NO-JIRA: Fix HCCO deployment location in AGENTS.md

[enxebre]

Summary

• Corrects HCCO description in control-plane-operator/AGENTS.md: HCCO runs as a Deployment in the control plane namespace on the management cluster, not "in the guest cluster"
• It reconciles guest-side resources by talking to the guest API server, but the pod itself lives in the HCP namespace

Test plan

• Documentation-only change, no code impact

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Clarified that HCCO runs as a Deployment in the control plane namespace rather than inside the guest cluster. Documentation also reiterates that HCCO continues to reconcile guest-side resources (pull secrets, node configuration, in-place upgrades, global pull secret handling, and node draining) so users can expect the same guest-facing behaviors.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci-robot]

@enxebre: This pull request explicitly references no jira issue.

Details

In response to this:

Summary

• Corrects HCCO description in control-plane-operator/AGENTS.md: HCCO runs as a Deployment in the control plane namespace on the management cluster, not "in the guest cluster"
• It reconciles guest-side resources by talking to the guest API server, but the pod itself lives in the HCP namespace

Test plan

• Documentation-only change, no code impact

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dc752c9d-2d9b-4ef3-9df6-85a33c5f7af4

📥 Commits

Reviewing files that changed from the base of the PR and between 89e2a78 and 8ae7e79.

📒 Files selected for processing (1)

• control-plane-operator/AGENTS.md

✅ Files skipped from review due to trivial changes (1)

• control-plane-operator/AGENTS.md

---

📝 Walkthrough

Walkthrough

This pull request updates the AGENTS.md documentation in the control-plane-operator directory. The change clarifies the runtime location of HCCO (Hosted Cluster Control Operator), specifying that it runs as a Deployment in the control plane namespace rather than in the guest cluster. The documented list of reconciled guest-side resources—including pull secrets, node configuration, in-place upgrades, global pull secret, and draining—remains unchanged.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing HCCO deployment location documentation in AGENTS.md, which matches the changeset.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This is a documentation-only PR with no test code changes. The custom check targets Ginkgo test names; since no tests are modified, the check is not applicable.
Test Structure And Quality	✅ Passed	Ginkgo tests use single responsibility, proper setup/cleanup with BeforeEach/DeferCleanup, timeouts via EventuallyObject and WithTimeout, and meaningful assertion messages.
Topology-Aware Scheduling Compatibility	✅ Passed	Documentation-only change to AGENTS.md clarifying HCCO deployment location. No deployment manifests, operator code, or controllers modified, so topology check not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR is documentation-only (AGENTS.md update). No new Ginkgo e2e tests are present, so IPv6/disconnected network check is not applicable.
No-Weak-Crypto	✅ Passed	Documentation-only change with no code. File contains only architectural descriptions with no weak crypto, custom crypto implementations, or non-constant-time secret comparisons.
Container-Privileges	✅ Passed	The new HCCO deployment manifest contains no privileged settings: no privileged: true, hostPID/hostNetwork/hostIPC, SYS_ADMIN capability, allowPrivilegeEscalation, or root user configurations.
No-Sensitive-Data-In-Logs	✅ Passed	Documentation-only change in AGENTS.md clarifying HCCO deployment location; no code changes, logging statements, or sensitive data exposure detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

control-plane-operator/AGENTS.md (1)

37-37: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update this table entry to match the corrected HCCO location.

Line 24 now correctly states that HCCO runs as a Deployment in the control plane namespace, but this table entry still says "(runs in guest cluster)". This creates a documentation inconsistency.

📝 Proposed fix to align with line 24

-| `hostedclusterconfigoperator/` | HCCO binary and its controllers (runs in guest cluster) |
+| `hostedclusterconfigoperator/` | HCCO binary and its controllers (runs in control plane namespace, reconciles guest-side resources) |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@control-plane-operator/AGENTS.md` at line 37, Update the table row for
`hostedclusterconfigoperator/` so it matches the corrected description on line
24: change the parenthetical note from "(runs in guest cluster)" to indicate
HCCO runs as a Deployment in the control plane namespace (e.g., "(runs as a
Deployment in the control plane namespace)"). Ensure the entry continues to
reference HCCO binary and its controllers and uses the exact identifier
`hostedclusterconfigoperator/` so the docs remain consistent.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@control-plane-operator/AGENTS.md`:
- Line 37: Update the table row for `hostedclusterconfigoperator/` so it matches
the corrected description on line 24: change the parenthetical note from "(runs
in guest cluster)" to indicate HCCO runs as a Deployment in the control plane
namespace (e.g., "(runs as a Deployment in the control plane namespace)").
Ensure the entry continues to reference HCCO binary and its controllers and uses
the exact identifier `hostedclusterconfigoperator/` so the docs remain
consistent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dd0d9a47-368d-401d-859f-affd30290139

📥 Commits

Reviewing files that changed from the base of the PR and between 9b67f7b and 89e2a78.

📒 Files selected for processing (1)

• control-plane-operator/AGENTS.md

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.68%. Comparing base (9b67f7b) to head (8ae7e79).
⚠️ Report is 15 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8635      +/-   ##
==========================================
- Coverage   45.84%   40.68%   -5.17%     
==========================================
  Files         440      755     +315     
  Lines       52824    93363   +40539     
==========================================
+ Hits        24218    37985   +13767     
- Misses      26816    52645   +25829     
- Partials     1790     2733     +943     

see 315 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	34.70% <ø> (?)
cpo-hostedcontrolplane	41.80% <ø> (ø)
cpo-other	41.39% <ø> (ø)
hypershift-operator	50.82% <ø> (ø)
other	31.61% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bryan-cox]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-v2-gke

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bryan-cox, enxebre

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [bryan-cox,enxebre]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[bryan-cox]

/retest

[bryan-cox]

/verified bypass

[openshift-ci-robot]

@bryan-cox: The verified label has been added.

