USHIFT-7058: Build and use small OLM catalog

[pmtk]

redhat-operator-index is almost 5GiB in size which might have been causing flakiness

Summary by CodeRabbit

• Tests
  • Updated OLM test assets and Robot suite to target the hello-microshift operator catalog and subscription.
• Chores
  • Added a script to build and optionally push file-based OLM catalog images for testing.
• New Features
  • Added operator bundle metadata, CSV manifest, catalog entries, and subscription configurations to enable catalog-based operator testing.

[openshift-ci-robot]

@pmtk: This pull request references USHIFT-7058 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

Details

In response to this:

redhat-operator-index is almost 5GiB in size which might have been causing flakiness

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: b11d150b-ca0c-4b6b-a14a-64c4bbd37912

📥 Commits

Reviewing files that changed from the base of the PR and between 3f090e6 and 02d864c.

📒 Files selected for processing (1)

• test/assets/olm/hello-microshift-operator/build-catalog.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• test/assets/olm/hello-microshift-operator/build-catalog.sh

---

Walkthrough

This PR adds a hello-microshift OLM bundle and metadata, a script to build/push a file-based OLM catalog image, updates CatalogSource and Subscription test assets to use the new catalog/operator, and adjusts the Robot Framework OLM test suite accordingly.

Changes

OLM Operator Integration

Layer / File(s)	Summary
Operator bundle and metadata test/assets/olm/hello-microshift-operator/manifests/hello-microshift-operator.clusterserviceversion.yaml, test/assets/olm/hello-microshift-operator/metadata/annotations.yaml, test/assets/olm/hello-microshift-operator/catalog-extra.yaml	Defines the hello-microshift operator bundle: CSV with deployment (BusyBox HTTP responder on port 8080) and restrictive container security, plus bundle annotations and a catalog-extra declaring the alpha channel entry.
Catalog image build script test/assets/olm/hello-microshift-operator/build-catalog.sh	Adds a Bash script that parses --image/--push, ensures opm is available (fetches if needed), renders the bundle to a file-based catalog.json, appends catalog-extra.yaml, validates, generates a Dockerfile, builds amd64/arm64 images into a manifest with podman, and optionally pushes the manifest.
Test asset configuration test/assets/olm/catalog-source.yaml, test/assets/olm/subscription.yaml	Updates CatalogSource to point to hello-microshift-catalog and adjusts Subscription to install hello-microshift-operator from the alpha channel with installPlanApproval: Automatic.
Test suite updates test/suites/optional/olm.robot	Updates ${SUBSCRIPTION_NAME}, test case names, keyword docs, and readiness assertions to target hello-microshift-operator and hello-microshift-catalog instead of the previous AMQ Broker catalog.

---

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: building and using a smaller OLM catalog instead of the large redhat-operator-index.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo test files—only YAML assets, a bash script, and Robot Framework tests. Check doesn't apply.
Test Structure And Quality	✅ Passed	No Ginkgo test code exists in this PR or repository. The changes are YAML assets and Robot Framework test files. The check does not apply.
Microshift Test Compatibility	✅ Passed	This PR adds no Ginkgo e2e tests. It modifies Robot Framework tests and YAML test assets. The custom check for Ginkgo compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR does not add any new Ginkgo e2e tests. Changes are YAML assets, a shell script, and Robot Framework test updates—the SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	No scheduling constraints that assume 3+ control-plane nodes. Single-replica deployment with no affinity, nodeSelector, or topology constraints works on SNO, TNF, TNA, HyperShift.
Ote Binary Stdout Contract	✅ Passed	PR modifies only test assets (YAML), a Bash script, and a Robot Framework test file. No Go source code changes that could violate the OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR contains no new Ginkgo e2e tests—only Robot Framework tests and YAML/Bash assets. The check applies only to Ginkgo tests, which are absent here.
No-Weak-Crypto	✅ Passed	No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or insecure secret comparisons detected in any modified files.
Container-Privileges	✅ Passed	No privileged container configurations found. ClusterServiceVersion explicitly disables privilege escalation, drops all capabilities, runs as non-root, and enforces RuntimeDefault seccomp.
No-Sensitive-Data-In-Logs	✅ Passed	No sensitive data (passwords, tokens, API keys, PII, credentials) found in logging statements or configuration files across all modified OLM-related test assets and scripts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[pmtk]

/test ?

