Add medik8s-catalogsource Prow step with dual catalog modes

[ugreener]

Summary

• Adds a new Prow step medik8s-catalogsource that creates an OLM CatalogSource for medik8s/RHWA operator testing
• Two modes: konflux (default) resolves FBC from Quay with IDMS; direct creates CatalogSource from any provided image reference
• Supports commit SHA pinning via FBC_COMMIT_SHA for reproducible Konflux test runs
• No credentials needed — GitLab API and Quay repos are publicly accessible

What this step does

Konflux mode (default, CATALOG_MODE=konflux):

1. Resolves the latest commit SHA from dragonfly/rhwa-fbc via GitLab API (branch configurable via GIT_REF, defaults to main)
2. Verifies the FBC catalog image exists on Quay for the resolved commit
3. Fetches images-mirror-set.yaml from that commit, applies it as IDMS, and waits for MachineConfigPool rollout
4. Creates a CatalogSource pointing to the Konflux FBC catalog image tagged with the same commit SHA
5. Waits up to 600 seconds for the CatalogSource to become READY

Direct mode (CATALOG_MODE=direct):

1. Takes a full catalog image reference via CATALOG_IMAGE_REF (e.g., IIB, FBC, or registry.redhat.io index)
2. Creates a CatalogSource pointing directly to the provided image (no IDMS, no MCP wait needed)
3. Waits for the CatalogSource to become READY

Files

ci-operator/step-registry/medik8s/
├── OWNERS
└── catalogsource/
    ├── OWNERS
    ├── medik8s-catalogsource-commands.sh
    ├── medik8s-catalogsource-ref.metadata.json
    └── medik8s-catalogsource-ref.yaml

Test plan

• Rehearsal jobs pass (YAML, metadata, OWNERS validation)
• Step is visible in step registry after merge
• Downstream: periodic job config will be added via follow-up PR (RHWA-839)

Jira: RHWA-990

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds a medik8s konflux-catalogsource step: ownership metadata and step definition, plus a new bash script that resolves a GitLab commit, verifies a Quay rhwa-fbc image, applies the matching ImageDigestMirrorSet, creates an OLM CatalogSource in openshift-marketplace, and waits with debug on failure.

Changes

Medik8s Konflux CatalogSource Step Registry

Layer / File(s)	Summary
Step Registry Definition and Ownership ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml, ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json, ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS, ci-operator/step-registry/medik8s/OWNERS	Adds the step registry YAML that defines medik8s-konflux-catalogsource, installer image selection, resources, grace period and environment variables (OCP_VERSION, RHWA_FBC_COMMIT_SHA, CATALOG_SOURCE_NAME, IDMS_NAME), plus metadata and OWNERS with approvers/reviewers.
Script Initialization and Utility Functions ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 1–27)	Introduces the bash entrypoint, strict mode, environment-derived constants (GitLab/Quay endpoints, defaults, required OCP_VERSION, pin behavior), and helper functions run() and set_proxy() that source proxy config when available.
Commit resolution and image verification ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 28–76)	Implements resolve_commit_sha (use provided SHA or query GitLab) and verify_fbc_image (skopeo check and optional fallback to latest 40-hex tag).
Apply IDMS and marketplace setup ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 77–117)	Implements apply_idms (download and oc apply IDMS YAML) and ensure_marketplace (create namespace with pod-security labels).
CatalogSource creation, wait, and orchestration ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (lines 119–199)	Implements create_catalogsource (render/apply CatalogSource), wait_for_catalogsource (poll readiness, emit debug, node podman pull on timeout), and main orchestration that writes resolved SHA to ${SHARED_DIR}/rhwa_fbc_commit_sha.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

lgtm

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR does not contain any Ginkgo tests. It adds Bash scripts, YAML config, JSON metadata, and OWNERS files—no Go test code. The check is not applicable.
Test Structure And Quality	✅ Passed	PR contains no Ginkgo test code. Files added are: bash script for step registry, YAML/JSON configuration, and OWNERS files. Check for Ginkgo test structure is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests—only Bash/YAML/JSON configuration files for a Prow CI step. Check not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The changes consist of CI operator configuration files (OWNERS, bash provisioning script, YAML step registry files) with no test code.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds a Prow step creating only Namespace and CatalogSource resources with no affinity, nodeSelector, topology constraints, or scheduling assumptions.
Ote Binary Stdout Contract	✅ Passed	PR adds only shell scripts and configuration files, not OTE test binaries; the check applies only to Go code with main() and similar entry points.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR adds no Ginkgo e2e tests; custom check applies only to new Ginkgo tests, not to Prow step scripts or configuration files.
Title check	✅ Passed	The title 'Add medik8s-catalogsource Prow step with dual catalog modes' is partially related to the changeset. It refers to adding a medik8s CatalogSource step, but the specific nature of the change is about adding a Konflux CatalogSource step for RHWA FBC testing, and the phrase 'dual catalog modes' does not accurately reflect the changeset content, which focuses on a single CatalogSource creation mechanism from Konflux FBC artifacts.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`:
- Around line 11-12: The declaration for OCP_VERSION uses an unguarded expansion
which triggers set -u before main() can validate it; change the declaration to
use a defaulting expansion like RHWA_FBC_COMMIT_SHA (e.g., declare
OCP_VERSION="${OCP_VERSION:-}") so the script does not exit with "unbound
variable" and allow the explicit validation in main() to produce the intended
error message; update the declaration near the top (identifier OCP_VERSION) and
leave main()'s validation intact.
- Around line 14-18: The run() helper currently uses eval which enables shell
injection; change run() to accept positional args (replace eval "$cmd" with exec
of the passed arguments using "$@") and update every caller that currently
builds a single interpolated command string to call run with separate arguments
(e.g., run oc create catalogsource "$CATALOG_SOURCE_NAME" --from-latest and
similarly for commands that include "$OCP_VERSION", "$RHWA_FBC_COMMIT_SHA", and
"$node_name") so all variables are passed as safe separate parameters rather
than interpolated into one string.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6ad2bf92-429b-425c-b398-eb81ce3f66d4

📥 Commits

Reviewing files that changed from the base of the PR and between b9ec3ec and ab49550.

📒 Files selected for processing (4)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh (1)

61-64: 💤 Low value

Fallback tag selection may not retrieve the chronologically latest image.

The tail -1 on skopeo list-tags output selects the last tag in an arbitrary order (typically lexicographic), not the most recently pushed. For 40-character hex commit SHAs, this is effectively random.

Since this is fallback behavior when the resolved commit lacks an image, picking any valid tag is acceptable. Consider updating the echo on line 67 from "latest" to "fallback" to avoid confusion:

-            echo "Using fallback tag: $latest_tag"
+            echo "Using fallback tag (arbitrary valid commit): $latest_tag"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`
around lines 61 - 64, The fallback tag selection uses latest_tag (set by the
skopeo/jq/grep/tail pipeline) but the script still echoes "latest" on failure;
update the fallback wording to avoid confusion: change the echo that references
"latest" to "fallback" (or similar) so it reads that a fallback tag was selected
when latest_tag is used, keeping the existing latest_tag logic intact; locate
references to the latest_tag variable and the echo statement near its assignment
(the skopeo/jq/grep/tail pipeline and the subsequent echo) and only change the
message text.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`:
- Around line 61-64: The fallback tag selection uses latest_tag (set by the
skopeo/jq/grep/tail pipeline) but the script still echoes "latest" on failure;
update the fallback wording to avoid confusion: change the echo that references
"latest" to "fallback" (or similar) so it reads that a fallback tag was selected
when latest_tag is used, keeping the existing latest_tag logic intact; locate
references to the latest_tag variable and the echo statement near its assignment
(the skopeo/jq/grep/tail pipeline and the subsequent echo) and only change the
message text.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 472b2409-db5d-4fb3-908b-a4e5a41738b9

📥 Commits

Reviewing files that changed from the base of the PR and between ab49550 and 3e31b72.

📒 Files selected for processing (4)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

✅ Files skipped from review due to trivial changes (2)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`:
- Around line 99-117: The ensure_marketplace() function currently returns
immediately if the openshift-marketplace namespace exists, so the pod-security
label keys (security.openshift.io/scc.podSecurityLabelSync,
pod-security.kubernetes.io/enforce, pod-security.kubernetes.io/audit,
pod-security.kubernetes.io/warn) are never applied on the pre-existing path;
change ensure_marketplace to always apply those labels: keep the existing
create-via-heredoc branch for when the namespace is missing, but after creation
(or if it already exists) run an idempotent operation to set/update the labels
(for example by applying the same Namespace manifest via oc apply -f - or by
running oc patch/label with --type=merge to add the four keys), ensuring the
labels are enforced regardless of whether the namespace was newly created or
pre-existing.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d52338c3-7ff1-4397-b3bc-b2c4fe7766f0

📥 Commits

Reviewing files that changed from the base of the PR and between ac0d097 and 4a8b5bd.

📒 Files selected for processing (5)

• ci-operator/step-registry/medik8s/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/medik8s/OWNERS

🚧 Files skipped from review as they are similar to previous changes (2)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh`:
- Around line 38-39: The network curl calls that set RHWA_FBC_COMMIT_SHA and the
later curl block (lines referenced in the diff) need explicit retry and timeout
bounds to prevent flakes/hangs: update the two curl invocations used to fetch
from ${GITLAB_API} (the assignment to RHWA_FBC_COMMIT_SHA and the subsequent
fetch at lines ~85-88) to include curl retry flags (e.g., --retry and
--retry-delay or --retry-connrefused) and a global timeout (--max-time) so
transient failures are retried and calls cannot hang indefinitely; keep existing
flags like -s -f, preserve the trailing || true behavior where present, and
choose conservative values (for example --retry 5 --retry-delay 2 and --max-time
15) or project-preferred values.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 55b15ad0-a320-43d0-b688-4a98bada128f

📥 Commits

Reviewing files that changed from the base of the PR and between 4a8b5bd and a9010f8.

📒 Files selected for processing (5)

• ci-operator/step-registry/medik8s/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.metadata.json
• ci-operator/step-registry/medik8s/konflux-catalogsource/medik8s-konflux-catalogsource-ref.yaml

✅ Files skipped from review due to trivial changes (2)

• ci-operator/step-registry/medik8s/konflux-catalogsource/OWNERS
• ci-operator/step-registry/medik8s/OWNERS

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@ugreener: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@ugreener: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[clobrano]

nitpick: you could use the SECONDS bash variable and decouple the counter from the sleep time

EXPIRED=$(( SECONDS + 5000 ))
while (( SECONDS < EXPIRED )); do
    #.. some repeated task.
    sleep 30
done

[maximunited]

/lgtm from me

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maximunited, ugreener

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment