Skip to content

Add central config/ folder with sync-to-canonical#92

Open
fonta-rh wants to merge 10 commits into
openshift-eng:mainfrom
fonta-rh:config-folder
Open

Add central config/ folder with sync-to-canonical#92
fonta-rh wants to merge 10 commits into
openshift-eng:mainfrom
fonta-rh:config-folder

Conversation

@fonta-rh

@fonta-rh fonta-rh commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add a central config/ folder at the repository root where users create configuration files. Every make target syncs config/ files to their canonical locations before doing anything else (newer-wins, never deletes), so the playbooks and roles keep reading from the canonical locations unchanged.
  • Move all templates and example configs into config/ (instance.env.template, config_*_example.sh, kcli.yml.template, assisted.yml.template) with a README map and a .gitignore that prevents real config files from being committed.
  • Move common.sh from deploy/aws-hypervisor/scripts/ to deploy/ so all deploy paths (AWS and baremetal) can source it without reaching into aws-hypervisor/ internals. Update all 21 scripts that source it.
  • Add sync_config_files() to common.sh with a manifest of src→dest entries; the pull secret fans out to both the dev-scripts and kcli role locations. Skip syncing 0-byte source files to prevent accidental credential blanking.
  • Add config_baremetal_fencing.sh to the sync manifest and have baremetal-adopt generate it into config/.
  • Add make sync-config for users who invoke ansible-playbook directly.
  • Add make ansible-lint / make verify integration with ansible-lint and playbook syntax checks (hack/ansible-lint.sh), with pre-existing findings baselined in .ansible-lint.
  • Add topology and method validation to setup.yml pre_tasks (regardless of interactive_mode).

Motivation

New contributors currently need to know which of several deeply nested directories to place their config files in (pull secret, topology config, instance.env, etc.), and there's no protection against accidentally committing credentials. This PR introduces a single, gitignored config/ folder as the entry point — the sync mechanism is backwards compatible (no-op until the user creates a file there, and direct edits to canonical locations are preserved).

The common.sh relocation (commit 3) removes a coupling where OC scripts and baremetal scripts had to reach into aws-hypervisor/ to source shared code.

Test plan

  • Verify make sync-config copies files from config/ to canonical locations
  • Verify newer-wins: edit a file in config/, run any make target, confirm the canonical location is updated
  • Verify backwards compatibility: edit a canonical location directly (e.g. roles/dev-scripts/install-dev/files/config_fencing.sh), confirm it is NOT overwritten by an older config/ copy
  • Verify .gitignore prevents committing real config files in config/
  • Verify make ansible-lint runs cleanly on the current playbooks
  • Verify make verify includes the ansible-lint checks
  • Verify setup.yml rejects invalid -e topology=bogus with a clear error
  • Verify 0-byte source files are skipped with a warning during sync
  • Verify common.sh relocation: all 19 make targets that source common.sh run successfully (full EC2 instance lifecycle exercised — create, init, inventory, info, ssh, force-stop, start, destroy; cluster operation targets confirmed common.sh sources correctly)
  • Verify config sync fires automatically before targets (instance.env and config_fencing.sh both synced from config/ to canonical locations)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Added a centralized config/ source-of-truth workflow, including automatic syncing into canonical deployment locations via make sync-config.
    • Expanded validation with make ansible-lint and broader make verify checks.
  • Bug Fixes
    • Improved fail-fast validation for setup parameters and continued fixes to make/config sourcing for more consistent runs.
  • Documentation
    • Updated setup/deployment/development guides and READMEs to reflect the new config/ layout, syncing behavior, and updated lint/validation commands.

fonta-rh and others added 2 commits July 8, 2026 17:30
Add hack/ansible-lint.sh following the containerized pattern of the
existing hack scripts. It runs ansible-lint (configured by the new
.ansible-lint, with pre-existing findings baselined in a skip list) and
ansible-playbook --syntax-check for every playbook, caching the required
collections in ~/.cache/tnt-ansible-collections.

Also validate topology and method in setup.yml pre_tasks regardless of
interactive_mode, so bad -e values fail fast instead of erroring deep
inside a role.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AUa6KmTHSMNx9SibfQrLNm
Add a single config/ folder at the repository root where users create
their configuration files. Every make-accessible script syncs config/
files to their canonical locations (newer-wins, never deletes) before
doing anything else; the playbooks and roles keep reading from the
canonical locations unchanged.

