# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
# see https://docs.coderabbit.ai/reference/configuration for details
language: en-US
early_access: false
tone_instructions: "Principal Staff Engineer: Kubernetes/OpenShift/Windows Containers. Focus: Go operators, Windows/PowerShell, build tags, reconciliation, security (SSH/certs), cross-platform (AWS/Azure/GCP/vSphere), error handling, services, reboots."
chat:
  # no emoji
  art: false
  # do not require mention/tag to reply
  auto_reply: true
knowledge_base:
  learnings:
    scope: local
  code_guidelines:
    enabled: true
    filePatterns:
      - "AGENTS.md"
      - "CONTRIBUTION.md"
      - "README.md"
      - "docs/**/*.md"
  issues:
    scope: local
  jira:
    usage: enabled
    project_keys:
      - "WINC"
      - "OCPBUGS"
  pull_requests:
    # use organization-wide
    scope: global
    inheritance: true
reviews:
  # professional settings
  in_progress_fortune: false
  poem: false
  profile: chill
  request_changes_workflow: false
  # summary and status settings
  high_level_summary: true
  review_status: true
  commit_status: true
  fail_commit_status: false
  collapse_walkthrough: true
  changed_files_summary: false
  sequence_diagrams: false
  estimate_code_review_effort: false
  # use linked issues for context
  assess_linked_issues: true
  related_issues: false
  related_prs: false
  suggested_labels: false
  auto_review:
    enabled: true
    # also review drafts
    drafts: true
    # prevent spam on every commit
    auto_incremental_review: false
    ignore_title_keywords:
      - WIP
      - '[WIP]'
      - DO NOT MERGE
      - do-not-merge
      - work-in-progress
    labels:
      - '!do-not-merge/work-in-progress'
      - '!do-not-merge/hold'
  path_instructions:
    - path: "pkg/**/*.go"
      instructions: |
        Review Go code following WMCO operator patterns from AGENTS.md:
        - Verify correct build tags (//go:build windows or !windows)
        - Check controller reconciliation logic and error handling
        - Validate SSH connection handling and cleanup
        - Ensure proper secret handling (never log credentials)
        - Check for goroutine leaks and proper context usage
        - Verify Windows service definitions and priorities
        - Validate CSR approval logic and security checks
    - path: "pkg/daemon/**/*.go"
      instructions: |
        Review Windows daemon (WICD) code:
        - Must have //go:build windows tag
        - Check Windows-specific APIs (Service Control Manager, Registry)
        - Validate certificate management and rotation
        - Check reboot handling and state persistence
        - Verify environment variable management
        - Ensure proper cleanup on errors
    - path: "controllers/**/*.go"
      instructions: |
        Review Kubernetes controllers:
        - Must have //go:build !windows tag
        - Check reconciliation loop logic and idempotency
        - Validate watch predicates and event filtering
        - Check for proper status updates and conditions
        - Verify error handling and requeue logic
        - Ensure proper RBAC markers for kubebuilder
    - path: "**/*.ps1"
      instructions: |
        Review PowerShell scripts:
        - Check error handling ($ErrorActionPreference)
        - Validate path handling (backslashes vs forward slashes)
        - Check for proper escaping in commands
        - Verify service management commands
        - Check for idempotency
        - Validate Windows-specific commands
    - path: "**/*.sh"
      instructions: |
        Review bash scripts:
        - Check for proper error handling (set -e, set -u)
        - Validate shellcheck compliance
        - Check for proper quoting
        - Verify platform-specific logic
        - Check for proper cleanup on errors
    - path: "test/**/*.go"
      instructions: |
        Review test code:
        - Check test coverage for edge cases
        - Validate mock usage and interfaces
        - Check for proper cleanup in tests
        - Verify test isolation and parallelization
        - Check for flaky test patterns
    - path: "hack/**/*"
      instructions: |
        Review development and build scripts:
        - Check for proper error handling
        - Validate platform-specific logic
        - Check for proper documentation
        - Verify MachineSet generation logic
    - path: "manifests/**/*.yaml"
      instructions: |
        Review OLM manifests:
        - Validate CSV (ClusterServiceVersion) correctness
        - Check RBAC permissions (ClusterRole, Role)
        - Verify CRD definitions and OpenAPI validation
        - Check deployment specifications
        - Validate upgrade paths and version constraints
    - path: "pkg/servicescm/**/*.go"
      instructions: |
        Review services ConfigMap handling:
        - Validate schema parsing and validation
        - Check service priority ordering
        - Verify dependency management
        - Check for proper error messages
  # exclude generated, vendor, and submodules
  path_filters:
    - "!vendor/**"
    - "!**/vendor/**"
    - "!go.sum"
    - "!**/zz_generated.*.go"
    - "!**/zz_generated.*/**"
    - "!cloud-provider-aws/**"
    - "!cloud-provider-azure/**"
    - "!containerd/**"
    - "!windows_exporter/**"
    - "!promu/**"
    - "!ovn-kubernetes/**"
    - "!kubelet/**"
    - "!hcsshim/**"
    - "!csi-proxy/**"
    - "!containernetworking-plugins/**"
  tools:
    golangci-lint:
      enabled: true
    shellcheck:
      enabled: true
    markdownlint:
      enabled: true
    yamllint:
      enabled: true
  pre_merge_checks:
    # max 5 custom checks
    custom_checks:
      - name: "Go Best Practices & Build Tags"
        mode: warning
        instructions: |
          Go error handling:
          - Never ignore errors with `_` without justification
          - Wrap errors with context using fmt.Errorf with %w
          - Avoid panic() except in init() or fatal conditions
          - Check for nil before dereferencing pointers
          Build tags (critical for cross-platform):
          - Windows-only code MUST have //go:build windows
          - Linux-only code (operator) MUST have //go:build !windows
          - Platform-agnostic code should not have build tags
          - Daemon code must be Windows-only
          - Controller code must be Linux-only
      - name: "Security: Secrets, SSH & CSR"
        mode: warning
        instructions: |
          Credential handling:
          - NEVER log secret content or private keys
          - Use PGP encryption for username annotations
          - Validate cloud-private-key Secret access
          - Verify certificate handling and storage
          - Ensure credentials are not in error messages
          SSH connections:
          - Ensure SSH sessions are properly closed
          - Check for connection leaks
          - Verify timeout handling
          - Validate SFTP file transfer cleanup
          CSR approval security:
          - Check node identity validation
          - Verify certificate type and key usages
          - Validate against windows-instances ConfigMap or Machine
          - Verify no unauthorized CSR approvals
      - name: "Kubernetes Controller Patterns"
        mode: warning
        instructions: |
          Validate controller best practices:
          - Check for proper requeue on errors
          - Verify idempotent reconciliation logic
          - Check for proper status condition updates
          - Verify watch predicates filter correctly
          - Check for proper finalizer handling
          - Validate owner references
      - name: "Windows Service Management"
        mode: warning
        instructions: |
          Validate Windows service handling:
          - Check service priority ordering
          - Verify service dependencies
          - Validate service descriptions
          - Check for proper service cleanup
          - Verify reboot requirements are documented
          - Check Service Control Manager interactions
      - name: "Platform-Specific Requirements"
        mode: warning
        instructions: |
          Review platform-specific considerations:
          - vSphere: Machine name max 15 chars, MachineSet max 9
          - AWS: Check EC2LaunchV2 version requirements
          - Azure: Verify cloud-node-manager service
          - GCP: Check custom hostname script usage
          - Document platform-specific limitations