
NE-2488: Add OpenShift router tools to NetworkEdge toolset #98

Open
alebedev87 wants to merge 1 commit into openshift:main from alebedev87:router-toolset


@alebedev87 alebedev87 commented Jan 9, 2026

This PR introduces new tools for inspecting OpenShift router pods through the Kubernetes MCP Server.

Added tools:

  • get_router_config: View the router's configuration
  • get_router_info: Get router runtime information and statistics
  • get_router_sessions: View all active sessions in the router

Documentation: Added NETEDGE.md covering the NetworkEdge toolset, including both router and CoreDNS tools.

Tests: Added evaluation tasks for the added tools.

Summary by CodeRabbit

  • New Features

    • Added Network Ingress & DNS (netedge) toolset with three OpenShift router inspection tools to retrieve HAProxy config, runtime info, and active sessions; each tool accepts an optional pod parameter and will auto-select a running router pod if none is provided.
  • Documentation

    • New guide describing the netedge toolset, parameters, and end-to-end usage examples (includes a CoreDNS fetch example).
  • Tests

    • Added evaluation tasks validating the three router inspection tools.

@openshift-ci

openshift-ci bot commented Jan 9, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 9, 2026
@swghosh
Member

swghosh commented Jan 12, 2026

#51 (comment)

Should we consider having this as a part of the "openshift" toolgroup?

@alebedev87 alebedev87 marked this pull request as ready for review January 12, 2026 22:39
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 12, 2026
@openshift-ci openshift-ci bot requested review from ardaguclu and matzew January 12, 2026 22:40
@alebedev87
Author

Should we consider having this as a part of the "openshift" toolgroup?

@swghosh : That crossed my mind too. In my case "router" doesn't make much sense in Kubernetes context. However I didn't want to complicate things at this stage either.

@bentito

bentito commented Jan 20, 2026

Wherever this ends up we'll likely end up using it as part of our NIDS MCP tooling. https://issues.redhat.com/browse/NE-2278 inspect_route likely can just call one of these or be replaced by one or more of these. Also we might want to support all of these such that we have richer router data. cc @rikatz @Thealisyed

@matzew
Member

matzew commented Feb 10, 2026

can just call one of these or be replaced by one or more of these

@bentito @alebedev87 any updates on this? or still on discussion.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 10, 2026
@bentito

bentito commented Feb 10, 2026

@bentito @alebedev87 any updates on this? or still on discussion.
@alebedev87 When you can, please rebase and move to the ./pkg/toolsets/netedge dir

@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 12, 2026
@alebedev87 alebedev87 changed the title Add toolset for OpenShift router NE-2488: Add OpenShift router tools to NetworkEdge toolset Feb 12, 2026
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Feb 12, 2026
@openshift-ci-robot

openshift-ci-robot commented Feb 12, 2026

@alebedev87: This pull request references NE-2488 which is a valid jira issue.

Details

In response to this:

This PR introduces new tools for inspecting OpenShift router pods through the Kubernetes MCP Server.

Added tools:

  • get_router_config: View the router's configuration
  • get_router_info: Get router runtime information and statistics
  • get_router_sessions: View all active sessions in the router

Documentation: Added NETEDGE.md covering the NetworkEdge toolset, including both router and CoreDNS tools.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Title: "Get Router Config",
ReadOnlyHint: ptr.To(true),
DestructiveHint: ptr.To(false),
OpenWorldHint: ptr.To(true),
Author


@bentito : I used false here before but then I copied true as in get_coredns_config tool. I'm not quite sure whether it's a good decision for router configs/sessions/info. Can you please advise?


Yes true is correct for all three tools, since all three router tools exec into a live, running router pod on the cluster. False would be for a tool that had all the data locally already, not the case here.

(Sorry I missed this comment for quite a while)

@bentito

bentito commented Feb 12, 2026

I've reviewed this PR in the context of the NIDS MCP strategy and found a few critical areas for improvement, particularly regarding offline analysis.

Review Summary: Router Tools vs Offline Strategy

Context:

1. Critical Refactoring Required: Offline Compatibility

The current implementation of get_router_config relies on PodsExec (effectively oc exec), which will not work with offline must-gather archives.
Refactoring Recommendation:
Adopt the Client Abstraction Pattern demonstrated in ovn-kubernetes-mcp.

  • Abstract the Data Source: Use a helper that switches behavior based on the context (live cluster vs. file dump).
  • Implementation for get_router_config:
    • Live Mode: Continue using exec cat /var/lib/haproxy/conf/haproxy.config.
    • Offline Mode: Read the file directly from the filesystem. I confirmed that standard must-gather archives do contain this file at paths like .../ingress_controllers/default/router-*/haproxy.config.

2. Scope Clarification: "Live Only" Tools

The tools get_router_info and get_router_sessions rely on active HAProxy socket commands (show info, show sess).

  • Finding: These outputs are not present in standard must-gather dumps.
  • Action: These must be explicitly documented and marked as Live Only to set correct expectations for the agent and users, as they will fail in offline triage scenarios.

3. Consistency: Client Usage

PR #98 uses kubernetes.NewCore(params).PodsExec. For consistency with PR #115, request that the author switch to the controller-runtime client pattern where applicable (e.g., for listing pods), as it simplifies testing and mocking.
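
Added example, not part of the PR or of the review above: one way the client abstraction from point 1 could look in Go, with get_router_config served either by a live exec or by a file in a must-gather directory. The names RouterConfigSource, ExecFunc, NewRouterConfigSource and ErrNoOfflineConfig are hypothetical; the offline lookup matches only the path suffix quoted in the review, because the leading part of that path is elided there.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

const haproxyConfigPath = "/var/lib/haproxy/conf/haproxy.config" // in-pod path from the review
var ErrNoOfflineConfig = errors.New("no haproxy.config found in archive")

// ExecFunc stands in for an exec into the router container (hypothetical, mockable).
type ExecFunc func(ctx context.Context, pod string, argv []string) (string, error)

// RouterConfigSource (hypothetical) hides whether data comes from a cluster or a dump.
type RouterConfigSource interface {
	RouterConfig(ctx context.Context, pod string) (string, error)
}

type liveSource struct{ exec ExecFunc }
type offlineSource struct{ root string }

func (s liveSource) RouterConfig(ctx context.Context, pod string) (string, error) {
	// The argv is fixed here: a caller picks the pod, never the command.
	return s.exec(ctx, pod, []string{"cat", haproxyConfigPath})
}

func (s offlineSource) RouterConfig(_ context.Context, pod string) (string, error) {
	var found string
	err := filepath.WalkDir(s.root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || found != "" {
			return err
		}
		// Regular files only: an archive from elsewhere may carry symlinks.
		if d.Name() != "haproxy.config" || !d.Type().IsRegular() {
			return nil
		}
		podDir, icDir := filepath.Dir(p), filepath.Dir(filepath.Dir(p))
		// Accept only <...>/ingress_controllers/default/router-*/haproxy.config.
		if !strings.HasPrefix(filepath.Base(podDir), "router-") ||
			filepath.Base(icDir) != "default" || filepath.Base(filepath.Dir(icDir)) != "ingress_controllers" {
			return nil
		}
		// pod is only compared with a directory name, never joined into a path.
		if pod == "" || pod == filepath.Base(podDir) {
			found = p
		}
		return nil
	})
	if err != nil {
		return "", fmt.Errorf("scanning %s: %w", s.root, err)
	}
	if found == "" {
		return "", ErrNoOfflineConfig
	}
	b, err := os.ReadFile(found)
	return string(b), err
}

func NewRouterConfigSource(mustGatherDir string, exec ExecFunc) RouterConfigSource {
	if mustGatherDir != "" { // offline mode when a must-gather directory is given
		return offlineSource{root: mustGatherDir}
	}
	return liveSource{exec: exec}
}

func main() {
	fake := func(context.Context, string, []string) (string, error) { return "frontend public", nil } // constructed
	fmt.Println(NewRouterConfigSource("", fake).RouterConfig(context.Background(), "router-example"))
}
```
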

@alebedev87
Author

Regarding the first 2 points (Critical Refactoring Required: Offline Compatibility, Scope Clarification: "Live Only" Tools). As discussed in Slack, currently the router tools cannot work in "offline mode" because must-gather doesn't have HAProxy specific data. I added a comment about "live only" nature of the tools.

@alebedev87
Author

/assign @bentito

@bentito

bentito commented Mar 4, 2026

I

Regarding the first 2 points (Critical Refactoring Required: Offline Compatibility, Scope Clarification: "Live Only" Tools). As discussed in Slack, currently the router tools cannot work in "offline mode" because must-gather doesn't have HAProxy specific data. I added a comment about "live only" nature of the tools.

I've added haproxy-gather to the list of offline artifacts. So then it might make sense, right?

@bentito

bentito commented Mar 10, 2026

/assign @matzew

@bentito

bentito commented Mar 10, 2026

@matzew I think this can merge, I will track for any refactoring these tools might need with a follow-up PR if that's okay?

@openshift-ci

openshift-ci bot commented Apr 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alebedev87
Once this PR has been reviewed and has the lgtm label, please ask for approval from matzew. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai bot commented Apr 3, 2026

📝 Walkthrough


Adds a NetEdge documentation page, three evaluation tasks, and implements three new netedge router tools that query HAProxy data from OpenShift router pods and are registered into the netedge toolset.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Documentation: docs/openshift/NETEDGE.md | New docs describing Network Ingress & DNS (netedge) tools, parameters (optional pod), default ingress controller name hard-coded as default, and end-to-end examples for router config, runtime info, and sessions. |
| Router Tools Implementation: pkg/toolsets/netedge/router.go | New file adding three read-only server tools: get_router_config, get_router_info, get_router_sessions. Each accepts an optional pod param, resolves a router pod (lists pods in openshift-ingress filtered by deployment-ingresscontroller=default and status.phase=Running), execs commands in the router container to fetch HAProxy config, info, or sessions, and returns output wrapped in fenced code blocks. Errors during discovery/exec are returned inside formatted output rather than propagated. |
| Toolset Integration: pkg/toolsets/netedge/toolset.go | Appends initRouter() to the netedge GetTools() tool list to register the new router tools. |
| Evaluation Tasks: evals/tasks/netedge/get-router-config/task.yaml, evals/tasks/netedge/get-router-info/task.yaml, evals/tasks/netedge/get-router-sessions/task.yaml | Adds three tasks validating tool usage and output: get-router-config verifies presence of "frontend public", get-router-info verifies presence of "Name: HAProxy", and get-router-sessions verifies presence of frontend=GLOBAL. Each asserts expected toolsUsed patterns for the corresponding netedge__* tool. |

Sequence Diagram(s)

sequenceDiagram
    participant Client as MCP Client
    participant Server as MCP Server
    participant K8sAPI as Kubernetes API
    participant RouterPod as OpenShift Router Pod

    Client->>Server: Invoke router tool (optional pod param)
    alt pod provided
        Server->>RouterPod: Exec command in specified pod's router container
    else pod omitted
        Server->>K8sAPI: List pods in openshift-ingress with deployment-ingresscontroller=default and status.phase=Running
        K8sAPI-->>Server: Return pod list
        Server->>Server: Select first running router pod
        Server->>RouterPod: Exec command in selected pod's router container
    end
    RouterPod-->>Server: Command output
    Server->>Server: Wrap output in fenced code block
    Server-->>Client: Return tool result with formatted output

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes the main change: adding OpenShift router tools to the NetworkEdge toolset. It matches the changeset which adds three router tools (get_router_config, get_router_info, get_router_sessions), documentation, and evaluation tasks. |

@openshift-ci-robot

openshift-ci-robot commented Apr 3, 2026

@alebedev87: This pull request references NE-2488 which is a valid jira issue.

Details

In response to this:

This PR introduces new tools for inspecting OpenShift router pods through the Kubernetes MCP Server.

Added tools:

  • get_router_config: View the router's configuration
  • get_router_info: Get router runtime information and statistics
  • get_router_sessions: View all active sessions in the router

Documentation: Added NETEDGE.md covering the NetworkEdge toolset, including both router and CoreDNS tools.

Tests: Added evaluation tasks for the added tools.

Summary by CodeRabbit

  • New Features

  • Added Network Ingress & DNS (netedge) toolset for Kubernetes MCP Server with three new tools for OpenShift router inspection: retrieve HAProxy configuration, runtime information, and active sessions.

  • Documentation

  • New comprehensive guide documenting netedge toolset capabilities, tool parameters, and end-to-end usage examples.

  • Tests

  • Added evaluation tasks validating the three new router inspection tools.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/openshift/NETEDGE.md`:
- Line 37: The code fences in NETEDGE.md are missing language identifiers
causing markdownlint warnings; update each opening triple-backtick fence at the
four example blocks to include the "text" language tag (i.e., change ``` to
```text) so the blocks at the mentioned example locations render and lint
cleanly.
- Around line 27-29: The note claiming "All tools have an optional `pod`
parameter" is too broad; update the text to state that the optional `pod`
parameter applies only to the router-related tools (e.g., the router command
group / functions) and not to DNS commands like get_coredns_config which have no
parameters; revise the sentence to explicitly mention "router tools" (or list
the router commands) and remove or clarify the implication that
get_coredns_config accepts a `pod` argument so readers won't expect `pod` on DNS
commands.

In `@evals/tasks/netedge/get-router-info/task.yaml`:
- Around line 5-6: The verify step asserts the prose string "HAProxy Version"
but pkg/toolsets/netedge/router.go returns raw "show info" output (fields like
"Name: HAProxy" and "Version:"), so update the task verification to match the
tool contract—replace or broaden the contains check to assert for the raw fields
such as "Name: HAProxy" and/or "Version:" (or a regex that matches
"Name:\s*HAProxy" and "Version:") so valid raw responses are accepted.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 368622e6-27f5-4fde-ac33-c34624214f7c

📥 Commits

Reviewing files that changed from the base of the PR and between 46c45a9 and f62a70b.

📒 Files selected for processing (6)
  • docs/openshift/NETEDGE.md
  • evals/tasks/netedge/get-router-config/task.yaml
  • evals/tasks/netedge/get-router-info/task.yaml
  • evals/tasks/netedge/get-router-sessions/task.yaml
  • pkg/toolsets/netedge/router.go
  • pkg/toolsets/netedge/toolset.go

Add three new MCP tools for inspecting OpenShift router pods (HAProxy):
- get_router_config: retrieves the HAProxy configuration file
- get_router_info: retrieves HAProxy runtime information via admin socket
- get_router_sessions: retrieves all active HAProxy sessions

Each tool accepts an optional pod parameter. When omitted, a Running
router pod is automatically selected from the default ingress controller.

Also includes evaluation tasks and documentation for the new tools.

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
pkg/toolsets/netedge/router.go (1)

104-129: Consider extracting common handler logic.

All three handlers share an identical pattern: extract pod argument → resolve pod → exec command → format result. A helper function could reduce duplication:

func execRouterCommand(params api.ToolHandlerParams, header string, command []string) (*api.ToolCallResult, error) {
    pod, ok := params.GetArguments()["pod"].(string)
    if !ok || pod == "" {
        p, err := getAnyRouterPod(params, defaultIngressControllerName)
        if err != nil {
            return api.NewToolCallResult(fmt.Sprintf("# %s\nError getting router pod: %v", header, err), nil), nil
        }
        pod = p
    }
    out, err := kubernetes.NewCore(params).PodsExec(params.Context, ingressNamespace, pod, routerContainerName, command)
    if err != nil {
        return api.NewToolCallResult(fmt.Sprintf("# %s (pod: %s)\nError: %v", header, pod, err), nil), nil
    }
    return api.NewToolCallResult(fmt.Sprintf("# %s (pod: %s)\n```\n%s\n```", header, pod, out), nil), nil
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/toolsets/netedge/router.go` around lines 104 - 129, The getRouterConfig
handler duplicates the common pattern of resolving a pod arg, falling back to
getAnyRouterPod, running kubernetes.NewCore(...).PodsExec and formatting the
output; extract that shared logic into a helper (e.g., execRouterCommand) that
accepts params, a header string and command []string, calls
params.GetArguments() to resolve "pod" (using
getAnyRouterPod(defaultIngressControllerName) when empty), executes the command
via kubernetes.NewCore(params).PodsExec(params.Context, ingressNamespace, pod,
routerContainerName, command), and returns an api.ToolCallResult with either an
error block or a fenced output block; then simplify getRouterConfig to call this
helper with the header "Router configuration" and the command ["cat",
"/var/lib/haproxy/conf/haproxy.config"].

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3a50b86a-a3bc-40ee-b1b7-965ea2a701c9

📥 Commits

Reviewing files that changed from the base of the PR and between f62a70b and eb2e6d7.

📒 Files selected for processing (6)
  • docs/openshift/NETEDGE.md
  • evals/tasks/netedge/get-router-config/task.yaml
  • evals/tasks/netedge/get-router-info/task.yaml
  • evals/tasks/netedge/get-router-sessions/task.yaml
  • pkg/toolsets/netedge/router.go
  • pkg/toolsets/netedge/toolset.go
✅ Files skipped from review due to trivial changes (4)
  • evals/tasks/netedge/get-router-sessions/task.yaml
  • evals/tasks/netedge/get-router-config/task.yaml
  • docs/openshift/NETEDGE.md
  • evals/tasks/netedge/get-router-info/task.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • pkg/toolsets/netedge/toolset.go

@alebedev87
Author

/retest

@openshift-ci

openshift-ci bot commented Apr 3, 2026

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
