NE-2391: Add progressive disclosure AI agent context

[bentito]

This PR adds a progressive disclosure architecture for AI agents, anchored by AGENTS.md and containing deep-dive context in the .agents/ directory.

See NE-2391

[PR and code changes generated with Gemini LLM and geminii-cli coding agent]

Summary by CodeRabbit

• Documentation
  • Added comprehensive DNS architecture docs, operator/controller design and reconciliation guidance, operand/CoreDNS behavior and plugin-chain overview, testing instructions, and repository contribution/CI rules.
  • Added agent guidance and context docs with task checklists and repository orientation for contributors.

[openshift-ci-robot]

@bentito: This pull request references NE-2391 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

This PR adds a progressive disclosure architecture for AI agents, anchored by AGENTS.md and containing deep-dive context in the .agents/ directory.

Fixes NE-2391

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c6ce42a9-4b4d-4aab-bb6e-a6c9c4cf2c42

📥 Commits

Reviewing files that changed from the base of the PR and between 2fa1fac and d4284dc.

📒 Files selected for processing (1)

• .agents/controllers.md

✅ Files skipped from review due to trivial changes (1)

• .agents/controllers.md

---

Walkthrough

Adds six .agents/* documentation files and AGENTS.md describing cluster-dns-operator architecture, controller reconciliation (DNS CR → dns-default ConfigMap → CoreDNS reload), CoreDNS operand details, repository rules, and testing guidance.

Changes

Agent Docs

Layer / File(s)	Summary
Controller reconciliation and ConfigMap/Corefile flow .agents/controllers.md	Documents controller structure under pkg/operator/controller/, the reconciliation path from the default DNS CR to the dns-default ConfigMap, CoreDNS DaemonSet/Service, reload behavior, ManagementState semantics (Managed/Unmanaged/Removed/Force), and idempotency requirements for ensure* functions.
Architecture and context .agents/architecture.md, .agents/context.md	Describes overall DNS lifecycle, CoreDNS as per-node DaemonSet, ClusterIP service for pod DNS, Kubelet /etc/resolv.conf injection, OVN-Kubernetes routing to local CoreDNS, node resolver DaemonSet, and MCO-managed static CoreDNS layer.
Operand and plugin chain .agents/operand.md	Explains CoreDNS as the external operand, points to OpenShift's customized CoreDNS repo, and lists the default CoreDNS plugin chain used in the generated Corefile.
Contribution and CI rules .agents/rules.md	Specifies repository rules: idempotent reconciliation, no hardcoded namespaces/secrets, OpenAPI v3 for CRDs, least-privilege RBAC, and Prow/ci-operator workflow constraints.
Testing guidance .agents/testing.md	Describes unit test placement and expectations (validate generated resources/YAML) and E2E test location/requirements and Prow integration.
Root Agent Guide AGENTS.md	Adds a repository-level guide directing AI agents to the .agents/ documents and prescribing progressive-disclosure task workflows.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Microshift Test Compatibility	⚠️ Warning	New test file test/e2e/operator_test.go adds 13 e2e tests that use ClusterOperator API (config.openshift.io/v1), which is unavailable on MicroShift. Tests lack required protection mechanisms.	Add [apigroup:config.openshift.io] tags to test names or [Skipped:MicroShift] labels, or wrap tests with IsMicroShiftCluster() skip guard. See custom check for recommended options and CI job details.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'NE-2391: Add progressive disclosure AI agent context' directly matches the main changeset: new AGENTS.md and .agents/ directory with progressive disclosure documentation for AI agents.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR uses standard Go testing, not Ginkgo. All test files contain only static test names (e.g., TestManifests) and subtest names from predefined arrays. No dynamic patterns detected.
Test Structure And Quality	✅ Passed	This PR adds only documentation files (.agents/*.md and AGENTS.md) with no test code changes. The custom check for Ginkgo test structure and quality is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR adds only documentation files (AGENTS.md and .agents/*.md). No new Ginkgo e2e tests are added, so the SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds only documentation files (.agents/*.md and AGENTS.md). No deployment manifests, operator code, or controllers are modified. No scheduling constraints introduced.
Ote Binary Stdout Contract	✅ Passed	PR complies with OTE Binary Stdout Contract. main.go contains no fmt.Print calls, uses logrus (writes to stderr) and zap logger. No process-level stdout writes detected that would corrupt OTE JSON.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds only documentation files (.md). No Ginkgo e2e tests or Go test code are added. The custom check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.agents/controllers.md:
- Line 28: Update the documentation string that currently references
desiredDNSConfigmap (lowercase "m") to the correct exported function name
desiredDNSConfigMap so it matches the actual symbol in the codebase (referenced
in pkg/operator/controller/controller_dns_configmap.go); locate the Reconciler
flow sentence that lists ensureDNSConfigMap → desiredDNSConfigmap →
desiredCorefile and change desiredDNSConfigmap to desiredDNSConfigMap to avoid
the typo and ensure exact symbol matching.

