
NO_ISSUE: use osac-installer's built-in refresh and prepare scripts #79422

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from omer-vishlitzky:osac-use-builtin-refresh
May 18, 2026

@omer-vishlitzky
Contributor

@omer-vishlitzky omer-vishlitzky commented May 18, 2026

Summary

Remove inline heredoc copies of refresh-after-snapshot.sh and prepare-fulfillment-service.sh from the CI boot step. These were temporary overrides added when the scripts hadn't been merged into osac-installer yet. Both are now merged (osac-installer PR #95, PR #99).

The osac-installer image's built-in scripts are now used directly, picking up improvements from PR #99:

  • Keycloak realm sync via admin API (handles client renames, new users)
  • Fulfillment controller credentials recreation from realm.json
  • Keycloak and OSAC namespace route domain patching
  • Parallel rollout waits after kustomize apply (prevents connection timeouts)
  • User password setup via Keycloak admin API

Changes

  • Removed 137 lines of inline heredoc scripts
  • Removed 2 volume mount overrides (-v /root/refresh-after-snapshot.sh:... and -v /root/prepare-fulfillment-service.sh:...)

Test plan

  • Rehearsal e2e-vmaas job passes

OSAC Cluster-Tool Boot Step: Eliminate Custom Script Injection

This PR updates the OSAC (OpenShift Advanced Cluster) CI infrastructure to use built-in scripts from the osac-installer container image rather than injecting custom script overrides.

What Changed

The PR modifies the cluster-tool boot step for the osac-project in the CI step registry. Previously, the boot workflow had to work around incomplete osac-installer functionality by:

  1. Generating custom inline copies of refresh-after-snapshot.sh and prepare-fulfillment-service.sh
  2. Mounting these custom versions into the osac-installer container, overriding the originals

Why This Matters

Both required scripts have now been merged into osac-installer itself (via osac-installer PRs #95 and #99), making the custom script injection unnecessary. By removing this workaround, the CI now benefits from improvements added to osac-installer, including:

  • Keycloak realm sync via admin API (handling client renames and new users)
  • Fulfillment controller credential recreation from realm.json
  • Keycloak and OSAC namespace route domain patching
  • Parallel rollout waits after kustomize apply to prevent connection timeouts
  • User password setup via Keycloak admin API

Infrastructure Impact

The boot step now simplifies its container invocation by only mounting essential CI configuration (kubeconfig, pull-secret, AAP license) into the installer container, then calling the built-in scripts directly. This reduces script duplication from ~137 lines and removes the complexity of managing custom script overrides across the CI workflow.

Test Coverage

The change is expected to be validated by the rehearsal e2e-vmaas job.

The boot step maintained inline heredoc copies of refresh-after-snapshot.sh
and prepare-fulfillment-service.sh that were mounted into the osac-installer
container, overriding the built-in versions. These copies were added when
the scripts hadn't been merged upstream yet (PR openshift#95, PR openshift#99).

Both PRs are now merged. Remove the heredocs and volume mount overrides
so the osac-installer image's built-in scripts are used directly. This
picks up the refresh improvements from osac-installer PR openshift#99:
- Keycloak realm sync via admin API
- Fulfillment controller credentials recreation
- Keycloak route domain patching
- Parallel rollout waits after kustomize apply
- User password setup
@coderabbitai
Contributor

coderabbitai Bot commented May 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d4909b23-4fc2-48bc-8420-0a26ead27dc9

📥 Commits

Reviewing files that changed from the base of the PR and between e52fdcf and 2f5ab15.

📒 Files selected for processing (1)
  • ci-operator/step-registry/osac-project/cluster-tool/boot/osac-project-cluster-tool-boot-commands.sh
💤 Files with no reviewable changes (1)
  • ci-operator/step-registry/osac-project/cluster-tool/boot/osac-project-cluster-tool-boot-commands.sh

Walkthrough

This PR removes 137 lines from the boot commands script, eliminating the creation and SSH injection of two custom scripts (refresh-after-snapshot.sh and prepare-fulfillment-service.sh). The boot refresh phase now mounts only the kubeconfig, pull-secret overlay, and license into the installer container, relying on built-in container-side scripts instead of custom injection.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Script injection removal: ci-operator/step-registry/osac-project/cluster-tool/boot/osac-project-cluster-tool-boot-commands.sh | Removed 137 lines of code that injected custom remote refresh/prepare scripts via SSH and eliminated corresponding container mount points. Boot environment now uses only built-in installer scripts with standard volume mounts (kubeconfig, pull-secret overlay, license). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

lgtm, approved, rehearsals-ack

Suggested reviewers

  • danmanor
  • jhernand
  • droslean
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately reflects the main change: removing custom script overrides in favor of using osac-installer's built-in refresh and prepare scripts, which is the primary objective of this PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@omer-vishlitzky omer-vishlitzky changed the title OSAC: use osac-installer's built-in refresh and prepare scripts NO_ISSUE: use osac-installer's built-in refresh and prepare scripts May 18, 2026
@openshift-ci openshift-ci Bot requested review from eranco74 and trewest May 18, 2026 13:52
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 18, 2026
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@omer-vishlitzky: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| pull-ci-osac-project-fulfillment-service-main-e2e-vmaas | osac-project/fulfillment-service | presubmit | Registry content changed |
| pull-ci-osac-project-osac-installer-main-e2e-vmaas | osac-project/osac-installer | presubmit | Registry content changed |
| pull-ci-osac-project-osac-test-infra-main-e2e-vmaas | osac-project/osac-test-infra | presubmit | Registry content changed |
| pull-ci-osac-project-osac-operator-main-e2e-vmaas | osac-project/osac-operator | presubmit | Registry content changed |

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 18, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 18, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danmanor, omer-vishlitzky

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@omer-vishlitzky
Contributor Author

/retest

@omer-vishlitzky
Contributor Author

/pj-rehearse pull-ci-osac-project-fulfillment-service-main-e2e-vmaas pull-ci-osac-project-osac-installer-main-e2e-vmaas pull-ci-osac-project-osac-test-infra-main-e2e-vmaas pull-ci-osac-project-osac-operator-main-e2e-vmaas

@openshift-merge-bot
Contributor

@omer-vishlitzky: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@omer-vishlitzky
Contributor Author

/pj-rehearse ack

@openshift-merge-bot
Contributor

@omer-vishlitzky: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 18, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 18, 2026

@omer-vishlitzky: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit e26df2a into openshift:main May 18, 2026
14 checks passed
wgahnagl pushed a commit to wgahnagl/release that referenced this pull request May 20, 2026
…shift#79422)

The boot step maintained inline heredoc copies of refresh-after-snapshot.sh
and prepare-fulfillment-service.sh that were mounted into the osac-installer
container, overriding the built-in versions. These copies were added when
the scripts hadn't been merged upstream yet (PR openshift#95, PR openshift#99).

Both PRs are now merged. Remove the heredocs and volume mount overrides
so the osac-installer image's built-in scripts are used directly. This
picks up the refresh improvements from osac-installer PR openshift#99:
- Keycloak realm sync via admin API
- Fulfillment controller credentials recreation
- Keycloak route domain patching
- Parallel rollout waits after kustomize apply
- User password setup

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • lgtm: Indicates that a PR is ready to be merged.
  • rehearsals-ack: Signifies that rehearsal jobs have been acknowledged
