Replace operator-sdk run bundle with catalog-based OLM deployment

[kaovilai]

The operator-sdk run bundle command has limitations and a pending PR (#7040)
that is not getting merged. This replaces it with a catalog-based approach
using opm and direct OLM resource creation.

Changes:

• Add CATALOG_SOURCE_NAME variable for configurability
• Update deploy-olm to build catalog using existing catalog-build/catalog-push
• Create CatalogSource with grpcPodConfig.securityContextConfig: restricted
• Create OperatorGroup and Subscription directly via oc apply
• Wait for CatalogSource READY, InstallPlan, and CSV Succeeded states
• Simplify undeploy-olm to remove operator-sdk cleanup dependency
• Update create-sts-subscription helper to use variables
• Update deploy-olm-stsflow console URL to use BUNDLE_CHANNEL variable

Co-Authored-By: Claude Opus 4.5 noreply@anthropic.com

Why the changes were made

#2067 mentioned some issues with catalogsource pod creation by operator-sdk cli

How to test the changes made

make deploy-olm

[coderabbitai]

Walkthrough

Adds a catalog-based OLM deployment flow: new public variable CATALOG_SOURCE_NAME, builds/pushes operator, bundle, and catalog images, creates/manages CatalogSource, OperatorGroup, and Subscription, polls InstallPlan/CSV readiness, and updates undeploy and environment-specific stsflow targets to use the catalog-based workflow.

Changes

Cohort / File(s)	Summary
OLM variables & core deploy flow Makefile	Adds CATALOG_SOURCE_NAME (default oadp-operator-catalog) and BUNDLE_CHANNEL; rewrites deploy-olm to build/push operator, bundle, and catalog images, create CatalogSource, wait for readiness, ensure OperatorGroup, create Subscription (dynamic channel/catalog), poll InstallPlan and CSV, and validate CSV readiness
Undeploy & cleanup Makefile	Reworks undeploy-olm to clean up Subscriptions tied to the catalog source, and to delete CatalogSource and OperatorGroup when present
Environment-specific stsflow targets Makefile	Updates deploy-olm-stsflow, deploy-olm-stsflow-aws, deploy-olm-stsflow-azure, deploy-olm-stsflow-gcp to reference CATALOG_SOURCE_NAME and default channel, generate subscription manifests using the catalog source, and adjust console URL generation
Helper targets & messaging Makefile	Adds/updates helpers for creating/applying subscription YAML (create-sts-subscription, apply-sts-subscription), dynamic channel selection, messaging, and auxiliary variables to reflect the catalog-based approach

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

This PR replaces the deprecated operator-sdk run bundle command with a catalog-based OLM deployment approach. The change addresses limitations with the operator-sdk tooling and provides more control over the deployment process through direct OLM resource management.

Changes:

• Introduces catalog-based deployment using opm and direct OLM resource creation
• Adds configurable CATALOG_SOURCE_NAME and BUNDLE_CHANNEL variables for deployment flexibility
• Implements comprehensive wait logic for CatalogSource, InstallPlan, and CSV readiness states
• Simplifies cleanup by removing dependency on operator-sdk cleanup command

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

When the InstallPlan timeout is reached, there's no diagnostic information printed to help troubleshoot the issue. Consider adding diagnostic output similar to the CatalogSource timeout handling (line 572) to display the Subscription status or relevant resources that could help identify why the InstallPlan wasn't created.

Suggested change

	@echo "Waiting for CSV to exist..."
	echo "Timeout waiting for InstallPlan"; \
	echo "Subscription details (oadp-operator in namespace $(OADP_TEST_NAMESPACE)):"; \
	$(OC_CLI) get subscription oadp-operator -n $(OADP_TEST_NAMESPACE) -o yaml || true; \
	echo "Existing InstallPlans in namespace $(OADP_TEST_NAMESPACE):"; \
	$(OC_CLI) get installplan -n $(OADP_TEST_NAMESPACE) || true; \

[Copilot]

Similar to the InstallPlan timeout, when the CSV existence timeout is reached, there's no diagnostic information printed. Consider adding diagnostic output to show the Subscription status or other relevant information to help troubleshoot why the CSV wasn't created.

