Replace individual FORGE params with FJOB_NAME + FOURNOS_NAMESPACE

[avasilevskii]

Instead of extracting forge-project, forge-config, and env from the FournosJob spec and passing them as separate PipelineRun/resolve Job params, Fournos now passes only FJOB_NAME and FOURNOS_NAMESPACE. FORGE looks up the full FournosJob spec via the K8s API, giving it access to all configuration in one go.

This also drops job-name, gpu-count, and secret-refs as pipeline params since FORGE can read those from the spec directly if required. The only params remaining on the PipelineRun are fjob-name, fournos-namespace, and kubeconfig-secret.

Closes #61

Summary by CodeRabbit

• Refactor
  • Operator now supplies only job name and namespace; pipelines and runtime components resolve full job specs from Kubernetes, simplifying parameter contracts across workflows.
• Documentation
  • Design doc and README updated to describe the new lookup-based configuration flow.
• Tests
  • Test suites and helpers adjusted to reflect the narrowed pipeline parameter surface and removed legacy parameter assertions.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6e950084-f957-4659-b2a9-ebb8a9c9a6f8

📥 Commits

Reviewing files that changed from the base of the PR and between b2a1089 and 34478c3.

📒 Files selected for processing (1)

• config/forge/workflows/tasks.yaml

---

📝 Walkthrough

Walkthrough

This PR changes how FORGE receives job configuration: the operator and Tekton pipelines now pass only fjob-name / FJOB_NAME and fournos-namespace / FOURNOS_NAMESPACE. FORGE/resolve tasks read the full FournosJob spec from the Kubernetes API at runtime instead of receiving serialized forge/env parameters.

Changes

Cohort / File(s)	Summary
Docs Fournos_Design_Document.md, README.md	Docs updated to describe that spec.env, spec.displayName, and forge config are read from the FournosJob CR via K8s API rather than passed as serialized pipeline params.
Tekton Pipelines config/forge/workflows/pipeline-full.yaml, config/forge/workflows/pipeline-test-only.yaml, config/fournos-validation/workflows/pipeline-validate-only.yaml, dev/mock-pipelines/pipeline-full.yaml, dev/mock-pipelines/pipeline-run-only.yaml	Pipeline params removed (job-name, forge-project, forge-config, env, gpu-count, secret-refs); new params fjob-name and fournos-namespace added; task wiring updated.
Tekton Tasks / Scripts config/forge/workflows/tasks.yaml, dev/mock-pipelines/tasks.yaml, dev/mock-resolve/resolve.sh	Task step scripts changed to fetch the FournosJob YAML (via oc/kubectl) and extract fields with yq; env var contracts renamed/removed (FOURNOS_JOB_NAME→FJOB_NAME, removed FORGE_PROJECT/FORGE_CONFIG/FOURNOS_ENV).
Resolve Job Manifests config/forge/resolve_job.yaml, dev/mock-resolve/resolve_job.yaml	Job templates updated to set FJOB_NAME and FOURNOS_NAMESPACE and to stop injecting serialized forge/env env vars.
Operator / Core Python fournos/core/resolve.py, fournos/core/tekton.py	API signatures narrowed: ResolveClient.create_job() drops forge_project/forge_config/env; TektonClient.create_pipeline_run() drops display_name, forge_project, forge_config, env, gpu_count; PipelineRun payload now only includes fjob-name and fournos-namespace (plus kubeconfig).
Handlers fournos/handlers/execution.py, fournos/handlers/resolving.py	Handler reconciliation stops extracting/passing forge/env/display/gpu fields; create_job/create_pipeline_run invoked with only job name/owner_ref (and pipeline/kubeconfig as applicable).
Tests / Mocks tests/conftest.py, tests/test_scheduling.py, tests/test_secret_refs.py, dev/mock-pipelines/*	Test helpers and mock pipelines updated to use fjob-name/fournos-namespace; removed tests/assertions that validated serialized forge/env/secret-refs parameters.

Sequence Diagram(s)

sequenceDiagram
    participant Operator
    participant API as K8s API
    participant Controller as Fournos Operator
    participant Tekton as Tekton (PipelineRun)
    participant Resolve as Resolve Job / FORGE

    Operator->>Controller: create FournosJob CR (spec + forge/env)
    Controller->>Tekton: create PipelineRun (params: fjob-name, fournos-namespace, kubeconfig-secret)
    Tekton->>Resolve: start resolve task / container (env: FJOB_NAME, FOURNOS_NAMESPACE)
    Resolve->>API: GET FournosJob/<FJOB_NAME> in <FOURNOS_NAMESPACE>
    API-->>Resolve: FournosJob YAML
    Resolve->>Resolve: extract .spec.forge, .spec.env, etc. (yq)
    Resolve->>FORGE: invoke bin/run_ci with derived FORGE_PROJECT / env / artifacts
    Resolve-->>Tekton: task completes (status)
    Tekton-->>Controller: PipelineRun status updates

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Add Resolving Phase #55 — Related changes to resolve/resolve-job templates and ResolveClient wiring that intersect this PR’s removal of serialized forge/env parameters.
• Update to make it work with Forge #26 — Modifies the same Tekton task scripts (bash safety, env handling, FOURNOS_CI/ARTIFACT_DIR) adjusted here.
• Introduce cluster pinning and use Kueue for both hardware and cluster requests #2 — Changes TektonClient.create_pipeline_run signature and PipelineRun payload construction, directly related to this PR’s API surface updates.

Suggested labels

lgtm

Poem

🐰 I hopped through YAML and shell tonight,
I swapped env blobs for a name in plain sight,
"Just FJOB and NS," I quietly cheer,
FORGE fetches the spec when the job draws near,
Hooray — the cluster holds the truth, neat and bright! 🥕✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately and concisely summarizes the main change: replacing individual FORGE parameters with two consolidated identifiers (FJOB_NAME and FOURNOS_NAMESPACE) to enable FORGE to fetch the full job specification.
Linked Issues check	✅ Passed	The PR fully implements issue #61's objective: replacing individual extracted fields (spec.env, spec.forge.project, spec.forge.args) with a lookup mechanism using FJOB_NAME and FOURNOS_NAMESPACE, enabling FORGE to access the complete FournosJob spec via Kubernetes API.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with the linked issue #61 objective. The PR consistently replaces individual parameter passing with the two-identifier lookup mechanism across all relevant files (pipelines, tasks, handlers, tests, and mock utilities).

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

fournos/core/resolve.py (1)

71-79: Fail fast when required resolve env placeholders are missing.

This loop silently skips absent keys in the job template. A template drift will fail later in-container instead of at job creation time.

♻️ Proposed hardening

         env_values = {
             "FJOB_NAME": name,
             "FOURNOS_NAMESPACE": settings.namespace,
         }
+        required = set(env_values)
+        present = {e.get("name") for e in container.get("env", [])}
+        missing = required - present
+        if missing:
+            raise ValueError(
+                f"Resolve job template is missing required env entries: {sorted(missing)}"
+            )
+
         for env_var in container["env"]:
             if env_var["name"] not in env_values:
                 continue
             env_var["value"] = env_values[env_var["name"]]

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@fournos/core/resolve.py` around lines 71 - 79, The loop that patches
container["env"] using env_values currently skips missing keys, causing template
drift to surface later; change it to fail fast by verifying that each required
key from env_values is present in the container's env list and raising a clear
exception (e.g., ValueError) that includes the job name and missing env var(s).
Specifically, iterate over keys of env_values (or build a set of expected names)
and for each expected name ensure there's a matching dict in container["env"];
if not found, raise an error referencing env_values, container["env"], name and
settings.namespace so the caller sees which placeholder is missing. Ensure you
still set env_var["value"] for matches as the current code does.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@config/forge/workflows/tasks.yaml`:
- Line 52: The task uses an undefined variable FOURNOS_NAME in the oc get
command; replace it with the correctly defined FJOB_NAME (and likewise replace
any other occurrences such as the one around line 81) so the command becomes oc
get "fjob/$FJOB_NAME" -n "$FOURNOS_NAMESPACE" ...; update both occurrences to
consistently use FJOB_NAME (leave FOURNOS_NAMESPACE as-is if that variable is
defined) to avoid set -o nounset failures and ensure the step reaches run_ci.
- Around line 20-25: The task is using the mounted workload KUBECONFIG when
running the forge-step which causes `oc get fjob/...` to query the target
cluster instead of the hub; update the task so the forge-step fetches the
FournosJob from the hub context (same approach used in resolve_job.yaml).
Concretely, remove or stop setting KUBECONFIG to "$(params.kubeconfig-secret)"
for the step that runs `oc get fjob/...` (refer to the KUBECONFIG env and the
forge-step that executes `oc get fjob`), or explicitly point KUBECONFIG there to
the hub kubeconfig secret instead of the workload mount; ensure FJOB_NAME and
FOURNOS_NAMESPACE are still passed through and that only the hub cluster context
is used for the FournosJob lookup.

---

Nitpick comments:
In `@fournos/core/resolve.py`:
- Around line 71-79: The loop that patches container["env"] using env_values
currently skips missing keys, causing template drift to surface later; change it
to fail fast by verifying that each required key from env_values is present in
the container's env list and raising a clear exception (e.g., ValueError) that
includes the job name and missing env var(s). Specifically, iterate over keys of
env_values (or build a set of expected names) and for each expected name ensure
there's a matching dict in container["env"]; if not found, raise an error
referencing env_values, container["env"], name and settings.namespace so the
caller sees which placeholder is missing. Ensure you still set env_var["value"]
for matches as the current code does.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 36921227-4c14-404b-b481-a656038fa6c4

📥 Commits

Reviewing files that changed from the base of the PR and between 566ff8a and b2a1089.

📒 Files selected for processing (20)

• Fournos_Design_Document.md
• README.md
• config/forge/resolve_job.yaml
• config/forge/workflows/pipeline-full.yaml
• config/forge/workflows/pipeline-test-only.yaml
• config/forge/workflows/tasks.yaml
• config/fournos-validation/workflows/pipeline-validate-only.yaml
• config/fournos-validation/workflows/tasks.yaml
• dev/mock-pipelines/pipeline-full.yaml
• dev/mock-pipelines/pipeline-run-only.yaml
• dev/mock-pipelines/tasks.yaml
• dev/mock-resolve/resolve.sh
• dev/mock-resolve/resolve_job.yaml
• fournos/core/resolve.py
• fournos/core/tekton.py
• fournos/handlers/execution.py
• fournos/handlers/resolving.py
• tests/conftest.py
• tests/test_scheduling.py
• tests/test_secret_refs.py

💤 Files with no reviewable changes (5)

• config/fournos-validation/workflows/tasks.yaml
• fournos/handlers/resolving.py
• tests/test_scheduling.py
• tests/test_secret_refs.py
• fournos/handlers/execution.py

[kpouget]

thanks, looks good!

/lgtm

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from kpouget. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[avasilevskii]

/test deploy-fournos-wip

[psap-forge-bot]

🟢 Test of 'fournos_deploy --project-source' succeeded after 00 hours 10 minutes 54 seconds 🟢

• Link to the test results.

• No reports index generated...

Test configuration:

/test deploy-fournos-wip

• Execution logs