From 275962c01c0bf70fc2ec568b12d31699a05eca41 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Thu, 14 May 2026 17:02:57 -0400 Subject: [PATCH 1/8] feat: add FBC catalog Dockerfile for CI operator installation Add build/Dockerfile.catalog that renders a bundle image into an FBC (File-Based Catalog) catalog image servable via gRPC CatalogSource. This enables CI to install the operator without operator-sdk, using only opm (actively maintained by OLM team). The Dockerfile uses opm render to generate FBC content from a bundle image passed as BUNDLE_IMG build arg, appends OLM package/channel metadata, validates with opm validate, and serves via opm serve. Pattern follows networking-incubator/coraza-kubernetes-operator and migrationqe/oadp-release-info ROSA_HCP tooling. Closes: https://github.com/openshift/oadp-operator/issues/2203 Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- build/Dockerfile.catalog | 54 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 build/Dockerfile.catalog diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog new file mode 100644 index 00000000000..dcabcbc97d6 --- /dev/null +++ b/build/Dockerfile.catalog @@ -0,0 +1,54 @@ +# FBC (File-Based Catalog) image for OLM operator installation. +# Renders a bundle image into an FBC catalog servable via gRPC CatalogSource. +# +# Usage: +# podman build -f build/Dockerfile.catalog \ +# --build-arg BUNDLE_IMG= \ +# -t . +# +# ci-operator: set BUNDLE_IMG via build_args in the ci-operator config. +# The bundle image must be pushed to a registry accessible during the build. +# +# Reference: networking-incubator/coraza-kubernetes-operator catalog/Dockerfile + +ARG OPM_VERSION=v1.23.0 + +FROM quay.io/operator-framework/opm:${OPM_VERSION} AS opm + +FROM registry.access.redhat.com/ubi9/ubi-minimal AS builder + +COPY --from=opm /bin/opm /bin/opm + +# Allow opm to pull bundle images from CI registries without signature verification +RUN mkdir -p /etc/containers && \ + echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /etc/containers/policy.json + +ARG BUNDLE_IMG +ARG VERSION=99.0.0 +ARG DEFAULT_CHANNEL=dev + +RUN mkdir -p /configs/oadp-operator && \ + /bin/opm render ${BUNDLE_IMG} -o yaml > /configs/oadp-operator/index.yaml && \ + echo '---' >> /configs/oadp-operator/index.yaml && \ + echo 'schema: olm.package' >> /configs/oadp-operator/index.yaml && \ + echo 'name: oadp-operator' >> /configs/oadp-operator/index.yaml && \ + echo "defaultChannel: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \ + echo '---' >> /configs/oadp-operator/index.yaml && \ + echo 'schema: olm.channel' >> /configs/oadp-operator/index.yaml && \ + echo "name: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \ + echo 'package: oadp-operator' >> /configs/oadp-operator/index.yaml && \ + echo 'entries:' >> /configs/oadp-operator/index.yaml && \ + echo " - name: oadp-operator.v${VERSION}" >> /configs/oadp-operator/index.yaml && \ + /bin/opm validate /configs/ + +FROM opm + +COPY --from=builder /configs /configs + +RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] + +LABEL operators.operatorframework.io.index.configs.v1=/configs + +EXPOSE 50051 +ENTRYPOINT ["/bin/opm"] +CMD ["serve", "/configs", "--cache-dir=/tmp/cache"] From ba95d8e2feb4deaecc735e92a6293d6574794c3a Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Thu, 14 May 2026 17:06:21 -0400 Subject: [PATCH 2/8] chore: bump OPM_VERSION from v1.23.0 to v1.68.0 Reviewed all 45 releases between v1.23.0 and v1.68.0. No breaking