- Move all templates and example configs into config/ (single source):
  instance.env.template, config_*_example.sh, kcli.yml.template,
  assisted.yml.template, plus a README map and a .gitignore that
  prevents real config files (including the pull secret) from ever
  being committed
- Add sync_config_files() to aws-hypervisor/scripts/common.sh with a
  manifest of src:dest[:dest2] entries; the pull secret fans out to
  both the dev-scripts and kcli role locations
- Restructure common.sh so the sync runs before instance.env is
  sourced, and replace the raw missing-file source error with an
  actionable hint
- Add 'make sync-config' for users who invoke ansible-playbook
  directly, and register init-host.yml.local in the manifest (it is
  consumed by init-host.yml)
- Source common.sh from get-tnf-logs.sh and helpers/keep-instance.sh
  so every make target inherits the sync
- Gitignore vars/assisted.yml (contains credentials, was not ignored)
- Update all docs and the /setup command to point at config/, keeping
  a note that editing canonical locations directly still works

Backwards compatible: config/ ships with templates only, so the sync
is a no-op until the user explicitly creates a file there.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Mk1uuxv3YkApKm8w55Kxjd
@openshift-ci openshift-ci Bot requested review from clobrano and qJkee July 8, 2026 15:31
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fonta-rh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

This PR centralizes configuration under config/, adds automatic sync plumbing in deploy tooling, updates deployment/setup documentation, repoints scripts to shared deploy helpers, and introduces ansible-lint into verification.

Changes

Central config, shared helpers, and validation

Layer / File(s) Summary
Config sync and canonical files
config/.gitignore, config/README.md, deploy/common.sh, deploy/Makefile, deploy/openshift-clusters/setup.yml
Adds root config tracking, sync behavior, canonical file mapping, and validation for supported topology/method values.
Configuration guidance updates
README.md, deploy/README.md, deploy/aws-hypervisor/README.md, deploy/openshift-clusters/*.md, .claude/commands/setup*.md, CLAUDE.md
Moves setup and workflow instructions to the new config/ sources and make sync-config flow across AWS, kcli, dev-scripts, assisted install, and external-host paths.
Shared deploy helpers and script sourcing
deploy/common.sh, helpers/keep-instance.sh, deploy/aws-hypervisor/scripts/*.sh, deploy/openshift-clusters/scripts/*.sh, deploy/openshift-clusters/scripts/baremetal-adopt.sh
Updates shared helper resolution, switches scripts to the deploy-level common file, and changes baremetal adoption output paths to the central config directory.
Ansible lint and verification
.ansible-lint, hack/ansible-lint.sh, Makefile, hack/pre-commit, CLAUDE.md
Adds ansible-lint configuration and runner support, wires it into verify, and updates the failure guidance.

Estimated code review effort: 4 (Complex) | ~45 minutes

Possibly related PRs

Suggested reviewers: jaypoulz, slintes


Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

  • Ignore

❌ Failed checks (1 error, 2 warnings)

Check name Status Explanation Resolution
No-Hardcoded-Secrets ❌ Error New config/kcli.yml.template adds bmc_password: admin123, a hardcoded password literal in a tracked template. Replace it with a non-secret placeholder (e.g. empty string or <set-in-config>) and require users to supply their own password.
Docstring Coverage ⚠️ Warning Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Ai-Attribution ⚠️ Warning PR/commits mention Claude/Coderabbit, but recent history has 0 Assisted-by/Generated-by trailers and 21 Co-Authored-By AI trailers. Replace AI Co-Authored-By trailers with Red Hat Assisted-by or Generated-by trailers; reserve Co-Authored-By for human co-authors.
✅ Passed checks (8 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: introducing a central config/ directory with sync-to-canonical behavior.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
No-Weak-Crypto ✅ Passed No modified file introduces MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret/token comparisons; changes are config/make/docs/shell only.
Container-Privileges ✅ Passed PASS: The diff only changes docs, Makefile, and deploy/common.sh; no container/K8s manifests or privilege-related fields were added.
No-Sensitive-Data-In-Logs ✅ Passed No new logging of secrets/PII appears in the actual diff; this commit only removes an auto-sync call and updates docs/Makefile.
No-Injection-Vectors ✅ Passed No edited file adds SQL concatenation, shell=True, eval/exec, yaml.load, os.system, or dangerous DOM insertion; shell vars are quoted and YAML uses asserts.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot added the ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review label Jul 8, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 8

🧹 Nitpick comments (1)
hack/ansible-lint.sh (1)

19-33: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚖️ Poor tradeoff

Overloading OPENSHIFT_CI as a "skip containerization" flag is confusing.