[Copilot]

The cleanup pipeline here passes OADP_TEST_NAMESPACE and CATALOG_SOURCE_NAME into $(OC_CLI) and grep without quoting or escaping (e.g. $(OC_CLI) get subscription -n $(OADP_TEST_NAMESPACE) ... | grep "$(CATALOG_SOURCE_NAME)" | ...). If these values are ever derived from environment variables or other untrusted inputs, an attacker could inject shell metacharacters or command substitutions to execute arbitrary commands during undeploy, potentially impacting the CI runner or cluster resources. To mitigate this, treat these variables as untrusted and quote/escape them appropriately in all shell and grep invocations so that their contents cannot be interpreted as part of the shell syntax or options.

[Copilot]

The create-sts-subscription helper echoes a Subscription YAML that directly injects BUNDLE_CHANNEL and CATALOG_SOURCE_NAME into a double-quoted shell string (e.g. echo " channel: $(BUNDLE_CHANNEL)" >> $(1)), which allows shell command substitution/backtick expansion if these values are influenced by environment variables or other untrusted input. This can be abused to run arbitrary commands in the shell used to generate the YAML, even before the manifest is applied to the cluster. To reduce this risk, ensure these variables are safely quoted/escaped in the shell context or written via safer mechanisms (such as here-documents) so that their contents are treated as data only.

[Copilot]

In deploy-olm-stsflow, both the subscription deletion pipeline and the final echo of the console URL interpolate OADP_TEST_NAMESPACE, CATALOG_SOURCE_NAME, and BUNDLE_CHANNEL directly into shell commands without quoting or escaping. If any of these values are sourced from environment variables or other untrusted inputs, an attacker could inject shell metacharacters or command substitutions (e.g. via backticks or $(...)) to execute arbitrary commands when this target is run. To harden this path, treat these variables as untrusted and ensure they are safely quoted/escaped in shell invocations so they cannot alter the command structure.

[Copilot]

Several shell commands in this block interpolate OADP_TEST_NAMESPACE, CATALOG_SOURCE_NAME, and BUNDLE_CHANNEL directly into the shell without quoting or escaping, for example in the echo -e ... | $(OC_CLI) apply -f - lines and $(OC_CLI) get catalogsource $(CATALOG_SOURCE_NAME) -n $(OADP_TEST_NAMESPACE) loop. If any of these values can be influenced via environment variables or other untrusted inputs, an attacker could inject shell metacharacters or command substitutions (e.g. backticks or $(...)) to execute arbitrary commands in the developer/CI environment or against the cluster. To harden this, ensure these variables are safely quoted/escaped in shell context (or constructed via safer mechanisms like here-documents) so their contents cannot change the shell command structure.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@Makefile`:
- Around line 716-726: The console URL printed by the deploy-olm-stsflow target
uses DEFAULT_CHANNEL which may include surrounding quotes and thus yields
channel="dev"; update the URL construction to strip any double quotes from
DEFAULT_CHANNEL before embedding it. Modify the shell snippet that sets
CONSOLE_URL and echoes the final URL (the lines assigning CONSOLE_URL and the
echo that includes $(DEFAULT_CHANNEL)) so that you run a tiny shell substitution
to remove " characters from DEFAULT_CHANNEL (for example via tr or shell
parameter expansion) and use that cleaned value for the channel parameter.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Strip quotes from DEFAULT_CHANNEL in the console URL.

Line 726 will emit channel="dev" because DEFAULT_CHANNEL includes quotes, which can break the OperatorHub URL parsing.

🛠️ Proposed fix

@@
-DEFAULT_CHANNEL = "dev"
+DEFAULT_CHANNEL = "dev"
+DEFAULT_CHANNEL_VALUE := $(subst ",,$(DEFAULT_CHANNEL))

@@
-echo "https://$$CONSOLE_URL/operatorhub/ns/$(OADP_TEST_NAMESPACE)?keyword=oadp-operator&details-item=oadp-operator-$(CATALOG_SOURCE_NAME)-$(OADP_TEST_NAMESPACE)&channel=$(DEFAULT_CHANNEL)&version=$(VERSION)"
+echo "https://$$CONSOLE_URL/operatorhub/ns/$(OADP_TEST_NAMESPACE)?keyword=oadp-operator&details-item=oadp-operator-$(CATALOG_SOURCE_NAME)-$(OADP_TEST_NAMESPACE)&channel=$(DEFAULT_CHANNEL_VALUE)&version=$(VERSION)"

🤖 Prompt for AI Agents

In `@Makefile` around lines 716 - 726, The console URL printed by the
deploy-olm-stsflow target uses DEFAULT_CHANNEL which may include surrounding
quotes and thus yields channel="dev"; update the URL construction to strip any
double quotes from DEFAULT_CHANNEL before embedding it. Modify the shell snippet
that sets CONSOLE_URL and echoes the final URL (the lines assigning CONSOLE_URL
and the echo that includes $(DEFAULT_CHANNEL)) so that you run a tiny shell
substitution to remove " characters from DEFAULT_CHANNEL (for example via tr or
shell parameter expansion) and use that cleaned value for the channel parameter.

