for all components in the Data Science Cluster (DSC).
+  // This bundle will be stored in the odh-trusted-ca-bundle ConfigMap under .data["odh-ca-bundle.crt"].
rhoai-config/crd/kustomizeconfig.yaml (1)

18-20: Add missing vars: definitions and enable CA-injection patches

It looks like the vars: block for CERTIFICATE_NAMESPACE and CERTIFICATE_NAME is not defined in rhoai-config/crd/kustomization.yaml, and the CA-injection patches are commented out. Without these, the placeholders $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME) remain unsubstituted in your built overlays.

Please make the following changes:

  • In rhoai-config/crd/kustomization.yaml:
    • Under patches: uncomment or add:
      • patches/cainjection_in_dscinitializations.yaml
      • patches/cainjection_in_datascienceclusters.yaml
    • Add a vars: section mapping your placeholders to real object fields, for example:
      vars:
      - name: CERTIFICATE_NAMESPACE
        objref:
          kind: Namespace
          name: <your-namespace>
        fieldref:
          fieldpath: metadata.name
      - name: CERTIFICATE_NAME
        objref:
          kind: Certificate
          name: <your-certificate-resource>
        fieldref:
          fieldpath: metadata.name
  • Confirm that your varReference in rhoai-config/crd/kustomizeconfig.yaml matches these var names:
    varReference:
    - path: metadata/annotations
      kind: Patch
      group: builtin
      version: v1
      fieldSpecs:
      - kind: Patch
        path: metadata/annotations

Sanity scans currently show literal placeholders in your CRD patches, e.g.:

  • rhoai-config/crd/patches/*: line 6 still contains cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)

Ensuring the vars: block is present and the patches are applied will allow Kustomize to substitute these values correctly.

rhoai-config/manager/kustomization.yaml.in (1)

1-12: Fix image override name to match the base image

The image override in rhoai-config/manager/kustomization.yaml.in won’t apply because the base manifest (manager.yaml) uses image: REPLACE_IMAGE:latest, not controller. Update the override to match:

• File: rhoai-config/manager/kustomization.yaml.in

images:
-- name: controller
-  newName: REPLACE_IMAGE
+images:
+- name: REPLACE_IMAGE
+  newName: REPLACE_IMAGE
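
Review bot: The added `+images:` line sits directly under the unchanged `images:` context line, so applying this hunk leaves two `images:` keys in kustomization.yaml.in. Drop the `+images:` line and change only the `name:` entry.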

This ensures that Kustomize matches REPLACE_IMAGE:latest from manager.yaml and correctly applies the substitution.

rhoai-config/default/manager_auth_proxy_patch.yaml (1)

1-17: Secure controller manager metrics: bind to localhost and inject RBAC proxy sidecar

The patch’s comment claims a kube-rbac-proxy sidecar is injected, but the manifest only adjusts the main container and still binds metrics to 0.0.0.0, exposing them without RBAC. We must harden this immediately.

• File needing change:
– rhoai-config/default/manager_auth_proxy_patch.yaml (container “rhods-operator”)
• Issue: metrics bound on all interfaces; no kube-rbac-proxy sidecar present

Apply the following diff to bind metrics locally:

--- a/rhoai-config/default/manager_auth_proxy_patch.yaml
+++ b/rhoai-config/default/manager_auth_proxy_patch.yaml
@@ spec:
       containers:
       - name: rhods-operator
         args:
         - "--health-probe-bind-address=:8081"
-        - "--metrics-bind-address=0.0.0.0:8080"
+        - "--metrics-bind-address=127.0.0.1:8080"
         - "--leader-elect"
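
Review bot: The `--metrics-bind-address=127.0.0.1:8080` line is only safe to merge together with the sidecar; on its own it makes the metrics endpoint unreachable from outside the pod, so anything still scraping port 8080 stops working. The hunk header `@@ spec:` also carries no line ranges, so the hunk has to be applied by hand.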

Then add a kube-rbac-proxy sidecar alongside “rhods-operator” to terminate TLS/RBAC, for example:

      - name: kube-rbac-proxy
        image: <your-registry>/kube-rbac-proxy:<tag>
        args:
        - "--secure-listen-address=0.0.0.0:8443"
        - "--upstream=http://127.0.0.1:8080/"
        - "--authorization-mode=rbac"
        - "--logtostderr=true"
        - "--v=2"
        ports:
        - containerPort: 8443
          name: https

Please update the image reference to match your repo conventions. This will ensure all metrics traffic is routed through the RBAC proxy and no longer exposed publicly.

rhoai-config/default/manager_webhook_patch.yaml (1)

22-27: The default overlay does not actually generate or include the webhook‐cert Secret, so the volume mount will break unless you supply it. Please update the kustomization (or add a resource) so that the redhat-ods-operator-controller-webhook-cert Secret exists in the same system namespace:

• In rhoai-config/default/kustomization.yaml, add:

secretGenerator:
- name: redhat-ods-operator-controller-webhook-cert
  # point to your cert/key files or use commands to generate them
  files:
  - tls.crt=path/to/tls.crt
  - tls.key=path/to/tls.key

Or else ensure you manually create the Secret in the system namespace (e.g. via cert-manager). Without this, the Deployment’s volume mount (in manager_webhook_patch.yaml) will fail.

get_all_manifests.sh (1)

130-132: Robust copy when source directories may be empty or contain dotfiles.

cp …/* fails when the directory is empty and skips dotfiles. Using the “.” form copies correctly in all cases.

-    mkdir -p ./opt/manifests/${target_path}
-    cp -rf ${repo_dir}/${source_path}/* ./opt/manifests/${target_path}
+    mkdir -p "./opt/manifests/${target_path}"
+    cp -a "${repo_dir}/${source_path}/." "./opt/manifests/${target_path}/"
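
Review bot: `cp -a` in the added line is not a like-for-like replacement for `cp -rf`: it also preserves ownership, mode and timestamps from the clone, and it drops `-f`. If only the empty-directory and dotfile cases are the goal, `cp -rf "${repo_dir}/${source_path}/." "./opt/manifests/${target_path}/"` keeps the previous semantics.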
♻️ Duplicate comments (3)
.gitignore (1)

60-61: Resolution confirmed: ignoring kustomization.yaml now that they’re untracked

You chose to drop these files from tracking; keeping them ignored here is consistent and removes the earlier “tracked-but-ignored” footgun.

api/services/v1alpha1/rhoai_monitoring_types.go (1)

1-1: Build tag correctly restricted to RHOAI builds — LGTM

The file is now gated behind //go:build rhoai, aligning with the repo’s RHOAI build-tag convention and resolving the earlier inconsistency.

docs/integration-testing.md (1)

19-21: Resolved: paths updated to per-platform directories.

The bullets now correctly reference odh-bundle/rhoai-bundle and odh-config/rhoai-config. This addresses prior feedback about the legacy bundle/ and config/ paths.

🧹 Nitpick comments (36)
rhoai-config/crd/patches/cainjection_in_dscinitialization_dscinitializations.yaml (1)

6-6: Nit: quote the annotation value to avoid edge-case YAML/tooling parsing quirks.

Quoting isn’t required here, but it avoids accidental interpretation during templating/env substitution flows.

Apply:

-    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from: "$(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)"
api/dscinitialization/v1/dscinitialization_types.go (1)

118-124: Consider removing redundant print column that duplicates Age.

Both "Age" and "Created At" surface the creation timestamp; keeping one reduces clutter in kubectl listings.

Apply this diff:

 //+kubebuilder:printcolumn:name="Age",type=date,JSONPath=.metadata.creationTimestamp
 //+kubebuilder:printcolumn:name="Phase",type=string,JSONPath=.status.phase,description="Current Phase"
-//+kubebuilder:printcolumn:name="Created At",type=string,JSONPath=.metadata.creationTimestamp
.gitignore (1)

72-83: Make directory ignores explicit with trailing slashes

Minor clarity tweak: add trailing slashes to directory entries so future readers (and tooling) read these as directories, not files. No behavior change for Git, but it’s clearer and avoids accidental matches.

Apply this diff:

-odh-config/crd/bases
+odh-config/crd/bases/
 odh-config/rbac/role.yaml
-odh-config/crd/external
+odh-config/crd/external/
 odh-config/webhook/manifests.yaml
-rhoai-config/crd/bases
+rhoai-config/crd/bases/
 rhoai-config/rbac/role.yaml
-rhoai-config/crd/external
+rhoai-config/crd/external/
 rhoai-config/webhook/manifests.yaml
-rhoai-bundle/
-odh-bundle/
+rhoai-bundle/
+odh-bundle/
api/services/v1alpha1/rhoai_monitoring_types.go (5)

29-33: Minor typo in comment and tighten wording

Fix “whats” → “what’s” and clarify that the constant must match the XValidation rule below.

- // MonitoringInstanceName the name of the Monitoring instance singleton.
- // value should match whats set in the XValidation below
+ // MonitoringInstanceName is the name of the Monitoring instance singleton.
+ // Value must match what's set in the XValidation below.

38-43: Stray comment about “internal api” without corresponding fields

MonitoringSpec currently only inlines MonitoringCommonSpec. The “exposed only to internal api” comment is misleading; either add the internal-only fields or remove the comment.

 type MonitoringSpec struct {
-  // monitoring spec exposed to DSCI api
+  // Monitoring spec exposed to DSCI API
   MonitoringCommonSpec `json:",inline"`
-  // monitoring spec exposed only to internal api
 }

45-52: Replicas default in comment conflicts with validation and no CRD default is set

The comment says “default is 2 if not set” but there is no +kubebuilder:default and the XValidation forbids non-zero replicas unless Storage/Resources are configured. If a controller/webhook sets 2 later, please state that explicitly; otherwise, update the comment or add a safe default strategy.

Option A — clarify the comment (no schema default, controller may default later):

- // Replicas specifies the number of replicas in monitoringstack, default is 2 if not set
+ // Replicas specifies the number of replicas in the MonitoringStack.
+ // Note: No schema default is applied. If unset, the operator may choose a platform default.

Option B — set a schema default only if you also ensure Storage/Resources are set by a mutating webhook before validation (or relax the XValidation accordingly).


90-95: Consider numeric type for SampleRatio or stronger validation

A string regex works, but a numeric type (e.g., string with x-kubernetes-int-or-string=false is still string) isn’t available; if you keep string, consider also constraining length to prevent pathological inputs, or add controller-side bounds checking. Not blocking.


139-147: Docstring typo and immutability message clarity

  1. “Dashboard” is likely a copy/paste; should be “Monitoring”.
  2. Message says “MonitoringNamespace is immutable” but the field is Namespace.
-// MonitoringCommonSpec spec defines the shared desired state of Dashboard
+// MonitoringCommonSpec defines the shared desired state of Monitoring
 ...
-// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="MonitoringNamespace is immutable"
+// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Namespace is immutable"
.dockerignore (1)

10-10: The ignore pattern targets image paths, not repo paths; consider ignoring examples at source.

.dockerignore filters the build context (repo files), not files created in later Docker layers. The pattern opt/manifests/**/example-* likely never matches anything in the context. If the goal is to keep example manifests out of the build context, ignore them where they live in-repo.

Suggested update:

- opt/manifests/**/example-*
+ odh-config/**/example-*
+ rhoai-config/**/example-*
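
Review bot: Removing `opt/manifests/**/example-*` assumes that path never exists in the build context, but get_all_manifests.sh copies into `./opt/manifests/${target_path}` in the working tree, so the pattern does match when manifests are fetched locally before the image build. Keep the existing line and add the two new patterns beside it if they are wanted.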
.github/scripts/update-versions.sh (1)

7-14: CSV path update looks correct; minor robustness nitpicks for version extraction and sed use.

  • The CSV_FILE switch to odh-config/manifests/bases/... aligns with the repo layout. LGTM.
  • Minor: avoid UUOC when extracting CURRENT_VERSION; awk is simpler and avoids relying on exact spacing.

Minimal tweak:

-CURRENT_VERSION=$(cat Makefile | grep -w "VERSION ?=" | cut -d ' ' -f 3)
+CURRENT_VERSION=$(awk '/^VERSION \?=/{print $3; exit}' Makefile)
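
Review bot: The `^VERSION \?=` anchor combined with `exit` returns only the first unindented assignment. This review mentions a separate default RHOAI VERSION in the Makefile, so if `VERSION ?=` now appears more than once, or inside an indented conditional, this line picks one silently or returns nothing; check its output against the Makefile as changed in this PR.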

Optional (future): consider yq for YAML edits to reduce regex brittleness, but not blocking for this script.

rhoai-config/crd/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml (1)

5-7: Optionally add OpenShift’s service-ca injection for resilience on clusters without cert-manager.

Including both annotations is harmless and makes the patch work on OpenShift clusters even when cert-manager isn’t present.

 metadata:
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    service.beta.openshift.io/inject-cabundle: "true"
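
Review bot: The added `service.beta.openshift.io/inject-cabundle: "true"` annotation gives the CRD two CA injectors. On a cluster that runs both cert-manager's cainjector and the OpenShift service CA operator, each writes its own bundle to the same caBundle field, and the webhook's serving certificate has to chain to whichever CA ends up there; choose one injector per overlay instead of setting both.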

I can add this across the related CRD CA-injection patches if you want.

rhoai-config/crd/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1)

5-7: Consider adding OpenShift service-ca injection alongside cert-manager.

This improves portability across clusters.

 metadata:
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    service.beta.openshift.io/inject-cabundle: "true"
docs/integration-testing.md (3)

9-9: Grammar fix: singular subject requires “is”.

“The main reason for this setup are …” → “is …”.

-The main reason for this setup are resource usage and performance considerations.
+The main reason for this setup is resource usage and performance considerations.

105-107: Minor formatting: add missing space and code formatting in example.

Improves readability of the version format and example.

-    - Expected format is`v<X>.<Y>.<Z>-pr-<pr_number>`
-        - For example:`v2.32.0-pr-1`
+    - Expected format is `v<X>.<Y>.<Z>-pr-<pr_number>`
+        - For example: `v2.32.0-pr-1`

74-77: Tighten wording: merge broken sentence across line breaks.

Combines the two lines into a single clear sentence.

-4. **Monitor the image building process**: Keep an eye on the `Build Catalog FBC and run Integration tests` GitHub Action. 
-Once this action succeeds, 
-   `github-actions bot` will comment on the PR, which will automatically trigger the Jenkins pipeline
+4. **Monitor the image building process**: Keep an eye on the `Build Catalog FBC and run Integration tests` GitHub Action. Once this action succeeds, the `github-actions bot` will comment on the PR, which will automatically trigger the Jenkins pipeline.
rhoai-config/crd/kustomization.yaml (1)

28-41: Typos in commented patch filenames; remove duplicates to avoid future confusion.

Two commented entries use “dscinitiatlizations” (misspelling) alongside the correct “dscinitializations”. Even though commented, they’re easy to accidentally enable later.

 # patches here are for enabling the conversion webhook for each CRD
-#- patches/webhook_in_dscinitiatlizations.yaml
 #- patches/webhook_in_dscinitializations.yaml
@@
 # patches here are for enabling the CA injection for each CRD
-#- patches/cainjection_in_dscinitiatlizations.yaml
 #- patches/cainjection_in_dscinitializations.yaml
rhoai-config/manifests/description-patch.yml (2)

11-11: Capitalize “TensorFlow”.

-    Your Data Scientists will feel right at home with quick and simple access to the Notebook interface they are used to. They can leverage the default Notebook Images (Including PyTorch, tensorflow, and CUDA), or add custom ones. Your MLOps engineers will be able to leverage Data Science Pipelines to easily parallelize and/or schedule the required workloads. They can then quickly serve, monitor, and update the created AI/ML models. They can do that by either using the provided out-of-the-box OpenVino Server Model Runtime or by adding their own custom serving runtime instead. These activities are tied together with the concept of Data Science Projects, simplifying both organization and collaboration.
+    Your Data Scientists will feel right at home with quick and simple access to the Notebook interface they are used to. They can leverage the default Notebook Images (including PyTorch, TensorFlow, and CUDA), or add custom ones. Your MLOps engineers will be able to leverage Data Science Pipelines to easily parallelize and/or schedule the required workloads. They can then quickly serve, monitor, and update the created AI/ML models. They can do that by either using the provided out-of-the-box OpenVINO Model Runtime or by adding their own custom serving runtime instead. These activities are tied together with the concept of Data Science Projects, simplifying both organization and collaboration.

17-25: Product/style consistency: KServe capitalization and “Custom” images.

Minor branding/style tweaks for consistency with the components list and upstream project names.

-    * Ability to add Custom Images
+    * Ability to add custom images
@@
-    * Model Serving using ModelMesh and Kserve.
+    * Model Serving using ModelMesh and KServe.
rhoai-config/manifests/kustomization.yaml (2)

13-17: Pin CSV apiVersion in patch target to avoid unintended matches.

Patching by only group/kind risks catching future types if a new CSV apiVersion is introduced. Safer to constrain the target to the current CSV apiVersion.

Apply this diff:

 patches:
 - path: description-patch.yml
   target:
     group: operators.coreos.com
+    version: v1alpha1
     kind: ClusterServiceVersion

19-37: Convert commented JSON6902 example into an opt-in Kustomize component/overlay.

The commented block is easy to drift (array indices) and easy to forget to re-enable. Prefer a dedicated component or overlay you can include when building with webhooks enabled. Use strategic merge with name-based deletion to avoid brittle indices.

Example component (create rhoai-config/manifests/components/webhook-cert-volume-prune/kustomization.yaml):

+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: controller-manager
+  patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: controller-manager
+    spec:
+      template:
+        spec:
+          containers:
+          - name: manager
+            volumeMounts:
+            - name: cert
+              $patch: delete
+          volumes:
+          - name: cert
+            $patch: delete
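
Review bot: The patch body names the container `manager` and the Deployment `controller-manager`, while the other patches quoted in this review target a container called `rhods-operator`. A strategic merge keyed on a name that does not exist will not delete the `cert` mount from the real container; confirm both names against rhoai-config/manager/manager.yaml before adopting this.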

Then opt-in by adding to components in a build-specific kustomization instead of keeping commented YAML in the base.

Dockerfiles/build-bundle.Dockerfile (3)

21-23: Tool bootstrap is good; consider pinning versions for reproducibility.

make operator-sdk controller-gen kustomize without explicit versions can drift over time and produce different bundles. If your Makefile already pins versions, ignore this; otherwise, consider pinning here via MAKEFLAGS or environment.


30-36: Avoid copying unnecessary build context.

COPY Dockerfiles/ Dockerfiles/ inflates the build context and cache but is not needed to generate bundles. Safe to drop unless your Makefile shells into that directory.

- COPY Dockerfiles/ Dockerfiles/
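
Review bot: Dropping `COPY Dockerfiles/ Dockerfiles/` conflicts with the bundle flow summarised earlier in this review, where bundle generation moves the Dockerfile to Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME). If `make bundle` writes into that directory, verify that the target creates it when absent before removing the COPY.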

37-39: Emit artifacts in a minimal final stage (and ensure both bundles aren’t clobbering each other).

Right now the image ends at the builder stage and keeps the entire toolchain/source. If the intent is to publish build artifacts, add a final scratch stage that only contains the outputs. Also, you run both “odh” and “rhoai” bundle targets; ensure their outputs land in distinct dirs so the second run doesn’t overwrite the first.

Apply this diff to produce a slim image with both bundles exported (adjust paths if your Makefile differs):

 RUN VERSION=$OPERATOR_VERSION make bundle
 RUN VERSION=$OPERATOR_VERSION make bundle ODH_PLATFORM_TYPE=rhoai
-FROM registry.access.redhat.com/ubi9/go-toolset:$GOLANG_VERSION as builder
+FROM registry.access.redhat.com/ubi9/go-toolset:$GOLANG_VERSION as builder
@@
-RUN VERSION=$OPERATOR_VERSION make bundle
-RUN VERSION=$OPERATOR_VERSION make bundle ODH_PLATFORM_TYPE=rhoai
+RUN VERSION=$OPERATOR_VERSION make bundle
+RUN VERSION=$OPERATOR_VERSION make bundle ODH_PLATFORM_TYPE=rhoai
+
+FROM scratch
+# Export both bundles as artifacts in the final image
+COPY --from=builder /workspace/odh-bundle /odh-bundle/
+COPY --from=builder /workspace/rhoai-bundle /rhoai-bundle/
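
Review bot: This hunk cannot be applied as written: the two `RUN ... make bundle` lines appear as context above the `FROM ... as builder` line and again as removed and re-added lines below it, and the FROM line itself is removed and re-added unchanged. The only real change is the final `FROM scratch` stage, and its `COPY --from=builder /workspace/...` paths assume a /workspace WORKDIR that the hunk does not show.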

If you prefer not to ship an image, consider using BuildKit’s local/inline outputs instead of a final stage.

Dockerfiles/rhoai-bundle.Dockerfile (1)

37-39: Drop the non-rhoai bundle build to speed up this image.

This Dockerfile only ships the rhoai-bundle artifacts in the final stage, so the “odh” bundle build wastes time/cache space.

-RUN VERSION=$OPERATOR_VERSION make bundle
 RUN VERSION=$OPERATOR_VERSION make bundle ODH_PLATFORM_TYPE=rhoai
rhoai-config/default/manager_webhook_patch.yaml (1)

9-22: Add a container securityContext (no privilege escalation, non-root, read-only FS).

Static analysis flags are valid if the base container lacks explicit settings. Add a minimal securityContext to the rhods-operator container.

       - name: rhods-operator
         ports:
           - containerPort: 9443
             name: webhook-server
             protocol: TCP
           - containerPort: 8080
             name: http
             protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop: ["ALL"]
         volumeMounts:
           - mountPath: /tmp/k8s-webhook-server/serving-certs
             name: cert
             readOnly: true
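
Review bot: `runAsNonRoot: true` and `readOnlyRootFilesystem: true` in the added block will stop the container from starting, or break its writes, unless the image runs as a non-root UID and the operator writes only to mounted volumes; verify both for the rhods-operator image before merging. These are plain scalar fields, so a strategic merge patch replaces whatever value the base sets for them.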

If the base manager already sets these, ignore—this patch won’t override existing fields due to strategic-merge semantics, but being explicit here prevents regressions.

rhoai-config/manager/manager.yaml (2)

33-38: Pod anti-affinity likely matches the wrong label value (self-spread may be ineffective).

The selector matches pods with label name in [opendatahub-operator], while this Deployment labels pods with name: rhods-operator. If intentional (to avoid co-location with a different operator), ignore. If the goal is to spread rhods-operator replicas across nodes, switch the value.

-                - key: name
-                  operator: In
-                  values:
-                  - opendatahub-operator
+                - key: name
+                  operator: In
+                  values:
+                  - rhods-operator

95-100: Consider right-sizing memory requests to reduce oversubscription risk.

limits.memory is 4Gi while requests.memory is 256Mi. If the operator routinely exceeds 256Mi under load, scheduling pressure and OOM kills are more likely. Consider bumping requests.memory (e.g., 512Mi–1Gi) based on observed usage.

Dockerfiles/rhoai.Dockerfile (3)

53-54: Nit: comment typo.

“stripe” → “strip”.

-# Build stripe out debug info to minimize binary size
+# Build: strip out debug info to minimize binary size

35-38: Go toolchain version drift vs. Makefile/toolbox.

This Dockerfile defaults to ARG GOLANG_VERSION=1.23, while the Makefile’s TOOLBOX_GOLANG_VERSION is 1.24.6. If reproducibility across local toolbox builds and CI images matters, align these or pass GOLANG_VERSION via the Makefile.

Makefile-side adjustment (add to the IMAGE_BUILD_FLAGS block):

 IMAGE_BUILD_FLAGS ?= --build-arg USE_LOCAL=$(USE_LOCAL)
 IMAGE_BUILD_FLAGS += --build-arg CGO_ENABLED=$(CGO_ENABLED)
 IMAGE_BUILD_FLAGS += --platform $(PLATFORM)
+IMAGE_BUILD_FLAGS += --build-arg GOLANG_VERSION=$(TOOLBOX_GOLANG_VERSION)
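
Review bot: The forwarded value ends up as an image tag wherever a Dockerfile uses `FROM registry.access.redhat.com/ubi9/go-toolset:$GOLANG_VERSION`, as build-bundle.Dockerfile does in the hunk quoted above. The Dockerfile default is 1.23 and TOOLBOX_GOLANG_VERSION is 1.24.6, so confirm that a go-toolset tag with that exact patch version exists before wiring the two together.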

57-58: Pin or parameterize base image tag for reproducibility.

FROM ubi9/ubi-minimal:latest can drift over time. Consider pinning to a minor tag (e.g., 9.4) or exposing an overridable ARG used in FROM to lock down builds in CI and enable intentional upgrades.

get_all_manifests.sh (2)

22-22: Harden DEFAULT_REF derivation: quote VERSION and escape dots in sed.

Quoting avoids word-splitting; escaping '.' (or using -E) makes the regex explicit for semantic clarity.

-    DEFAULT_REF="rhoai-$(echo $VERSION | sed 's/\([0-9]\+\).\([0-9]\+\).*/\1.\2/')"
+    DEFAULT_REF="rhoai-$(echo "${VERSION}" | sed -E 's/^([0-9]+)\.([0-9]+).*/\1.\2/')"
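
Review bot: With the added `^` anchor, a VERSION that does not start with a digit no longer matches, and sed then prints its input unchanged, so DEFAULT_REF becomes `rhoai-` followed by the whole string. Validate VERSION first and fail with a clear message rather than deriving a git reference from unmatched input.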

2-2: Enable stricter shell flags to catch latent issues.

set -e is good; adding -u (unset vars) and -o pipefail improves safety in CI.

-set -e
+set -euo pipefail
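
Review bot: Adding `-u` makes the script abort on any unset variable, and this script reads `$VERSION` when deriving DEFAULT_REF. Give variables that may be absent on a direct invocation an explicit default such as `${VERSION:-}`, or check them up front with a clear error.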
rhoai-config/manifests/bases/rhods-operator.clusterserviceversion.yaml (2)

248-251: Docs link version may be stale.

The link points to self-managed 2.23.0, while the default RHOAI VERSION in Makefile is 2.24.0. If you want CSV links to track the declared product version, consider updating the generator inputs so the link is templated.


220-247: Duplicate keywords (RHOAI/ODH/OAI/AI/ML) — consider deduplication.

Not functional, but cleaner metadata improves readability. If this is generated, adjust the source template rather than editing this file.

Makefile (2)

255-258: Local developer ergonomics: consider dropping --no-cache by default.

image-build uses --no-cache, which slows repeated local builds. Consider making this opt-in via an env/flag (e.g., NO_CACHE=true).

-	$(IMAGE_BUILDER) buildx build --no-cache -f Dockerfiles/Dockerfile ${IMAGE_BUILD_FLAGS} -t $(IMG) .
+	$(IMAGE_BUILDER) buildx build $(if $(NO_CACHE),--no-cache) -f Dockerfiles/Dockerfile ${IMAGE_BUILD_FLAGS} -t $(IMG) .
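
Review bot: `$(if $(NO_CACHE),--no-cache)` tests only for a non-empty value, so `NO_CACHE=false` or `NO_CACHE=0` still passes `--no-cache`. Compare against an explicit value instead, for example `$(if $(filter true,$(NO_CACHE)),--no-cache)`.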

136-138: Propagate Go toolchain version to the Docker build (keep versions aligned).

To ensure Docker builds use the same Go version as your toolbox/dev env, forward the version as a build-arg.

 IMAGE_BUILD_FLAGS ?= --build-arg USE_LOCAL=$(USE_LOCAL)
 IMAGE_BUILD_FLAGS += --build-arg CGO_ENABLED=$(CGO_ENABLED)
 IMAGE_BUILD_FLAGS += --platform $(PLATFORM)
+IMAGE_BUILD_FLAGS += --build-arg GOLANG_VERSION=$(TOOLBOX_GOLANG_VERSION)
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 6bb4d0e and a73d74d.

📒 Files selected for processing (102)
  • .dockerignore (1 hunks)
  • .github/scripts/update-versions.sh (1 hunks)
  • .github/workflows/build-push-images-on-pr-update.yaml (1 hunks)
  • .github/workflows/prometheus-unit-tests.yaml (1 hunks)
  • .github/workflows/release-staging.yaml (1 hunks)
  • .github/workflows/run-integration-tests.yaml (2 hunks)
  • .gitignore (2 hunks)
  • Dockerfiles/Dockerfile (1 hunks)
  • Dockerfiles/build-bundle.Dockerfile (1 hunks)
  • Dockerfiles/bundle.Dockerfile (2 hunks)
  • Dockerfiles/rhoai-bundle.Dockerfile (1 hunks)
  • Dockerfiles/rhoai.Dockerfile (1 hunks)
  • Makefile (8 hunks)
  • api/components/v1alpha1/modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_workbenches_types.go (1 hunks)
  • api/components/v1alpha1/workbenches_types.go (1 hunks)
  • api/dscinitialization/v1/dscinitialization_types.go (1 hunks)
  • api/dscinitialization/v1/rhoai_dscinitialization_types.go (1 hunks)
  • api/services/v1alpha1/monitoring_types.go (1 hunks)
  • api/services/v1alpha1/rhoai_monitoring_types.go (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_codeflares.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_dashboards.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kserves.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kueues.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_rays.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trustyais.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_workbenches.yaml (0 hunks)
  • bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (0 hunks)
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (0 hunks)
  • bundle/manifests/features.opendatahub.io_featuretrackers.yaml (0 hunks)
  • bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (0 hunks)
  • bundle/manifests/opendatahub-operator-controller-manager-metrics-service_v1_service.yaml (0 hunks)
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (0 hunks)
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml (0 hunks)
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml (0 hunks)
  • bundle/manifests/services.platform.opendatahub.io_auths.yaml (0 hunks)
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml (0 hunks)
  • bundle/metadata/annotations.yaml (0 hunks)
  • bundle/tests/scorecard/config.yaml (0 hunks)
  • config/crd/bases/_.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml (0 hunks)
  • config/crd/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml (0 hunks)
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (0 hunks)
  • config/crd/bases/features.opendatahub.io_featuretrackers.yaml (0 hunks)
  • config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml (0 hunks)
  • config/crd/bases/services.platform.opendatahub.io_auths.yaml (0 hunks)
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml (0 hunks)
  • config/crd/external/config.openshift.io_authentications.yaml (0 hunks)
  • config/crd/external/operators.coreos.com_catalogsources.yaml (0 hunks)
  • config/crd/external/operators.coreos.com_operatorconditions.yaml (0 hunks)
  • config/crd/external/route.openshift.io_routes.yaml (0 hunks)
  • config/crd/external/user.openshift.io_groups.yaml (0 hunks)
  • config/crd/external/user.openshift.io_identities.yaml (0 hunks)
  • config/crd/external/user.openshift.io_useridentitymappings.yaml (0 hunks)
  • config/crd/external/user.openshift.io_users.yaml (0 hunks)
  • config/rbac/role.yaml (0 hunks)
  • config/webhook/manifests.yaml (0 hunks)
  • docs/integration-testing.md (2 hunks)
  • get_all_manifests.sh (1 hunks)
  • hack/update-catalog-template.sh (1 hunks)
  • odh-config/manager/manager.yaml (1 hunks)
  • rhoai-config/crd/kustomization.yaml (1 hunks)
  • rhoai-config/crd/kustomizeconfig.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_services_auths.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_services_monitorings.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_services_auths.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_services_monitorings.yaml (1 hunks)
  • rhoai-config/default/kustomization.yaml (1 hunks)
  • rhoai-config/default/manager_auth_proxy_patch.yaml (1 hunks)
  • rhoai-config/default/manager_webhook_patch.yaml (1 hunks)
  • rhoai-config/manager/kustomization.yaml.in (1 hunks)
  • rhoai-config/manager/manager.yaml (1 hunks)
  • rhoai-config/manifests/bases/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • rhoai-config/manifests/description-patch.yml (1 hunks)
  • rhoai-config/manifests/kustomization.yaml (1 hunks)
💤 Files with no reviewable changes (57)
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml
  • config/crd/external/user.openshift.io_users.yaml
  • config/crd/external/route.openshift.io_routes.yaml
  • bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml
  • config/crd/external/config.openshift.io_authentications.yaml
  • bundle/manifests/components.platform.opendatahub.io_kueues.yaml
  • bundle/tests/scorecard/config.yaml
  • config/crd/bases/_.yaml
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml
  • config/crd/bases/features.opendatahub.io_featuretrackers.yaml
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • bundle/manifests/components.platform.opendatahub.io_rays.yaml
  • config/rbac/role.yaml
  • config/crd/external/operators.coreos.com_catalogsources.yaml
  • bundle/manifests/opendatahub-operator-controller-manager-metrics-service_v1_service.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml
  • bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml
  • config/crd/external/user.openshift.io_useridentitymappings.yaml
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml
  • config/crd/external/user.openshift.io_groups.yaml
  • bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml
  • config/webhook/manifests.yaml
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml
  • bundle/manifests/components.platform.opendatahub.io_workbenches.yaml
  • config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • bundle/metadata/annotations.yaml
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml
  • bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
  • bundle/manifests/components.platform.opendatahub.io_dashboards.yaml
  • bundle/manifests/services.platform.opendatahub.io_auths.yaml
  • bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
  • bundle/manifests/components.platform.opendatahub.io_codeflares.yaml
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml
  • config/crd/external/user.openshift.io_identities.yaml
  • bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • config/crd/external/operators.coreos.com_operatorconditions.yaml
  • config/crd/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • bundle/manifests/components.platform.opendatahub.io_trustyais.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • bundle/manifests/components.platform.opendatahub.io_kserves.yaml
  • bundle/manifests/features.opendatahub.io_featuretrackers.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml
  • config/crd/bases/services.platform.opendatahub.io_auths.yaml
🚧 Files skipped from review as they are similar to previous changes (11)
  • .github/workflows/prometheus-unit-tests.yaml
  • api/services/v1alpha1/monitoring_types.go
  • hack/update-catalog-template.sh
  • Dockerfiles/bundle.Dockerfile
  • api/components/v1alpha1/workbenches_types.go
  • api/components/v1alpha1/modelregistry_types.go
  • Dockerfiles/Dockerfile
  • api/components/v1alpha1/rhoai_workbenches_types.go
  • .github/workflows/run-integration-tests.yaml
  • api/dscinitialization/v1/rhoai_dscinitialization_types.go
  • api/components/v1alpha1/rhoai_modelregistry_types.go
🧰 Additional context used
🧠 Learnings (17)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
📚 Learning: 2025-07-29T18:43:10.232Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml:5-7
Timestamp: 2025-07-29T18:43:10.232Z
Learning: In RHOAI patch files, there are two naming patterns for DSCInitialization CRD patches: files with `.opendatahub.io` in their filename use the duplicated pattern `dscinitializations.dscinitialization.opendatahub.io.opendatahub.io` in the CRD name, while files without the group in filename use the standard pattern `dscinitializations.dscinitialization.opendatahub.io`. This duplication appears to be intentional and exists in both regular and RHOAI branches.

Applied to files:

  • rhoai-config/crd/patches/webhook_in_dscinitialization_dscinitializations.yaml
  • rhoai-config/crd/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml
  • rhoai-config/crd/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml
  • rhoai-config/crd/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml
  • rhoai-config/crd/patches/cainjection_in_dscinitialization_dscinitializations.yaml
📚 Learning: 2025-08-15T19:40:21.860Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:116-118
Timestamp: 2025-08-15T19:40:21.860Z
Learning: In the opendatahub-operator repository, the CSV manifest uses REPLACE_IMAGE:latest as a placeholder image reference intentionally, as the CI pipeline depends on this placeholder and replaces it with the actual operator image during the build process.

Applied to files:

  • odh-config/manager/manager.yaml
  • .github/workflows/release-staging.yaml
  • Makefile
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • rhoai-config/crd/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml
  • rhoai-config/crd/patches/webhook_in_services_auths.yaml
  • rhoai-config/default/kustomization.yaml
  • rhoai-config/manifests/kustomization.yaml
  • .gitignore
  • rhoai-config/crd/kustomizeconfig.yaml
  • rhoai-config/crd/kustomization.yaml
  • Makefile
📚 Learning: 2025-05-27T11:28:21.229Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.

Applied to files:

  • Dockerfiles/build-bundle.Dockerfile
  • Dockerfiles/rhoai-bundle.Dockerfile
  • .gitignore
  • Makefile
📚 Learning: 2025-08-13T21:03:04.317Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.

Applied to files:

  • rhoai-config/default/kustomization.yaml
  • rhoai-config/manifests/kustomization.yaml
  • .gitignore
  • rhoai-config/crd/kustomizeconfig.yaml
  • api/services/v1alpha1/rhoai_monitoring_types.go
  • rhoai-config/crd/kustomization.yaml
  • Makefile
📚 Learning: 2025-08-13T21:03:23.347Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.347Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.

Applied to files:

  • rhoai-config/default/kustomization.yaml
  • .gitignore
  • rhoai-config/crd/kustomization.yaml
  • Makefile
📚 Learning: 2025-08-14T14:00:35.037Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-config/rbac/role.yaml:77-81
Timestamp: 2025-08-14T14:00:35.037Z
Learning: The RBAC configurations in odh-config/rbac/role.yaml and rhoai-config/rbac/role.yaml are intentionally different (as of this PR). The rhoai-config variant uses metadata.name: rhods-operator-role while odh-config uses controller-manager-role, and they may have different permission sets. These differences should not be flagged as drift issues during code review.

Applied to files:

  • rhoai-config/default/kustomization.yaml
  • rhoai-config/manager/manager.yaml
  • rhoai-config/default/manager_auth_proxy_patch.yaml
  • Makefile
  • docs/integration-testing.md
📚 Learning: 2025-07-29T18:44:42.749Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle.rhoai/manifests/rhods-operator.clusterserviceversion.yaml:1548-1550
Timestamp: 2025-07-29T18:44:42.749Z
Learning: In the opendatahub-operator repository's rhoai branch, the CSV manifest intentionally uses `quay.io/opendatahub/opendatahub-operator:latest` as the image reference even though it's for the rhods-operator, and this configuration difference from the main branch is by design.

Applied to files:

  • rhoai-config/default/manager_webhook_patch.yaml
  • Dockerfiles/rhoai-bundle.Dockerfile
  • rhoai-config/manager/manager.yaml
  • rhoai-config/manifests/kustomization.yaml
  • .github/scripts/update-versions.sh
  • rhoai-config/manifests/bases/rhods-operator.clusterserviceversion.yaml
  • Dockerfiles/rhoai.Dockerfile
📚 Learning: 2025-08-15T19:41:15.838Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml:821-837
Timestamp: 2025-08-15T19:41:15.838Z
Learning: ClusterServiceVersion files (like rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml) are generated content and should not be manually edited. Any RBAC or other changes should be made to the source files that generate the CSV.

Applied to files:

  • rhoai-config/manifests/kustomization.yaml
  • .github/scripts/update-versions.sh
  • rhoai-config/manifests/description-patch.yml
  • rhoai-config/manifests/bases/rhods-operator.clusterserviceversion.yaml
  • rhoai-config/crd/kustomization.yaml
📚 Learning: 2025-08-15T19:41:06.435Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml:357-421
Timestamp: 2025-08-15T19:41:06.435Z
Learning: ClusterServiceVersion manifests in rhoai-bundle/manifests/ are generated files and should not be manually edited. Any issues with these files should be addressed in the generation tooling or source configuration.

Applied to files:

  • rhoai-config/manifests/kustomization.yaml
  • rhoai-config/manifests/description-patch.yml
📚 Learning: 2025-08-13T18:07:20.881Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:264-338
Timestamp: 2025-08-13T18:07:20.881Z
Learning: Bundle manifest files (like bundle/manifests/*.yaml) in operator projects are typically generated artifacts, not source files. RBAC and permission issues should be addressed in the source configurations (config/rbac/, CSV base templates, etc.) that generate these bundles, not in the generated files themselves.

Applied to files:

  • .gitignore
  • Makefile
📚 Learning: 2025-08-13T14:40:18.443Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/bases/services.platform.opendatahub.io_servicemeshes.yaml:114-114
Timestamp: 2025-08-13T14:40:18.443Z
Learning: In the opendatahub-operator repository, CRD files under config/crd/bases/ are auto-generated files (using `make generate manifests api-docs` command), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes in Go structs/kubebuilder annotations rather than direct YAML modifications.

Applied to files:

  • .gitignore
  • rhoai-config/crd/kustomization.yaml
  • Makefile
📚 Learning: 2025-05-27T08:29:05.312Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:36-43
Timestamp: 2025-05-27T08:29:05.312Z
Learning: The hack/update-catalog-template.sh script in opendatahub-operator is development tooling where simple regex patterns for version extraction are acceptable, and developers are expected to handle version format requirements themselves.

Applied to files:

  • .github/scripts/update-versions.sh
📚 Learning: 2025-08-15T19:39:14.673Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: get_all_manifests.sh:22-34
Timestamp: 2025-08-15T19:39:14.673Z
Learning: In the opendatahub-operator repository, the VERSION format used in get_all_manifests.sh does not include prefixes (like 'v') or dashes. The version follows a simple format without these additional characters.

Applied to files:

  • .github/scripts/update-versions.sh
  • get_all_manifests.sh
📚 Learning: 2025-08-13T21:04:32.696Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: .github/workflows/prometheus-unit-tests.yaml:5-5
Timestamp: 2025-08-13T21:04:32.696Z
Learning: In the opendatahub-operator repository, prometheus monitoring configurations are shared between ODH and RHOAI platforms. The prometheus directory only exists in odh-config/monitoring/prometheus/, not in rhoai-config. Both platforms reference the same prometheus manifests from the odh-config location.

Applied to files:

  • Makefile
  • docs/integration-testing.md
📚 Learning: 2025-05-27T07:45:53.136Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: hack/update-catalog-template.sh:73-79
Timestamp: 2025-05-27T07:45:53.136Z
Learning: In the opendatahub-operator project, the `|| true` pattern in Makefiles for catalog operations is intentionally used to ensure cleanup of catalog templates occurs even if the main script fails, prioritizing cleanup over strict error propagation.

Applied to files:

  • Makefile
🧬 Code graph analysis (2)
api/services/v1alpha1/rhoai_monitoring_types.go (1)
api/common/types.go (4)
  • PlatformObject (188-192)
  • Status (132-140)
  • Condition (71-129)
  • ManagementSpec (12-23)
get_all_manifests.sh (1)
pkg/cluster/const.go (1)
  • OpenDataHub (11-11)
🪛 Checkov (3.2.334)
rhoai-config/default/manager_webhook_patch.yaml

[MEDIUM] 1-26: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-26: Minimize the admission of root containers

(CKV_K8S_23)

rhoai-config/default/manager_auth_proxy_patch.yaml

[MEDIUM] 3-16: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 3-16: Minimize the admission of root containers

(CKV_K8S_23)

🪛 checkmake (0.2.2)
Makefile

[warning] 186-186: Target "output" should be declared PHONY.

(phonydeclared)

🪛 LanguageTool
docs/integration-testing.md

[grammar] ~19-~19: There might be a mistake here.
Context: ...andrhoai-bundle/ directory changes) - **Operator Configuration** (odh-config/` ...

(QB_NEW_EN)


[grammar] ~20-~20: There might be a mistake here.
Context: ...andrhoai-config/ directory changes) - **Feature Framework** (pkg/feature/` chan...

(QB_NEW_EN)

Comment on lines 5 to 10
paths:
- 'bundle/**'
- 'config/**'
- 'odh-config/**'
- 'Dockerfiles/**'
- 'internal/**'
- 'pkg/**'

⚠️ Potential issue

Update trigger paths for renamed bundles/config and add rhoai globs to avoid missed builds.

The workflow still watches bundle/** but the repo now uses odh-bundle/** and adds rhoai-bundle/; similarly we should also watch rhoai-config/ alongside odh-config/**. Otherwise PRs that only touch odh-bundle/ or rhoai-* paths won’t trigger this build/push workflow.

Apply this diff to fix the triggers:

   pull_request_target:
     types: [ opened, synchronize, reopened ]
     paths:
-      - 'bundle/**'
-      - 'odh-config/**'
+      - 'odh-bundle/**'
+      - 'rhoai-bundle/**'
+      - 'odh-config/**'
+      - 'rhoai-config/**'
       - 'Dockerfiles/**'
       - 'internal/**'
       - 'pkg/**'
       - 'cmd/main.go'
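Review bot: The `- 'odh-config/**'` / `+ 'odh-config/**'` pair in the `paths:` list removes and re-adds the same entry, so it is a no-op that obscures the real change; drop that pair and keep only the `bundle/**` to `odh-bundle/**` rename plus the two `rhoai-*` additions. The trigger in this hunk is `pull_request_target`, which runs in the base repository's context, so every glob added under `paths:` widens the set of pull requests that start this build-and-push workflow; confirm the job does not build the PR head with push credentials available before widening the filter.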
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
paths:
- 'bundle/**'
- 'config/**'
- 'odh-config/**'
- 'Dockerfiles/**'
- 'internal/**'
- 'pkg/**'
pull_request_target:
types: [ opened, synchronize, reopened ]
paths:
- 'odh-bundle/**'
- 'rhoai-bundle/**'
- 'odh-config/**'
- 'rhoai-config/**'
- 'Dockerfiles/**'
- 'internal/**'
- 'pkg/**'
- 'cmd/main.go'
🤖 Prompt for AI Agents
In .github/workflows/build-push-images-on-pr-update.yaml around lines 5 to 10,
the paths trigger still uses bundle/** and only odh-config/**; update the paths
block to include the new repo layout by replacing the current list with entries
for odh-bundle/** and rhoai-bundle/** (and optionally remove bundle/**), include
rhoai-config/** alongside odh-config/**, and keep Dockerfiles/**, internal/**,
and pkg/** so PRs touching those renamed bundle/config paths will trigger the
workflow.

Comment on lines +66 to +77
// CPULimit specifies the maximum CPU allocation (e.g., "500m", "2")
// +kubebuilder:default="500m"
CPULimit resource.Quantity `json:"cpulimit,omitempty"`
// MemoryLimit specifies the maximum memory allocation (e.g., "1Gi", "512Mi")
// +kubebuilder:default="512Mi"
MemoryLimit resource.Quantity `json:"memorylimit,omitempty"`
// CPURequest specifies the minimum CPU allocation (e.g., "100m", "0.5")
// +kubebuilder:default="100m"
CPURequest resource.Quantity `json:"cpurequest,omitempty"`
// MemoryRequest specifies the minimum memory allocation (e.g., "256Mi", "1Gi")
// +kubebuilder:default="256Mi"
MemoryRequest resource.Quantity `json:"memoryrequest,omitempty"`

💡 Verification agent

🧩 Analysis chain

JSON field names should be lowerCamelCase to match Kubernetes conventions

Use cpuLimit, memoryLimit, cpuRequest, memoryRequest. Current snake-ish casing (cpulimit, etc.) is inconsistent and surprising for users and tools.

 type MetricsResources struct {
   // CPULimit specifies the maximum CPU allocation (e.g., "500m", "2")
   // +kubebuilder:default="500m"
-  CPULimit resource.Quantity `json:"cpulimit,omitempty"`
+  CPULimit resource.Quantity `json:"cpuLimit,omitempty"`
   // MemoryLimit specifies the maximum memory allocation (e.g., "1Gi", "512Mi")
   // +kubebuilder:default="512Mi"
-  MemoryLimit resource.Quantity `json:"memorylimit,omitempty"`
+  MemoryLimit resource.Quantity `json:"memoryLimit,omitempty"`
   // CPURequest specifies the minimum CPU allocation (e.g., "100m", "0.5")
   // +kubebuilder:default="100m"
-  CPURequest resource.Quantity `json:"cpurequest,omitempty"`
+  CPURequest resource.Quantity `json:"cpuRequest,omitempty"`
   // MemoryRequest specifies the minimum memory allocation (e.g., "256Mi", "1Gi")
   // +kubebuilder:default="256Mi"
-  MemoryRequest resource.Quantity `json:"memoryrequest,omitempty"`
+  MemoryRequest resource.Quantity `json:"memoryRequest,omitempty"`
 }
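Review bot: Changing the four `json:` tags on `MetricsResources` renames the serialized keys of an API that is already served, and each field also carries a `+kubebuilder:default` marker, so an object that still uses the old keys (for example `cpulimit`) can have that key pruned as an unknown field and the default (`500m`, `512Mi`, `100m`, `256Mi`) applied in its place instead of failing loudly. If the rename goes ahead, land it together with the regenerated CRDs and a migration path for the old keys, or introduce it in a new API version rather than editing `v1alpha1` in place.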

Run this to spot any docs or manifests already using the current keys:


🏁 Script executed:

#!/bin/bash
rg -nP -C2 '\b(cpulimit|memorylimit|cpurequest|memoryrequest)\b'

Length of output: 4497


Refactor JSON field names to lowerCamelCase across code, docs, and tests

We’ve identified that the MetricsResources type (in both rhoai_monitoring_types.go and the duplicate monitoring_types.go) currently uses snake-like JSON tags (cpulimit, memorylimit, cpurequest, memoryrequest), but Kubernetes conventions favor lowerCamelCase (cpuLimit, memoryLimit, cpuRequest, memoryRequest). Renaming these fields is a breaking change, so we must update all occurrences in code, documentation, and tests in lockstep to avoid build or runtime failures.

• api/services/v1alpha1/rhoai_monitoring_types.go &
api/services/v1alpha1/monitoring_types.go
– Change struct tags:
diff - CPULimit resource.Quantity `json:"cpulimit,omitempty"` + CPULimit resource.Quantity `json:"cpuLimit,omitempty"` - MemoryLimit resource.Quantity `json:"memorylimit,omitempty"` + MemoryLimit resource.Quantity `json:"memoryLimit,omitempty"` - CPURequest resource.Quantity `json:"cpurequest,omitempty"` + CPURequest resource.Quantity `json:"cpuRequest,omitempty"` - MemoryRequest resource.Quantity `json:"memoryrequest,omitempty"` + MemoryRequest resource.Quantity `json:"memoryRequest,omitempty"`

• README.md (lines ~337–342)
– Update example YAML:
diff resources: - cpulimit: 500m - cpurequest: 100m - memorylimit: 512Mi - memoryrequest: 256Mi + cpuLimit: 500m + cpuRequest: 100m + memoryLimit: 512Mi + memoryRequest: 256Mi

• docs/api-overview.md (table rows ~2903–2906)
– Rename the “Field” column entries from cpulimit, cpurequest, etc., to lowerCamelCase.

• tests/e2e/monitoring_test.go (around lines 286–291)
– Update the JSON keys in the test’s resource map to use cpuLimit, cpuRequest, memoryLimit, and memoryRequest so assertions match the new serialization.

Please ensure any generated CRD manifests or client code are regenerated and existing persisted objects are migrated or handled via a conversion webhook to preserve backwards compatibility.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// CPULimit specifies the maximum CPU allocation (e.g., "500m", "2")
// +kubebuilder:default="500m"
CPULimit resource.Quantity `json:"cpulimit,omitempty"`
// MemoryLimit specifies the maximum memory allocation (e.g., "1Gi", "512Mi")
// +kubebuilder:default="512Mi"
MemoryLimit resource.Quantity `json:"memorylimit,omitempty"`
// CPURequest specifies the minimum CPU allocation (e.g., "100m", "0.5")
// +kubebuilder:default="100m"
CPURequest resource.Quantity `json:"cpurequest,omitempty"`
// MemoryRequest specifies the minimum memory allocation (e.g., "256Mi", "1Gi")
// +kubebuilder:default="256Mi"
MemoryRequest resource.Quantity `json:"memoryrequest,omitempty"`
// CPULimit specifies the maximum CPU allocation (e.g., "500m", "2")
// +kubebuilder:default="500m"
CPULimit resource.Quantity `json:"cpuLimit,omitempty"`
// MemoryLimit specifies the maximum memory allocation (e.g., "1Gi", "512Mi")
// +kubebuilder:default="512Mi"
MemoryLimit resource.Quantity `json:"memoryLimit,omitempty"`
// CPURequest specifies the minimum CPU allocation (e.g., "100m", "0.5")
// +kubebuilder:default="100m"
CPURequest resource.Quantity `json:"cpuRequest,omitempty"`
// MemoryRequest specifies the minimum memory allocation (e.g., "256Mi", "1Gi")
// +kubebuilder:default="256Mi"
MemoryRequest resource.Quantity `json:"memoryRequest,omitempty"`

Comment on lines 112 to 116
### Jenkins pipeline not triggering
- Verify the `/label run-integration-tests` command was successful
- Check that your changes affect monitored paths (`bundle/`, `cmd/`, `config/`, `internal/`, `pkg/`)
- Check that your changes affect monitored paths (`odh-bundle/`, `rhoai-bundle/`, `cmd/`, `odh-config/`, `rhoai-config/`, `internal/`, `pkg/`)
- Ensure the GitHub Action `Build Catalog FBC and run Integration tests` completed successfully
- Look for the automated `/test-integration` comment from the `github-actions bot`

💡 Verification agent

🧩 Analysis chain

Verify workflow path filters match this documentation.

The “monitored paths” list here includes odh-config/ and rhoai-config/. Please verify .github/workflows/run-integration-tests.yaml includes the same paths in its on.push/on.pull_request path filters.


🏁 Script executed:

#!/bin/bash
# Show path filters in the integration test workflow(s).
fd -a 'run-integration-tests.yaml' .github/workflows | while read f; do
  echo "=== $f ==="
  rg -nC2 -e 'paths?:' -e '^- .+/(bundle|config)/' -e '^- (cmd|internal|pkg)/' "$f"
done
# Expect to see odh-bundle/, rhoai-bundle/, odh-config/, rhoai-config/, cmd/, internal/, pkg/

Length of output: 689


Add missing path filters to run-integration-tests workflow

The on.push/on.pull_request paths section in .github/workflows/run-integration-tests.yaml currently only includes the bundle directories. To match the “monitored paths” documented in docs/integration-testing.md (lines 112-116), you must add the remaining paths:

• Bundles (present)

  • odh-bundle/**
  • rhoai-bundle/**

Missing (add these)

  • odh-config/**
  • rhoai-config/**
  • cmd/**
  • internal/**
  • pkg/**

Suggested diff:

 on:
   push:
     types: [synchronize, reopened]
     paths:
       - 'odh-bundle/**'
       - 'rhoai-bundle/**'
+      - 'odh-config/**'
+      - 'rhoai-config/**'
+      - 'cmd/**'
+      - 'internal/**'
+      - 'pkg/**'
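Review bot: The context lines place `types: [synchronize, reopened]` directly under `push:`, but those are pull request activity types and `push` takes no `types` filter, so this snippet may not reflect the workflow's real trigger block. Check the actual `on:` section of `.github/workflows/run-integration-tests.yaml` before applying, and add the five new globs under whichever trigger the workflow really uses.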

This ensures that any changes under those config, command, internal, or package directories will trigger the integration-test workflow as intended.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In docs/integration-testing.md around lines 112-116 you document monitored paths
for the integration tests, but the actual workflow
.github/workflows/run-integration-tests.yaml only includes the bundle
directories; update that workflow’s on.push and on.pull_request paths filters to
include the missing patterns so they match the docs: add odh-config/**,
rhoai-config/**, cmd/**, internal/**, and pkg/** alongside the existing
odh-bundle/** and rhoai-bundle/** entries; ensure patterns use double-star globs
and save the workflow so changes in those directories trigger the
integration-test job.

Comment on lines +2 to +7
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: dscinitializations.dscinitialization.opendatahub.io

💡 Verification agent

🧩 Analysis chain

Ensure the patch is wired into all intended kustomizations.

This file won’t take effect unless included in the appropriate kustomization.yaml (e.g., under rhoai-config/crd or overlays used by the RHOAI bundle build).

Use this to confirm it’s referenced:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Expect at least one hit in kustomization.yaml files
rg -nP -C2 'cainjection_in_dscinitialization_dscinitializations\.ya?ml' --iglob 'kustomization.y*ml' || {
  echo "WARNING: Patch not referenced by any kustomization.*yaml"; exit 1;
}

Length of output: 254


Patch Not Wired into Any Kustomization

The CA-injection CRD patch rhoai-config/crd/patches/cainjection_in_dscinitialization_dscinitializations.yaml isn’t referenced by any kustomization.yaml in the repo, so it will never be applied.

• Locate the appropriate kustomization.yaml (e.g., in rhoai-config/crd or an overlay under overlays/[…]/kustomization.yaml).
• Under resources: (or patches: in Kustomize v3.8+), add the relative path to your patch:

resources:
  - patches/cainjection_in_dscinitialization_dscinitializations.yaml

(or)

patches:
  - path: patches/cainjection_in_dscinitialization_dscinitializations.yaml

Please update all relevant kustomizations so this patch is included in your RHOAI bundle builds.

🤖 Prompt for AI Agents
In
rhoai-config/crd/patches/cainjection_in_dscinitialization_dscinitializations.yaml
around lines 2 to 7: the patch file is not referenced by any kustomization so it
never gets applied; open the kustomization.yaml that builds the CRDs (e.g.,
rhoai-config/crd/kustomization.yaml or any overlay kustomization under
overlays/…) and add the relative patch path so it’s included—if the
kustomization uses resources: add the path under resources with the relative
path to patches/cainjection_in_dscinitialization_dscinitializations.yaml, or if
it uses Kustomize v3.8+ use the patches: stanza and add the file path there;
update every relevant kustomization that assembles the RHOAI bundle so this
patch is included.

Comment on lines +5 to +7
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: auths.services.opendatahub.io

💡 Verification agent

🧩 Analysis chain

CRITICAL: CRD name group mismatch prevents patch from applying.

Bases list uses services.platform.opendatahub.io, but this patch targets auths.services.opendatahub.io (missing “.platform”). The patch won’t match the CRD.

 metadata:
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
-  name: auths.services.opendatahub.io
+  name: auths.services.platform.opendatahub.io

Also verify that CERTIFICATE_NAMESPACE and CERTIFICATE_NAME are defined in the overlay that applies this patch (e.g., via kustomize vars or replacement transforms), otherwise cert-manager will not resolve the reference.


🏁 Script executed:

#!/bin/bash
set -e

# Search for CRD name with .platform in the codebase
echo ">>>> Searching for CRD definitions with .platform"
rg -nP --type=yaml "name: auths\\.services\\.platform\\.opendatahub\\.io" -C3 || true

# Search for CRD name without .platform
echo ">>>> Searching for CRD definitions without .platform"
rg -nP --type=yaml "name: auths\\.services\\.opendatahub\\.io" -C3 || true

# Search for group: services.platform.opendatahub.io
echo ">>>> Searching for group definitions with .platform"
rg -nP --type=yaml "group: services\\.platform\\.opendatahub\\.io" -C3 || true

# Search for group: services.opendatahub.io
echo ">>>> Searching for group definitions without .platform"
rg -nP --type=yaml "group: services\\.opendatahub\\.io" -C3 || true

# Locate kustomization.yaml referencing this patch
echo ">>>> Locating kustomization references to cainjection_in_services_auths.yaml"
rg -nP "cainjection_in_services_auths\\.yaml" -C3

Length of output: 4471


🏁 Script executed:

#!/bin/bash
set -e

# List kustomization.yaml files under rhoai-config
echo ">>>> kustomization.yaml files"
rg -l "kustomization.yaml" -g "rhoai-config/**"

# Search for patch reference in kustomization.yaml
echo ">>>> Patch references in kustomization.yaml"
rg -nP "cainjection_in_services_auths\\.yaml" -g "rhoai-config/**/kustomization.yaml" -C3 || echo "No references found"

# Search for CERTIFICATE_NAMESPACE definition
echo ">>>> Searching for CERTIFICATE_NAMESPACE definitions"
rg -n "CERTIFICATE_NAMESPACE" -C2 rhoai-config || echo "Not found"

# Search for CERTIFICATE_NAME definition
echo ">>>> Searching for CERTIFICATE_NAME definitions"
rg -n "CERTIFICATE_NAME" -C2 rhoai-config || echo "Not found"

Length of output: 6771


🏁 Script executed:

#!/bin/bash
set -e

echo ">>>> Finding all CRD definition files"
rg -l "kind: CustomResourceDefinition" -g "rhoai-config/crd/**" || true

echo ">>>> Grep group in CRD definitions"
rg -nP "^  group: " -C2 -g "rhoai-config/crd/**" || true

echo ">>>> Extract CRD spec names"
rg -nP "^  names:" -C5 -g "rhoai-config/crd/**" || true

Length of output: 1568


🏁 Script executed:

#!/bin/bash
set -e

echo "===== rhoai-config/crd/kustomization.yaml ====="
sed -n '1,200p' rhoai-config/crd/kustomization.yaml || true

Length of output: 2658


CRITICAL: CRD patch metadata.name doesn’t match Auth CRD group

The CA-injection patch in
rhoai-config/crd/patches/cainjection_in_services_auths.yaml
is targeting
auths.services.opendatahub.io
but the Auth CRD lives at
auths.services.platform.opendatahub.io
(see bases/services.platform.opendatahub.io_auths.yaml). As a result, this patch will never apply.

Please update the metadata.name to include the “.platform” group:

 metadata:
   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
-  name: auths.services.opendatahub.io
+  name: auths.services.platform.opendatahub.io

Additionally, ensure that your overlay (e.g. in rhoai-config/default/kustomization.yaml) actually defines the CERTIFICATE_NAMESPACE and CERTIFICATE_NAME vars (they’re commented out by default), otherwise cert-manager won’t be able to resolve the reference.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: auths.services.opendatahub.io
metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: auths.services.platform.opendatahub.io

🤖 Prompt for AI Agents
In rhoai-config/crd/patches/cainjection_in_services_auths.yaml around lines 5-7,
the CRD patch metadata.name is incorrect — it targets
auths.services.opendatahub.io but the Auth CRD group is
auths.services.platform.opendatahub.io; change the metadata.name to
auths.services.platform.opendatahub.io so the patch applies, and also ensure the
overlay kustomization (e.g. rhoai-config/default/kustomization.yaml) defines the
CERTIFICATE_NAMESPACE and CERTIFICATE_NAME variables (they are commented out by
default) so cert-manager can resolve the cert reference.
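
The two findings above (a patch file that no kustomization references, and a patch whose metadata.name matches no CRD in bases/) can be caught before review with a small lint. This is an added example, not code from the PR or from the review bot; the sample tree and all function names are constructed, and the line-based YAML lookup assumes plain block mappings.

```python
import re
import tempfile
from pathlib import Path

# "key: value" on a block-mapping line; list items and comments do not match.
KEY_LINE = re.compile(r"^( *)([A-Za-z0-9_./-]+):\s*(.*)$")
# "- file.yaml" or "- path: file.yaml" entries of an active (uncommented) list.
REF_LINE = re.compile(r"^\s*-\s*(?:path:\s*)?([^\s#]+\.ya?ml)\s*$")

# Constructed sample content (not copied from the repository).
CRD = """\
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: {plural}.{group}
spec:
  group: {group}
  names:
    kind: {kind}
    plural: {plural}
"""
PATCH = """\
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
  name: {name}
"""
KUSTOMIZATION = """\
resources:
- bases/services.platform.opendatahub.io_auths.yaml
- bases/dscinitialization.opendatahub.io_dscinitializations.yaml
patches:
- path: patches/cainjection_in_services_auths.yaml
#- path: patches/cainjection_in_dscinitialization_dscinitializations.yaml
"""


def yaml_scalar(text, *path):
    """Return the scalar at a nested key path, e.g. ("metadata", "name").

    Assumption: plain block mappings only. This is a line-based lookup,
    not a YAML parser; swap in a real parser for anything more complex.
    """
    stack = []  # (indent, key) from the document root down to the current line
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if tuple(k for _, k in stack) == path and value:
            return value.strip("\"'")
    return None


def crd_names(bases_dir):
    """CRD object names (<plural>.<group>) defined under bases/."""
    names = set()
    for f in sorted(Path(bases_dir).glob("*.yaml")):
        text = f.read_text()
        if yaml_scalar(text, "kind") != "CustomResourceDefinition":
            continue
        plural = yaml_scalar(text, "spec", "names", "plural")
        group = yaml_scalar(text, "spec", "group")
        if plural and group:
            names.add(f"{plural}.{group}")
    return names


def referenced_paths(kustomization_text):
    """Relative YAML paths listed in uncommented kustomization entries."""
    return {m.group(1) for line in kustomization_text.splitlines()
            if (m := REF_LINE.match(line))}


def lint(crd_dir):
    """Return (patch, problem) pairs for unreferenced or mistargeted patches."""
    crd_dir = Path(crd_dir)
    refs = referenced_paths((crd_dir / "kustomization.yaml").read_text())
    known = crd_names(crd_dir / "bases")
    findings = []
    for patch in sorted((crd_dir / "patches").glob("*.yaml")):
        rel = patch.relative_to(crd_dir).as_posix()
        if rel not in refs:
            findings.append((rel, "not referenced by kustomization.yaml"))
        target = yaml_scalar(patch.read_text(), "metadata", "name")
        if target not in known:
            findings.append((rel, f"targets {target}, no such CRD in bases/"))
    return findings


def build_sample(root):
    """Write a constructed crd/ tree that reproduces both review findings."""
    root = Path(root)
    (root / "bases").mkdir(parents=True, exist_ok=True)
    (root / "patches").mkdir(exist_ok=True)
    for group, plural, kind in [
        ("services.platform.opendatahub.io", "auths", "Auth"),
        ("dscinitialization.opendatahub.io", "dscinitializations", "DSCInitialization"),
    ]:
        (root / "bases" / f"{group}_{plural}.yaml").write_text(
            CRD.format(group=group, plural=plural, kind=kind))
    (root / "patches" / "cainjection_in_services_auths.yaml").write_text(
        PATCH.format(name="auths.services.opendatahub.io"))  # missing ".platform"
    (root / "patches" / "cainjection_in_dscinitialization_dscinitializations.yaml").write_text(
        PATCH.format(name="dscinitializations.dscinitialization.opendatahub.io"))
    (root / "kustomization.yaml").write_text(KUSTOMIZATION)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, problem in lint(tmp):
            print(f"{path}: {problem}")
```

Run against a real tree by calling lint() on the directory that holds kustomization.yaml, bases/ and patches/; a non-empty result is a reason to fail CI.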

Comment on lines +12 to +16
- name: rhods-operator
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=0.0.0.0:8080"
- "--leader-elect"

🛠️ Refactor suggestion

Harden container security context per cluster defaults and Checkov hints.

Set an explicit restricted securityContext for the controller container. This addresses CKV_K8S_20 and CKV_K8S_23 and aligns with OpenShift restricted SCC expectations.

Apply this diff:

       - name: rhods-operator
         args:
           - "--health-probe-bind-address=:8081"
-          - "--metrics-bind-address=0.0.0.0:8080"
+          - "--metrics-bind-address=127.0.0.1:8080"
           - "--leader-elect"
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop: ["ALL"]
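
Review bot: `readOnlyRootFilesystem: true` on the `rhods-operator` container will fail any write the operator makes to its root filesystem, and nothing in this hunk adds a writable volume. Confirm the manager writes only to mounted volumes, or mount an `emptyDir` for the paths it needs, before applying this. The switch to `--metrics-bind-address=127.0.0.1:8080` likewise assumes every scraper goes through the proxy; anything that targets 8080 from outside the pod stops working.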

If this patch is strategic-merge applied over a base defining the container, the name-based merge will augment the existing container spec without duplication.

📝 Committable suggestion

Suggested change
- name: rhods-operator
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=0.0.0.0:8080"
- "--leader-elect"
- name: rhods-operator
args:
- "--health-probe-bind-address=:8081"
- "--metrics-bind-address=127.0.0.1:8080"
- "--leader-elect"
securityContext:
allowPrivilegeEscalation: false
runAsNonRoot: true
readOnlyRootFilesystem: true
seccompProfile:
type: RuntimeDefault
capabilities:
drop: ["ALL"]

🧰 Tools
🪛 Checkov (3.2.334)

[MEDIUM] 3-16: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 3-16: Minimize the admission of root containers

(CKV_K8S_23)

Comment on lines +5 to +6
namespace: system
spec:

⚠️ Potential issue

Namespace “system” likely conflicts with your overlay namespace.

default/kustomization.yaml sets namespace: redhat-ods-operator, but this patch hardcodes metadata.namespace: system. If the Service/Secret live in redhat-ods-operator (typical for this project), the webhook server won’t find its cert Secret, and the CRD conversion webhook (which currently points to “system”) will fail at runtime.

Apply this diff to let Kustomize set the correct namespace from the overlay (or change it to redhat-ods-operator explicitly, if preferred):

-  namespace: system

Follow-up: ensure the CRD webhook clientConfig.service.namespace in your CRD patch also resolves to the same namespace (see my comment there).

📝 Committable suggestion

Suggested change
namespace: system
spec:
spec:

🤖 Prompt for AI Agents
In rhoai-config/default/manager_webhook_patch.yaml around lines 5-6 the patch
hardcodes metadata.namespace: system which conflicts with the overlay namespace
(default/kustomization.yaml uses redhat-ods-operator); remove the hardcoded
namespace so Kustomize can inject the overlay namespace, or if you prefer an
explicit namespace set it to redhat-ods-operator, and then ensure the CRD
patch's webhook clientConfig.service.namespace uses the same resolved namespace.

Instead generate them as needed. In order to allow the bundle to be
built from the existing `bundle.Dockerfile` mechanism, I introduced some
logic to generate it as a multi-stage dockerfile, where the first
stage runs `make bundle`.

Testing
-------

1. Build the bundle from main (`make bundle-build`), make note of
   the image hash
2. Build the bundle from this branch (`make bundle-build`), make note of
   the image hash
3. Mount both images (`podman image mount $hash1 ; podman image mount
   $hash2`)
4. Compare the directories. I use `meld` for this.

Note the only difference is in timestamp.

This required significant changes to the Makefile and a few different strategies:

- conditionally build different versions of some structs, where there is an irreconcilable difference between `main` and `rhoai` branches (using build tags)
- maintain a separate overlay of manifests and separate bundle, tracking `rhoai` specific changes where necessary.

Renamed directories:
- `bundle` -> `odh-bundle`
- `config` -> `odh-config`

New directories:
- `rhoai-bundle`: contains the RHOAI bundle
- `rhoai-config`: contains the RHOAI manifests

With these changes most Make targets now accept the `ODH_PLATFORM_TYPE` parameter, and operate in either an odh-mode by default, or a rhoai mode if overridden to any value other than `OpenDataHub`.

`get_all_manifests.sh` now has a different mode when passed `ODH_PLATFORM_TYPE` other than `OpenDataHub`, where it looks at $VERSION and infers the downstream git reference to use. (It is most easily invoked via `make get-manifests ODH_PLATFORM_TYPE=rhoai`).

This adds RHOAI-specific Dockerfiles for the operator and the bundle.

See the difference between the rhoai versions and odh versions by using a diff tool, such as `meld` or `diff -u`.

You can compare the resulting bundle for differences by checking out the rhoai branch, and comparing `bundle.rhoai` to `bundle` in the `rhoai` branch.

There are a number of small differences related to changes that haven't been made to the `rhoai` branch.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
get_all_manifests.sh (1)

128-133: USE_LOCAL check ignores the value and will always copy from adjacent checkout if present.

[[ -v USE_LOCAL ]] only checks “is set and non-null”; with USE_LOCAL="false" it still passes, causing unintended local copies whenever a sibling repo exists.

-    if [[ -v USE_LOCAL ]] && [[ -e ../${repo_name} ]]; then
-        echo "copying from adjacent checkout ..."
-        mkdir -p ./opt/manifests/${target_path}
-        cp -rf "../${repo_name}/${source_path}"/* ./opt/manifests/${target_path}
-        return
-    fi
+    if [[ "${USE_LOCAL:-false}" == "true" ]] && [[ -e "../${repo_name}" ]]; then
+        echo "copying from adjacent checkout ..."
+        mkdir -p "./opt/manifests/${target_path}"
+        # copy including dotfiles; robust when source is empty
+        cp -a "../${repo_name}/${source_path}/." "./opt/manifests/${target_path}"
+        return
+    fi
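
Review bot: The new test `[[ "${USE_LOCAL:-false}" == "true" ]]` accepts only the literal string `true`, so callers that enabled the local copy with `USE_LOCAL=1` or an empty `USE_LOCAL=` are silently switched to the remote fetch. Document the accepted value next to the variable, or fail loudly on an unrecognised one. Note also that `cp -a` preserves mode, ownership and timestamps where `cp -rf` did not.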

♻️ Duplicate comments (5)
.gitignore (1)

60-61: Resolved: choosing “generate-and-ignore” for manager kustomization files is consistent.

You dropped these files from tracking and kept the ignore rules, which removes the tracked-vs-ignored footgun raised earlier. LGTM.

api/services/v1alpha1/rhoai_monitoring_types.go (1)

66-77: Use lowerCamelCase JSON field names to match Kubernetes conventions.

This mirrors prior feedback and avoids surprising users/clients. Ensure docs/tests/manifests are updated together.

 type MetricsResources struct {
   // CPULimit specifies the maximum CPU allocation (e.g., "500m", "2")
   // +kubebuilder:default="500m"
-  CPULimit resource.Quantity `json:"cpulimit,omitempty"`
+  CPULimit resource.Quantity `json:"cpuLimit,omitempty"`
   // MemoryLimit specifies the maximum memory allocation (e.g., "1Gi", "512Mi")
   // +kubebuilder:default="512Mi"
-  MemoryLimit resource.Quantity `json:"memorylimit,omitempty"`
+  MemoryLimit resource.Quantity `json:"memoryLimit,omitempty"`
   // CPURequest specifies the minimum CPU allocation (e.g., "100m", "0.5")
   // +kubebuilder:default="100m"
-  CPURequest resource.Quantity `json:"cpurequest,omitempty"`
+  CPURequest resource.Quantity `json:"cpuRequest,omitempty"`
   // MemoryRequest specifies the minimum memory allocation (e.g., "256Mi", "1Gi")
   // +kubebuilder:default="256Mi"
-  MemoryRequest resource.Quantity `json:"memoryrequest,omitempty"`
+  MemoryRequest resource.Quantity `json:"memoryRequest,omitempty"`
 }
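
Review bot: Renaming the JSON tags (`cpulimit` to `cpuLimit`, and the other three) changes the serialized field names of `MetricsResources`, so objects and manifests written with the lower-case keys no longer populate these fields. If any release has shipped the old names, keep them readable during a transition or state the break in the release notes.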

To find and update any remaining references:

#!/bin/bash
rg -nP -C2 '\b(cpulimit|memorylimit|cpurequest|memoryrequest)\b'

docs/integration-testing.md (1)

112-116: Ensure workflow path filters match this doc (odh-config/ and rhoai-config/ included).

Confirm .github/workflows/run-integration-tests.yaml includes these paths so the doc and triggers stay in sync.

rhoai-config/default/manager_auth_proxy_patch.yaml (1)

15-15: Bind metrics to localhost (defense-in-depth).

Expose 8080 only to the sidecar; keep the Service on 8443 via the proxy.

-        - "--metrics-bind-address=0.0.0.0:8080"
+        - "--metrics-bind-address=127.0.0.1:8080"
rhoai-config/default/manager_webhook_patch.yaml (1)

3-6: Fix hardcoded namespace to avoid webhook cert lookup failures.

Hardcoding metadata.namespace: system will conflict with overlays that set namespace (e.g., redhat-ods-operator). This can break the webhook server’s cert Secret lookup and CRD conversion webhooks at runtime. Let Kustomize inject the namespace (remove the field) or set it explicitly to the overlay namespace.

Apply this diff:

   name: rhods-operator
-  namespace: system

Follow-up: ensure any CRD/webhook clientConfig.service.namespace resolves to the same namespace as this Deployment.

🧹 Nitpick comments (26)
.gitignore (1)

71-83: Harden ignore rules for generated artifacts (anchor to repo root, ignore dirs explicitly).

Minor robustness/clarity tweaks: anchor patterns and add trailing slashes for directories; consider broadening RBAC ignores if multiple files are generated.

Apply this diff:

-odh-config/crd/bases
-odh-config/rbac/role.yaml
-odh-config/crd/external
-odh-config/webhook/manifests.yaml
-rhoai-config/crd/bases
-rhoai-config/rbac/role.yaml
-rhoai-config/crd/external
-rhoai-config/webhook/manifests.yaml
-rhoai-bundle/
-odh-bundle/
+/odh-config/crd/bases/
+/odh-config/rbac/role.yaml
+# If RBAC generation emits multiple files, prefer the broader pattern below and remove the single-file rule:
+# /odh-config/rbac/*.yaml
+/odh-config/crd/external/
+/odh-config/webhook/manifests.yaml
+/rhoai-config/crd/bases/
+/rhoai-config/rbac/role.yaml
+# If RBAC generation emits multiple files, prefer the broader pattern below and remove the single-file rule:
+# /rhoai-config/rbac/*.yaml
+/rhoai-config/crd/external/
+/rhoai-config/webhook/manifests.yaml
+/rhoai-bundle/
+/odh-bundle/

Optional: if you keep empty generated dirs in the repo, add keep-outs:

  • /odh-config/crd/bases/.keep and /rhoai-config/crd/bases/.keep, with negate rules:
    • !/odh-config/crd/bases/.keep
    • !/rhoai-config/crd/bases/.keep

rhoai-config/manifests/kustomization.yaml (2)

13-18: Tighten patch target with version.

Add version: v1alpha1 to avoid accidental matches if CSV api version changes or multiple versions exist.

 patches:
 - path: description-patch.yml
   target:
     group: operators.coreos.com
+    version: v1alpha1
     kind: ClusterServiceVersion

19-38: Avoid duplicate top-level “patches” and prefer name-based patching over indices.

  • If someone uncomments this block as-is, YAML will contain two top-level patches keys; that’s error-prone.
  • Using JSON6902 array indices (containers/1, volumeMounts/0, volumes/0) is brittle. Prefer a strategic-merge patch selecting the container by name.

Replace the commented example with an entry that can be appended to the existing patches list and targets by name:

-#patches:
-#- target:
-#    group: apps
-#    version: v1
-#    kind: Deployment
-#    name: controller-manager
-#    namespace: system
-#  patch: |-
-#    # Remove the manager container's "cert" volumeMount, since OLM will create and mount a set of certs.
-#    # Update the indices in this path if adding or removing containers/volumeMounts in the manager's Deployment.
-#    - op: remove
-#      path: /spec/template/spec/containers/1/volumeMounts/0
-#    # Remove the "cert" volume, since OLM will create and mount a set of certs.
-#    # Update the indices in this path if adding or removing volumes in the manager's Deployment.
-#    - op: remove
-#      path: /spec/template/spec/volumes/0
+## Append the following to the existing `patches:` list to remove the cert volume/volumeMount when enabling webhooks under OLM:
+#- target:
+#    group: apps
+#    version: v1
+#    kind: Deployment
+#    name: controller-manager
+#  path: webhook-cert-volume-remove.yaml

And create webhook-cert-volume-remove.yaml (strategic-merge) alongside this kustomization:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
spec:
  template:
    spec:
      containers:
        - name: manager
          volumeMounts:
            - name: cert
              $patch: delete
      volumes:
        - name: cert
          $patch: delete

api/services/v1alpha1/rhoai_monitoring_types.go (6)

29-33: Minor doc nit: fix grammar/capitalization in the constant comment.

Apply:

- // value should match whats set in the XValidation below
+ // Value should match what's set in the XValidation below.

46-52: Replicas comment claims a default of 2, but no defaulting annotation present.

Either add a CRD default or adjust the comment. If controller-level defaulting exists, ignore. Otherwise:

 type Metrics struct {
   Storage   *MetricsStorage   `json:"storage,omitempty"`
   Resources *MetricsResources `json:"resources,omitempty"`
   // Replicas specifies the number of replicas in monitoringstack, default is 2 if not set
-  Replicas int32 `json:"replicas,omitempty"`
+  // +kubebuilder:default=2
+  Replicas int32 `json:"replicas,omitempty"`
}

If you keep the comment only, please confirm no webhook/CR admission relies on a CRD default.


107-111: Align Size type with other resource sizes (use resource.Quantity).

Metrics uses resource.Quantity; tracing size should too for consistency and validation.

-  // +optional
-  Size string `json:"size,omitempty"`
+  // +optional
+  Size resource.Quantity `json:"size,omitempty"`
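
Review bot: `omitempty` has no effect on the non-pointer `resource.Quantity` in the added `Size` line, because it is a struct, so an unset `Size` serializes as `"0"` instead of being omitted. Use `*resource.Quantity` if the field must stay optional.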

Note: This is a schema change; update any examples/tests accordingly.


117-120: Consider making metrics and traces retention types consistent.

Metrics uses string (“90d”); traces uses metav1.Duration. Pick one for UX consistency (prefer Duration for stricter validation).

If you switch metrics to Duration later, remember to add a conversion or handle existing CRs.


84-85: Optional: add URI format validation for status URL.

Improves kubectl UX and early feedback.

 type MonitoringStatus struct {
   common.Status `json:",inline"`
 
-  URL string `json:"url,omitempty"`
+  // +kubebuilder:validation:Format=uri
+  URL string `json:"url,omitempty"`
 }

139-147: Fix copy/paste and message text in field comments/validation.

-// MonitoringCommonSpec spec defines the shared desired state of Dashboard
+// MonitoringCommonSpec defines the shared desired state of Monitoring
 ...
-// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="MonitoringNamespace is immutable"
+// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="Namespace is immutable"
rhoai-config/samples/datasciencecluster_v1_datasciencecluster.yaml (1)

19-33: Expand inline YAML for readability and diff-ability.

The kserve block uses inline JSON-style mappings, which are harder to maintain and review. Prefer expanded YAML.

-    kserve: {
-      managementState: "Managed",
-      nim: {
-        managementState: "Managed"
-      },
-      serving: {
-        ingressGateway: {
-          certificate: {
-            type: OpenshiftDefaultIngress
-          }
-        },
-        name: "knative-serving",
-        managementState: "Managed"
-      }
-    }
+    kserve:
+      managementState: "Managed"
+      nim:
+        managementState: "Managed"
+      serving:
+        ingressGateway:
+          certificate:
+            type: OpenshiftDefaultIngress
+        name: "knative-serving"
+        managementState: "Managed"

get_all_manifests.sh (3)

22-22: Quote VERSION and escape the dot in sed.

Avoid word-splitting and ensure the dot matches a literal period.

-    DEFAULT_REF="rhoai-$(echo $VERSION | sed 's/\([0-9]\+\).\([0-9]\+\).*/\1.\2/')"
+    DEFAULT_REF="rhoai-$(echo "${VERSION}" | sed 's/\([0-9]\+\)\.\([0-9]\+\).*/\1.\2/')"
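
Review bot: In the replacement line, `\+` is a GNU extension to basic regular expressions and is not portable to other `sed` implementations; `sed -E 's/([0-9]+)\.([0-9]+).*/\1.\2/'` is. The expression also passes a `VERSION` that does not match straight through, so `DEFAULT_REF` becomes `rhoai-` plus the raw value. Since that string selects the git ref the manifests are fetched from, reject a non-matching `VERSION` explicitly.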

100-111: Harden quoting and copying; include dotfiles and handle empty dirs.

Safer quoting prevents globbing/word-splitting; prefer cp -a src/. dest over *.

-    local git_fetch="git fetch -q --depth 1 $repo"
+    local git_fetch="git fetch -q --depth 1 ${repo}"
@@
-    mkdir -p $dir
-    pushd $dir &>/dev/null
+    mkdir -p "${dir}"
+    pushd "${dir}" &>/dev/null
@@
-    git reset -q --hard FETCH_HEAD
+    git reset -q --hard FETCH_HEAD
@@
-    git_fetch_ref ${repo_url} ${repo_ref} ${repo_dir}
+    git_fetch_ref "${repo_url}" "${repo_ref}" "${repo_dir}"
@@
-    mkdir -p ./opt/manifests/${target_path}
-    cp -rf ${repo_dir}/${source_path}/* ./opt/manifests/${target_path}
+    mkdir -p "./opt/manifests/${target_path}"
+    cp -a "${repo_dir}/${source_path}/." "./opt/manifests/${target_path}"
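
Review bot: Two of the changes here have no effect: the `git reset -q --hard FETCH_HEAD` pair removes and re-adds an identical line, and `${repo}` inside the double-quoted `git_fetch` string expands exactly as `$repo` did. Drop the no-op pair from the diff. If `git_fetch` is later expanded unquoted to run the command, the URL is still subject to word splitting, and building the command as an array would be the fix.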

Also applies to: 135-139


141-146: Declare the PIDs array explicitly (minor clarity).

Bash will create an array with +=, but an explicit declaration matches the comment and avoids ambiguity.

-# Track background job PIDs +declare -a pids=()
+# Track background job PIDs
+declare -a pids=()

Dockerfiles/bundle.Dockerfile (1)

37-38: Avoid building the RHOAI bundle in the ODH bundle Dockerfile.

This Dockerfile copies only odh-bundle artifacts into the final image; the extra make bundle ODH_PLATFORM_TYPE=rhoai adds build time without contributing outputs.

 RUN VERSION=$OPERATOR_VERSION make bundle
-RUN VERSION=$OPERATOR_VERSION make bundle ODH_PLATFORM_TYPE=rhoai
rhoai-config/rbac/auth_proxy_service.yaml (2)

10-13: Confirm targetPort name matches the sidecar’s containerPort name.

Service targets named port "http" at 8443. Kube-rbac-proxy commonly exposes a named port "https" on 8443. If your sidecar uses "https", update both fields accordingly.

Proposed change if the sidecar port is "https":

-  - name: http
-    port: 8443
-    protocol: TCP
-    targetPort: http
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https

14-15: Double-check selector-to-pod labels.

Selector uses name=rhods-operator. Ensure the Deployment pod template sets the same label, or switch to app.kubernetes.io/* labels for consistency.

rhoai-config/default/manager_auth_proxy_patch.yaml (1)

1-2: Nit: comment grammar.

“This patch inject a sidecar…” → “injects”.

-# This patch inject a sidecar container which is a HTTP proxy for the
+# This patch injects a sidecar container which is an HTTP proxy for the
rhoai-config/rbac/kustomization.yaml (1)

26-29: Indentation consistency in delete patch.

metadata’s children are over-indented relative to other patches. YAML likely parses, but align for readability and to avoid accidental mistakes.

-      metadata:
-          name: controller-manager
-          namespace: system
+      metadata:
+        name: controller-manager
+        namespace: system

rhoai-config/default/manager_webhook_patch.yaml (2)

18-26: Verify Secret name and consider parameterizing for overlays.

Secret redhat-ods-operator-controller-webhook-cert must exist in the Deployment’s namespace. If different overlays rename the operator or cert, this will drift. Consider a kustomize var/patch to derive the secret name from the operator name, or document this coupling.

Possible guarded change (only if you standardize a var WEBHOOK_CERT_SECRET via kustomize):

-          secretName: redhat-ods-operator-controller-webhook-cert
+          secretName: $(WEBHOOK_CERT_SECRET)
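
Review bot: `secretName: $(WEBHOOK_CERT_SECRET)` is substituted only if that field path is covered by kustomize's var-reference configuration; if it is not, the Deployment ends up pointing at a Secret literally named `$(WEBHOOK_CERT_SECRET)`. Confirm the field path is configured alongside the var definition, or use a `replacements` entry instead.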

10-22: Harden the container per security best practices (addresses CKV_K8S_20, CKV_K8S_23).

Add a securityContext to prevent privilege escalation, drop capabilities, and prefer non-root execution.

       - name: rhods-operator
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+              - ALL
         ports:
           - containerPort: 9443
             name: webhook-server
             protocol: TCP
           - containerPort: 8080
             name: http
             protocol: TCP

api/components/v1alpha1/rhoai_modelregistry_types.go (4)

42-47: Namespace validation looks correct; consider whether empty should be allowed.

Pattern/max length match namespace rules. If empty should never be user-specified (given a default), add +kubebuilder:validation:MinLength=1 and drop omitempty. Otherwise, keep as-is.


68-74: Resource annotations: add discoverability niceties (optional).

Consider adding short name and categories to ease kubectl/oc UX.

Apply within the existing resource marker:

-// +kubebuilder:resource:scope=Cluster
+// +kubebuilder:resource:scope=Cluster,shortName=mr,categories={odh,rhoai}

121-123: Simplify immutability rule (defaulting makes the empty-old-value clause redundant).

Because a default is set on registriesNamespace, oldSelf.registriesNamespace == '' will rarely (if ever) be true after creation. The rule can be simplified without changing intent.

-// +kubebuilder:validation:XValidation:rule="(self.managementState != 'Managed') || (oldSelf.registriesNamespace == '') || (oldSelf.managementState != 'Managed')|| (self.registriesNamespace == oldSelf.registriesNamespace)",message="RegistriesNamespace is immutable when model registry is Managed"
+// +kubebuilder:validation:XValidation:rule="(self.managementState != 'Managed') || (oldSelf.managementState != 'Managed') || (self.registriesNamespace == oldSelf.registriesNamespace)",message="RegistriesNamespace is immutable when model registry is Managed"
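
Review bot: Dropping the `oldSelf.registriesNamespace == ''` clause makes the rule reject the first assignment of `registriesNamespace` on any Managed object that was stored with the field empty. That is safe only if no such object can exist; confirm the default was present in every version that could have persisted one, otherwise keep the clause.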

133-137: Status struct embeds ManagementSpec—intentional?

Embedding ManagementSpec inside status is atypical but fine if you want to surface the management state in DSC status. Confirm consumers rely on it; otherwise consider mirroring only as fields you truly need.

rhoai-config/crd/patches/cainjection_in_services_monitorings.yaml (2)

1-1: Nit: hyphenate “cert-manager” in the comment.
For consistency with upstream naming.

-# The following patch adds a directive for certmanager to inject CA into the CRD
+# The following patch adds a directive for cert-manager to inject CA into the CRD

5-7: Consider adding the Secret-based CA injection annotation for broader compatibility.
Some clusters rely on inject-ca-from-secret. Safe to include both; if your Certificate’s secretName differs from its name, wire a $(CERTIFICATE_SECRET_NAME) variable instead.

   annotations:
     cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
+    cert-manager.io/inject-ca-from-secret: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
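
Review bot: The added `cert-manager.io/inject-ca-from-secret` value reuses `$(CERTIFICATE_NAME)`, which names the Certificate rather than its Secret, so it is correct only when the two names coincide. cert-manager also injects from a Secret only when that Secret carries the `cert-manager.io/allow-direct-injection: "true"` annotation; without it this annotation does nothing. Use a dedicated secret-name variable and confirm the Secret is annotated, or leave the line out.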

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between a73d74d and 9644306.

📒 Files selected for processing (107)
  • .dockerignore (1 hunks)
  • .github/scripts/update-versions.sh (1 hunks)
  • .github/workflows/build-push-images-on-pr-update.yaml (1 hunks)
  • .github/workflows/prometheus-unit-tests.yaml (1 hunks)
  • .github/workflows/release-staging.yaml (1 hunks)
  • .github/workflows/run-integration-tests.yaml (2 hunks)
  • .gitignore (2 hunks)
  • Dockerfiles/Dockerfile (1 hunks)
  • Dockerfiles/build-bundle.Dockerfile (1 hunks)
  • Dockerfiles/bundle.Dockerfile (2 hunks)
  • Dockerfiles/rhoai-bundle.Dockerfile (1 hunks)
  • Dockerfiles/rhoai.Dockerfile (1 hunks)
  • Makefile (7 hunks)
  • api/components/v1alpha1/modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_modelregistry_types.go (1 hunks)
  • api/components/v1alpha1/rhoai_workbenches_types.go (1 hunks)
  • api/components/v1alpha1/workbenches_types.go (1 hunks)
  • api/dscinitialization/v1/dscinitialization_types.go (1 hunks)
  • api/dscinitialization/v1/rhoai_dscinitialization_types.go (1 hunks)
  • api/services/v1alpha1/monitoring_types.go (1 hunks)
  • api/services/v1alpha1/rhoai_monitoring_types.go (1 hunks)
  • bundle/manifests/components.platform.opendatahub.io_codeflares.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_dashboards.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kserves.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_kueues.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_rays.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_trustyais.yaml (0 hunks)
  • bundle/manifests/components.platform.opendatahub.io_workbenches.yaml (0 hunks)
  • bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml (0 hunks)
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml (0 hunks)
  • bundle/manifests/features.opendatahub.io_featuretrackers.yaml (0 hunks)
  • bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml (0 hunks)
  • bundle/manifests/opendatahub-operator-controller-manager-metrics-service_v1_service.yaml (0 hunks)
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml (0 hunks)
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml (0 hunks)
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml (0 hunks)
  • bundle/manifests/services.platform.opendatahub.io_auths.yaml (0 hunks)
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml (0 hunks)
  • bundle/metadata/annotations.yaml (0 hunks)
  • bundle/tests/scorecard/config.yaml (0 hunks)
  • config/crd/bases/_.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml (0 hunks)
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml (0 hunks)
  • config/crd/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml (0 hunks)
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml (0 hunks)
  • config/crd/bases/features.opendatahub.io_featuretrackers.yaml (0 hunks)
  • config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml (0 hunks)
  • config/crd/bases/services.platform.opendatahub.io_auths.yaml (0 hunks)
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml (0 hunks)
  • config/crd/external/config.openshift.io_authentications.yaml (0 hunks)
  • config/crd/external/operators.coreos.com_catalogsources.yaml (0 hunks)
  • config/crd/external/operators.coreos.com_operatorconditions.yaml (0 hunks)
  • config/crd/external/route.openshift.io_routes.yaml (0 hunks)
  • config/crd/external/user.openshift.io_groups.yaml (0 hunks)
  • config/crd/external/user.openshift.io_identities.yaml (0 hunks)
  • config/crd/external/user.openshift.io_useridentitymappings.yaml (0 hunks)
  • config/crd/external/user.openshift.io_users.yaml (0 hunks)
  • config/rbac/role.yaml (0 hunks)
  • config/webhook/manifests.yaml (0 hunks)
  • docs/integration-testing.md (2 hunks)
  • get_all_manifests.sh (1 hunks)
  • hack/update-catalog-template.sh (1 hunks)
  • odh-config/manager/manager.yaml (1 hunks)
  • rhoai-config/crd/kustomization.yaml (1 hunks)
  • rhoai-config/crd/kustomizeconfig.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_services_auths.yaml (1 hunks)
  • rhoai-config/crd/patches/cainjection_in_services_monitorings.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_datasciencecluster_datascienceclusters.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_dscinitialization_dscinitializations.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_services_auths.yaml (1 hunks)
  • rhoai-config/crd/patches/webhook_in_services_monitorings.yaml (1 hunks)
  • rhoai-config/default/kustomization.yaml (1 hunks)
  • rhoai-config/default/manager_auth_proxy_patch.yaml (1 hunks)
  • rhoai-config/default/manager_webhook_patch.yaml (1 hunks)
  • rhoai-config/manager/kustomization.yaml.in (1 hunks)
  • rhoai-config/manager/manager.yaml (1 hunks)
  • rhoai-config/manifests/bases/rhods-operator.clusterserviceversion.yaml (1 hunks)
  • rhoai-config/manifests/description-patch.yml (1 hunks)
  • rhoai-config/manifests/kustomization.yaml (1 hunks)
  • rhoai-config/rbac/auth_proxy_client_clusterrole.yaml (1 hunks)
  • rhoai-config/rbac/auth_proxy_service.yaml (1 hunks)
  • rhoai-config/rbac/kustomization.yaml (1 hunks)
  • rhoai-config/rbac/role_binding.yaml (1 hunks)
  • rhoai-config/samples/datasciencecluster_v1_datasciencecluster.yaml (1 hunks)
⛔ Files not processed due to max files limit (6)
  • rhoai-config/samples/dscinitialization_v1_dscinitialization.yaml
  • rhoai-config/samples/kustomization.yaml
  • rhoai-config/samples/services_v1alpha1_auth.yaml
  • rhoai-config/webhook/kustomization.yaml
  • rhoai-config/webhook/kustomizeconfig.yaml
  • rhoai-config/webhook/service.yaml
💤 Files with no reviewable changes (57)
  • bundle/manifests/components.platform.opendatahub.io_kueues.yaml
  • bundle/manifests/opendatahub-operator-controller-manager-metrics-service_v1_service.yaml
  • config/crd/external/user.openshift.io_identities.yaml
  • config/rbac/role.yaml
  • bundle/manifests/components.platform.opendatahub.io_workbenches.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelcontrollers.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelregistries.yaml
  • bundle/manifests/components.platform.opendatahub.io_datasciencepipelines.yaml
  • config/crd/bases/components.platform.opendatahub.io_workbenches.yaml
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrolebinding.yaml
  • bundle/manifests/components.platform.opendatahub.io_feastoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelcontrollers.yaml
  • config/webhook/manifests.yaml
  • bundle/manifests/services.platform.opendatahub.io_monitorings.yaml
  • bundle/manifests/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd/bases/_.yaml
  • bundle/manifests/opendatahub-operator.clusterserviceversion.yaml
  • config/crd/external/user.openshift.io_useridentitymappings.yaml
  • config/crd/bases/components.platform.opendatahub.io_feastoperators.yaml
  • config/crd/bases/services.platform.opendatahub.io_monitorings.yaml
  • config/crd/bases/components.platform.opendatahub.io_codeflares.yaml
  • bundle/tests/scorecard/config.yaml
  • config/crd/bases/components.platform.opendatahub.io_llamastackoperators.yaml
  • bundle/metadata/annotations.yaml
  • config/crd/bases/components.platform.opendatahub.io_trustyais.yaml
  • bundle/manifests/services.platform.opendatahub.io_auths.yaml
  • config/crd/external/user.openshift.io_groups.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelregistries.yaml
  • config/crd/bases/components.platform.opendatahub.io_datasciencepipelines.yaml
  • config/crd/bases/components.platform.opendatahub.io_trainingoperators.yaml
  • bundle/manifests/components.platform.opendatahub.io_codeflares.yaml
  • bundle/manifests/components.platform.opendatahub.io_dashboards.yaml
  • bundle/manifests/components.platform.opendatahub.io_rays.yaml
  • bundle/manifests/components.platform.opendatahub.io_trainingoperators.yaml
  • config/crd/bases/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • config/crd/external/route.openshift.io_routes.yaml
  • bundle/manifests/components.platform.opendatahub.io_trustyais.yaml
  • config/crd/external/operators.coreos.com_operatorconditions.yaml
  • config/crd/bases/components.platform.opendatahub.io_kserves.yaml
  • config/crd/external/operators.coreos.com_catalogsources.yaml
  • bundle/manifests/components.platform.opendatahub.io_modelmeshservings.yaml
  • config/crd/bases/components.platform.opendatahub.io_rays.yaml
  • bundle/manifests/features.opendatahub.io_featuretrackers.yaml
  • config/crd/bases/services.platform.opendatahub.io_auths.yaml
  • config/crd/bases/components.platform.opendatahub.io_kueues.yaml
  • config/crd/external/user.openshift.io_users.yaml
  • config/crd/external/config.openshift.io_authentications.yaml
  • config/crd/bases/features.opendatahub.io_featuretrackers.yaml
  • bundle/manifests/components.platform.opendatahub.io_kserves.yaml
  • bundle/manifests/infrastructure.opendatahub.io_hardwareprofiles.yaml
  • bundle/manifests/prometheus-k8s-viewer_rbac.authorization.k8s.io_v1_clusterrole.yaml
  • config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml
  • config/crd/bases/components.platform.opendatahub.io_modelmeshservings.yaml
  • bundle/manifests/components.platform.opendatahub.io_llamastackoperators.yaml
  • config/crd/bases/components.platform.opendatahub.io_dashboards.yaml
  • bundle/manifests/datasciencecluster.opendatahub.io_datascienceclusters.yaml
  • config/crd/bases/datasciencecluster.opendatahub.io_datascienceclusters.yaml
🚧 Files skipped from review as they are similar to previous changes (34)
  • rhoai-config/manager/kustomization.yaml.in
  • rhoai-config/crd/patches/webhook_in_dscinitialization.opendatahub.io_dscinitializations.yaml
  • odh-config/manager/manager.yaml
  • api/dscinitialization/v1/dscinitialization_types.go
  • api/services/v1alpha1/monitoring_types.go
  • rhoai-config/crd/patches/cainjection_in_datasciencecluster_datascienceclusters.yaml
  • .github/workflows/release-staging.yaml
  • Dockerfiles/build-bundle.Dockerfile
  • rhoai-config/crd/patches/webhook_in_datasciencecluster_datascienceclusters.yaml
  • rhoai-config/crd/patches/webhook_in_services_monitorings.yaml
  • .github/workflows/build-push-images-on-pr-update.yaml
  • hack/update-catalog-template.sh
  • api/components/v1alpha1/workbenches_types.go
  • rhoai-config/crd/patches/webhook_in_dscinitialization_dscinitializations.yaml
  • api/components/v1alpha1/modelregistry_types.go
  • Dockerfiles/Dockerfile
  • rhoai-config/manifests/description-patch.yml
  • .github/workflows/prometheus-unit-tests.yaml
  • rhoai-config/crd/patches/cainjection_in_services_auths.yaml
  • rhoai-config/crd/kustomizeconfig.yaml
  • Dockerfiles/rhoai.Dockerfile
  • rhoai-config/manager/manager.yaml
  • rhoai-config/crd/patches/cainjection_in_dscinitialization_dscinitializations.yaml
  • .dockerignore
  • .github/scripts/update-versions.sh
  • api/components/v1alpha1/rhoai_workbenches_types.go
  • rhoai-config/crd/patches/webhook_in_services_auths.yaml
  • Dockerfiles/rhoai-bundle.Dockerfile
  • rhoai-config/crd/kustomization.yaml
  • api/dscinitialization/v1/rhoai_dscinitialization_types.go
  • rhoai-config/default/kustomization.yaml
  • .github/workflows/run-integration-tests.yaml
  • rhoai-config/crd/patches/cainjection_in_dscinitialization.opendatahub.io_dscinitializations.yaml
  • rhoai-config/manifests/bases/rhods-operator.clusterserviceversion.yaml
🧰 Additional context used
🧠 Learnings (14)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
📚 Learning: 2025-08-14T14:00:35.037Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-config/rbac/role.yaml:77-81
Timestamp: 2025-08-14T14:00:35.037Z
Learning: The RBAC configurations in odh-config/rbac/role.yaml and rhoai-config/rbac/role.yaml are intentionally different (as of this PR). The rhoai-config variant uses metadata.name: rhods-operator-role while odh-config uses controller-manager-role, and they may have different permission sets. These differences should not be flagged as drift issues during code review.

Applied to files:

  • rhoai-config/rbac/kustomization.yaml
  • rhoai-config/rbac/auth_proxy_service.yaml
  • rhoai-config/rbac/auth_proxy_client_clusterrole.yaml
  • rhoai-config/rbac/role_binding.yaml
  • rhoai-config/manifests/kustomization.yaml
  • Makefile
  • docs/integration-testing.md
  • rhoai-config/default/manager_auth_proxy_patch.yaml
📚 Learning: 2025-08-14T13:59:44.732Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/rbac/role.yaml:18-33
Timestamp: 2025-08-14T13:59:44.732Z
Learning: RBAC files in rhoai-config/rbac/ are generated and should not be manually edited. Issues with RBAC rules should be addressed in the generation tooling, not the manifests themselves.

Applied to files:

  • rhoai-config/rbac/kustomization.yaml
  • rhoai-config/rbac/auth_proxy_service.yaml
  • rhoai-config/rbac/role_binding.yaml
📚 Learning: 2025-08-13T21:03:04.317Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.

Applied to files:

  • rhoai-config/rbac/kustomization.yaml
  • rhoai-config/manifests/kustomization.yaml
  • api/services/v1alpha1/rhoai_monitoring_types.go
  • Makefile
  • .gitignore
📚 Learning: 2025-08-15T19:41:15.838Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml:821-837
Timestamp: 2025-08-15T19:41:15.838Z
Learning: ClusterServiceVersion files (like rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml) are generated content and should not be manually edited. Any RBAC or other changes should be made to the source files that generate the CSV.

Applied to files:

  • rhoai-config/rbac/auth_proxy_service.yaml
  • rhoai-config/samples/datasciencecluster_v1_datasciencecluster.yaml
  • rhoai-config/rbac/auth_proxy_client_clusterrole.yaml
  • rhoai-config/rbac/role_binding.yaml
  • rhoai-config/manifests/kustomization.yaml
📚 Learning: 2025-08-26T07:45:19.984Z
Learnt from: lburgazzoli
PR: opendatahub-io/opendatahub-operator#2010
File: internal/controller/services/servicemesh/servicemesh_controller_actions.go:264-274
Timestamp: 2025-08-26T07:45:19.984Z
Learning: In the opendatahub-operator codebase, rr.DSCI is guaranteed to be non-nil when ServiceMesh controller action functions are called, as shown in pkg/controller/reconciler/reconciler.go lines 292-298 where the reconciler populates the DSCI field before executing actions.

Applied to files:

  • rhoai-config/samples/datasciencecluster_v1_datasciencecluster.yaml
📚 Learning: 2025-08-15T19:39:14.673Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: get_all_manifests.sh:22-34
Timestamp: 2025-08-15T19:39:14.673Z
Learning: In the opendatahub-operator repository, the VERSION format used in get_all_manifests.sh does not include prefixes (like 'v') or dashes. The version follows a simple format without these additional characters.

Applied to files:

  • get_all_manifests.sh
📚 Learning: 2025-08-13T21:03:23.347Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.347Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.

Applied to files:

  • Makefile
  • .gitignore
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • Makefile
  • .gitignore
📚 Learning: 2025-08-15T19:40:21.860Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:116-118
Timestamp: 2025-08-15T19:40:21.860Z
Learning: In the opendatahub-operator repository, the CSV manifest uses REPLACE_IMAGE:latest as a placeholder image reference intentionally, as the CI pipeline depends on this placeholder and replaces it with the actual operator image during the build process.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:04:32.696Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: .github/workflows/prometheus-unit-tests.yaml:5-5
Timestamp: 2025-08-13T21:04:32.696Z
Learning: In the opendatahub-operator repository, prometheus monitoring configurations are shared between ODH and RHOAI platforms. The prometheus directory only exists in odh-config/monitoring/prometheus/, not in rhoai-config. Both platforms reference the same prometheus manifests from the odh-config location.

Applied to files:

  • Makefile
  • docs/integration-testing.md
📚 Learning: 2025-08-13T14:40:18.443Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/bases/services.platform.opendatahub.io_servicemeshes.yaml:114-114
Timestamp: 2025-08-13T14:40:18.443Z
Learning: In the opendatahub-operator repository, CRD files under config/crd/bases/ are auto-generated files (using `make generate manifests api-docs` command), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes in Go structs/kubebuilder annotations rather than direct YAML modifications.

Applied to files:

  • Makefile
  • .gitignore
📚 Learning: 2025-08-13T18:07:20.881Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:264-338
Timestamp: 2025-08-13T18:07:20.881Z
Learning: Bundle manifest files (like bundle/manifests/*.yaml) in operator projects are typically generated artifacts, not source files. RBAC and permission issues should be addressed in the source configurations (config/rbac/, CSV base templates, etc.) that generate these bundles, not in the generated files themselves.

Applied to files:

  • Makefile
  • .gitignore
📚 Learning: 2025-05-27T11:28:21.229Z
Learnt from: AjayJagan
PR: opendatahub-io/opendatahub-operator#1990
File: Dockerfiles/catalog.Dockerfile:6-6
Timestamp: 2025-05-27T11:28:21.229Z
Learning: The file `Dockerfiles/catalog.Dockerfile` in the opendatahub-operator repository is autogenerated and should not be manually modified.

Applied to files:

  • .gitignore
🧬 Code graph analysis (3)
api/components/v1alpha1/rhoai_modelregistry_types.go (1)
api/common/types.go (7)
  • PlatformObject (188-192)
  • DevFlagsSpec (36-40)
  • ComponentReleaseStatus (162-168)
  • Status (132-140)
  • Condition (71-129)
  • ComponentRelease (152-158)
  • ManagementSpec (12-23)
get_all_manifests.sh (1)
pkg/cluster/const.go (1)
  • OpenDataHub (11-11)
api/services/v1alpha1/rhoai_monitoring_types.go (1)
api/common/types.go (4)
  • PlatformObject (188-192)
  • Status (132-140)
  • Condition (71-129)
  • ManagementSpec (12-23)
🪛 checkmake (0.2.2)
Makefile

[warning] 194-194: Target "output" should be declared PHONY.

(phonydeclared)

🪛 LanguageTool
docs/integration-testing.md

[grammar] ~19-~19: There might be a mistake here.
Context: ...andrhoai-bundle/ directory changes) - **Operator Configuration** (odh-config/` ...

(QB_NEW_EN)


[grammar] ~20-~20: There might be a mistake here.
Context: ...andrhoai-config/ directory changes) - **Feature Framework** (pkg/feature/` chan...

(QB_NEW_EN)

🪛 Checkov (3.2.334)
rhoai-config/default/manager_auth_proxy_patch.yaml

[MEDIUM] 3-16: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 3-16: Minimize the admission of root containers

(CKV_K8S_23)

rhoai-config/default/manager_webhook_patch.yaml

[MEDIUM] 1-26: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[MEDIUM] 1-26: Minimize the admission of root containers

(CKV_K8S_23)

🔇 Additional comments (21)
rhoai-config/manifests/kustomization.yaml (3)

1-5: Kustomize header looks correct.

apiVersion/kind are appropriate for Kustomize. No issues.


7-8: CSV base + patching approach is appropriate.

Referencing a generated CSV base and applying description patches aligns with the “don’t hand-edit CSV” practice noted for this repo. Keep generation sources authoritative; use patches here for overlay tweaks.


6-12: Verification Required: Confirm Kustomize Build Output

All resource paths in rhoai-config/manifests/kustomization.yaml exist, but we still need to ensure the final bundle is shaped correctly. Please run the following in your local environment and verify:

cd rhoai-config/manifests
kustomize build . > /tmp/rhoai-manifests.yaml

# 1. Ensure the ClusterServiceVersion is included
rg -n 'kind:\s*ClusterServiceVersion' /tmp/rhoai-manifests.yaml

# 2. Ensure alm-examples are populated in the CSV
rg -n 'alm-examples' /tmp/rhoai-manifests.yaml

# 3. Confirm no standalone Sample or other test CRs are emitted
rg -nP '^\s*kind:\s*(DSCInitialization|KfDef|.*Sample)' /tmp/rhoai-manifests.yaml || echo "No stray Sample CRs"

• Verify that only the CSV includes the sample definitions under alm-examples and that no Sample CRs (or similar test resources) appear as separate manifests.
• Report any missing entries or unexpected resources.

api/services/v1alpha1/rhoai_monitoring_types.go (2)

1-1: Build tag is correctly scoped to RHOAI builds.

Matches the repo’s RHOAI convention and resolves earlier inconsistency.


122-129: CRD markers look good; singleton constraints and printcolumns are clear.

No issues spotted with scope/printing/XValidation.

rhoai-config/samples/datasciencecluster_v1_datasciencecluster.yaml (1)

25-29: Certificate type enum spelling is correct

The certificate.type value “OpenshiftDefaultIngress” exactly matches the enum defined in api/infrastructure/v1/cert_types.go (line 8) and in the ClusterServiceVersion manifest (line 56) as the valid enum value. No change is required.

docs/integration-testing.md (1)

19-20: Paths updated correctly to odh-/rhoai- bundle and config.

Looks good and consistent with the repo layout changes.

Makefile (2)

285-289: Nice: platform-aware kustomize image substitution.

Using $(CONFIG_DIR)/manager and replacing REPLACE_IMAGE keeps ODH/RHOAI flows clean.


197-202: Controller-gen outputs parameterization is solid.

Directing CRD/RBAC/Webhook outputs to $(CONFIG_DIR) with build tags aligns with the dual-platform build.

rhoai-config/rbac/auth_proxy_client_clusterrole.yaml (1)

4-9: LGTM: minimal, correct metrics reader ClusterRole.

Non-resource URL "/metrics" with get is correct; naming aligns with RHOAI.

rhoai-config/default/manager_auth_proxy_patch.yaml (1)

11-16: Missing kube-rbac-proxy sidecar
I searched the rhoai-config overlays (and the entire repo) and found no definition of a kube-rbac-proxy container. Without that sidecar, metrics bound to 8443 will fail. Please confirm one of the following:

  • A base manifest or another overlay injects the kube-rbac-proxy container at render time.
  • You need to add a kube-rbac-proxy sidecar to rhoai-config/default/manager_auth_proxy_patch.yaml.
rhoai-config/rbac/kustomization.yaml (2)

3-8: Resource layering approach looks sound.

Including ../../odh-config/rbac then pruning/replacing via patches is a reasonable pattern for RHOAI deltas.


31-41: Name collision check.

You delete ClusterRole metrics-reader and add redhat-ods-operator-metrics-reader elsewhere. Good. Just confirm no consumers still reference the old name.

rhoai-config/rbac/role_binding.yaml (1)

8-12: Missing ClusterRole and ServiceAccount Definitions in rhoai-config Overlay

The RoleBinding in rhoai-config/rbac/role_binding.yaml references:

  • ClusterRole rhods-operator-role
  • ServiceAccount redhat-ods-operator-controller-manager (namespace: system)

However, neither resource is defined in this overlay:

• No ClusterRole named rhods-operator-role found under rhoai-config/rbac – you need to add a file (e.g. role.yaml) defining this ClusterRole.
• No ServiceAccount redhat-ods-operator-controller-manager in any rhoai-config overlay – create it (e.g. in rbac/service_account.yaml) before referencing it in the RoleBinding.

Please add or import these resources so the RoleBinding can be applied successfully.

⛔ Skipped due to learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-config/rbac/role.yaml:77-81
Timestamp: 2025-08-14T14:00:35.037Z
Learning: The RBAC configurations in odh-config/rbac/role.yaml and rhoai-config/rbac/role.yaml are intentionally different (as of this PR). The rhoai-config variant uses metadata.name: rhods-operator-role while odh-config uses controller-manager-role, and they may have different permission sets. These differences should not be flagged as drift issues during code review.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/rbac/role.yaml:18-33
Timestamp: 2025-08-14T13:59:44.732Z
Learning: RBAC files in rhoai-config/rbac/ are generated and should not be manually edited. Issues with RBAC rules should be addressed in the generation tooling, not the manifests themselves.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml:821-837
Timestamp: 2025-08-15T19:41:15.838Z
Learning: ClusterServiceVersion files (like rhoai-bundle/manifests/rhods-operator.clusterserviceversion.yaml) are generated content and should not be manually edited. Any RBAC or other changes should be made to the source files that generate the CSV.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.347Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
rhoai-config/default/manager_webhook_patch.yaml (2)

11-17: Ports and naming look good.

webhook-server on 9443 and http on 8080 align with controller-runtime defaults and common probes.


3-4: Patch target names verified as correct

All overlays consistently target the matching base Deployment names, so the strategic-merge patches will apply cleanly without creating duplicates or no-ops.

• rhoai-config
– Base: rhoai-config/manager/manager.yaml → Deployment name rhods-operator
– Patch: rhoai-config/default/manager_webhook_patch.yaml → targets rhods-operator

• odh-config
– Base: odh-config/manager/manager.yaml → Deployment name controller-manager
– Patches: odh-config/default/manager_webhook_patch.yaml and odh-config/default/manager_auth_proxy_patch.yaml → both target controller-manager

No inconsistencies or unintended duplicate Deployments detected.

api/components/v1alpha1/rhoai_modelregistry_types.go (4)

34-36: Good: compile-time interface conformance.

The PlatformObject assertion ensures breakages are caught at build-time. Keep.


84-106: Methods satisfy the platform interfaces.

GetDevFlags, GetStatus, conditions accessors, and release status accessors are coherent with common.PlatformObject.


68-71: Confirm cluster scope is intended.

scope=Cluster means a singleton cluster-scoped CR with name constraint below. Ensure controllers/watchers and RBAC align.


1-2: Build tag pairing for ModelRegistry verified

I’ve confirmed exactly two ModelRegistry struct definitions in the codebase and that they are correctly gated:

  • api/components/v1alpha1/modelregistry_types.go is guarded by //go:build !rhoai
  • api/components/v1alpha1/rhoai_modelregistry_types.go is guarded by //go:build rhoai

No other type ModelRegistry struct declarations were found under conflicting or duplicate build tags.

rhoai-config/crd/patches/cainjection_in_services_monitorings.yaml (1)

2-7: LGTM: Patch-based CA injection aligns with generated-CRD workflow.
Using a kustomize patch (vs. editing bases) matches the repo’s “generate then patch” approach for CRDs.

Comment on lines +104 to +105
// +kubebuilder:default:="pv"
Backend string `json:"backend"`

⚠️ Potential issue

Kubebuilder default annotation typo breaks defaulting for backend.

Use default="pv", not default:="pv".

- // +kubebuilder:default:="pv"
+ // +kubebuilder:default="pv"
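Review bot: on the `Backend` field this marker sits above, the tag `json:"backend"` has no `omitempty`, so a Go client that marshals the struct with the field unset sends `"backend": ""`, and a CRD default is applied only when the key is absent. Consider `json:"backend,omitempty"` alongside the marker edit, and regenerate the CRD under rhoai-config/crd/bases/ to confirm that `default: pv` appears for `backend` in the output.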
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// +kubebuilder:default:="pv"
Backend string `json:"backend"`
// +kubebuilder:default="pv"
Backend string `json:"backend"`
🤖 Prompt for AI Agents
In api/services/v1alpha1/rhoai_monitoring_types.go around lines 104-105, the
kubebuilder default annotation is malformed as `+kubebuilder:default:="pv"`
which prevents controller-runtime from applying the default; change the
annotation to `+kubebuilder:default="pv"` directly above the Backend field so
the CRD defaulting works as intended.

Makefile Outdated
Comment on lines 46 to 48
ifeq ($(VERSION), )
VERSION ?= 2.24.0
endif

⚠️ Potential issue

RHOAI default VERSION may remain empty due to use of '?=' inside an emptiness check.

Inside ifeq ($(VERSION), ), using VERSION ?= won’t assign if VERSION is defined-but-empty, leaving it blank and breaking downstream targets.

-	ifeq ($(VERSION), )
-		VERSION ?= 2.24.0
-	endif
+	ifeq ($(VERSION), )
+		VERSION = 2.24.0
+	endif
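Review bot: the replacement line `VERSION = 2.24.0` covers an empty VERSION inherited from the environment but not `make VERSION=` on the command line, because command-line variables take precedence over ordinary makefile assignments. If that invocation should also get the default, use `override VERSION = 2.24.0` inside the `ifeq` block.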
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ifeq ($(VERSION), )
VERSION ?= 2.24.0
endif
ifeq ($(VERSION), )
VERSION = 2.24.0
endif
🤖 Prompt for AI Agents
In Makefile around lines 46-48, the conditional uses ifeq ($(VERSION), ) but
then assigns VERSION with '?=' which does not set a value when VERSION is
defined-but-empty; change the assignment to a definitive one (e.g., VERSION =
2.24.0 or VERSION := 2.24.0) so the default is applied when VERSION is empty, or
alternatively tighten the check to ifeq ($(strip $(VERSION)),) if you prefer to
keep '?=' semantics.

metadata:
annotations:
cert-manager.io/inject-ca-from: $(CERTIFICATE_NAMESPACE)/$(CERTIFICATE_NAME)
name: monitorings.services.platform.opendatahub.io

💡 Verification agent

🧩 Analysis chain

Verify CRD name matches the base to ensure patch application.
Confirm monitorings.services.platform.opendatahub.io exists in rhoai-config bases/resources, or the patch will be a no-op.


🏁 Script executed:

#!/bin/bash
set -euo pipefail
# 1) Confirm the CRD exists
rg -nC2 -g '!*vendor*' -g '!**/node_modules/**' $'^kind: *CustomResourceDefinition' -n
rg -nC2 $'^  name: *monitorings\.services\.platform\.opendatahub\.io$' -g '!**/node_modules/**' -g '!*vendor*'
# 2) Ensure this patch is referenced by kustomization
fd -a kustomization.yaml rhoai-config | while read -r k; do
  echo ">>> $k"; rg -n 'cainjection_in_services_monitorings\.yaml' "$k" || true
done

Length of output: 17835


🏁 Script executed:

#!/bin/bash
# Display the contents of the CRD kustomization to see how patches are referenced
sed -n '1,200p' rhoai-config/crd/kustomization.yaml

Length of output: 2544


#!/bin/bash
set -euo pipefail
# Show the CRD metadata in the base to verify its name
sed -n '1,50p' rhoai-config/crd/bases/services.platform.opendatahub.io_monitorings.yaml

#!/bin/bash
set -euo pipefail

# Show apiVersion, kind, metadata.name in the base CRD to confirm its name
grep -nE '^(apiVersion|kind|metadata:|  name:)' -A1 rhoai-config/crd/bases/services.platform.opendatahub.io_monitorings.yaml

#!/bin/bash
set -euo pipefail

echo "=== Base CRD Definition ==="
sed -n '1,50p' rhoai-config/crd/bases/services.platform.opendatahub.io_monitorings.yaml

echo -e "\n=== Default Overlay kustomization.yaml ==="
sed -n '1,200p' rhoai-config/default/kustomization.yaml

#!/bin/bash
set -euo pipefail

echo "=== Default Overlay kustomization.yaml ==="
sed -n '1,200p' rhoai-config/default/kustomization.yaml

echo -e "\n=== Patch References in default overlay ==="
grep -R "cainjection_in_services_monitorings.yaml" -n rhoai-config/default

echo -e "\n=== Base CRD Name ==="
grep -nE "name:" rhoai-config/crd/bases/services.platform.opendatahub.io_monitorings.yaml | head -n10

Include and apply the CA-injection patch for the Monitorings CRD

The patch rhoai-config/crd/patches/cainjection_in_services_monitorings.yaml correctly targets the base CRD services.platform.opendatahub.io_monitorings.yaml (which defines monitorings.services.platform.opendatahub.io), but it isn’t currently enabled in any kustomization. To ensure Cert-Manager injects the CA as intended:

  • In rhoai-config/crd/kustomization.yaml, uncomment (or add) the cert-manager patch line for monitorings:
     # [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix.
     # patches here are for enabling the CA injection for each CRD
  • - patches/cainjection_in_monitorings.yaml

    • patches/cainjection_in_services_monitorings.yaml
  • Confirm that your overlay’s kustomization.yaml (e.g., in rhoai-config/default/) includes the CRD kustomization as a resource so that the patch is applied.

With these changes, the monitorings.services.platform.opendatahub.io patch will no longer be a no-op and Cert-Manager will inject the CA as expected.

🤖 Prompt for AI Agents
In rhoai-config/crd/patches/cainjection_in_services_monitorings.yaml around line
7, the CA-injection patch is present but not applied because
rhoai-config/crd/kustomization.yaml does not include it; update
rhoai-config/crd/kustomization.yaml to uncomment or add the cert-manager patch
entry referencing patches/cainjection_in_services_monitorings.yaml (ensure the
path and name match exactly), and then ensure your overlay kustomization (e.g.,
rhoai-config/default/kustomization.yaml) lists the crd kustomization under
resources so the CRD-level patch is included in the rendered output; after these
edits, re-run kustomize build/apply to verify the
monitorings.services.platform.opendatahub.io CRD receives the CA injection
patch.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

♻️ Duplicate comments (1)
Makefile (1)

360-369: Automate CSV containerImage substitution post-bundle gen

Prevents stale/placeholder containerImage annotations in CSV across platforms.

 bundle: prepare operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
 	$(OPERATOR_SDK) generate kustomize manifests --package $(OPERATOR_PACKAGE) --input-dir $(CONFIG_DIR)/manifests --output-dir $(CONFIG_DIR)/manifests -q
 	$(KUSTOMIZE) build $(CONFIG_DIR)/manifests | $(OPERATOR_SDK) generate bundle $(BUNDLE_GEN_FLAGS) --package $(OPERATOR_PACKAGE) --kustomize-dir $(CONFIG_DIR)/manifests --output-dir $(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
+	# Ensure CSV annotation containerImage matches the built image
+	sed -i 's#^\(\s*containerImage:\s*\).*#\1$(IMG)#' $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml
 	$(OPERATOR_SDK) bundle validate ./$(BUNDLE_DIR) 2>&1 | grep -v $(WARNINGMSG)
 	sed -i 's#COPY #COPY --from=builder /workspace/#' bundle.Dockerfile
 	cat Dockerfiles/build-bundle.Dockerfile bundle.Dockerfile > Dockerfiles/$(BUNDLE_DOCKERFILE_FILENAME)
 	rm bundle.Dockerfile
 	rm -f $(BUNDLE_DIR)/manifests/opendatahub-operator-webhook-service_v1_service.yaml
 	rm -f $(BUNDLE_DIR)/manifests/rhods-operator-webhook-service_v1_service.yaml
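Review bot: the added `sed -i` on the CSV exits 0 when no line matches `containerImage:`, so a generated CSV that lacks the annotation goes on to `bundle validate` with nothing flagged. Follow the substitution with a check that fails the target when the expected value is absent, for example `grep -q "containerImage: $(IMG)" $(BUNDLE_DIR)/manifests/*clusterserviceversion.yaml`. `$(IMG)` is also pasted unescaped into the sed program, so a value containing `#` or `&` would change the replacement, and `\s` is a GNU sed extension.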
🧹 Nitpick comments (3)
Makefile (3)

11-24: Defaulting IMG to REPLACE_IMAGE hampers local builds; gate placeholder behind a toggle

Using origin=file makes IMG default to REPLACE_IMAGE:latest even for dev flows, causing prepare/deploy/image-build to reference a non-pullable image. Prefer a simple, explicit switch.

Apply:

-ifeq ($(IMAGE_TAG_BASE), )
-	IMAGE_TAG_BASE = quay.io/opendatahub/opendatahub-operator
-endif
-
-# keep the name based on IMG which already used from command line
-ifeq ($(IMG_TAG), )
-	IMG_TAG = latest
-endif
-# Set image to REPLACE_IMAGE:latest unless IMAGE_TAG_BASE is provided
-ifeq ($(origin IMAGE_TAG_BASE), file)
-	IMG ?= REPLACE_IMAGE:latest
-else
-	IMG ?= $(IMAGE_TAG_BASE):$(IMG_TAG)
-endif
+IMAGE_TAG_BASE ?= quay.io/opendatahub/opendatahub-operator
+IMG_TAG        ?= latest
+# Use a placeholder only when explicitly requested (e.g., for CI CSV substitution).
+USE_PLACEHOLDER_IMG ?= false
+ifeq ($(USE_PLACEHOLDER_IMG), true)
+  IMG ?= REPLACE_IMAGE:latest
+else
+  IMG ?= $(IMAGE_TAG_BASE):$(IMG_TAG)
+endif
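Review bot: with `USE_PLACEHOLDER_IMG ?= false`, an invocation that passes neither IMG nor IMAGE_TAG_BASE now resolves IMG to quay.io/opendatahub/opendatahub-operator:latest, where the removed lines resolved it to REPLACE_IMAGE:latest. Any caller that relies on the placeholder reaching the generated manifests has to start passing USE_PLACEHOLDER_IMG=true, and nothing in this hunk updates or documents those callers. The `ifeq ($(USE_PLACEHOLDER_IMG), true)` test also matches only the exact string `true`, so `True` or `1` silently selects the real image; state the accepted values in the comment above the variable, or reject anything other than true and false.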

234-238: Avoid hardcoding OpenShift API pseudo-version in docs link

The sed line embeds a specific module pseudo-version; this will drift. Compute from go.mod to keep it evergreen.

Apply:

-	sed -i "s|](#managementstate)|](https://pkg.go.dev/github.com/openshift/[email protected]/operator/v1#ManagementState)|g" ./docs/api-overview.md
+	sed -i "s|](#managementstate)|](https://pkg.go.dev/$(OPENSHIFT_API_MODULE)@$(OPENSHIFT_API_MODULE_VERSION)/operator/v1#ManagementState)|g" ./docs/api-overview.md
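Review bot: the `+` line builds the URL from `$(OPENSHIFT_API_MODULE_VERSION)`, which the proposed definition fills from `$(shell go list -m ...)`; when `go list` fails, the shell function returns an empty string and the docs get a link containing `api@/operator/v1#ManagementState` with no error. Stop the target when the value is empty, for example with `$(if $(OPENSHIFT_API_MODULE_VERSION),,$(error cannot resolve $(OPENSHIFT_API_MODULE) version))` ahead of the sed. Because the definition uses `?=`, the variable is recursively expanded and `go list` runs on every reference, so resolving it once into a simply expanded variable is worth doing at the same time.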

Add (outside this block) near other “Tool Versions/Vars”:

OPENSHIFT_API_MODULE ?= github.com/openshift/api
OPENSHIFT_API_MODULE_VERSION ?= $(shell go list -m -f "{{ .Version }}" $(OPENSHIFT_API_MODULE))

285-289: Guard against placeholder IMG in prepare

If IMG stays REPLACE_IMAGE:latest, deploys will reference a non-pullable image. Fail fast in manager-kustomization.

 manager-kustomization: $(CONFIG_DIR)/manager/kustomization.yaml.in
-	cd $(CONFIG_DIR)/manager \
+	@if [ "$(IMG)" = "REPLACE_IMAGE:latest" ]; then echo "ERROR: IMG is REPLACE_IMAGE:latest. Set IMAGE_TAG_BASE/IMG or set USE_PLACEHOLDER_IMG=false."; exit 1; fi
+	cd $(CONFIG_DIR)/manager \
 		&& cp -f kustomization.yaml.in kustomization.yaml \
 		&& $(KUSTOMIZE) edit set image REPLACE_IMAGE=$(IMG)
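Review bot: the added `exit 1` check sits in `manager-kustomization`, which this comment places on the `prepare` path, and the `bundle` target shown earlier depends on `prepare`, so a `make bundle` run that keeps IMG at REPLACE_IMAGE:latest on purpose would now stop before any bundle is generated. Move the check to the targets that actually need a pullable image (install/deploy), or skip it when the placeholder was requested. The error text also tells the user to set USE_PLACEHOLDER_IMG=false, a variable that exists only if the separate IMG-defaulting suggestion is applied.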
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 9644306 and fccaa6c.

📒 Files selected for processing (1)
  • Makefile (7 hunks)
🧰 Additional context used
🧠 Learnings (9)
📓 Common learnings
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.
📚 Learning: 2025-08-14T14:00:35.037Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-config/rbac/role.yaml:77-81
Timestamp: 2025-08-14T14:00:35.037Z
Learning: The RBAC configurations in odh-config/rbac/role.yaml and rhoai-config/rbac/role.yaml are intentionally different (as of this PR). The rhoai-config variant uses metadata.name: rhods-operator-role while odh-config uses controller-manager-role, and they may have different permission sets. These differences should not be flagged as drift issues during code review.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:03:04.317Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:227-235
Timestamp: 2025-08-13T21:03:04.317Z
Learning: CRD YAML files in rhoai-config/crd/bases/ and odh-config/crd/bases/ directories are generated from Go code using controller-gen/kubebuilder. Changes should be made to the source Go structs with appropriate kubebuilder validation markers, not to the generated YAML files directly.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:03:23.347Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: rhoai-config/crd/bases/_.yaml:1-13
Timestamp: 2025-08-13T21:03:23.347Z
Learning: In the opendatahub-operator repository, placeholder CRD files (like _.yaml with empty group/kind/plural/scope and versions: null) in generated directories such as rhoai-config/crd/bases/ are part of the automated generation process and should not be flagged as invalid, as the build system handles them appropriately.

Applied to files:

  • Makefile
📚 Learning: 2025-07-29T18:45:24.518Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: config/crd.rhoai/bases/dscinitialization.opendatahub.io_dscinitializations.yaml:90-107
Timestamp: 2025-07-29T18:45:24.518Z
Learning: In the opendatahub-operator repository, CRD files under config/crd.rhoai/bases/ are generated files (using controller-gen from Go structs), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes rather than direct YAML modifications.

Applied to files:

  • Makefile
📚 Learning: 2025-08-15T19:40:21.860Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: odh-bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:116-118
Timestamp: 2025-08-15T19:40:21.860Z
Learning: In the opendatahub-operator repository, the CSV manifest uses REPLACE_IMAGE:latest as a placeholder image reference intentionally, as the CI pipeline depends on this placeholder and replaces it with the actual operator image during the build process.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T21:04:32.696Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: .github/workflows/prometheus-unit-tests.yaml:5-5
Timestamp: 2025-08-13T21:04:32.696Z
Learning: In the opendatahub-operator repository, prometheus monitoring configurations are shared between ODH and RHOAI platforms. The prometheus directory only exists in odh-config/monitoring/prometheus/, not in rhoai-config. Both platforms reference the same prometheus manifests from the odh-config location.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T14:40:18.443Z
Learnt from: mlassak
PR: opendatahub-io/opendatahub-operator#2010
File: config/crd/bases/services.platform.opendatahub.io_servicemeshes.yaml:114-114
Timestamp: 2025-08-13T14:40:18.443Z
Learning: In the opendatahub-operator repository, CRD files under config/crd/bases/ are auto-generated files (using `make generate manifests api-docs` command), and inconsistencies between enum and pattern validation should not be flagged as they require upstream source code changes in Go structs/kubebuilder annotations rather than direct YAML modifications.

Applied to files:

  • Makefile
📚 Learning: 2025-08-13T18:07:20.881Z
Learnt from: kahowell
PR: opendatahub-io/opendatahub-operator#2220
File: bundle/manifests/opendatahub-operator.clusterserviceversion.yaml:264-338
Timestamp: 2025-08-13T18:07:20.881Z
Learning: Bundle manifest files (like bundle/manifests/*.yaml) in operator projects are typically generated artifacts, not source files. RBAC and permission issues should be addressed in the source configurations (config/rbac/, CSV base templates, etc.) that generate these bundles, not in the generated files themselves.

Applied to files:

  • Makefile
🪛 checkmake (0.2.2)
Makefile

[warning] 194-194: Target "output" should be declared PHONY.

(phonydeclared)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Build/push catalog image
  • GitHub Check: build
  • GitHub Check: golangci-lint
🔇 Additional comments (9)
Makefile (9)

32-59: Platform-aware defaults look correct; please confirm VERSION streams

ODH defaults to 2.33.0, RHOAI to 2.24.0. If these are intentional streams, LGTM. Please confirm they match your release plan and docs.


66-87: Bundle metadata wiring via CHANNELS/DEFAULT_CHANNEL is solid

Correctly guarded with origin checks and composed into BUNDLE_GEN_FLAGS. LGTM.


147-150: Prometheus paths unified under odh-config — OK per repo convention

Matches the shared monitoring setup noted for both platforms. LGTM.


189-195: fetch-external-crds now honors CONFIG_DIR — good

External CRDs land under $(CONFIG_DIR)/crd/external for each platform. LGTM.


197-202: controller-gen invocation with build tags is correct

rbac/crd/webhook outputs point to per-platform dirs; includes ignoreUnexportedFields. LGTM.


229-231: get-manifests passes ODH_PLATFORM_TYPE and VERSION — good

Keeps the script platform-aware and reproducible. LGTM.


291-305: Install/deploy targets correctly use CONFIG_DIR

Platform-specific CRD/default overlays are respected. LGTM.


371-377: Bundle build args and multi-arch flags look good

No issues spotted. LGTM.


427-427: Catalog template sourced from odh-config — OK

Consistent with shared catalog templates. LGTM.

openshift-ci bot commented Sep 10, 2025

@kahowell: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/opendatahub-operator-e2e | fccaa6c | link | true | /test opendatahub-operator-e2e |