In @.agents/rules.md:
- Around line 7-10: Reword the three rule bullets titled "Never Hardcode",
"Structural Schemas", and "Principle of Least Privilege" to apply to "new or
modified code/manifests" (e.g., prefix with "For new/modified code:") and add a
short note acknowledging existing exceptions/technical debt (mention that
current manifests may contain hardcoded namespaces or wildcard RBAC verbs and
will be incrementally remediated) so reviewers don’t assume these rules are
already fully enforced.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 738bdc52-2818-48ea-a192-a5c9eb101efc

📥 Commits

Reviewing files that changed from the base of the PR and between 3d21411 and 75d5e62.

📒 Files selected for processing (7)

• .agents/architecture.md
• .agents/context.md
• .agents/controllers.md
• .agents/operand.md
• .agents/rules.md
• .agents/testing.md
• AGENTS.md

[bentito]

@coderabbitai do the autofix

[coderabbitai]

@bentito: I don't see any pending CodeRabbit review comments with suggested fixes to autofix on this PR. The only open warning is from the CI robot regarding the JIRA issue NE-2391 missing a target version ("5.0.0") — that requires updating the JIRA ticket directly and is outside my scope.

If you'd like, I can run a full review of the PR first, and then you can ask me to apply any suggested fixes afterward.

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[bentito]

@coderabbitai do a full review

[coderabbitai]

@bentito: Sure! Triggering a full review of the PR now.

✅ Actions performed

Full review triggered.

[coderabbitai]

♻️ Duplicate comments (1)

.agents/controllers.md (1)

28-28: ⚠️ Potential issue | 🟡 Minor

Fix function name typo.

The function name should be desiredDNSConfigMap (capital M) to match the actual symbol in pkg/operator/controller/controller_dns_configmap.go.

📝 Proposed doc fix

-2. The Reconciler calls `ensureDNSConfigMap` → `desiredDNSConfigmap` → `desiredCorefile`.
+2. The Reconciler calls `ensureDNSConfigMap` → `desiredDNSConfigMap` → `desiredCorefile`.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/controllers.md at line 28, Update the documentation to fix the
function name typo: replace `desiredDNSConfigmap` with the correct symbol
`desiredDNSConfigMap` (capital "M") so it matches the actual function declared
in `controller_dns_configmap.go` (the Reconciler call chain:
`ensureDNSConfigMap` → `desiredDNSConfigMap` → `desiredCorefile`).

🧹 Nitpick comments (1)

.agents/controllers.md (1)

35-38: Consider documenting the Force ManagementState for completeness.

The API definition includes a fourth ManagementState value: Force (actively manages resources but won't block upgrades if prerequisites are unmet). While the three states documented here cover the common cases, mentioning Force would provide complete coverage of the API.

📋 Suggested addition

 - **ManagementState**: OpenShift operators support a `ManagementState` field.
   - `Managed`: The operator actively reconciles and overwrites manual changes.
   - `Unmanaged`: The operator pauses reconciliation, allowing manual intervention or debugging.
   - `Removed`: The operator tears down the managed components.
+  - `Force`: (Advanced) The operator actively manages resources but will not block upgrades if prerequisites are unmet.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.agents/controllers.md around lines 35 - 38, Update the ManagementState docs
to include the missing fourth value "Force": mention ManagementState as the enum
and add an entry for Force describing that the operator actively manages
resources but will not block upgrades when prerequisites are unmet; reference
ManagementState and the new value Force so readers can map it to the API enum.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.agents/controllers.md:
- Line 28: Update the documentation to fix the function name typo: replace
`desiredDNSConfigmap` with the correct symbol `desiredDNSConfigMap` (capital
"M") so it matches the actual function declared in `controller_dns_configmap.go`
(the Reconciler call chain: `ensureDNSConfigMap` → `desiredDNSConfigMap` →
`desiredCorefile`).

---

Nitpick comments:
In @.agents/controllers.md:
- Around line 35-38: Update the ManagementState docs to include the missing
fourth value "Force": mention ManagementState as the enum and add an entry for
Force describing that the operator actively manages resources but will not block
upgrades when prerequisites are unmet; reference ManagementState and the new
value Force so readers can map it to the API enum.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 313f7593-979c-4607-88f5-0d373aebaec7

📥 Commits

Reviewing files that changed from the base of the PR and between 3d21411 and 75d5e62.

📒 Files selected for processing (7)

• .agents/architecture.md
• .agents/context.md
• .agents/controllers.md
• .agents/operand.md
• .agents/rules.md
• .agents/testing.md
• AGENTS.md

[bentito]

@coderabbitai autofix

[coderabbitai]

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

❌ Failed to clone repository into sandbox. Please try again.

[bentito]

/retest

[bentito]

/assign @davidesalerno @grzpiotrowski

[davidesalerno]

Just one doubt related to the ManagementState

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from davidesalerno. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@bentito: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.