OPENSHIFT_CI is normally a real environment signal set by Prow/OpenShift CI. Here it's repurposed to mean "ansible-lint/ansible-playbook are already installed, run natively." If a future CI runner sets OPENSHIFT_CI for unrelated reasons without those tools present, this branch will run natively and fail. Consider a dedicated variable (e.g. SKIP_CONTAINER/NATIVE_RUN) decoupled from the CI-detection semantics of OPENSHIFT_CI.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/ansible-lint.sh` around lines 19 - 33, The current ansible-lint
native-execution branch is keyed off OPENSHIFT_CI, which mixes CI detection with
the decision to skip containerization. Update the logic in ansible-lint.sh to
use a dedicated flag such as SKIP_CONTAINER or NATIVE_RUN for the native path,
and keep OPENSHIFT_CI only as a real CI environment signal. Make sure the
condition around the ansible-galaxy install and ansible-lint invocation uses the
new flag so future CI environments won’t accidentally trigger the native branch.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/commands/setup.md:
- Around line 211-212: The markdown list under the numbered setup step has
inconsistent nested bullet indentation, causing MD005. Update the bullet items
in the setup instructions so they are aligned consistently with the other
sibling list items in this section, keeping the existing content but fixing the
nested list structure.
- Around line 145-147: Update the validation example to match the documented
fallback behavior by checking whichever config file exists instead of always
sourcing config/instance.env. Use the existing setup guidance and referenced
paths in the validation block to either source the available file from
config/instance.env or deploy/aws-hypervisor/instance.env, or explicitly state
that the validation step assumes make sync-config has already run.
- Around line 73-75: The pull-secret validation guidance is hardcoded to
config/pull-secret.json, which ignores the supported fallback location and can
mislead users. Update the validation examples in the setup instructions to
either reference the actual existing pull secret path used by the workflow or
explicitly instruct users to sync/copy the secret first; keep the validation
steps aligned with the path handling in the setup process.

In `@deploy/aws-hypervisor/README.md`:
- Around line 8-16: The README wording overstates the sync behavior for all make
targets; narrow the guarantee to the AWS/deployment workflow or the make
sync-config target. Update the guidance around the config/instance.env.template
to config/instance.env flow so it only claims synchronization where it actually
happens, and keep the description aligned with the current make targets used by
the deploy/aws-hypervisor setup.

In `@deploy/openshift-clusters/README-kcli.md`:
- Around line 56-65: The pull-secret example in README-kcli.md is generating
invalid JSON and may alter pasted secret contents. Update the instructions
around the config/pull-secret.json example to use a verbatim copy workflow or a
properly quoted heredoc so the `auths` payload is preserved exactly, and keep
the guidance aligned with the `make sync-config` / `ansible-playbook` flow
described nearby.

In `@deploy/openshift-clusters/roles/kcli/kcli-install/README.md`:
- Around line 135-143: The pull-secret example in the README currently shows an
invalid JSON heredoc, which will create a broken config file if copied verbatim.
Update the instructions around the pull secret step to use a verbatim copy/paste
approach or a clearly valid JSON example, and ensure the guidance in the
pull-secret section is consistent with the `config/pull-secret.json` file and
the `make sync-config` flow.

In `@deploy/README.md`:
- Line 43: The deployment README wording overstates that every make target syncs
config files, but only the config-aware deploy targets do so. Update the
guidance around instance.env and make sync-config in deploy/README.md to clarify
that utility targets like verify do not copy config/ into place, and reference
the existing deploy target behavior so users know when explicit syncing is still
required.

In `@README.md`:
- Around line 9-10: The README wording is too broad because not every make
target performs config syncing. Update the sentence in the documentation around
the config-sync description to scope it to the deploy targets/scripts that
source common.sh, or explicitly call out make sync-config, so the claim matches
the behavior of the relevant make targets.

