RHIDP-14785: Add OLM v1 code path to prepare-restricted-environment.sh#3046
Conversation
PR Summary by QodoAdd OLM v1 support to install-rhdh-catalog-source.sh with auto-detection Description
Diagram
High-Level Assessment
Files changed (1)
|
Code Review by Qodo
Context used✅ Compliance rules (platform):
18 rules 1.
|
Add OLM version detection and branching to the airgap script so it generates the correct manifests for both OLM v0 and OLM v1 clusters. When OLM v1 is detected (or forced via --olm-version), the script produces ClusterCatalog, ClusterExtension, ServiceAccount, and ClusterRoleBinding instead of CatalogSource, OperatorGroup, and Subscription. The oc-mirror path converts CatalogSource output to ClusterCatalog. Export-only mode generates both manifest sets. Signed-off-by: Fortune-Ndlovu <fndlovu@redhat.com> Assisted-by: Claude (Opus 4.6)
0137c0e to
c860d35
Compare
|
/agentic_review |
|
Code review by qodo was updated up to the latest commit c860d35 |
…m-v-1-path-to-prepare-restricted-environment-sh
…nt.sh - Introduced functions to determine whether to generate v1 or v0 manifests based on the resolved OLM version and registry settings. - Simplified conditional checks for OLM v1 and v0 manifest generation, improving code readability and maintainability. - Updated error handling for OLM installation checks to reflect the new logic.
- Introduced a variable CATALOG_PULL_SECRET to dynamically set the pull secret based on the TO_REGISTRY value. - Updated manifest generation logic to use the new CATALOG_PULL_SECRET variable, enhancing flexibility for different registry configurations. - Improved code readability by consolidating pull secret assignments.
- Updated the buildRegistryUrl function to directly execute the oc command for retrieving the default route, improving clarity. - Added a shellcheck directive to suppress warnings for the catalogImage variable assignment, enhancing code quality and maintainability.
|
/agentic_review |
|
Code review by qodo was updated up to the latest commit 5cb6ebd |
…environment.sh - Introduced a new ClusterRole for the rhdh-operator-installer, defining permissions for various Kubernetes resources. - Updated the manifest generation logic to include the new ClusterRole and adjusted the ClusterRoleBinding to reference it. - Enhanced the script to apply the ClusterRole during the installation process, improving operator functionality and security.
OLM v1 auto-detection is now platform-agnostic, based solely on CRD presence and catalogd deployment status regardless of cluster type. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
Explain when each function returns true: either the resolved OLM version matches, or we are exporting to disk with auto-detect mode and need to generate both sets of manifests. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
…type Replace hardcoded kubectl references in the OLM v1 manual install instructions with the appropriate CLI tool for the detected cluster. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
oc-mirror v2 already generates ClusterCatalog resources natively with the cc-*.yaml naming pattern. Use those directly instead of manually converting CatalogSource manifests, applying our name override, image URL rewrite, and pullSecret on top. Fall back to the CatalogSource conversion only if no cc-*.yaml files are found. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
|
/agentic_review |
'local' is only valid inside functions. These variables are in the top-level script body, so drop the local qualifier. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
|
/agentic_review |
This update grants the image-puller role to both the default and catalogd service accounts in the catalogd namespace, allowing them to pull images from the internal registry. This change enhances the permissions necessary for OLM v1 deployments. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
|
/agentic_review |
…etes When RESOLVED_OLM_VERSION is v1 on a non-OpenShift cluster, the CatalogSource CRD check is irrelevant and would incorrectly fail. Guard it behind a v1 check so --olm-version v1 works on Kubernetes clusters that have OLM v1 installed. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
The script already sets -euo pipefail at the top level (line 8). Functions run in the same shell, so repeating it inside resolve_olm_version and prepare_olm_v1_secrets is a no-op. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
detect_olm_v1_catalogd and prepare_olm_v1_secrets both queried the cluster for the catalogd deployment namespace. Move the result into the global NAMESPACE_CATALOGD variable during detection so prepare_olm_v1_secrets can reuse it without a redundant API call. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
|
Code review by qodo was updated up to the latest commit 3ef9065 |
CATALOG_PULL_SECRET is already set in the main flow before the oc-mirror/non-oc-mirror split (when TO_REGISTRY is set). The identical assignment inside the non-oc-mirror path was redundant. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
Reference RHIDP-8656 in the generated ClusterExtension manifest so users inspecting the YAML understand why enforcement is set to None. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
RHIDP-8656 was the spike investigation, not a blocker. The actual reason for disabling CRD upgrade safety preflight is upstream OLM v1 bug OCPBUGS-60693, which is fixed in OCP 4.22. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
The upstream OLM v1 bug (OCPBUGS-60693) that required disabling CRD upgrade safety validation is fixed in OCP 4.22. Remove the workaround so the default Strict enforcement applies. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
The template-mode code at line 1270 overwrites CATALOG_PULL_SECRET with a literal '$CATALOG_PULL_SECRET' placeholder for export-to-dir. When TO_REGISTRY is set, this must be re-assigned to the actual secret name so the generated ClusterCatalog manifest has a valid pullSecret reference. Without this, catalogd gets 'authentication required' errors pulling from the internal registry. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
The olm.operatorframework.io/v1 ClusterCatalog CRD does not have a pullSecret field — it was silently dropped, causing 'authentication required' errors when catalogd tried to pull from the internal registry. OLM v1 catalogd and operator-controller both authenticate via the global pull secret (openshift-config/pull-secret). Merge internal registry credentials there instead of relying on a per-resource pullSecret field that does not exist in the CRD schema. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
…-element loop Remove all CATALOG_PULL_SECRET assignments since the variable is no longer used after switching OLM v1 to global pull secret authentication. Also replace single-element for loop with direct variable usage (SC2066). Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
|
/agentic_review |
|
Code review by qodo was updated up to the latest commit eaeaec4 |
The image-puller role bindings were being created in the catalogd SA's own namespace instead of the namespace where mirrored images are stored (e.g. rhdh). This caused authentication failures when catalogd and operator-controller tried to pull catalog and bundle images from the internal registry. Also add image-puller grants for the operator-controller service account, which needs to pull bundle images during ClusterExtension installation. Signed-off-by: Fortune Ndlovu <fndlovu@redhat.com>
|





Adds an
--olm-version v0|v1|autoCLI flag (default:auto) toprepare-restricted-environment.shwith CRD-based OLM v1 detection. When OLM v1 is detected (or forced), the script creates a ClusterCatalog and ClusterExtension with a ServiceAccount and ClusterRoleBinding, instead of the OLM v0 CatalogSource, Subscription, and OperatorGroup. Resolution is pinned to the custom catalog viaselector.matchLabels, and CRD upgrade safety preflight is disabled (enforcement: None) per the known blocker RHIDP-8656. The OLM v0 path is fully preserved for backward compatibility on older clusters.Which issue(s) does this PR fix or relate to
Resolves: https://redhat.atlassian.net/browse/RHIDP-14785
PR acceptance criteria
How to test changes / Special notes to the reviewer
Signed-off-by: Fortune-Ndlovu fndlovu@redhat.com
Assisted-by: Claude (claude-opus-4-6)