HYPERFLEET-1186 - docs: restructure documentation into focused guides

[sherine-k]

Summary

Slim down README to a concise overview with link tables pointing to
dedicated guides, and reorganize scattered content into topic-specific
documents with clear audience headers.

• Extract development setup into docs/development.md
• Extract Helm deployment and broker/monitoring setup into docs/deployment.md
• Restructure docs/config.md from prose into table-based reference format
• Rename docs/running-sentinel.md to sentinel-for-gke-dev.md, and narrow to GKE-only scope (local dev moved out)
• Remove duplicated configuration examples and observability sections from README
• Update cross-references in AGENTS.md, CONTRIBUTING.md, charts/, and all docs/

HYPERFLEET-1186

Test Plan

• [-] Unit tests added/updated
• make test-all passes
• make lint passes
• Helm chart changes validated with make test-helm (if applicable)
• [-] Deployed to a development cluster and verified (if Helm/config changes)
• [-] E2E tests passed (if cross-component or major changes)

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign tirthct for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hyperfleet-ci-bot]

Risk Score: 2 — risk/medium

Signal	Detail	Points
PR size	2109 lines (>500)	+2
Sensitive paths	none	+0

_{Computed by hyperfleet-risk-scorer}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 96ac75e6-6a71-49de-96f8-386a79db4939

📥 Commits

Reviewing files that changed from the base of the PR and between f187c86 and 7ceb712.

📒 Files selected for processing (16)

• AGENTS.md
• CONTRIBUTING.md
• README.md
• charts/README.md
• charts/README.md.gotmpl
• docs/alerts.md
• docs/config.md
• docs/deployment.md
• docs/development.md
• docs/metrics.md
• docs/multi-instance-deployment.md
• docs/resource-profiling.md
• docs/runbook.md
• docs/running-sentinel.md
• docs/sentinel-for-gke-dev.md
• docs/sentinel-operator-guide.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

💤 Files with no reviewable changes (1)

• docs/running-sentinel.md

✅ Files skipped from review due to trivial changes (11)

• docs/runbook.md
• CONTRIBUTING.md
• AGENTS.md
• charts/README.md.gotmpl
• docs/development.md
• docs/alerts.md
• charts/README.md
• docs/deployment.md
• README.md
• docs/multi-instance-deployment.md
• docs/resource-profiling.md

🚧 Files skipped from review as they are similar to previous changes (3)

• docs/metrics.md
• docs/sentinel-operator-guide.md
• docs/config.md

---

📝 Walkthrough

Summary by CodeRabbit

• Documentation
  • Added comprehensive deployment and local development guides with step-by-step instructions.
  • Restructured main README with new Quick Start section and reorganized documentation by audience (Operators, SREs, Developers).
  • Updated documentation navigation links and references across guides.
  • Added GKE development deployment guide with troubleshooting and verification steps.
  • Enhanced configuration reference documentation with expanded examples and setup details.

Walkthrough

docs/running-sentinel.md (674 lines) is deleted entirely. Content is split into three specialized guides: docs/development.md covers local build/test workflow with make targets and broker setup; docs/deployment.md covers Kubernetes Helm deployment, broker selection, Workload Identity for Pub/Sub using principal:// IAM bindings, PodMonitoring/ServiceMonitor selection, and verification steps; docs/sentinel-for-gke-dev.md covers GKE shared environment integration testing with AMD64 image builds, GCR authentication, Workload Identity setup, and troubleshooting (architecture mismatches, broker connectivity, missing metrics, credential configuration, API endpoints, OpenAPI generation prerequisites). docs/config.md rewritten as structured reference with configuration precedence tables, file-location table, required/optional YAML fields tables, CEL feature sections (resource_selector, message_decision, message_data), environment variable mapping table, startup validation checklist, and three worked examples. All existing docs update cross-references from running-sentinel.md to the three new files. All Helm installation commands changed from local ./charts paths to OCI registry URLs (oci://quay.io/redhat-services-prod/...). Metadata blocks (Status/Owner/Last Updated) removed from multiple docs; sentinel-operator-guide.md condition() example changed to "Reconciled" and Workload Identity link updated to deployment.md anchor.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name	Status	Explanation	Resolution
Sec-02: Secrets In Log Output	❌ Error	test/integration/testcontainer.go logs amqpURL containing credentials via log.Extra("amqp_url", amqpURL). AMQP URLs contain credentials in format amqp://username:password@host (CWE-532).	Redact or exclude the amqpURL from log output; log only connection details without embedded credentials (host:port, username without password).
No Pii Or Sensitive Data In Logs	⚠️ Warning	The RedactedCopy() function doesn't actually redact sensitive fields. When debug_config is enabled, the full SentinelConfig (including BaseURL with internal hostnames like hyperfleet-api.hyperfleet...	Modify RedactedCopy() to redact sensitive fields: replace BaseURL value with placeholder like "REDACTED" before config is marshaled and logged when debug_config is true.

✅ Passed checks (9 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the primary change: restructuring documentation into focused guides.
Description check	✅ Passed	The description is directly related to the changeset, detailing the documentation reorganization, new files created, and cross-reference updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
No Hardcoded Secrets	✅ Passed	No hardcoded secrets detected. RabbitMQ guest:guest credentials only appear in dev-example.yaml with localhost. Helm values use placeholders (:, your-gcp-project-id). No AWS/GCP/Azu...
No Weak Cryptography	✅ Passed	Comprehensive scan of all Go files in the PR found zero banned cryptographic primitives (crypto/md5, crypto/des, crypto/rc4, SHA1 for security), no ECB mode, no custom crypto implementations, and n...
No Injection Vectors	✅ Passed	No injection vectors detected. CWE-89 (SQL): no database imports/queries. CWE-78 (exec): no command execution. CWE-79 (HTML): no template.HTML(). CWE-502: strict UnmarshalExact() used for config. L...
No Privileged Containers	✅ Passed	PR contains only documentation changes; no Kubernetes manifests, Helm templates, or Dockerfiles were modified. Check not applicable.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

AGENTS.md (1)

64-64: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix redundant table cell text that was previously flagged.

Line 64 repeats "GKE dev deployment" in both the label and description, causing Markdown table rendering issues (as noted in a prior review). The description should contain only the link:

| GKE dev deployment | [docs/sentinel-for-gke-dev.md](docs/sentinel-for-gke-dev.md) |

✂️ Proposed fix

- | GKE dev deployment | [docs/sentinel-for-gke-dev.md](docs/sentinel-for-gke-dev.md) for GKE dev deployment |
+ | GKE dev deployment | [docs/sentinel-for-gke-dev.md](docs/sentinel-for-gke-dev.md) |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AGENTS.md` at line 64, The GKE dev deployment table row in AGENTS.md contains
redundant text where "GKE dev deployment" is repeated in both the label column
and in the description column. Remove the text "for GKE dev deployment" from the
second column of this table row, keeping only the markdown link
[docs/sentinel-for-gke-dev.md](docs/sentinel-for-gke-dev.md) in the second
column. This eliminates the redundancy that causes Markdown table rendering
issues.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/sentinel-for-gke-dev.md`:
- Line 197: The kubectl port-forward command for sentinel-test service is
incomplete and only forwards port 8080, but the metrics endpoint runs on port
9090. Update the port-forward command to include both ports (8080:8080
9090:9090) to match the pattern in deployment.md. Additionally, update the curl
command that queries the metrics endpoint to use localhost:9090/metrics instead
of localhost:8080/metrics to correctly access the metrics endpoint. Check line
308 in the troubleshooting section and apply the same fixes if the incomplete
port-forward command appears there as well.

---

Duplicate comments:
In `@AGENTS.md`:
- Line 64: The GKE dev deployment table row in AGENTS.md contains redundant text
where "GKE dev deployment" is repeated in both the label column and in the
description column. Remove the text "for GKE dev deployment" from the second
column of this table row, keeping only the markdown link
[docs/sentinel-for-gke-dev.md](docs/sentinel-for-gke-dev.md) in the second
column. This eliminates the redundancy that causes Markdown table rendering
issues.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3bdb56b4-4f7e-44c8-8634-106588d6ede2

📥 Commits

Reviewing files that changed from the base of the PR and between b4a5c43 and f187c86.

📒 Files selected for processing (16)

• AGENTS.md
• CONTRIBUTING.md
• README.md
• charts/README.md
• charts/README.md.gotmpl
• docs/alerts.md
• docs/config.md
• docs/deployment.md
• docs/development.md
• docs/metrics.md
• docs/multi-instance-deployment.md
• docs/resource-profiling.md
• docs/runbook.md
• docs/running-sentinel.md
• docs/sentinel-for-gke-dev.md
• docs/sentinel-operator-guide.md

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

💤 Files with no reviewable changes (1)

• docs/running-sentinel.md