---

Nitpick comments:
In `@hack/ansible-lint.sh`:
- Around line 19-33: The current ansible-lint native-execution branch is keyed
off OPENSHIFT_CI, which mixes CI detection with the decision to skip
containerization. Update the logic in ansible-lint.sh to use a dedicated flag
such as SKIP_CONTAINER or NATIVE_RUN for the native path, and keep OPENSHIFT_CI
only as a real CI environment signal. Make sure the condition around the
ansible-galaxy install and ansible-lint invocation uses the new flag so future
CI environments won’t accidentally trigger the native branch.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b7c71480-a2a0-4701-97ee-786786d1f01b

📥 Commits

Reviewing files that changed from the base of the PR and between 5ecce91 and f152d1e.

📒 Files selected for processing (31)
  • .ansible-lint
  • .claude/commands/setup.md
  • .claude/commands/setup/README.md
  • CLAUDE.md
  • Makefile
  • README.md
  • config/.gitignore
  • config/README.md
  • config/assisted.yml.template
  • config/config_arbiter_example.sh
  • config/config_fencing_example.sh
  • config/config_sno_example.sh
  • config/instance.env.template
  • config/kcli.yml.template
  • deploy/Makefile
  • deploy/README.md
  • deploy/aws-hypervisor/README.md
  • deploy/aws-hypervisor/scripts/common.sh
  • deploy/openshift-clusters/.gitignore
  • deploy/openshift-clusters/README-external-host.md
  • deploy/openshift-clusters/README-kcli.md
  • deploy/openshift-clusters/README.md
  • deploy/openshift-clusters/assisted-install.yml
  • deploy/openshift-clusters/roles/assisted/assisted-spoke/README.md
  • deploy/openshift-clusters/roles/kcli/kcli-install/README.md
  • deploy/openshift-clusters/scripts/deploy-fencing-assisted.sh
  • deploy/openshift-clusters/scripts/get-tnf-logs.sh
  • deploy/openshift-clusters/setup.yml
  • hack/ansible-lint.sh
  • hack/pre-commit
  • helpers/keep-instance.sh

Comment thread .claude/commands/setup.md
Comment thread .claude/commands/setup.md
Comment thread .claude/commands/setup.md
Comment on lines +211 to 212
- The sync distributes these to `deploy/openshift-clusters/roles/dev-scripts/install-dev/files/`; suggest `cd deploy && make sync-config` before running the playbook directly
- **Config reference**: https://github.com/openshift-metal3/dev-scripts/blob/master/config_example.sh

@coderabbitai coderabbitai Bot Jul 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Fix the nested list indentation.

The bullet indentation under the numbered item is inconsistent here and triggers MD005. Based on static analysis, align it with the sibling list items.

🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 211-211: Inconsistent indentation for list items at the same level
Expected: 6; Actual: 3

(MD005, list-indent)


[warning] 212-212: Inconsistent indentation for list items at the same level
Expected: 6; Actual: 3

(MD005, list-indent)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/commands/setup.md around lines 211 - 212, The markdown list under
the numbered setup step has inconsistent nested bullet indentation, causing
MD005. Update the bullet items in the setup instructions so they are aligned
consistently with the other sibling list items in this section, keeping the
existing content but fixing the nested list structure.

Source: Linters/SAST tools

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Won't fix — this is a Claude Code prompt file, not rendered documentation.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fonta-rh, understood — thanks for the context. Since this file is consumed as a Claude Code prompt rather than rendered Markdown, the indentation styling isn't functionally important. I'll skip flagging this going forward.