[kaovilai]

STEP 7/12: RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${TARGETARCH}/kubectl" &&     chmod +x kubectl &&     mv kubectl /usr/local/bin/
curl: (3) Illegal characters found in URL

well that is a new error..
https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_oadp-operator/2078/pull-ci-openshift-oadp-operator-oadp-dev-4.21-e2e-test-aws/2016642121133461504#1:build-log.txt%3A82-83

[kaovilai]

#itworksonmypc

podman build -f build/ci-Dockerfile .
STEP 1/9: FROM quay.io/konveyor/builder AS builder
WARNING: image platform (linux/amd64) does not match the expected platform (linux/arm64)
STEP 2/9: WORKDIR /go/src/github.com/openshift/oadp-operator
--> Using cache e012581b1232e9de59e0bb5914b3c4e9a2a31ed2755f2ab12686178d12597cc3
--> e012581b1232
STEP 3/9: COPY ./ .
--> c54a9ca3cc73
STEP 4/9: RUN chmod +x tests/e2e/scripts/analyze_failures.sh
--> 0bbc3746f660
STEP 5/9: ARG TARGETARCH
--> 60b42dca67a0
STEP 6/9: RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${TARGETARCH}/kubectl" &&     chmod +x kubectl &&     mv kubectl /usr/local/bin/
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   138  100   138    0     0   1104      0 --:--:-- --:--:-- --:--:--  1131
100 52.6M  100 52.6M    0     0  45.5M      0  0:00:01  0:00:01 --:--:-- 78.0M
--> f24129c3161e
STEP 7/9: RUN curl -fsSL https://rpm.nodesource.com/setup_20.x | bash - &&     dnf install -y nodejs &&     npm install -g @anthropic-ai/claude-code &&     dnf clean all
2026-01-29 14:02:49 - Cleaning up old repositories...
2026-01-29 14:02:49 - Old repositories removed
2026-01-29 14:02:49 - Supported architecture: x86_64
2026-01-29 14:02:49 - Added N|Solid repository for LTS version: 20.x
2026-01-29 14:02:49 - dnf available, updating...
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Node.js Packages for Linux RPM based distros -  2.7 MB/s | 1.1 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Thu Jan 29 14:02:50 2026.
Metadata cache created.
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

N|Solid Packages for Linux RPM based distros -  2.4 MB/s | 950 kB     00:00    
Last metadata expiration check: 0:00:01 ago on Thu Jan 29 14:02:51 2026.
Metadata cache created.
2026-01-29 14:02:52 - Repository is configured and updated.
2026-01-29 14:02:52 - You can use N|solid Runtime as a node.js alternative
2026-01-29 14:02:52 - To install N|solid Runtime, run: dnf install nsolid -y
2026-01-29 14:02:52 - Run 'dnf install nodejs -y' to complete the installation.
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS  2.0 MB/s | 735 kB     00:00    
Red Hat Universal Base Image 8 (RPMs) - AppStre  18 MB/s | 3.7 MB     00:00    
Red Hat Universal Base Image 8 (RPMs) - CodeRea 1.3 MB/s | 188 kB     00:00    
Dependencies resolved.
==================================================================================================
 Package               Arch    Version                                 Repository             Size
==================================================================================================
Installing:
 nodejs                x86_64  2:20.20.0-1nodesource                   nodesource-nodejs      37 M
Installing dependencies:
 platform-python-pip   noarch  9.0.3-24.el8                            ubi-8-baseos-rpms     1.6 M
 python3-pip           noarch  9.0.3-24.el8                            ubi-8-appstream-rpms   20 k
 python3-setuptools    noarch  39.2.0-9.el8_10                         ubi-8-baseos-rpms     163 k
 python36              x86_64  3.6.8-39.module+el8.10.0+20784+edafcd43 ubi-8-appstream-rpms   20 k
Enabling module streams:
 python36                      3.6                                                                

Transaction Summary
==================================================================================================
Install  5 Packages