changes affect the opm render, opm validate, or opm generate dockerfile commands used in the Makefile catalog-build target. Notable changes absorbed: - v1.53.0: requires policy.json for registry access (Dockerfile already sets insecureAcceptAnything for CI registries) - v1.58.0: stricter opm validate (no impact on single-bundle catalog) - v1.51.0: file permissions ratcheted to o600 (Makefile deletes generated files after build anyway) Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- Makefile | 2 +- build/Dockerfile.catalog | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index dd482c054c8..ad6a0c6d92f 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ ENVTEST_K8S_VERSION = 1.32 #refers to the version of kubebuilder assets to be do GOLANGCI_LINT_VERSION ?= v2.9.0 KUSTOMIZE_VERSION ?= v5.2.1 CONTROLLER_TOOLS_VERSION ?= v0.16.5 -OPM_VERSION ?= v1.23.0 +OPM_VERSION ?= v1.68.0 BRANCH_VERSION = oadp-dev PREVIOUS_CHANNEL ?= oadp-1.5 PREVIOUS_CHANNEL_GO_VERSION ?= 1.23 diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog index dcabcbc97d6..b718e97ff56 100644 --- a/build/Dockerfile.catalog +++ b/build/Dockerfile.catalog @@ -11,7 +11,7 @@ # # Reference: networking-incubator/coraza-kubernetes-operator catalog/Dockerfile -ARG OPM_VERSION=v1.23.0 +ARG OPM_VERSION=v1.68.0 FROM quay.io/operator-framework/opm:${OPM_VERSION} AS opm From be69539bfa5719160bd22199f40c0d16431ce032 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Thu, 14 May 2026 17:14:15 -0400 Subject: [PATCH 3/8] fix: address PR review feedback on Dockerfile.catalog - Replace echo chains with heredoc for OLM metadata (cleaner) - Add fail-fast guard for missing BUNDLE_IMG build arg - Quote BUNDLE_IMG in opm render to prevent word-splitting - Add explicit non-root USER 65532 in final stage - Ensure /tmp/cache is writable for non-root user Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- build/Dockerfile.catalog | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog index b718e97ff56..c3f0d3e860a 100644 --- a/build/Dockerfile.catalog +++ b/build/Dockerfile.catalog @@ -27,19 +27,23 @@ ARG BUNDLE_IMG ARG VERSION=99.0.0 ARG DEFAULT_CHANNEL=dev -RUN mkdir -p /configs/oadp-operator && \ - /bin/opm render ${BUNDLE_IMG} -o yaml > /configs/oadp-operator/index.yaml && \ - echo '---' >> /configs/oadp-operator/index.yaml && \ - echo 'schema: olm.package' >> /configs/oadp-operator/index.yaml && \ - echo 'name: oadp-operator' >> /configs/oadp-operator/index.yaml && \ - echo "defaultChannel: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \ - echo '---' >> /configs/oadp-operator/index.yaml && \ - echo 'schema: olm.channel' >> /configs/oadp-operator/index.yaml && \ - echo "name: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \ - echo 'package: oadp-operator' >> /configs/oadp-operator/index.yaml && \ - echo 'entries:' >> /configs/oadp-operator/index.yaml && \ - echo " - name: oadp-operator.v${VERSION}" >> /configs/oadp-operator/index.yaml && \ - /bin/opm validate /configs/ +RUN test -n "${BUNDLE_IMG}" || (echo "BUNDLE_IMG build-arg is required" >&2; exit 1) && \ + mkdir -p /configs/oadp-operator && \ + /bin/opm render "${BUNDLE_IMG}" -o yaml > /configs/oadp-operator/index.yaml && \ + cat >> /configs/oadp-operator/index.yaml < Date: Mon, 18 May 2026 16:36:23 -0400 Subject: [PATCH 4/8] fix: add cross-references and Makefile target for OPM_VERSION sync Add comments cross-pointing between Makefile and Dockerfile.catalog to prevent OPM_VERSION drift. Add catalog-fbc-build target that passes OPM_VERSION as --build-arg for single-source-of-truth builds. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- Makefile | 14 +++++++++++++- build/Dockerfile.catalog | 1 + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index ad6a0c6d92f..53859afcb12 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ ENVTEST_K8S_VERSION = 1.32 #refers to the version of kubebuilder assets to be do GOLANGCI_LINT_VERSION ?= v2.9.0 KUSTOMIZE_VERSION ?= v5.2.1 CONTROLLER_TOOLS_VERSION ?= v0.16.5 -OPM_VERSION ?= v1.68.0 +OPM_VERSION ?= v1.68.0 # also defined in build/Dockerfile.catalog — keep in sync BRANCH_VERSION = oadp-dev PREVIOUS_CHANNEL ?= oadp-1.5 PREVIOUS_CHANNEL_GO_VERSION ?= 1.23 @@ -417,6 +417,18 @@ catalog-build: opm ## Build a catalog image. $(CONTAINER_TOOL) build --load $(DOCKER_BUILD_ARGS) -f catalog.Dockerfile -t $(CATALOG_IMG) . rm -rf catalog.Dockerfile catalog/ +# Build a catalog image using build/Dockerfile.catalog (self-contained, used by CI). +# Passes OPM_VERSION from this Makefile to keep the two in sync. +.PHONY: catalog-fbc-build +catalog-fbc-build: ## Build a catalog image from build/Dockerfile.catalog. + $(CONTAINER_TOOL) build --load $(DOCKER_BUILD_ARGS) \ + -f build/Dockerfile.catalog \ + --build-arg BUNDLE_IMG=$(BUNDLE_IMG) \ + --build-arg OPM_VERSION=$(OPM_VERSION) \ + --build-arg VERSION=$(VERSION) \ + --build-arg DEFAULT_CHANNEL=$(DEFAULT_CHANNEL) \ + -t $(CATALOG_IMG) . + # Push the catalog image. .PHONY: catalog-push catalog-push: ## Push a catalog image. diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog index c3f0d3e860a..09375cc62cd 100644 --- a/build/Dockerfile.catalog +++ b/build/Dockerfile.catalog @@ -11,6 +11,7 @@ # # Reference: networking-incubator/coraza-kubernetes-operator catalog/Dockerfile +# Keep OPM_VERSION in sync with Makefile. Override via --build-arg or `make catalog-fbc-build`. ARG OPM_VERSION=v1.68.0 FROM quay.io/operator-framework/opm:${OPM_VERSION} AS opm From 49b9f2f52b294e341de1890a1f28e1ee55140cde Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Mon, 18 May 2026 16:36:47 -0400 Subject: [PATCH 5/8] docs: add usage example for catalog-fbc-build target Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- Makefile | 2 ++ build/Dockerfile.catalog | 3 +++ 2 files changed, 5 insertions(+) diff --git a/Makefile b/Makefile index 53859afcb12..01d2655e348 100644 --- a/Makefile +++ b/Makefile @@ -419,6 +419,8 @@ catalog-build: opm ## Build a catalog image. # Build a catalog image using build/Dockerfile.catalog (self-contained, used by CI). # Passes OPM_VERSION from this Makefile to keep the two in sync. +# Use case: test the same Dockerfile that CI uses, locally. +# make catalog-fbc-build BUNDLE_IMG=quay.io/konveyor/oadp-operator-bundle:latest .PHONY: catalog-fbc-build catalog-fbc-build: ## Build a catalog image from build/Dockerfile.catalog. $(CONTAINER_TOOL) build --load $(DOCKER_BUILD_ARGS) \ diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog index 09375cc62cd..be86910cac2 100644 --- a/build/Dockerfile.catalog +++ b/build/Dockerfile.catalog @@ -2,6 +2,9 @@ # Renders a bundle image into an FBC catalog servable via gRPC CatalogSource. # # Usage: +# make catalog-fbc-build BUNDLE_IMG= +# +# Or directly: # podman build -f build/Dockerfile.catalog \ # --build-arg BUNDLE_IMG= \ # -t . From 5997aa029e314fdb8049ccfd818cf22c882281f4 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Mon, 18 May 2026 16:45:44 -0400 Subject: [PATCH 6/8] docs: add on-cluster install instructions for catalog-fbc-build Show how to use the built catalog image with both OLMv0 (CatalogSource + deploy-olm) and OLMv1 (ClusterExtension). Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- Makefile | 22 ++++++++++++++++++++++ build/Dockerfile.catalog | 6 ++++++ 2 files changed, 28 insertions(+) diff --git a/Makefile b/Makefile index 01d2655e348..40f91bf7b3b 100644 --- a/Makefile +++ b/Makefile @@ -419,8 +419,30 @@ catalog-build: opm ## Build a catalog image. # Build a catalog image using build/Dockerfile.catalog (self-contained, used by CI). # Passes OPM_VERSION from this Makefile to keep the two in sync. +# # Use case: test the same Dockerfile that CI uses, locally. # make catalog-fbc-build BUNDLE_IMG=quay.io/konveyor/oadp-operator-bundle:latest +# make catalog-push +# +# Then install on-cluster: +# OLMv0 (CatalogSource + Subscription): +# make deploy-olm CATALOG_IMG=$(CATALOG_IMG) +# OLMv1 (ClusterExtension): +# kubectl apply -f - < \ # -t . # +# After building, push and install on-cluster: +# make catalog-push +# OLMv0: make deploy-olm CATALOG_IMG= +# OLMv1: create a ClusterExtension referencing the oadp-operator package +# (see Makefile catalog-fbc-build comments for full example) +# # ci-operator: set BUNDLE_IMG via build_args in the ci-operator config. # The bundle image must be pushed to a registry accessible during the build. # From b41a7df0127c5d13af6c9fe17db1c7a9c9bbe6ca Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Mon, 18 May 2026 16:46:52 -0400 Subject: [PATCH 7/8] docs: clarify OLMv0 vs OLMv1 usage in Dockerfile.catalog OLMv0 uses gRPC serving (ENTRYPOINT/CMD/cache). OLMv1 reads /configs directly and does not need the serve entrypoint. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- build/Dockerfile.catalog | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog index 303d380143f..51728078834 100644 --- a/build/Dockerfile.catalog +++ b/build/Dockerfile.catalog @@ -1,5 +1,6 @@ # FBC (File-Based Catalog) image for OLM operator installation. -# Renders a bundle image into an FBC catalog servable via gRPC CatalogSource. +# Renders a bundle image into an FBC catalog with gRPC serving for OLMv0. +# OLMv1 only needs the /configs content (no serving required). # # Usage: # make catalog-fbc-build BUNDLE_IMG= @@ -59,6 +60,8 @@ FROM opm COPY --from=builder /configs /configs +# OLMv0: pre-warm the serve cache and configure gRPC serving. +# OLMv1 reads /configs directly from the image and does not use the serve entrypoint. RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"] LABEL operators.operatorframework.io.index.configs.v1=/configs From 29bcf340e1e8250a4e2a98f210ca87dbd42614f6 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Mon, 18 May 2026 16:54:55 -0400 Subject: [PATCH 8/8] fix: move OPM_VERSION comment to separate line Inline comment after ?= caused trailing space in variable value, breaking the opm download URL in CI. Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 40f91bf7b3b..e220788c9b5 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,8 @@ ENVTEST_K8S_VERSION = 1.32 #refers to the version of kubebuilder assets to be do GOLANGCI_LINT_VERSION ?= v2.9.0 KUSTOMIZE_VERSION ?= v5.2.1 CONTROLLER_TOOLS_VERSION ?= v0.16.5 -OPM_VERSION ?= v1.68.0 # also defined in build/Dockerfile.catalog — keep in sync +# Also defined in build/Dockerfile.catalog — keep in sync +OPM_VERSION ?= v1.68.0 BRANCH_VERSION = oadp-dev PREVIOUS_CHANNEL ?= oadp-1.5 PREVIOUS_CHANNEL_GO_VERSION ?= 1.23