Comment thread deploy/aws-hypervisor/README.md Outdated
Comment thread deploy/openshift-clusters/README-kcli.md
Comment on lines +135 to +143
2. Download OpenShift pull secret and place it in the central `config/` folder:
```bash
# Navigate to the kcli-install files directory
cd roles/kcli/kcli-install/files/

# Create pull secret file (paste your pull secret content)
cat > pull-secret.json << EOF
# From the repository root, create the pull secret file (paste your pull secret content)
cat > config/pull-secret.json << EOF
{"auths":{"your-pull-secret-content-here"}}
EOF

# Distribute it to the role files directory (or let any make target do it)
cd deploy/ && make sync-config && cd ../

@coderabbitai coderabbitai Bot Jul 8, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Fix the pull-secret example.

This heredoc writes invalid JSON as shown, so a user copying it verbatim will create a broken file. Please switch to a verbatim copy instruction or otherwise show valid JSON.

🔧 Suggested fix
- cat > config/pull-secret.json << EOF
- {"auths":{"your-pull-secret-content-here"}}
- EOF
+ cp /path/to/downloaded/pull-secret.json config/pull-secret.json
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
2. Download OpenShift pull secret and place it in the central `config/` folder:
```bash
# Navigate to the kcli-install files directory
cd roles/kcli/kcli-install/files/
# Create pull secret file (paste your pull secret content)
cat > pull-secret.json << EOF
# From the repository root, create the pull secret file (paste your pull secret content)
cat > config/pull-secret.json << EOF
{"auths":{"your-pull-secret-content-here"}}
EOF
# Distribute it to the role files directory (or let any make target do it)
cd deploy/ && make sync-config && cd ../
2. Download OpenShift pull secret and place it in the central `config/` folder:
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/openshift-clusters/roles/kcli/kcli-install/README.md` around lines 135
- 143, The pull-secret example in the README currently shows an invalid JSON
heredoc, which will create a broken config file if copied verbatim. Update the
instructions around the pull secret step to use a verbatim copy/paste approach
or a clearly valid JSON example, and ensure the guidance in the pull-secret
section is consistent with the `config/pull-secret.json` file and the `make
sync-config` flow.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Won't fix — same reasoning as the README-kcli.md finding above.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fonta-rh, understood — acknowledged, and I'll leave this as-is consistent with the decision on the README-kcli.md finding.

Comment thread deploy/README.md Outdated
Comment thread README.md
… guard

Move common.sh from deploy/aws-hypervisor/scripts/ to deploy/ so all
deploy paths (AWS and baremetal) can source it without reaching into
aws-hypervisor internals. Add config_baremetal_fencing.sh to the sync
manifest and have baremetal-adopt generate it into config/. Skip syncing
0-byte source files to prevent accidental credential blanking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
deploy/openshift-clusters/scripts/deploy-baremetal.sh (1)

13-21: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Inconsistent ordering: common.sh sourced after strict mode is enabled.

Every other script in this cohort sources common.sh before set -o nounset/errexit/pipefail. Here the order is reversed, so common.sh's side effects (e.g. sync_config_files) run under strict mode uniquely in this script — any future unset-variable reference or non-fatal-but-nonzero command there would abort this script differently than its siblings.

🔧 Suggested fix: match sibling script ordering
-set -o nounset
-set -o errexit
-set -o pipefail
-
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 OC_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)"
 DEPLOY_DIR="$(cd "${OC_DIR}/.." && pwd)"
 # shellcheck source=/dev/null
 source "${DEPLOY_DIR}/common.sh"
+
+set -o nounset
+set -o errexit
+set -o pipefail
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/openshift-clusters/scripts/deploy-baremetal.sh` around lines 13 - 21,
The script initialization order is inconsistent with its sibling deploy scripts:
`common.sh` is sourced after `set -o nounset`, `set -o errexit`, and `set -o
pipefail`, so its side effects run under strict mode only here. Update
`deploy-baremetal.sh` to match the cohort by moving the `source
"${DEPLOY_DIR}/common.sh"` step before enabling strict mode, keeping the
existing `SCRIPT_DIR`, `OC_DIR`, and `DEPLOY_DIR` setup intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@deploy/openshift-clusters/scripts/baremetal-adopt.sh`:
- Around line 511-525: The baremetal adoption flow overwrites the generated
config file unconditionally, which can silently erase user edits to
config_baremetal_fencing.sh. Update generate_baremetal_config to detect an
existing output_file before writing and either back it up, refuse to overwrite,
or prompt/warn the user; keep the behavior aligned with baremetal-adopt and the
sync-config workflow so manual edits to CI_TOKEN and OPENSHIFT_RELEASE_IMAGE are
preserved.

---

Nitpick comments:
In `@deploy/openshift-clusters/scripts/deploy-baremetal.sh`:
- Around line 13-21: The script initialization order is inconsistent with its
sibling deploy scripts: `common.sh` is sourced after `set -o nounset`, `set -o
errexit`, and `set -o pipefail`, so its side effects run under strict mode only
here. Update `deploy-baremetal.sh` to match the cohort by moving the `source
"${DEPLOY_DIR}/common.sh"` step before enabling strict mode, keeping the
existing `SCRIPT_DIR`, `OC_DIR`, and `DEPLOY_DIR` setup intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 44ba54d8-b931-42d7-8374-f660c61d9a3b

📥 Commits

Reviewing files that changed from the base of the PR and between f152d1e and 114df4a.

📒 Files selected for processing (25)
  • CLAUDE.md
  • config/README.md
  • deploy/Makefile
  • deploy/aws-hypervisor/scripts/create.sh
  • deploy/aws-hypervisor/scripts/destroy.sh
  • deploy/aws-hypervisor/scripts/force-stop.sh
  • deploy/aws-hypervisor/scripts/init.sh
  • deploy/aws-hypervisor/scripts/inventory.sh
  • deploy/aws-hypervisor/scripts/print_instance_data.sh
  • deploy/aws-hypervisor/scripts/ssh.sh
  • deploy/aws-hypervisor/scripts/start.sh
  • deploy/aws-hypervisor/scripts/stop.sh
  • deploy/common.sh
  • deploy/openshift-clusters/scripts/baremetal-adopt.sh
  • deploy/openshift-clusters/scripts/clean-spoke.sh
  • deploy/openshift-clusters/scripts/clean.sh
  • deploy/openshift-clusters/scripts/deploy-baremetal.sh
  • deploy/openshift-clusters/scripts/deploy-cluster.sh
  • deploy/openshift-clusters/scripts/deploy-fencing-assisted.sh
  • deploy/openshift-clusters/scripts/full-clean.sh
  • deploy/openshift-clusters/scripts/get-tnf-logs.sh
  • deploy/openshift-clusters/scripts/patch-nodes.sh
  • deploy/openshift-clusters/scripts/redeploy-cluster.sh
  • deploy/openshift-clusters/scripts/shutdown-cluster.sh
  • deploy/openshift-clusters/scripts/startup-cluster.sh
✅ Files skipped from review due to trivial changes (7)
  • deploy/aws-hypervisor/scripts/init.sh
  • deploy/aws-hypervisor/scripts/ssh.sh
  • deploy/aws-hypervisor/scripts/destroy.sh
  • deploy/aws-hypervisor/scripts/print_instance_data.sh
  • deploy/aws-hypervisor/scripts/force-stop.sh
  • config/README.md
  • CLAUDE.md
🚧 Files skipped from review as they are similar to previous changes (2)
  • deploy/openshift-clusters/scripts/get-tnf-logs.sh
  • deploy/Makefile

Comment thread deploy/openshift-clusters/scripts/baremetal-adopt.sh
@lucaconsalvi

Copy link
Copy Markdown
Contributor

Code review

Found 2 issues:

  1. helpers/keep-instance.sh sources deploy/aws-hypervisor/scripts/common.sh, but this PR renames that file to deploy/common.sh. The old path no longer exists, so make keep-instance will fail at runtime with "No such file or directory." The correct path should be "${SCRIPT_DIR}/../deploy/common.sh". (bug: path references deleted file)

# common.sh syncs config/ files and sources instance.env (for REGION)
# shellcheck source=/dev/null
source "${SCRIPT_DIR}/../deploy/aws-hypervisor/scripts/common.sh"

  1. hack/ansible-lint.sh uses :latest for the container image tag. (CLAUDE.md says "Pin dependency versions in production configurations")

CONTAINER_ENGINE=${CONTAINER_ENGINE:-podman}
CONTAINER_IMAGE="ghcr.io/ansible/community-ansible-dev-tools:latest"
# Host-side cache so the collections download is a one-time cost

🤖 Generated with Claude Code

- If this code review was useful, please react with 👍. Otherwise, react with 👎.

@lucaconsalvi lucaconsalvi left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the excellent work here, Pablo! This is a really well-thought-out change — the backwards-compatible sync design (newer-wins, never deletes), the 0-byte file protection, and the thorough documentation updates across every README are all top-notch. The config/.gitignore setup cleanly prevents credential commits, and the ansible-lint integration with a baselined skip list is exactly the right approach for incremental adoption.

I found one critical bug and a few error-handling concerns detailed in the inline comments below.


Summary

Severity Count Key Findings
Critical 1 keep-instance.sh sources deleted path — will crash at runtime
High 2 cp failure silently ignored in sync, make sync-config masks errors
Medium 3 Spurious instance.env warning for non-AWS scripts, errexit ordering inconsistency, *.yml glob fragility

Minor (no inline comment)

  • deploy/openshift-clusters/.gitignore is still missing a trailing newline (pre-existing, extended by this PR)
  • CodeRabbit's finding about baremetal-adopt silently clobbering hand-edited config/config_baremetal_fencing.sh on re-run is worth considering

Comment thread helpers/keep-instance.sh Outdated
Comment thread deploy/common.sh Outdated
Comment thread deploy/Makefile Outdated
Comment thread deploy/common.sh
Comment thread deploy/openshift-clusters/scripts/deploy-baremetal.sh
Comment thread hack/ansible-lint.sh
Re-running `make baremetal-adopt` after editing config_baremetal_fencing.sh
(e.g. to set CI_TOKEN) would silently overwrite user edits. Back up the
existing file with a timestamped suffix before regenerating.

