7 changes: 3 additions & 4 deletions .github/workflows/smoke.yaml
@@ -42,21 +42,20 @@ jobs:
curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
sudo mv kustomize /usr/local/bin/

- name: Apply CRDs
- name: Apply external CRDs
run: |
kubectl apply -f tests/crds/monitoring.coreos.com_servicemonitors.yaml
kubectl apply -f tests/crds/route_crd.yaml
kubectl apply -f tests/crds/serving.kserve.io_inferenceservices.yaml
kustomize build config/crd | kubectl apply -f -

- name: Update params.env file
run: |
sed -i 's|trustyaiOperatorImage=quay.io/trustyai/trustyai-service-operator:latest|trustyaiOperatorImage=smoke/operator:pr-${{ github.event.pull_request.number || env.PR_NUMBER }}|' config/base/params.env

- name: Deploy the operator with kustomize
- name: Deploy the operator with testing overlay
run: |
kubectl create namespace system
kustomize build config/base | kubectl apply -n system -f -
kustomize build config/overlays/testing | kubectl apply -n system -f -

- name: Run smoke tests
run: ./tests/smoke/test_smoke.sh
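Review bot: The kustomize binary that builds `config/overlays/testing` in the deploy step is whatever `install_kustomize.sh` from the `master` branch fetches at run time, while this same PR sets `KUSTOMIZE_VERSION ?= v5.7.0` in the Makefile. CI and local builds can therefore render the overlay with different kustomize releases, and piping a script from a moving branch into `bash` runs unreviewed code on the runner. Pass the pinned version to the installer (`| bash -s -- <version>`) and fetch the script from a tag or commit URL rather than `master`, or install through the Makefile's `kustomize` target so there is one pin. The install step begins above this hunk, so only its last lines are visible here.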
64 changes: 55 additions & 9 deletions Makefile
@@ -95,7 +95,28 @@ help: ## Display this help.

.PHONY: manifests
manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects.
$(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
$(CONTROLLER_GEN) rbac:roleName=manager-role,headerFile="hack/boilerplate.yaml.txt" crd:headerFile="hack/boilerplate.yaml.txt" webhook:headerFile="hack/boilerplate.yaml.txt" paths="./..." output:crd:artifacts:config=config/crd/bases
@$(MAKE) components-generate

.PHONY: components-generate
components-generate: ## Generate component kustomizations from controller-gen output
@echo "Generating Kustomize components..."
@./hack/generate-components.sh

.PHONY: components-validate
components-validate: kustomize ## Validate all components build correctly
@./hack/validate-components.sh

.PHONY: list-overlays
list-overlays: ## List available overlays
@echo "Available overlays:"
@echo " base - Core operator only (no controllers)"
@for overlay in config/overlays/*; do \
if [ -d "$$overlay" ]; then \
name=$$(basename $$overlay); \
echo " $$name"; \
fi \
done

.PHONY: generate
generate: controller-gen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations.
@@ -187,7 +208,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
ENVTEST ?= $(LOCALBIN)/setup-envtest

## Tool Versions
KUSTOMIZE_VERSION ?= v3.8.7
KUSTOMIZE_VERSION ?= v5.7.0
CONTROLLER_TOOLS_VERSION ?= v0.20.0

KUSTOMIZE_INSTALL_SCRIPT ?= "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh"
@@ -278,10 +299,35 @@ catalog-push: ## Push a catalog image.
# Generate the full set of manifests to deploy the TrustyAI operator, with a customizable deployment namespace and operator image
OPERATOR_IMAGE ?= quay.io/trustyai/trustyai-service-operator:latest
.PHONY: manifest-gen
manifest-gen: kustomize
@echo "Usage: make manifest-gen NAMESPACE=<namespace> OPERATOR_IMAGE=<image>"
@echo "Example: make manifest-gen NAMESPACE=my-namespace OPERATOR_IMAGE=quay.io/myorg/trustyai-service-operator:latest"
mkdir -p release
@if [ -z "$(NAMESPACE)" ]; then echo "Error: NAMESPACE argument is required"; exit 1; fi
$(KUSTOMIZE) build config/base | sed "s|namespace: system|namespace: $(NAMESPACE)|g" | sed "s|quay.io/trustyai/trustyai-service-operator:latest|$(OPERATOR_IMAGE)|g" > release/trustyai_bundle.yaml
@echo "Release manifest generated at release/trustyai_bundle.yaml with namespace '$(NAMESPACE)' and operator image '$(OPERATOR_IMAGE)'"
manifest-gen: kustomize ## Generate deployment manifests. Usage: make manifest-gen NAMESPACE=<namespace> [OVERLAY=<overlay>] [OPERATOR_IMAGE=<image>]
@if [ -z "$(NAMESPACE)" ]; then \
echo "Error: NAMESPACE argument is required"; \
echo ""; \
echo "Usage: make manifest-gen NAMESPACE=<namespace> [OVERLAY=<overlay>] [OPERATOR_IMAGE=<image>]"; \
echo "Example: make manifest-gen NAMESPACE=my-namespace OVERLAY=odh"; \
echo ""; \
echo "Available overlays (use 'make list-overlays' for descriptions):"; \
echo " base (default)"; \
ls -1 config/overlays/ 2>/dev/null | sed 's/^/ /'; \
exit 1; \
fi
@if [ ! -z "$(OVERLAY)" ] && [ "$(OVERLAY)" != "base" ] && [ ! -d "config/overlays/$(OVERLAY)" ]; then \
echo "Error: Overlay '$(OVERLAY)' not found"; \
echo "Available overlays:"; \
echo " base"; \
ls -1 config/overlays/ 2>/dev/null | sed 's/^/ /' || echo " (no overlays found)"; \
exit 1; \
fi
@mkdir -p release
@if [ -z "$(OVERLAY)" ]; then \
echo "Building from config/overlays/testing..."; \
$(KUSTOMIZE) build config/overlays/testing | sed "s|namespace: system|namespace: $(NAMESPACE)|g" | sed "s|quay.io/trustyai/trustyai-service-operator:latest|$(OPERATOR_IMAGE)|g" > release/trustyai_bundle.yaml; \
echo "✓ Release manifest generated at release/trustyai_bundle.yaml"; \
else \
echo "Building from config/overlays/$(OVERLAY)..."; \
$(KUSTOMIZE) build config/overlays/$(OVERLAY) | sed "s|namespace: system|namespace: $(NAMESPACE)|g" | sed "s|quay.io/trustyai/trustyai-service-operator:latest|$(OPERATOR_IMAGE)|g" > release/trustyai_$(OVERLAY)_bundle.yaml; \
echo "✓ Release manifest generated at release/trustyai_$(OVERLAY)_bundle.yaml"; \
fi
Comment on lines +302 to +330
Contributor


⚠️ Potential issue | 🟡 Minor

Usage text says base is default but code defaults to odh.
When OVERLAY is unset, the build uses config/overlays/odh, but the usage/error message says “base (default)”. Update the text to avoid confusion.

✏️ Suggested wording fix
-		echo "  base (default)"; \
+		echo "  odh (default)"; \
...
-		echo "  base"; \
+		echo "  odh (default)"; \
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
manifest-gen: kustomize ## Generate deployment manifests. Usage: make manifest-gen NAMESPACE=<namespace> [OVERLAY=<overlay>] [OPERATOR_IMAGE=<image>]
@if [ -z "$(NAMESPACE)" ]; then \
echo "Error: NAMESPACE argument is required"; \
echo ""; \
echo "Usage: make manifest-gen NAMESPACE=<namespace> [OVERLAY=<overlay>] [OPERATOR_IMAGE=<image>]"; \
echo "Example: make manifest-gen NAMESPACE=my-namespace OVERLAY=odh"; \
echo ""; \
echo "Available overlays (use 'make list-overlays' for descriptions):"; \
echo " base (default)"; \
ls -1 config/overlays/ 2>/dev/null | sed 's/^/ /'; \
exit 1; \
fi
@if [ ! -z "$(OVERLAY)" ] && [ "$(OVERLAY)" != "base" ] && [ ! -d "config/overlays/$(OVERLAY)" ]; then \
echo "Error: Overlay '$(OVERLAY)' not found"; \
echo "Available overlays:"; \
echo " base"; \
ls -1 config/overlays/ 2>/dev/null | sed 's/^/ /' || echo " (no overlays found)"; \
exit 1; \
fi
@mkdir -p release
@if [ -z "$(OVERLAY)" ]; then \
echo "Building from config/overlays/odh..."; \
$(KUSTOMIZE) build config/overlays/odh | sed "s|namespace: system|namespace: $(NAMESPACE)|g" | sed "s|quay.io/trustyai/trustyai-service-operator:latest|$(OPERATOR_IMAGE)|g" > release/trustyai_bundle.yaml; \
echo "✓ Release manifest generated at release/trustyai_bundle.yaml"; \
else \
echo "Building from config/overlays/$(OVERLAY)..."; \
$(KUSTOMIZE) build config/overlays/$(OVERLAY) | sed "s|namespace: system|namespace: $(NAMESPACE)|g" | sed "s|quay.io/trustyai/trustyai-service-operator:latest|$(OPERATOR_IMAGE)|g" > release/trustyai_$(OVERLAY)_bundle.yaml; \
echo "✓ Release manifest generated at release/trustyai_$(OVERLAY)_bundle.yaml"; \
fi
manifest-gen: kustomize ## Generate deployment manifests. Usage: make manifest-gen NAMESPACE=<namespace> [OVERLAY=<overlay>] [OPERATOR_IMAGE=<image>]
`@if` [ -z "$(NAMESPACE)" ]; then \
echo "Error: NAMESPACE argument is required"; \
echo ""; \
echo "Usage: make manifest-gen NAMESPACE=<namespace> [OVERLAY=<overlay>] [OPERATOR_IMAGE=<image>]"; \
echo "Example: make manifest-gen NAMESPACE=my-namespace OVERLAY=odh"; \
echo ""; \
echo "Available overlays (use 'make list-overlays' for descriptions):"; \
echo " odh (default)"; \
ls -1 config/overlays/ 2>/dev/null | sed 's/^/ /'; \
exit 1; \
fi
`@if` [ ! -z "$(OVERLAY)" ] && [ "$(OVERLAY)" != "base" ] && [ ! -d "config/overlays/$(OVERLAY)" ]; then \
echo "Error: Overlay '$(OVERLAY)' not found"; \
echo "Available overlays:"; \
echo " odh (default)"; \
ls -1 config/overlays/ 2>/dev/null | sed 's/^/ /' || echo " (no overlays found)"; \
exit 1; \
fi
`@mkdir` -p release
`@if` [ -z "$(OVERLAY)" ]; then \
echo "Building from config/overlays/odh..."; \
$(KUSTOMIZE) build config/overlays/odh | sed "s|namespace: system|namespace: $(NAMESPACE)|g" | sed "s|quay.io/trustyai/trustyai-service-operator:latest|$(OPERATOR_IMAGE)|g" > release/trustyai_bundle.yaml; \
echo "✓ Release manifest generated at release/trustyai_bundle.yaml"; \
else \
echo "Building from config/overlays/$(OVERLAY)..."; \
$(KUSTOMIZE) build config/overlays/$(OVERLAY) | sed "s|namespace: system|namespace: $(NAMESPACE)|g" | sed "s|quay.io/trustyai/trustyai-service-operator:latest|$(OPERATOR_IMAGE)|g" > release/trustyai_$(OVERLAY)_bundle.yaml; \
echo "✓ Release manifest generated at release/trustyai_$(OVERLAY)_bundle.yaml"; \
fi
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 309 - 337, The manifest-gen target's usage text
incorrectly states that "base" is the default while the implementation uses
config/overlays/odh when OVERLAY is unset; update the messaging in the
manifest-gen recipe so the help/usage and the available-overlays list reflect
the actual default (change any mention of "base (default)" to "odh (default)"
and adjust the echo that prints "Building from config/overlays/odh..." only if
OVERLAY is unset). Ensure references to the OVERLAY variable, the manifest-gen
target, and the two echo lines that print available overlays and the build
source are updated consistently to avoid the mismatch.

@echo " Namespace: $(NAMESPACE)"
@echo " Overlay: $(OVERLAY)"
@echo " Image: $(OPERATOR_IMAGE)"
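Review bot: In the `manifest-gen` recipe, `$(OVERLAY)`, `$(NAMESPACE)` and `$(OPERATOR_IMAGE)` are expanded by make directly into the shell text, the two `sed` programs and the output path `release/trustyai_$(OVERLAY)_bundle.yaml`, and the only check on `OVERLAY` is `[ ! -d "config/overlays/$(OVERLAY)" ]`. A value containing `/` or `..` can pass that directory test and still change where the bundle is written, and a `|`, `&` or quote in any of the three alters the sed expression or the command line, which matters as soon as a CI job forwards these from job inputs. Reference them as shell variables instead (`export OVERLAY NAMESPACE OPERATOR_IMAGE`, then `"$$OVERLAY"` in the recipe) and reject unexpected characters first, e.g. `case "$$OVERLAY" in *[!A-Za-z0-9_-]*) echo "Error: invalid OVERLAY"; exit 1;; esac`, with an equivalent guard for `NAMESPACE`. Setting the namespace and image through kustomize rather than `sed` on the rendered YAML would remove the substitution problem altogether.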
2 changes: 1 addition & 1 deletion api/evalhub/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/gorch/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/lmes/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/nemo_guardrails/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/tas/v1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion api/tas/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 1 addition & 7 deletions config/base/kustomization.yaml
@@ -1,16 +1,10 @@
---
namePrefix: trustyai-service-operator-

resources:
- ../crd
- ../rbac
- ../manager
- ../rbac-base
- ../prometheus
- ../configmaps

commonLabels:
app.kubernetes.io/part-of: trustyai

configMapGenerator:
- env: params.env
name: config
@@ -1,3 +1,4 @@
# YAML generated by controller-gen. DO NOT EDIT.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
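--- a/config/components/evalhub/kustomization.yaml
+++ b/config/components/evalhub/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- crd/trustyai.opendatahub.io_evalhubs.yaml
+- rbac/evalhub_auth_reviewer_role.yaml
+- rbac/evalhub_job_config_binding.yaml
+- rbac/evalhub_job_config_role.yaml
+- rbac/evalhub_jobs_writer_binding.yaml
+- rbac/evalhub_jobs_writer_role.yaml
+- rbac/evalhub_mlflow_access_binding.yaml
+- rbac/evalhub_mlflow_access_role.yaml
+- rbac/evalhub_mlflow_jobs_binding.yaml
+- rbac/evalhub_mlflow_jobs_role.yaml
+- rbac/manager-rbac.yaml
+- rbac/manager-rolebinding.yaml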
149 changes: 149 additions & 0 deletions config/components/evalhub/rbac/manager-rbac.yaml
@@ -0,0 +1,149 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: evalhub-manager-role
rules:
- apiGroups:
- trustyai.opendatahub.io
resources:
- evalhubs
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- trustyai.opendatahub.io
resources:
- evalhubs/proxy
verbs:
- get
- create
- apiGroups:
- trustyai.opendatahub.io
resources:
- evalhubs/status
verbs:
- get
- update
- patch
- apiGroups:
- trustyai.opendatahub.io
resources:
- evalhubs/finalizers
verbs:
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- list
- watch
- get
- create
- update
- patch
- delete
- apiGroups:
- apps
resources:
- deployments/status
verbs:
- get
- update
- patch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- route.openshift.io
resources:
- routes
verbs:
- list
- watch
- get
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
Comment on lines +96 to +149
Contributor


⚠️ Potential issue | 🟠 Major

Re-evaluate RBAC write access to Role/RoleBinding/ClusterRoleBinding.

Granting create/update/delete on RBAC objects is a high-privilege capability. If EvalHub only needs namespaced access for jobs, prefer Role/RoleBinding in the target namespace and drop cluster-scoped bindings.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/components/evalhub/rbac/manager-rbac.yaml` around lines 96 - 149, The
RBAC manifest currently grants high-privilege cluster-scoped write access
(ClusterRoleBinding and rbac.authorization.k8s.io resources with
create/update/delete) which is excessive; update manager-rbac.yaml to remove
cluster-scoped ClusterRoleBinding permissions and drop create/update/delete on
cluster-scoped RBAC resources, instead define a namespaced Role and
corresponding RoleBinding that only grants the exact verbs needed for jobs
(e.g., get/list/watch/create/patch on resources in the target namespace) and
remove or narrow apiGroups entries for rbac.authorization.k8s.io and
cluster-scoped resources; specifically, replace references to
clusterrolebindings and cluster-level verbs and the entries for resources: -
clusterrolebindings with a namespaced Role/RoleBinding scope and ensure
roles/rolebindings permissions in the diff only include the minimal verbs
required.
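Review bot: The `deployments/status` rule in `evalhub-manager-role` grants `update` and `patch` cluster-wide, although Deployment status is normally written by the built-in deployment controller and an operator that only checks readiness needs read access at most. If nothing in the EvalHub reconciler writes Deployment status, narrow the rule to `verbs: [get]` or drop it, since `get` on `deployments` already returns the status. This file is presumably produced from `+kubebuilder:rbac` markers by the `manifests` / `components-generate` targets, so the change belongs in the Go marker rather than in this YAML.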

@@ -1,18 +1,18 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: clusterrolebinding
app.kubernetes.io/instance: manager-rolebinding
app.kubernetes.io/instance: evalhub-manager-rolebinding
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: trustyai-service-operator
app.kubernetes.io/part-of: trustyai-service-operator
app.kubernetes.io/managed-by: kustomize
name: manager-rolebinding
name: evalhub-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: manager-role
name: trustyai-service-operator-evalhub-manager-role
Contributor

@coderabbitai coderabbitai bot Feb 25, 2026


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check namePrefix and other settings in the evalhub component kustomization
echo "=== config/components/evalhub/kustomization.yaml ==="
if [ -f "config/components/evalhub/kustomization.yaml" ]; then
  cat -n config/components/evalhub/kustomization.yaml
else
  echo "File not found"
fi

echo -e "\n=== ClusterRole name in manager-rbac.yaml ==="
if [ -f "config/components/evalhub/rbac/manager-rbac.yaml" ]; then
  cat -n config/components/evalhub/rbac/manager-rbac.yaml
else
  echo "File not found"
fi

echo -e "\n=== RoleBinding file for reference ==="
if [ -f "config/components/evalhub/rbac/manager-rolebinding.yaml" ]; then
  cat -n config/components/evalhub/rbac/manager-rolebinding.yaml
else
  echo "File not found"
fi

Repository: trustyai-explainability/trustyai-service-operator

Length of output: 4497


roleRef.name should use the short name to align with kustomize namePrefix pattern.

The ClusterRole in manager-rbac.yaml is correctly defined with the short name evalhub-manager-role. The roleRef.name at line 15 should match this short name so that kustomize's nameReference transformer can automatically rewrite it to the fully-qualified name when namePrefix: trustyai-service-operator- is applied. Hardcoding the already-prefixed value trustyai-service-operator-evalhub-manager-role breaks this transformation and creates a mismatch between the role and its reference.

Proposed fix
-  name: trustyai-service-operator-evalhub-manager-role
+  name: evalhub-manager-role
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
name: trustyai-service-operator-evalhub-manager-role
name: evalhub-manager-role
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@config/components/evalhub/rbac/manager-rolebinding.yaml` at line 15, Change
the hardcoded prefixed value in roleRef.name to the short ClusterRole name so
kustomize can rewrite it; specifically replace roleRef.name:
trustyai-service-operator-evalhub-manager-role with roleRef.name:
evalhub-manager-role to match the ClusterRole named evalhub-manager-role (in the
manager RoleBinding/ClusterRoleBinding resource) and allow the namePrefix
transformer to apply the trustyai-service-operator- prefix automatically.

Contributor Author


Contributor


🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch the specific discussion comment that was referenced
gh api /repos/trustyai-explainability/trustyai-service-operator/pulls/651/comments/2858807923 --jq '{body: .body, user: .user.login, path: .path, line: .line}'

Length of output: 130


🏁 Script executed:

#!/bin/bash
# Fetch review comments from PR 651 and look for discussions about naming/roleRef
gh api "/repos/trustyai-explainability/trustyai-service-operator/pulls/651/comments" \
  --paginate \
  --jq '.[] | select(.body | contains("roleRef") or contains("namePrefix") or contains("short name")) | {id: .id, user: .user.login, path: .path, line: .line, body: .body}' | head -20

echo "---"
echo "Also checking for comments around evalhub naming:"
gh api "/repos/trustyai-explainability/trustyai-service-operator/pulls/651/comments" \
  --paginate \
  --jq '.[] | select(.path | contains("evalhub")) | select(.body | contains("name")) | {id: .id, user: .user.login, path: .path, body: .body[:200]}' | head -20

Length of output: 30146


@RobGeada, thanks for pointing me to that discussion! I see the context now. In the gorch component thread, you explained that using short names in roleRef broke the ClusterRoleBindings because kustomize couldn't properly correlate them with the fully-qualified names created on the cluster, and that the hardcoded full prefix approach was the only working solution.

That same pattern applies here in the evalhub component (and across all the other components: lmes, tas, nemo-guardrails, job-mgr). The hardcoded trustyai-service-operator-{component}-manager-role names in the roleRef fields are intentional and necessary based on your testing.

I should note there's a learning in my context that suggests short names should be used with kustomize's namePrefix, but your actual experience shows that doesn't work without additional NameReference transformer configuration (which isn't currently in the repo).

Would you like me to update that learning to reflect that in this repository, the roleRef names in component rolebindings intentionally use the full prefixed form because the short-name approach didn't work in practice?


🧠 Learnings used
Learnt from: scheruku-rh
Repo: trustyai-explainability/trustyai-service-operator PR: 652
File: config/rbac/evalhub/evalhub_secrets_reader_role.yaml:1-13
Timestamp: 2026-02-25T12:57:09.782Z
Learning: In the trustyai-service-operator repository, RBAC resources in config/rbac/ are deployed through config/base/kustomization.yaml which applies namePrefix: trustyai-service-operator-. ClusterRole names in YAML manifests should use short names (e.g., evalhub-secrets-reader) as kustomize automatically prefixes them at deployment time to match Go constants (e.g., trustyai-service-operator-evalhub-secrets-reader).

Learnt from: tarilabs
Repo: trustyai-explainability/trustyai-service-operator PR: 650
File: config/configmaps/evalhub/provider-garak.yaml:24-26
Timestamp: 2026-02-18T18:07:47.424Z
Learning: In the trustyai-service-operator EvalHub provider ConfigMaps (config/configmaps/evalhub/provider-*.yaml), the provider configurations are sourced from the upstream eval-hub repository via hack/sync-evalhub-providers.py script. The project policy is to preserve the upstream provider configs as-is, including any placeholder environment variables or template content, to maintain consistency with the upstream source.

subjects:
- kind: ServiceAccount
name: controller-manager
@@ -1,3 +1,4 @@
# YAML generated by controller-gen. DO NOT EDIT.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
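--- a/config/components/gorch/kustomization.yaml
+++ b/config/components/gorch/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+- crd/trustyai.opendatahub.io_guardrailsorchestrators.yaml
+- rbac/manager-rbac.yaml
+- rbac/manager-rolebinding.yaml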