Details

In response to this:

/verified bypass

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-bot]

/retest-required

Remaining retests: 0 against base HEAD 988f2be and 2 for PR HEAD 8ae7e79 in total

[bryan-cox]

/override codecov/project

[bryan-cox]

/override ci/prow/e2e-v2-gke

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: codecov/project

Details

In response to this:

/override codecov/project

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@bryan-cox: Overrode contexts on behalf of bryan-cox: ci/prow/e2e-v2-gke

Details

In response to this:

/override ci/prow/e2e-v2-gke

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[hypershift-jira-solve-ci]

I now have the complete root cause analysis. Here is the report:

Test Failure Analysis Complete

Job Information

• Prow Job: codecov/project
• Build ID: check-run 78566032289
• PR: NO-JIRA: Fix HCCO deployment location in AGENTS.md #8635 (NO-JIRA: Fix HCCO deployment location in AGENTS.md)
• Check URL: https://app.codecov.io/gh/openshift/hypershift/pull/8635

Test Failure Analysis

Error

codecov/project: 40.68% (-5.17%) compared to 9b67f7b
Project coverage dropped from 45.84% (base) to 40.68% (head).
Files: 440 → 755 (+315), Lines: 52824 → 93363 (+40,539)
⚠ Report is 13 commits behind head on main.

Summary

The codecov/project check failed due to a stale Codecov base coverage report, not due to any change introduced by PR #8635. This PR only modifies a single Markdown documentation file (control-plane-operator/AGENTS.md) — a one-line wording correction. Codecov itself acknowledges "All modified and coverable lines are covered by tests" and the companion codecov/patch check passed. The failure has already been overridden via Prow (Prow override - codecov/project), and the same -5.17% false regression is visible on other concurrent PRs (e.g., #8638, #8640).

Root Cause

The root cause is a Codecov base report staleness / report comparison anomaly, not a real coverage regression.

1. Stale base: Codecov's coverage report for main at commit 9b67f7b was 13 commits behind the actual main HEAD. This stale report measured 440 files / 52,824 lines at 45.84% coverage.

2. Expanded file set on PR head: The PR's unit test shards (5 parallel shards: cpo-hostedcontrolplane, cpo-other, hypershift-operator, cmd-support, other) ran and uploaded coverage reports that collectively measured 755 files / 93,363 lines at 40.68%. This is +315 files and +40,539 lines more than the stale base — none of which were introduced by this PR's single .md file change.

3. File-set drift: Between the stale base snapshot and current main, the repository's coverage configuration, package list, or test shard definitions likely changed (e.g., new packages added to shard matrices, files moved between ignore/include patterns). This caused the PR head's coverage upload to include substantially more files than the base snapshot knew about, producing an artificial coverage drop.

4. No threshold configured: The codecov.yml has no explicit coverage.status.project.default.target setting. Codecov's default behavior is to fail the check when coverage decreases relative to the base — even when the decrease is caused entirely by a stale comparison baseline.

5. Doc-only PR: The PR changes exactly one line in control-plane-operator/AGENTS.md. The codecov.yml ignore section includes "**/*.md", so this file is excluded from coverage calculation. The PR cannot have caused any real coverage change.

Recommendations

1. No action needed for this PR — the failure is a false positive and has already been correctly overridden via Prow.

2. To prevent recurrence across PRs, consider adding an explicit project coverage target with a threshold tolerance to codecov.yml:

   coverage:
     status:
       project:
         default:
           threshold: 1%  # Allow up to 1% decrease

3. Ensure Codecov base reports stay current — the "13 commits behind head on main" warning indicates delayed or missing coverage uploads on main branch pushes. Verify the push trigger in .github/workflows/test-reusable.yaml is reliably uploading coverage on every merge to main.

4. Consider skipping Codecov for doc-only PRs — since the changes job already detects non-code changes but still runs tests for .md-only PRs (the grep -qvE '^(contrib|\.github|docs)/' filter doesn't exclude root-level .md files in subdirectories), the test shards run unnecessarily and upload coverage that gets compared against stale baselines.

Evidence

Evidence	Detail
PR diff	Single file changed: control-plane-operator/AGENTS.md (1 line wording fix)
Codecov report	"All modified and coverable lines are covered by tests" ✅
codecov/patch check	Passed ✅ — confirming no coverage impact from changed lines
Base coverage	45.84% (440 files, 52,824 lines) at commit 9b67f7b
Head coverage	40.68% (755 files, 93,363 lines) at commit 8ae7e79
File delta	+315 files, +40,539 lines — impossible from a 1-line .md change
Staleness warning	"Report is 13 commits behind head on main"
codecov.yml ignore	"**/*.md" is in the ignore list — .md files excluded from coverage
codecov.yml thresholds	No coverage.status.project target configured — uses default (no decrease allowed)
Prow override	Already applied: "Prow override - codecov/project" with conclusion success
Other PRs affected	PR #8638 and #8640 show identical -5.17% false failure, confirming repo-wide issue

---

[openshift-ci]

@enxebre: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.