CORENET-7266: Add path-specific review instructions to CodeRabbit config

[kyrtapz]

Teach CodeRabbit about CNO-specific pitfalls drawn from past bugs and reviewer experience: managed/self-hosted manifest drift, missing release.openshift.io/version annotations, cluster-name annotation for HyperShift, OVN-K rollout sequencing, SSA merge gotchas, missing controller watches, and namespace node-selector requirements.

[coderabbitai]

Walkthrough

Expands .coderabbit.yaml with path-scoped review instructions for CNO manifests, bindata templates, OVN-Kubernetes rollout behavior, network/package code paths, apply semantics, and HyperShift handling, plus added global guidance for HyperShift and dual-stack checks.

Changes

CodeRabbit Review Instruction Expansion

Layer / File(s)	Summary
Global and manifests guidance .coderabbit.yaml	Adds top-level HyperShift and dual-stack review bullets, config-to-operator overwrite notes, and SSA merge reminders; adds manifests/** rules for CVO application timing, required release annotations, resource placement limits, and deployment variant consistency.
Bindata runtime rules .coderabbit.yaml	Adds bindata/** instructions for runtime template rendering, annotation checks, namespace scheduling expectations, and container coverage requirements.
OVN-Kubernetes rollout and variants .coderabbit.yaml	Adds bindata/network/ovn-kubernetes/** guidance for managed/self-hosted alignment, rollout and stuck-progress behavior, hash-triggered restart behavior, and CLI-flag audits; adds bindata/network/node-identity/** alignment guidance.
Package-level behavior checks .coderabbit.yaml	Adds pkg/network/*.go checks for ReleaseVersion and progress logic, pkg/apply/** SSA semantics, and pkg/hypershift/** integration and mode-detection guidance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description check	✅ Passed	The description directly matches the configuration guidance added in the pull request and its CNO-focused review concerns.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only updates .coderabbit.yaml guidance; no test titles or Ginkgo specs are changed.
Test Structure And Quality	✅ Passed	PR only updates CodeRabbit path instructions in .coderabbit.yaml; no Ginkgo test code is modified, so these test-quality checks are not applicable.
Microshift Test Compatibility	✅ Passed	Only .coderabbit.yaml changed; no Go/e2e test files or Ginkgo specs were added, so the MicroShift check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only updates .coderabbit.yaml; no new Ginkgo e2e tests or SNO-sensitive test code were added, so the check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PASS: The PR only updates .coderabbit.yaml review guidance; no deployment manifests, operator code, or controllers were changed, so topology-aware scheduling checks are not applicable.
Ote Binary Stdout Contract	✅ Passed	PR only updates .coderabbit.yaml review instructions; no process-level code or stdout behavior changed.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR only edits .coderabbit.yaml path instructions; no Ginkgo e2e tests or connectivity code were added, so the IPv6/disconnected check is not applicable.
No-Weak-Crypto	✅ Passed	PR only updates .coderabbit.yaml review guidance; it adds no weak-crypto primitives, custom crypto, or secret comparisons.
Container-Privileges	✅ Passed	PR only updates .coderabbit.yaml review instructions; no changed K8s/container manifests or privilege fields are present in the patch.
No-Sensitive-Data-In-Logs	✅ Passed	Only .coderabbit.yaml review instructions changed; no logging code or sensitive-data output was added.
Title check	✅ Passed	The title accurately describes the main change: adding path-specific review instructions to the CodeRabbit config.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kyrtapz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [kyrtapz]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.coderabbit.yaml:
- Around line 58-71: The
`networkoperator.openshift.io/generates-operator-status` entry is documented
under the wrong metadata type in `.coderabbit.yaml`; it should be described as a
label, not an annotation. Update the guidance to match `pkg/names/names.go`, and
call out that `StatusController` only recognizes it when the label has a
non-empty value, so reviewers know to verify both the label placement and its
value.
- Around line 190-195: The guidance in the configuration comment is reversed for
non-pointer booleans: `false` only becomes ambiguous when `omitempty` can drop
the zero value, not when the field is always serialized. Update the wording near
the SSA/merge explanation to say that non-pointer booleans need special handling
when `omitempty` is present, and keep `managementState` called out separately as
a special case that is always serialized but still requires preserving the live
value via merge logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0e8043da-19f1-402b-a7ab-4b88792c185e

📥 Commits

Reviewing files that changed from the base of the PR and between 7b341b4 and 5aa5c6b.

📒 Files selected for processing (1)

• .coderabbit.yaml

[openshift-ci-robot]

@kyrtapz: This pull request references CORENET-7266 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Teach CodeRabbit about CNO-specific pitfalls drawn from past bugs and reviewer experience: managed/self-hosted manifest drift, missing release.openshift.io/version annotations, cluster-name annotation for HyperShift, OVN-K rollout sequencing, SSA merge gotchas, missing controller watches, and namespace node-selector requirements.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[danwinship]

This isn't quite correct; we deploy the CNO default-deny NetworkPolicy from manifests/.

A better rule would be that you need to be very careful when deploying things to the openshift-network-operator namespace from bindata/, or to anything except the openshift-network-operator namespace from manifests/

[danwinship]

I don't know whether coderabbit will understand what "all HyperShift-aware resources" means, but I don't.

[danwinship]

Suggested change

	- `networkoperator.openshift.io/non-critical` — marks non-critical resources
	that don't block upgrades.
	- `networkoperator.openshift.io/non-critical` — marks resources that should
	not block the operator from becoming `Available` during cluster install,
	because they depend on other operators.

[danwinship]

There are no "upstream OVN-K rebases" in this repo

[danwinship]

No, we should just not add any more such fields. If coderabbit sees us trying to work around this problem in a new API, it should tell us that the API is wrong and we need to fix it.

[openshift-ci]

@kyrtapz: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-azure-ovn-upgrade	28f6449	link	true	/test e2e-azure-ovn-upgrade
ci/prow/5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade	28f6449	link	false	/test 5.0-upgrade-from-stable-4.22-e2e-azure-ovn-upgrade
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp	28f6449	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp
ci/prow/5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade	28f6449	link	false	/test 5.0-upgrade-from-stable-4.22-e2e-gcp-ovn-upgrade
ci/prow/e2e-ovn-ipsec-step-registry	28f6449	link	true	/test e2e-ovn-ipsec-step-registry
ci/prow/e2e-metal-ipi-ovn-dualstack-bgp-local-gw	28f6449	link	true	/test e2e-metal-ipi-ovn-dualstack-bgp-local-gw
ci/prow/e2e-aws-ovn-upgrade-ipsec	28f6449	link	true	/test e2e-aws-ovn-upgrade-ipsec
ci/prow/e2e-metal-ipi-ovn-ipv6-ipsec	28f6449	link	true	/test e2e-metal-ipi-ovn-ipv6-ipsec
ci/prow/e2e-aws-ovn-hypershift-conformance	28f6449	link	true	/test e2e-aws-ovn-hypershift-conformance
ci/prow/e2e-aws-ovn-rhcos10-techpreview	28f6449	link	false	/test e2e-aws-ovn-rhcos10-techpreview
ci/prow/5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade	28f6449	link	false	/test 5.0-upgrade-from-stable-4.22-e2e-aws-ovn-upgrade
ci/prow/e2e-gcp-ovn	28f6449	link	true	/test e2e-gcp-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.