[pmtk]

/test e2e-aws-tests-bootc-el9

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/assets/olm/hello-microshift-operator/build-catalog.sh`:
- Around line 24-27: The --image) case unconditionally assigns IMAGE="$2" and
shift 2 which under set -u will blow up if the caller passed --image without a
value; update the --image) branch in the script to first verify a value exists
(e.g. check $# -lt 2 or test -z "${2-}") and if missing print a clear
usage/error and exit non‑zero, otherwise set IMAGE="$2" and shift 2 as before;
reference the --image) case, IMAGE variable, shift 2, and account for set -u
when implementing the guard.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6458ed7a-ea3d-404e-80e0-cc0e29479e26

📥 Commits

Reviewing files that changed from the base of the PR and between 6eaeac9 and ab0023a.

📒 Files selected for processing (7)

• test/assets/olm/catalog-source.yaml
• test/assets/olm/hello-microshift-operator/build-catalog.sh
• test/assets/olm/hello-microshift-operator/catalog-extra.yaml
• test/assets/olm/hello-microshift-operator/manifests/hello-microshift-operator.clusterserviceversion.yaml
• test/assets/olm/hello-microshift-operator/metadata/annotations.yaml
• test/assets/olm/subscription.yaml
• test/suites/optional/olm.robot

[coderabbitai]

🧹 Nitpick comments (1)

test/assets/olm/hello-microshift-operator/build-catalog.sh (1)

64-64: ⚡ Quick win

Pin the opm base image to an immutable digest in the generated catalog.Dockerfile.

build-catalog.sh emits FROM quay.io/operator-framework/opm:latest, which makes catalog builds non-deterministic; pin to quay.io/operator-framework/opm@sha256:... instead. (No Operator Framework docs were found that specify a single “recommended” digest, so the digest should be resolved/pinned by the repo/CI policy.)

Proposed change

-FROM quay.io/operator-framework/opm:latest
+FROM quay.io/operator-framework/opm@sha256:<resolved-digest>

Which pinned `quay.io/operator-framework/opm` digest should we standardize on for this repo/CI (since docs don’t provide one), and can we store it in a variable so the generated `catalog.Dockerfile` is fully immutable?

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/assets/olm/hello-microshift-operator/build-catalog.sh` at line 64,
build-catalog.sh currently emits an unpinned base image line ("FROM
quay.io/operator-framework/opm:latest") into the generated catalog.Dockerfile
which makes builds non-deterministic; update build-catalog.sh to resolve and pin
a specific quay.io/operator-framework/opm@sha256:<digest> (choose the digest
your repo/CI policy approves) and emit that digested reference into
catalog.Dockerfile instead of ":latest", and store the chosen digest in a
variable (e.g., OPM_IMAGE_DIGEST or OPM_BASE) inside build-catalog.sh so the
generated catalog.Dockerfile is fully immutable and easy to update in the
future.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/assets/olm/hello-microshift-operator/build-catalog.sh`:
- Line 64: build-catalog.sh currently emits an unpinned base image line ("FROM
quay.io/operator-framework/opm:latest") into the generated catalog.Dockerfile
which makes builds non-deterministic; update build-catalog.sh to resolve and pin
a specific quay.io/operator-framework/opm@sha256:<digest> (choose the digest
your repo/CI policy approves) and emit that digested reference into
catalog.Dockerfile instead of ":latest", and store the chosen digest in a
variable (e.g., OPM_IMAGE_DIGEST or OPM_BASE) inside build-catalog.sh so the
generated catalog.Dockerfile is fully immutable and easy to update in the
future.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fdfb100c-fbca-40b9-a8ab-268e5de204bc

📥 Commits

Reviewing files that changed from the base of the PR and between ab0023a and 3f090e6.

📒 Files selected for processing (7)

• test/assets/olm/catalog-source.yaml
• test/assets/olm/hello-microshift-operator/build-catalog.sh
• test/assets/olm/hello-microshift-operator/catalog-extra.yaml
• test/assets/olm/hello-microshift-operator/manifests/hello-microshift-operator.clusterserviceversion.yaml
• test/assets/olm/hello-microshift-operator/metadata/annotations.yaml
• test/assets/olm/subscription.yaml
• test/suites/optional/olm.robot

✅ Files skipped from review due to trivial changes (3)

• test/assets/olm/hello-microshift-operator/metadata/annotations.yaml
• test/assets/olm/subscription.yaml
• test/assets/olm/hello-microshift-operator/catalog-extra.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• test/assets/olm/hello-microshift-operator/manifests/hello-microshift-operator.clusterserviceversion.yaml
• test/suites/optional/olm.robot
• test/assets/olm/catalog-source.yaml

[coderabbitai]

Actionable comments posted: 0

[pmtk]

/retest

[copejon]

/lgtm

[copejon]

/verified by ci

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: copejon, pmtk

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [copejon,pmtk]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@copejon: This PR has been marked as verified by ci.

Details

In response to this:

/verified by ci

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@pmtk: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.