Co-Authored-By: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fonta-rh

fonta-rh commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Addressed CodeRabbit review-body nitpick findings:

  • hack/ansible-lint.sh:19 (OPENSHIFT_CI flag confusing): Won't fix — standard dual-purpose pattern in the OpenShift CI ecosystem.
  • deploy/openshift-clusters/scripts/deploy-baremetal.sh:13 (errexit ordering): Won't fix — duplicate of the human review finding; will be addressed separately with that review.

- Fix broken common.sh path in keep-instance.sh after move to deploy/
- Handle cp failures in sync_config_files() so errors are reported
  instead of silently incrementing the sync count
- Add nullglob guard in ansible-lint.sh syntax-check loop

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
deploy/openshift-clusters/scripts/clean-spoke.sh (1)

6-14: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Set error-handling flags before sourcing common.sh.

set -o nounset/errexit/pipefail are set only after source "${DEPLOY_DIR}/common.sh". If the source fails (wrong path, missing file), the script won't fail fast and will continue with undefined functions/variables. This is the same source-then-set-flags pattern already acknowledged (but deferred) for deploy-baremetal.sh; worth applying the same fix consistently here.

🛠️ Proposed fix
 SCRIPT_DIR=$(dirname "$0")
 DEPLOY_DIR="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 
+set -o nounset
+set -o errexit
+set -o pipefail
+
 # shellcheck source=/dev/null
 source "${DEPLOY_DIR}/common.sh"
 
-set -o nounset
-set -o errexit
-set -o pipefail
-
 NODE_DIR="$(get_node_dir)"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/openshift-clusters/scripts/clean-spoke.sh` around lines 6 - 14, The
script currently sources common.sh before enabling nounset/errexit/pipefail, so
a missing or bad source can pass silently; move the set -o flags ahead of the
source step in clean-spoke.sh, matching the safer pattern used elsewhere and
keeping SCRIPT_DIR/DEPLOY_DIR resolution intact.
deploy/openshift-clusters/scripts/patch-nodes.sh (1)

4-13: 🩺 Stability & Availability | 🟡 Minor | ⚡ Quick win

Set error-handling flags before sourcing common.sh.

Same issue as in clean-spoke.sh: set -o nounset/errexit/pipefail are applied after source "${DEPLOY_DIR}/common.sh", so a failed source won't abort the script early.

🛠️ Proposed fix
 DEPLOY_DIR="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 
+set -o nounset
+set -o errexit
+set -o pipefail
+
 # shellcheck source=/dev/null
 source "${DEPLOY_DIR}/common.sh"
 
-set -o nounset
-set -o errexit
-set -o pipefail
-
 # Check if instance data exists
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@deploy/openshift-clusters/scripts/patch-nodes.sh` around lines 4 - 13, The
script in patch-nodes.sh sets nounset/errexit/pipefail only after sourcing
common.sh, so a failed source may not stop execution. Move the set -o nounset,
set -o errexit, and set -o pipefail lines to run before the source
"${DEPLOY_DIR}/common.sh" statement, keeping SCRIPT_DIR/DEPLOY_DIR setup intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@deploy/openshift-clusters/scripts/clean-spoke.sh`:
- Around line 6-14: The script currently sources common.sh before enabling
nounset/errexit/pipefail, so a missing or bad source can pass silently; move the
set -o flags ahead of the source step in clean-spoke.sh, matching the safer
pattern used elsewhere and keeping SCRIPT_DIR/DEPLOY_DIR resolution intact.

In `@deploy/openshift-clusters/scripts/patch-nodes.sh`:
- Around line 4-13: The script in patch-nodes.sh sets nounset/errexit/pipefail
only after sourcing common.sh, so a failed source may not stop execution. Move
the set -o nounset, set -o errexit, and set -o pipefail lines to run before the
source "${DEPLOY_DIR}/common.sh" statement, keeping SCRIPT_DIR/DEPLOY_DIR setup
intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 01a87fb2-0b11-44a5-a2e5-eca3ba41835d

📥 Commits

Reviewing files that changed from the base of the PR and between 5ecce91 and 9801c85.

📒 Files selected for processing (50)
  • .ansible-lint
  • .claude/commands/setup.md
  • .claude/commands/setup/README.md
  • CLAUDE.md
  • Makefile
  • README.md
  • config/.gitignore
  • config/README.md
  • config/assisted.yml.template
  • config/config_arbiter_example.sh
  • config/config_fencing_example.sh
  • config/config_sno_example.sh
  • config/instance.env.template
  • config/kcli.yml.template
  • deploy/Makefile
  • deploy/README.md
  • deploy/aws-hypervisor/README.md
  • deploy/aws-hypervisor/scripts/create.sh
  • deploy/aws-hypervisor/scripts/destroy.sh
  • deploy/aws-hypervisor/scripts/force-stop.sh
  • deploy/aws-hypervisor/scripts/init.sh
  • deploy/aws-hypervisor/scripts/inventory.sh
  • deploy/aws-hypervisor/scripts/print_instance_data.sh
  • deploy/aws-hypervisor/scripts/ssh.sh
  • deploy/aws-hypervisor/scripts/start.sh
  • deploy/aws-hypervisor/scripts/stop.sh
  • deploy/common.sh
  • deploy/openshift-clusters/.gitignore
  • deploy/openshift-clusters/README-external-host.md
  • deploy/openshift-clusters/README-kcli.md
  • deploy/openshift-clusters/README.md
  • deploy/openshift-clusters/assisted-install.yml
  • deploy/openshift-clusters/roles/assisted/assisted-spoke/README.md
  • deploy/openshift-clusters/roles/kcli/kcli-install/README.md
  • deploy/openshift-clusters/scripts/baremetal-adopt.sh
  • deploy/openshift-clusters/scripts/clean-spoke.sh
  • deploy/openshift-clusters/scripts/clean.sh
  • deploy/openshift-clusters/scripts/deploy-baremetal.sh
  • deploy/openshift-clusters/scripts/deploy-cluster.sh
  • deploy/openshift-clusters/scripts/deploy-fencing-assisted.sh
  • deploy/openshift-clusters/scripts/full-clean.sh
  • deploy/openshift-clusters/scripts/get-tnf-logs.sh
  • deploy/openshift-clusters/scripts/patch-nodes.sh
  • deploy/openshift-clusters/scripts/redeploy-cluster.sh
  • deploy/openshift-clusters/scripts/shutdown-cluster.sh
  • deploy/openshift-clusters/scripts/startup-cluster.sh
  • deploy/openshift-clusters/setup.yml
  • hack/ansible-lint.sh
  • hack/pre-commit
  • helpers/keep-instance.sh

fonta-rh and others added 4 commits July 9, 2026 17:31
- Makefile sync-config: add set -e so cp failures propagate
- deploy-baremetal.sh: source common.sh before strict flags for
  consistent sync error handling across scripts
- ansible-lint.sh: quote $CONTAINER_ENGINE and $CONTAINER_IMAGE

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Callers like doctor.sh that have their own instance.env validation
can suppress the generic warning without blanket stderr suppression.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Playbooks assisted-install.yml and kcli-install.yml reference roles
via the `role:` syntax that ansible-lint resolves at the repo root.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fonta-rh

fonta-rh commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

Re: CodeRabbit review-body findings (outside diff range)

  • clean-spoke.sh: "Set error-handling flags before sourcing common.sh" — Won't fix — source-then-set-flags is the intentional convention; common.sh expands variables that may be unset under nounset, and sync_config_files() manages its own errors internally.
  • patch-nodes.sh: Same finding — Won't fix — same reasoning.

…quisite

sync_config_files() was called at module scope whenever any script
sourced common.sh, making every import a side-effecting operation.
This forced callers like doctor.sh to opt out via SKIP_CONFIG_SYNC=1.

Move the sync to a Makefile prerequisite on deploy and cluster targets
only, keeping common.sh as a pure library. The sync-config target now
explicitly calls sync_config_files, and only targets that actually
consume synced config files depend on it.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@fonta-rh

fonta-rh commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

/test images

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. ready-for-human-review Indicates a PR has been reviewed by automated tools and is ready for human review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants