Add medik8s Konflux CatalogSource step for RHWA FBC testing

[ugreener]

Summary

• Adds a new Prow step medik8s-konflux-catalogsource that dynamically creates an OLM CatalogSource from Konflux FBC artifacts
• Resolves the latest commit SHA from dragonfly/rhwa-fbc GitLab repo and fetches the matching IDMS and FBC catalog image from Quay
• Supports commit SHA pinning via RHWA_FBC_COMMIT_SHA for reproducible test runs
• No credentials needed — GitLab API and Quay repos are publicly accessible

What this step does

1. Resolves the latest commit SHA from dragonfly/rhwa-fbc main branch via GitLab API
2. Verifies the FBC catalog image exists on Quay for the resolved commit
3. Fetches images-mirror-set.yaml from that commit and applies it as IDMS
4. Creates a CatalogSource pointing to the Konflux FBC catalog image tagged with the same commit SHA
5. Waits up to 600 seconds for the CatalogSource to become READY

Files

ci-operator/step-registry/medik8s/konflux-catalogsource/
├── OWNERS
├── medik8s-konflux-catalogsource-commands.sh
├── medik8s-konflux-catalogsource-ref.metadata.json
└── medik8s-konflux-catalogsource-ref.yaml

Test plan

• Rehearsal jobs pass (YAML, metadata, OWNERS validation)
• Step is visible in step registry after merge
• Downstream: periodic job config will be added via follow-up PR (RHWA-839)

Jira: RHWA-990

Add medik8s-konflux-catalogsource step for Konflux FBC testing

This PR adds a new reusable Prow step to the OpenShift CI (openshift/release) step registry that enables RHWA testing against medik8s operators built with Konflux. The step dynamically creates an OLM CatalogSource that points at a Konflux File-based Catalog (FBC) image tagged with a commit SHA, and ensures the cluster can pull the catalog by applying the matching image mirror set.

What it does (practical effect)

• Adds a step that can be used in job definitions to provision an OLM CatalogSource from Konflux FBC artifacts for the target OCP version used in RHWA tests.
• The step resolves a commit SHA from dragonfly/rhwa-fbc (via the public GitLab API) or uses RHWA_FBC_COMMIT_SHA when supplied to pin a reproducible catalog.
• Verifies the commit-tagged Konflux FBC catalog image exists on Quay (uses skopeo), falling back to a discovered 40-hex tag when not pinned.
• Downloads .tekton/images-mirror-set.yaml from the resolved commit and applies it as an ImageDigestMirrorSet (IDMS) so cluster pulls are satisfied.
• Creates a CatalogSource in openshift-marketplace pointing to the verified Konflux FBC image and waits up to 600s for READY, emitting detailed oc debug output and attempting node-side pulls if readiness times out.
• Requires no credentials because the GitLab API and Quay repos accessed are public.

Implementation details (files and logic)

• New step files under ci-operator/step-registry/medik8s/konflux-catalogsource/:
  • medik8s-konflux-catalogsource-commands.sh — main script (~200 LOC) implementing: commit resolution, Quay image verification, IDMS download/apply, marketplace namespace ensure, CatalogSource creation and readiness wait/debug, and writing resolved SHA to SHARED_DIR.
  • medik8s-konflux-catalogsource-ref.yaml — step registry reference configuring the runner image (upi-installer), env vars (OCP_VERSION, RHWA_FBC_COMMIT_SHA, CATALOG_SOURCE_NAME, IDMS_NAME), resource requests (100m/100Mi) and a 10m grace period.
  • medik8s-konflux-catalogsource-ref.metadata.json — metadata for step discovery.
  • OWNERS (and ci-operator/step-registry/medik8s/OWNERS) — approvers/reviewers lists (beekhof, clobrano, maximunited, mshitrit, razo7, slintes, ugreener).

Testing and rollout

• Rehearsal jobs will validate YAML, metadata and OWNERS. After merge the step will appear in the step registry.
• A downstream periodic job that exercises this step will be added in a follow-up PR (tracked as RHWA-839).

Notes for reviewers

• The script performs network calls to public GitLab and Quay and runs oc commands; pay attention to error handling and timeouts (600s CatalogSource readiness wait).
• The step writes the resolved commit SHA to SHARED_DIR for downstream reproducibility and CI visibility.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ugreener

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds a medik8s konflux-catalogsource step: ownership metadata and step definition, plus a new bash script that resolves a GitLab commit, verifies a Quay rhwa-fbc image, applies the matching ImageDigestMirrorSet, creates an OLM CatalogSource in openshift-marketplace, and waits with debug on failure.

