HYPERFLEET-1186 - docs: Use the OCI artifact for the release chart

[sherine-k]

Summary

Updates the references to images and charts to the (konflux) registry references for released artifacts

• HYPERFLEET-1186

Test Plan

• Unit tests added/updated
• make test-all passes
• make lint passes
• Helm chart changes validated with make test-helm (if applicable)
• Deployed to a development cluster and verified (if Helm/config changes)
• E2E tests passed (if cross-component or major changes)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign mischulee for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Documentation
  • Updated quick-start installation commands for full-stack deployment
  • Updated container registry and image repository references
  • Updated Helm chart deployment documentation with new OCI release location and image paths

Walkthrough

README.md renames the Quick Start make target from make install-hyperfleet-adapters to make install-adapters and updates the REGISTRY environment variable value to quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet. docs/deployment.md updates the Helm chart OCI pull URL, the adapter image repository field, and the tag placeholder in both the minimal and full Helm values examples; the full example also changes the inline adapter.version placeholder to <version-no-v-prefix>.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

---

Registry hardcoding note — no CWE, but flag it: Both files now hardcode quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet as the authoritative pull location. If that namespace moves or is compromised, operators copying these docs will pull from the wrong or malicious source with no checksum verification documented (CWE-494: Download of Code Without Integrity Check). The docs should reference a digest-pinned pull or at minimum point to a checksum verification step.

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly references the main change: updating documentation to use OCI artifact references for the release chart, which aligns with the README.md and docs/deployment.md modifications.
Description check	✅ Passed	The description accurately relates to the changeset, describing updates to image and chart registry references for released artifacts, matching the documented changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	PR modifies only documentation files (README.md, docs/deployment.md). No Go source code files were added or modified, therefore no new logging statements exist that could expose secrets.
No Hardcoded Secrets	✅ Passed	PR changes (registry URLs, make targets, version placeholders) contain no hardcoded secrets, API keys, tokens, or credentials. Documentation examples with placeholder 'user:password' are clearly ma...
No Weak Cryptography	✅ Passed	PR contains only documentation changes (README.md and docs/deployment.md) with no modifications to source code or cryptographic implementations. No banned crypto primitives detected.
No Injection Vectors	✅ Passed	No injection vectors detected. CWE-89 (SQL injection), CWE-78 (command injection), CWE-79 (template injection) patterns absent. CWE-502 YAML deserialization properly secured with KnownFields(true)...
No Privileged Containers	✅ Passed	PR modifies only documentation files (README.md, docs/deployment.md). No Kubernetes manifests, Helm templates, or Dockerfiles were changed. Check not applicable.
No Pii Or Sensitive Data In Logs	✅ Passed	Debug logging of API payloads is protected by debug log level disabled by default per check instructions. Adapter config logging is guarded by DebugConfig feature flag (disabled by default). No unp...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[hyperfleet-ci-bot]

Risk Score: 0 — risk/low

Signal	Detail	Points
PR size	16 lines	+0
Sensitive paths	none	+0

_{Computed by hyperfleet-risk-scorer}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/deployment.md`:
- Line 9: Update line 9 in docs/deployment.md to reflect the actual registry
where the HyperFleet Adapter Helm chart is currently published. Replace the
registry path from
`oci://quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet/hyperfleet-adapter-chart`
with the correct current registry
`oci://quay.io/redhat-user-workloads/hyperfleet-tenant/hyperfleet/hyperfleet-adapter-chart`
where the Tekton build pipeline actually publishes the chart, or add a
clarifying note indicating that the production registry path is pending
availability from the Konflux team and provide the working development registry
path that users should currently use.

In `@README.md`:
- Line 37: The README.md documents the REGISTRY as
quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet, but the Makefile's
test-helm target hardcodes the old registry path
openshift-hyperfleet/hyperfleet-adapter in the --set image.repository argument.
Update the test-helm target (lines 105-150) to replace the hardcoded
image.repository value with the documented registry path from README.md to
ensure consistency between documentation and test validation, preventing users
from using undocumented or untested image references.
- Line 31: The README.md documentation at line 31 references a make target
`install-adapters` that does not exist in the Makefile. Either add the missing
`install-adapters` target to the Makefile (following the pattern of existing
targets like `install` and `install-hooks`), or update the documentation in
README.md line 31 to reference an actual existing make target from the Makefile.
Ensure consistency between documented make targets and those actually defined in
the Makefile.
- Around line 31-40: The README.md documentation specifies a registry namespace
for deployments that does not match the hardcoded registry values in the
Makefile for the hyperfleet-api and hyperfleet-sentinel components. Update the
REGISTRY environment variable documentation in README.md (around line 36) to
accurately reflect the actual registry namespaces used in the Makefile by the
hyperfleet-api, hyperfleet-sentinel, and hyperfleet-adapter components, ensuring
consistency across all component deployments to prevent image pull/push
failures.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b155f908-9929-4fa9-a586-5c4c23cfff6a

📥 Commits

Reviewing files that changed from the base of the PR and between 259accf and 40f8307.

📒 Files selected for processing (2)

• README.md
• docs/deployment.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check for Makefile and CI/CD configuration
echo "=== Makefile targets ===" 
cat -n Makefile | grep -i "chart\|helm" || echo "No chart/helm targets found"

echo -e "\n=== Repository structure ===" 
find . -type f -name "Makefile" -o -name ".konfluxci.yaml" -o -name ".tekton*" | head -20

echo -e "\n=== Tekton/Konflux pipeline files ===" 
if [ -d ".tekton" ]; then ls -la .tekton/; fi
if [ -f ".konfluxci.yaml" ]; then cat .konfluxci.yaml; fi

echo -e "\n=== Chart directory ===" 
if [ -d "charts" ] || [ -d "helm" ]; then find . -type d \( -name "charts" -o -name "helm" \) -exec ls -la {} \;; fi

echo -e "\n=== Build/push targets in Makefile ===" 
cat Makefile | grep -A 5 "\.PHONY.*push\|\.PHONY.*build" | head -50

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 3839

---

🏁 Script executed:

#!/bin/bash
echo "=== hyperfleet-adapter-chart-push.yaml ===" 
cat -n .tekton/hyperfleet-adapter-chart-push.yaml | head -200

echo -e "\n=== Checking for registry/image configuration in pipeline ===" 
grep -n "quay.io\|registry\|IMAGE\|ARTIFACT" .tekton/hyperfleet-adapter-chart-push.yaml | head -30

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 11067

---

🏁 Script executed:

#!/bin/bash
echo "=== hyperfleet-adapter-tag.yaml (check for promotion logic) ===" 
cat -n .tekton/hyperfleet-adapter-tag.yaml | grep -A 5 -B 5 "quay.io\|services-prod\|user-workloads" | head -100

echo -e "\n=== docs/deployment.md context around line 9 ===" 
cat -n docs/deployment.md | sed -n '1,30p'

echo -e "\n=== Checking for any promotion/release documentation ===" 
find . -type f \( -name "*.md" -o -name "*.yaml" \) | xargs grep -l "services-prod\|user-workloads" 2>/dev/null

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 6818

---

🏁 Script executed:

#!/bin/bash
echo "=== README.md (check for release/registry info) ===" 
cat README.md | grep -A 10 -B 2 "services-prod\|user-workloads\|registry\|release\|chart" | head -80

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 1606

---

🏁 Script executed:

#!/bin/bash
echo "=== Searching architecture repo for registry promotion/release patterns ===" 
grep -r "services-prod\|user-workloads" --include="*.md" hyperfleet/ 2>/dev/null | head -30

echo -e "\n=== Release process documentation ===" 
cat -n hyperfleet/docs/release/hyperfleet-release-process.md 2>/dev/null | grep -A 5 -B 5 "services-prod\|chart" | head -100

Repository: openshift-hyperfleet/architecture

Length of output: 11113

---

Line 9: Helm chart not published to documented registry — deployment will fail.

The Tekton build pipeline publishes the chart to quay.io/redhat-user-workloads/hyperfleet-tenant/hyperfleet/hyperfleet-adapter-chart (development registry), but docs/deployment.md directs users to oci://quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet/hyperfleet-adapter-chart (production registry). Architecture documentation confirms charts should land at services-prod, but notes this is "pending a managed release pipeline for external registries from the Konflux team." Update docs/deployment.md to reflect the actual current registry, or add a note that the production registry path is not yet available. Operators following this guide will encounter artifact-not-found errors.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/deployment.md` at line 9, Update line 9 in docs/deployment.md to reflect
the actual registry where the HyperFleet Adapter Helm chart is currently
published. Replace the registry path from
`oci://quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet/hyperfleet-adapter-chart`
with the correct current registry
`oci://quay.io/redhat-user-workloads/hyperfleet-tenant/hyperfleet/hyperfleet-adapter-chart`
where the Tekton build pipeline actually publishes the chart, or add a
clarifying note indicating that the production registry path is pending
availability from the Konflux team and provide the working development registry
path that users should currently use.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check what changed in README.md in this PR (get file size first)
wc -l README.md
head -50 README.md

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 2814

---

🏁 Script executed:

#!/bin/bash
# Verify hyperfleet-api Makefile still uses old registry
grep -n "IMAGE_REGISTRY" Makefile | head -5

Repository: openshift-hyperfleet/hyperfleet-api

Length of output: 417

---

🏁 Script executed:

#!/bin/bash
# Verify hyperfleet-sentinel Makefile still uses old registry
grep -n "IMAGE_REGISTRY" Makefile | head -5

Repository: openshift-hyperfleet/hyperfleet-sentinel

Length of output: 414

---

Supply chain inconsistency: Registry namespace mismatch across components will cause image pull/push failures post-merge.

Adapter documentation (line 39) instructs deployments to use quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet, but hyperfleet-api (Makefile:43) and hyperfleet-sentinel (Makefile:36) retain hardcoded IMAGE_REGISTRY ?= quay.io/openshift-hyperfleet. Adapters will deploy from the new registry while API and Sentinel default to building/pushing from the old registry. Coordinate Makefile updates in both components or explicitly document the staggered migration timeline to prevent inconsistent registry access across the platform.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 31 - 40, The README.md documentation specifies a
registry namespace for deployments that does not match the hardcoded registry
values in the Makefile for the hyperfleet-api and hyperfleet-sentinel
components. Update the REGISTRY environment variable documentation in README.md
(around line 36) to accurately reflect the actual registry namespaces used in
the Makefile by the hyperfleet-api, hyperfleet-sentinel, and hyperfleet-adapter
components, ensuring consistency across all component deployments to prevent
image pull/push failures.

Source: Linked repositories

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Line 37: Registry mismatch between documented environment variable and Makefile test harness.

README documents REGISTRY: quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet, but the Makefile's test-helm target (lines 105–150) hardcodes --set image.repository=openshift-hyperfleet/hyperfleet-adapter (old registry path). This creates a contract violation: users following the new registry docs will use image references that the build pipeline never validated. Coordinate the Makefile test targets to use the documented registry.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` at line 37, The README.md documents the REGISTRY as
quay.io/redhat-services-prod/hyperfleet-tenant/hyperfleet, but the Makefile's
test-helm target hardcodes the old registry path
openshift-hyperfleet/hyperfleet-adapter in the --set image.repository argument.
Update the test-helm target (lines 105-150) to replace the hardcoded
image.repository value with the documented registry path from README.md to
ensure consistency between documentation and test validation, preventing users
from using undocumented or untested image references.