@mangelajo mangelajo commented Nov 25, 2025

Feedback, warning and fixes contributed here: k8s-operatorhub/community-operators#7140, but we keep our CSV locally for generating the bundle.

Summary by CodeRabbit

  • New Features

    • Added enhanced operator metadata including descriptions for managed resources.
    • Introduced sample configurations for core resources.
    • Added operator icon to the operator manifest.
    • Set minimum Kubernetes version requirement to 1.28.0.
  • Bug Fixes

    • Corrected image repository reference.
  • Chores

    • Updated build process to publish resource definitions.
    • Expanded maintainer list.
    • Added contribution workflow automation script.


coderabbitai bot commented Nov 25, 2025

Walkthrough

Changes enhance operator metadata with expanded CRD descriptions and maintainer information, introduce sample resource manifests for Client, Exporter, ExporterAccessPolicy, and Lease resources, add a Makefile step to copy generated CRDs to operator configuration directories, document the Client resource, update manager image references, and provide a community contribution automation script.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Makefile CRD Publishing: Makefile | Added step to copy generated CRDs from deploy/helm/jumpstarter/crds/ into deploy/operator/config/crd/bases/ during manifests generation phase. |
| API Documentation: api/v1alpha1/client_types.go | Added three documentation comment lines describing the Client struct's role in Jumpstarter and its linkage to external OIDC identity providers. |
| ClusterServiceVersion Metadata: deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml, deploy/operator/config/manifests/bases/jumpstarter-operator.clusterserviceversion.yaml | Expanded CRD declarations with rich descriptions (displayName, kind, name, version) for Client, ExporterAccessPolicy, Exporter, and Lease; added minKubeVersion: 1.28.0; extended maintainers list; populated alm-examples with resource samples; updated operator icon with inline SVG. |
| Manager Configuration: deploy/operator/config/manager/kustomization.yaml | Changed image reference from quay.io/jumpstarter-dev/jumpstarter-operator to quay.io/jumpstarte-dev/jumpstarter-operator. |
| Sample Resources: deploy/operator/config/samples/jumpstarter.dev_v1alpha1_client.yaml, deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporter.yaml, deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporteraccesspolicy.yaml, deploy/operator/config/samples/jumpstarter.dev_v1alpha1_lease.yaml | Added four new sample YAML manifests demonstrating Client, Exporter, ExporterAccessPolicy, and Lease resource configurations with example metadata and specifications. |
| Sample Configuration: deploy/operator/config/samples/kustomization.yaml | Registered four new sample resource entries alongside existing jumpstarter operator sample. |
| Contribution Automation: deploy/operator/contribute/update-contributions.sh | Added Bash script automating community-operators repository updates: clones repository if needed, manages branching, extracts version from ClusterServiceVersion, copies bundle contents to versioned operator directory, and prompts for review and commit. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Manager image reference typo: Verify whether jumpstarte-dev is intentional or should be jumpstarter-dev
  • Shell script robustness: Review update-contributions.sh for error handling and path correctness, particularly the VERSION extraction regex and directory creation logic
  • CRD metadata consistency: Cross-check descriptions and displayNames across both ClusterServiceVersion files to ensure alignment
  • Sample manifest completeness: Confirm all sample resources align with their corresponding CRD definitions and represent realistic configurations

Suggested reviewers

  • bennyz
  • bkhizgiy

Poem

🐰 Hops through manifests with glee,
Sample resources for all to see,
CRDs now described so fine,
Operators shine, the config's divine!
A contribution script to share,
With love and automation care. 💫

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main purpose of the changeset: updating the operator bundle, manifests, samples, and documentation based on operatorhub feedback. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@mangelajo mangelajo requested a review from bkhizgiy November 25, 2025 17:07

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
deploy/operator/config/manifests/bases/jumpstarter-operator.clusterserviceversion.yaml (1)

5-157: Add Jumpstarter example to alm-examples in base CSV to match bundle manifest.

The base CSV is missing the Jumpstarter example that exists in the bundle CSV. While other fields (minKubeVersion, CRD descriptions, maintainers, icon) are consistent, the alm-examples section differs:

  • Base: 4 examples (Client, Exporter, ExporterAccessPolicy, Lease)
  • Bundle: 5 examples (Client, Exporter, ExporterAccessPolicy, Lease, Jumpstarter)

Add the Jumpstarter example to the base's alm-examples to maintain full parity with the bundle manifest:

{
  "apiVersion": "operator.jumpstarter.dev/v1alpha1",
  "kind": "Jumpstarter",
  "metadata": {
    "name": "jumpstarter-sample"
  },
  "spec": null
}
🧹 Nitpick comments (3)
deploy/operator/contribute/update-contributions.sh (2)

16-16: Add error handling to cd command.

Per shellcheck warning SC2164, the cd command should include error handling to prevent the script from continuing in an unexpected directory if the change fails.

Apply this fix:

-cd community-operators
+cd community-operators || exit 1
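
Review bot: the `cd community-operators` target on the added line is still relative, so it resolves against whatever directory the script was started from, and `|| exit 1` then stops without saying why. Resolve the path from the script's own location and print the failing path to stderr before exiting, so a run from the wrong directory is easy to diagnose.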

18-18: Add error handling to VERSION extraction.

The VERSION extraction on line 18 could fail silently if the CSV file is missing or malformed, leaving VERSION empty and causing line 23 to create a directory with an empty name. Add validation to detect and report extraction failures.

Apply this fix:

 VERSION=$(grep "^  version:" ../../bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml | awk '{print $2}')
+
+if [ -z "$VERSION" ]; then
+  echo "Error: Failed to extract VERSION from ClusterServiceVersion manifest"
+  exit 1
+fi
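
Review bot: the `-z` test on the added lines only rejects an empty VERSION, while the `grep "^  version:"` line above it can return more than one match or a value with unexpected characters, and the value goes on to name a directory. Stop at the first match and check the result against a strict version pattern before it is used in a path, and send the error message to stderr rather than stdout.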
Makefile (1)

65-66: Consider adding defensive directory creation for the cp destination.

The cp command assumes deploy/operator/config/crd/bases/ exists. If the directory is missing, the copy will fail silently or produce an unclear error. Add mkdir -p to ensure the destination exists:

 	# copy the crds to the operator bases directory
+	mkdir -p deploy/operator/config/crd/bases/
 	cp deploy/helm/jumpstarter/crds/* deploy/operator/config/crd/bases/

Alternatively, verify this is a documented project setup requirement and that the directory is always present.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 751b099 and dfc2c94.

📒 Files selected for processing (11)
  • Makefile (1 hunks)
  • api/v1alpha1/client_types.go (1 hunks)
  • deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml (5 hunks)
  • deploy/operator/config/manager/kustomization.yaml (1 hunks)
  • deploy/operator/config/manifests/bases/jumpstarter-operator.clusterserviceversion.yaml (3 hunks)
  • deploy/operator/config/samples/jumpstarter.dev_v1alpha1_client.yaml (1 hunks)
  • deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporter.yaml (1 hunks)
  • deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporteraccesspolicy.yaml (1 hunks)
  • deploy/operator/config/samples/jumpstarter.dev_v1alpha1_lease.yaml (1 hunks)
  • deploy/operator/config/samples/kustomization.yaml (1 hunks)
  • deploy/operator/contribute/update-contributions.sh (1 hunks)
🧰 Additional context used
🧠 Learnings (7)
📚 Learning: 2025-10-24T11:57:23.796Z
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 170
File: deploy/operator/internal/controller/jumpstarter/jumpstarter_controller.go:328-333
Timestamp: 2025-10-24T11:57:23.796Z
Learning: In the jumpstarter-controller operator (deploy/operator/), the design allows only one Jumpstarter CR per namespace, which will be enforced by a validation webhook. This constraint eliminates concerns about resource name collisions within a namespace.

Applied to files:

  • Makefile
  • deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporteraccesspolicy.yaml
  • deploy/operator/config/manager/kustomization.yaml
  • deploy/operator/config/samples/jumpstarter.dev_v1alpha1_lease.yaml
  • deploy/operator/config/samples/kustomization.yaml
  • deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml
  • deploy/operator/config/manifests/bases/jumpstarter-operator.clusterserviceversion.yaml
📚 Learning: 2025-10-24T11:57:13.484Z
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 170
File: deploy/operator/internal/controller/jumpstarter/rbac.go:193-196
Timestamp: 2025-10-24T11:57:13.484Z
Learning: In the Jumpstarter operator codebase (deploy/operator/internal/controller/jumpstarter/rbac.go), the Role created by `createRole()` defines RBAC permissions for the managed Jumpstarter controller application, not for the operator itself. The managed controller needs delete permissions on secrets for its runtime operations.

Applied to files:

  • Makefile
  • deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporteraccesspolicy.yaml
  • deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml
📚 Learning: 2025-10-13T09:05:03.088Z
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 169
File: deploy/operator/config/rbac/leader_election_role_binding.yaml:3-15
Timestamp: 2025-10-13T09:05:03.088Z
Learning: In Kubebuilder-generated Kubernetes operators, RBAC manifests (RoleBindings, Roles, etc.) under config/rbac/ typically do not include explicit `metadata.namespace` fields. The namespace is injected at build time by Kustomize via the `namespace` field in config/default/kustomization.yaml (or whichever kustomization file is used). This is intentional design to keep base manifests namespace-agnostic. Do not flag missing namespaces in such RBAC manifests as issues when they are part of a Kustomize-based operator deployment structure.

Applied to files:

  • deploy/operator/config/samples/kustomization.yaml
📚 Learning: 2025-05-13T19:57:56.811Z
Learnt from: NickCao
Repo: jumpstarter-dev/jumpstarter-controller PR: 137
File: hack/deploy_with_helm.sh:26-34
Timestamp: 2025-05-13T19:57:56.811Z
Learning: The jumpstarter-dev repository uses a custom kind cluster configuration that allows NodePort services to use non-standard ports 5080 and 5443, outside the default Kubernetes NodePort range (30000-32767).

Applied to files:

  • deploy/operator/config/samples/kustomization.yaml
  • deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml
  • deploy/operator/config/manifests/bases/jumpstarter-operator.clusterserviceversion.yaml
📚 Learning: 2025-05-13T19:57:56.811Z
Learnt from: NickCao
Repo: jumpstarter-dev/jumpstarter-controller PR: 137
File: hack/deploy_with_helm.sh:26-34
Timestamp: 2025-05-13T19:57:56.811Z
Learning: The jumpstarter project uses a custom kind cluster configuration with an expanded NodePort range (3000-32767) and explicit port mappings for ingress (5080/5443) and gRPC services (30010/30011 mapped to 8082/8083).

Applied to files:

  • deploy/operator/config/samples/kustomization.yaml
  • deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml
  • deploy/operator/config/manifests/bases/jumpstarter-operator.clusterserviceversion.yaml
📚 Learning: 2025-11-14T15:47:36.325Z
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 190
File: api/v1alpha1/exporter_helpers.go:16-24
Timestamp: 2025-11-14T15:47:36.325Z
Learning: In the jumpstarter-controller project, migration annotations (jumpstarter.dev/migrated-namespace and jumpstarter.dev/migrated-uid) that override namespace and UID values in authentication tokens are acceptable without additional validation webhooks because the security model assumes only administrators have write access to Exporter and Client resources via K8s RBAC.

Applied to files:

  • deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml
  • deploy/operator/config/manifests/bases/jumpstarter-operator.clusterserviceversion.yaml
🪛 Shellcheck (0.11.0)
deploy/operator/contribute/update-contributions.sh

[warning] 16-16: Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

(SC2164)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: deploy-kind
  • GitHub Check: e2e-test-operator
  • GitHub Check: e2e-tests (ubuntu-24.04)
  • GitHub Check: e2e-tests (ubuntu-24.04-arm)
  • GitHub Check: tests
  • GitHub Check: lint-go
  • GitHub Check: e2e-tests-release-0-7
🔇 Additional comments (8)
deploy/operator/config/samples/jumpstarter.dev_v1alpha1_lease.yaml (1)

1-11: Sample manifest is well-formed.

The Lease sample is properly structured with appropriate field types and cross-references to client-sample.

deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporteraccesspolicy.yaml (1)

1-13: Sample manifest is well-formed.

The ExporterAccessPolicy sample correctly demonstrates selector-based RBAC policy structure with proper metadata and policy rules.

deploy/operator/config/samples/jumpstarter.dev_v1alpha1_client.yaml (1)

1-8: Sample manifest is well-formed.

The Client sample demonstrates proper resource structure with metadata labels and authentication configuration.

deploy/operator/config/samples/jumpstarter.dev_v1alpha1_exporter.yaml (1)

1-7: Sample manifest is well-formed.

The Exporter sample correctly demonstrates resource creation with metadata labels and an empty spec (indicating no required configuration).

deploy/operator/config/samples/kustomization.yaml (1)

4-7: Sample resource references are complete and correct.

All four new sample resources are properly registered in the kustomization file and match the corresponding manifest files created in this PR.

deploy/operator/bundle/manifests/jumpstarter-operator.clusterserviceversion.yaml (3)

5-88: Well-structured sample resources in alm-examples.

The four new samples (Client, Exporter, ExporterAccessPolicy, Lease) provide clear examples for users and follow consistent formatting with the existing Jumpstarter sample. The Client sample correctly illustrates OIDC provider integration via username: "keycloak:user-name-in-keycloak", and the ExporterAccessPolicy sample demonstrates selector-based access control patterns.


99-129: Comprehensive CRD descriptions enhance operator discoverability.

The new descriptions for Client, ExporterAccessPolicy, Exporter, and Lease are informative and include relevant documentation links (e.g., Exporter and Lease descriptions reference the Jumpstarter docs). The descriptions will improve user experience in OLM (Operator Lifecycle Manager) catalogs and community marketplaces.


470-478: Verify minKubeVersion 1.28.0 reflects actual project requirements.

Two new maintainers have been added (Benny Zlotnik, Bella Khizgiyaev), and minKubeVersion is now set to 1.28.0. Confirm that this version constraint aligns with the minimum supported Kubernetes version across the codebase and CI/CD pipeline. Additionally, verify the base64-encoded SVG icon is valid when decoded (not critical but good practice).

images:
- name: controller
newName: quay.io/jumpstarter-dev/jumpstarter-operator
newName: quay.io/jumpstarte-dev/jumpstarter-operator
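
Review bot: the second `newName` line drops the `r` from the organization, so the manager image would resolve under `quay.io/jumpstarte-dev/`, a namespace these lines give no sign the project controls. Beyond a failed pull, whoever owns that namespace decides what image the operator deployment runs, so keep `quay.io/jumpstarter-dev/jumpstarter-operator` and consider a CI check that rejects any `newName` outside the project's registry organization.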
@coderabbitai coderabbitai bot Nov 25, 2025

⚠️ Potential issue | 🔴 Critical

Critical: Typo in image registry organization name.

Line 7 contains a typo in the image repository path: quay.io/jumpstarte-dev/ is missing an 'r' and should be quay.io/jumpstarter-dev/. This will cause image pull failures at deployment time.

Apply this fix:

- newName: quay.io/jumpstarte-dev/jumpstarter-operator
+ newName: quay.io/jumpstarter-dev/jumpstarter-operator
Suggested change
newName: quay.io/jumpstarte-dev/jumpstarter-operator
newName: quay.io/jumpstarter-dev/jumpstarter-operator
🤖 Prompt for AI Agents
In deploy/operator/config/manager/kustomization.yaml around line 7, the newName
image path contains a typo: "quay.io/jumpstarte-dev/jumpstarter-operator" is
missing an 'r' in the organization name; update the value to
"quay.io/jumpstarter-dev/jumpstarter-operator" so the image reference matches
the correct registry organization and prevents image pull failures.

I think the typo in the image may be related to the check-bundle failure.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for CI workflows and scripts related to bundle checking
echo "=== Searching for check-bundle related files ==="
fd -t f "check.*bundle|bundle.*check" -i

echo -e "\n=== Searching for GitHub workflow files ==="
fd -t f ".yml$|.yaml$" .github/workflows

echo -e "\n=== Searching for references to 'check-bundle' or 'check-bundele' in code ==="
rg -i "check.*bundle|bundle.*check" -A 2 -B 2

echo -e "\n=== Searching Makefile for bundle-related targets ==="
rg "^[a-zA-Z0-9_-]+.*bundle" Makefile -A 3

echo -e "\n=== Looking at deploy/operator directory structure ==="
fd -t f . deploy/operator -d 2

Length of output: 802


🏁 Script executed:

#!/bin/bash
# Examine the check-bundle workflow
echo "=== Contents of check-bundle.yaml ==="
cat .github/workflows/check-bundle.yaml

echo -e "\n=== Looking for operator-sdk or bundle validation commands ==="
rg "operator-sdk.*bundle|bundle.*validate" -A 2 -B 2

echo -e "\n=== Check the operator Makefile for bundle targets ==="
cat deploy/operator/Makefile | grep -A 10 "^bundle:"

Length of output: 5109


@bkhizgiy You're absolutely correct! 🎯

The typo is indeed causing the check-bundle failure. Here's what's happening:

  1. The CI workflow runs make bundle IMG="quay.io/jumpstarter-dev/jumpstarter-operator:${TAG}" with the correct image name
  2. The bundle generation includes a kustomize command that updates config/manager/kustomization.yaml with the provided IMG value
  3. Since the file currently has the typo (jumpstarte-dev), the regeneration creates it with the correct name (jumpstarter-dev)
  4. This produces a diff between what's committed and what's generated, causing the check to fail with "Uncommitted changes detected"

The fix is to revert the typo back to the correct image name as I suggested in my initial review comment. Once corrected, the check-bundle workflow will pass because there will be no diff between the committed file and the regenerated one.


🧠 Learnings used
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 170
File: deploy/operator/internal/controller/jumpstarter/jumpstarter_controller.go:328-333
Timestamp: 2025-10-24T11:57:23.796Z
Learning: In the jumpstarter-controller operator (deploy/operator/), the design allows only one Jumpstarter CR per namespace, which will be enforced by a validation webhook. This constraint eliminates concerns about resource name collisions within a namespace.
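
The mismatch this thread traces the check-bundle failure to, as an added example (not code from the PR or the jumpstarter project): a shell check that compares every `newName` in a kustomization file with the repository part of the `IMG` value CI builds from, without needing to regenerate the bundle. The function names, the sample file contents and the image tag are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare kustomize image overrides with the image CI builds from.

# Strip an optional @digest and :tag, keeping a registry port such as
# localhost:5000/repo intact.
image_repo() {
  local ref
  ref="${1%%@*}"                      # drop @sha256:... if present
  case "${ref##*/}" in                # only the last path component holds a tag
    *:*) ref="${ref%:*}" ;;
  esac
  printf '%s\n' "$ref"
}

# Print every newName value found in a kustomization file, one per line.
kustomize_new_names() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*newName:[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1" |
    tr -d "\"'"
}

# 0: every newName equals the repository part of $2; 1: mismatch; 2: no newName.
check_new_names() {
  local file expected names name rc
  file="$1"; rc=0
  expected="$(image_repo "$2")"
  names="$(kustomize_new_names "$file")"
  if [ -z "$names" ]; then
    echo "no newName entries found in $file" >&2
    return 2
  fi
  while IFS= read -r name; do
    if [ "$name" != "$expected" ]; then
      echo "mismatch in $file: newName=$name expected=$expected" >&2
      rc=1
    fi
  done <<EOF
$names
EOF
  return "$rc"
}

# Constructed sample file; only the newName values come from the thread.
write_sample() {   # $1 = output path, $2 = newName value
  cat > "$1" <<EOF
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: controller
  newName: $2
EOF
}

demo_dir="$(mktemp -d)"
IMG="quay.io/jumpstarter-dev/jumpstarter-operator:example-tag"   # tag is a placeholder
write_sample "$demo_dir/good.yaml" "quay.io/jumpstarter-dev/jumpstarter-operator"
write_sample "$demo_dir/typo.yaml" "quay.io/jumpstarte-dev/jumpstarter-operator"
check_new_names "$demo_dir/good.yaml" "$IMG" && echo "good.yaml: ok"
check_new_names "$demo_dir/typo.yaml" "$IMG" || echo "typo.yaml: rejected"
rm -rf "$demo_dir"
```

Run before the bundle step, a check like this names the offending value directly instead of surfacing it as an unexplained "Uncommitted changes detected" diff.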