Changes

Medik8s Konflux CatalogSource Step Registry

Layer / File(s)	Summary
Step Registry Definition and Ownership ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml, ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json, ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS, ci-operator/step-registry/medik8s/OWNERS	Adds the step registry YAML that defines medik8s-konflux-catalogsource, installer image selection, resources, grace period and environment variables (OCP_VERSION, RHWA_FBC_COMMIT_SHA, CATALOG_SOURCE_NAME, IDMS_NAME), plus metadata and OWNERS with approvers/reviewers.
Script Initialization and Utility Functions ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 1–27)	Introduces the bash entrypoint, strict mode, environment-derived constants (GitLab/Quay endpoints, defaults, required OCP_VERSION, pin behavior), and helper functions run() and set_proxy() that source proxy config when available.
Commit resolution and image verification ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 28–76)	Implements resolve_commit_sha (use provided SHA or query GitLab) and verify_fbc_image (skopeo check and optional fallback to latest 40-hex tag).
Apply IDMS and marketplace setup ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 77–117)	Implements apply_idms (download and oc apply IDMS YAML) and ensure_marketplace (create namespace with pod-security labels).
CatalogSource creation, wait, and orchestration ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 119–199)	Implements create_catalogsource (render/apply CatalogSource), wait_for_catalogsource (poll readiness, emit debug, node podman pull on timeout), and main orchestration that writes resolved SHA to ${SHARED_DIR}/rhwa_fbc_commit_sha.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

lgtm

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding a new Prow step for creating a CatalogSource from Konflux FBC artifacts, which aligns with all the files added.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains no Ginkgo tests or Go files. It only adds CI/CD step registry configuration (OWNERS, YAML, JSON, Bash script). The test name stability check does not apply.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code. It adds OWNERS configs, a Bash script, JSON metadata, and YAML step registry definitions. The check for test quality is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests—only CI/CD infrastructure (Prow step, Bash script, OWNERS, YAML). The MicroShift check is for new Ginkgo tests (It, Describe, etc.), which are not present here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR does not add any Ginkgo e2e tests. All changes are CI infrastructure (OWNERS files, step registry YAML/JSON configs, and a bash script). The SNO compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds a Prow step that creates a CatalogSource. No workloads with topology-specific scheduling constraints are introduced. Manifests are topology-agnostic and suitable for all OpenShift topologies.
Ote Binary Stdout Contract	✅ Passed	OTE stdout contract check not applicable. PR adds Prow step registry with bash scripts, not Go test binaries that need JSON stdout for openshift-tests.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The custom check is for Ginkgo e2e tests. This PR adds a Prow step with bash script, YAML, JSON, and OWNERS configuration files—no Ginkgo tests or Go code. Check not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`:
- Around line 11-12: The declaration for OCP_VERSION uses an unguarded expansion
which triggers set -u before main() can validate it; change the declaration to
use a defaulting expansion like RHWA_FBC_COMMIT_SHA (e.g., declare
OCP_VERSION="${OCP_VERSION:-}") so the script does not exit with "unbound
variable" and allow the explicit validation in main() to produce the intended
error message; update the declaration near the top (identifier OCP_VERSION) and
leave main()'s validation intact.
- Around line 14-18: The run() helper currently uses eval which enables shell
injection; change run() to accept positional args (replace eval "$cmd" with exec
of the passed arguments using "$@") and update every caller that currently
builds a single interpolated command string to call run with separate arguments
(e.g., run oc create catalogsource "$CATALOG_SOURCE_NAME" --from-latest and
similarly for commands that include "$OCP_VERSION", "$RHWA_FBC_COMMIT_SHA", and
"$node_name") so all variables are passed as safe separate parameters rather
than interpolated into one string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6ad2bf92-429b-425c-b398-eb81ce3f66d4

📥 Commits

Reviewing files that changed from the base of the PR and between b9ec3ec and ab49550.

📒 Files selected for processing (4)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (1)

61-64: 💤 Low value

Fallback tag selection may not retrieve the chronologically latest image.

The tail -1 on skopeo list-tags output selects the last tag in an arbitrary order (typically lexicographic), not the most recently pushed. For 40-character hex commit SHAs, this is effectively random.

Since this is fallback behavior when the resolved commit lacks an image, picking any valid tag is acceptable. Consider updating the echo on line 67 from "latest" to "fallback" to avoid confusion:

-            echo "Using fallback tag: $latest_tag"
+            echo "Using fallback tag (arbitrary valid commit): $latest_tag"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`
around lines 61 - 64, The fallback tag selection uses latest_tag (set by the
skopeo/jq/grep/tail pipeline) but the script still echoes "latest" on failure;
update the fallback wording to avoid confusion: change the echo that references
"latest" to "fallback" (or similar) so it reads that a fallback tag was selected
when latest_tag is used, keeping the existing latest_tag logic intact; locate
references to the latest_tag variable and the echo statement near its assignment
(the skopeo/jq/grep/tail pipeline and the subsequent echo) and only change the
message text.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`:
- Around line 61-64: The fallback tag selection uses latest_tag (set by the
skopeo/jq/grep/tail pipeline) but the script still echoes "latest" on failure;
update the fallback wording to avoid confusion: change the echo that references
"latest" to "fallback" (or similar) so it reads that a fallback tag was selected
when latest_tag is used, keeping the existing latest_tag logic intact; locate
references to the latest_tag variable and the echo statement near its assignment
(the skopeo/jq/grep/tail pipeline and the subsequent echo) and only change the
message text.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 472b2409-db5d-4fb3-908b-a4e5a41738b9

📥 Commits

Reviewing files that changed from the base of the PR and between ab49550 and 3e31b72.

📒 Files selected for processing (4)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

✅ Files skipped from review due to trivial changes (2)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ugreener: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`:
- Around line 99-117: The ensure_marketplace() function currently returns
immediately if the openshift-marketplace namespace exists, so the pod-security
label keys (security.openshift.io/scc.podSecurityLabelSync,
pod-security.kubernetes.io/enforce, pod-security.kubernetes.io/audit,
pod-security.kubernetes.io/warn) are never applied on the pre-existing path;
change ensure_marketplace to always apply those labels: keep the existing
create-via-heredoc branch for when the namespace is missing, but after creation
(or if it already exists) run an idempotent operation to set/update the labels
(for example by applying the same Namespace manifest via oc apply -f - or by
running oc patch/label with --type=merge to add the four keys), ensuring the
labels are enforced regardless of whether the namespace was newly created or
pre-existing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d52338c3-7ff1-4397-b3bc-b2c4fe7766f0

📥 Commits

Reviewing files that changed from the base of the PR and between ac0d097 and 4a8b5bd.

📒 Files selected for processing (5)

• ci-operator/step-registry/medik8s/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/medik8s/OWNERS

🚧 Files skipped from review as they are similar to previous changes (2)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Apply the marketplace labels even when the namespace already exists.

ensure_marketplace() returns as soon as openshift-marketplace is present, so the pod-security labels in Lines 110-114 are never enforced on the common pre-existing-namespace path. That means this step does not actually "ensure" the namespace state it depends on.

Suggested fix

 ensure_marketplace() {
-    if oc get ns openshift-marketplace > /dev/null 2>&1; then
-        echo "openshift-marketplace namespace exists"
-        return 0
-    fi
-
-    echo "Creating openshift-marketplace namespace..."
+    echo "Ensuring openshift-marketplace namespace and labels..."
     cat <<EOF | oc apply -f -
 apiVersion: v1
 kind: Namespace
 metadata:
   labels:

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`
around lines 99 - 117, The ensure_marketplace() function currently returns
immediately if the openshift-marketplace namespace exists, so the pod-security
label keys (security.openshift.io/scc.podSecurityLabelSync,
pod-security.kubernetes.io/enforce, pod-security.kubernetes.io/audit,
pod-security.kubernetes.io/warn) are never applied on the pre-existing path;
change ensure_marketplace to always apply those labels: keep the existing
create-via-heredoc branch for when the namespace is missing, but after creation
(or if it already exists) run an idempotent operation to set/update the labels
(for example by applying the same Namespace manifest via oc apply -f - or by
running oc patch/label with --type=merge to add the four keys), ensuring the
labels are enforced regardless of whether the namespace was newly created or
pre-existing.

[openshift-ci]

@ugreener: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.