Total download size: 38 M
Installed size: 111 M
Downloading Packages:
(1/5): python3-setuptools-39.2.0-9.el8_10.noarc 1.8 MB/s | 163 kB     00:00    
(2/5): python3-pip-9.0.3-24.el8.noarch.rpm      904 kB/s |  20 kB     00:00    
(3/5): python36-3.6.8-39.module+el8.10.0+20784+ 1.6 MB/s |  20 kB     00:00    
(4/5): platform-python-pip-9.0.3-24.el8.noarch.  11 MB/s | 1.6 MB     00:00    
(5/5): nodejs-20.20.0-1nodesource.x86_64.rpm     56 MB/s |  37 MB     00:00    
--------------------------------------------------------------------------------
Total                                            58 MB/s |  38 MB     00:00     
Node.js Packages for Linux RPM based distros -   26 kB/s | 3.1 kB     00:00    
Importing GPG key 0x3AF28A14:
 Userid     : "Nodesource Operations <operations@nodesource.com>"
 Fingerprint: 242B 8138 31AF 0956 2B6C 46F7 6B88 DA4E 3AF2 8A14
 From       : https://rpm.nodesource.com/gpgkey/ns-operations-public.key
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : python3-setuptools-39.2.0-9.el8_10.noarch              1/5 
  Installing       : platform-python-pip-9.0.3-24.el8.noarch                2/5 
  Installing       : python36-3.6.8-39.module+el8.10.0+20784+edafcd43.x86   3/5 
  Running scriptlet: python36-3.6.8-39.module+el8.10.0+20784+edafcd43.x86   3/5 
  Installing       : python3-pip-9.0.3-24.el8.noarch                        4/5 
  Running scriptlet: nodejs-2:20.20.0-1nodesource.x86_64                    5/5 
  Installing       : nodejs-2:20.20.0-1nodesource.x86_64                    5/5 
  Running scriptlet: nodejs-2:20.20.0-1nodesource.x86_64                    5/5 
  Verifying        : nodejs-2:20.20.0-1nodesource.x86_64                    1/5 
  Verifying        : platform-python-pip-9.0.3-24.el8.noarch                2/5 
  Verifying        : python3-setuptools-39.2.0-9.el8_10.noarch              3/5 
  Verifying        : python3-pip-9.0.3-24.el8.noarch                        4/5 
  Verifying        : python36-3.6.8-39.module+el8.10.0+20784+edafcd43.x86   5/5 
Installed products updated.

Installed:
  nodejs-2:20.20.0-1nodesource.x86_64                                           
  platform-python-pip-9.0.3-24.el8.noarch                                       
  python3-pip-9.0.3-24.el8.noarch                                               
  python3-setuptools-39.2.0-9.el8_10.noarch                                     
  python36-3.6.8-39.module+el8.10.0+20784+edafcd43.x86_64                       

Complete!

added 3 packages in 2s

2 packages are looking for funding
  run `npm fund` for details
npm notice
npm notice New major version of npm available! 10.8.2 -> 11.8.0
npm notice Changelog: https://github.com/npm/cli/releases/tag/v11.8.0
npm notice To update run: npm install -g npm@11.8.0
npm notice
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

35 files removed
--> de9252b8a84c
STEP 8/9: RUN git clone --depth 1 --branch oadp-dev     https://github.com/openshift/velero.git     /go/src/github.com/openshift/velero
Cloning into '/go/src/github.com/openshift/velero'...
--> 22c82c929d27
STEP 9/9: RUN go mod download &&     mkdir -p $(go env GOCACHE) &&     chmod -R 777 ./ $(go env GOCACHE) $(go env GOPATH)
warning: both GOPATH and GOROOT are the same directory (/opt/app-root/src/go); see https://go.dev/wiki/InstallTroubleshooting
warning: both GOPATH and GOROOT are the same directory (/opt/app-root/src/go); see https://go.dev/wiki/InstallTroubleshooting
warning: both GOPATH and GOROOT are the same directory (/opt/app-root/src/go); see https://go.dev/wiki/InstallTroubleshooting
warning: both GOPATH and GOROOT are the same directory (/opt/app-root/src/go); see https://go.dev/wiki/InstallTroubleshooting
COMMIT
--> 9a9bc727674c
9a9bc727674cf89418f1dcf80cdcf4a0ffecf73ab7e9eb2f5b777efd36c492d1

Go another round prow.

/retest-required

[weshayutin]

................InstallPlan install-8w8sm found
Waiting for CSV to exist...
CSV oadp-operator.v99.0.0 found
Waiting for CSV to be ready...
clusterserviceversion.operators.coreos.com/oadp-operator.v99.0.0 condition met
Operator is ready!
NAME            PACKAGE         SOURCE                  CHANNEL
oadp-operator   oadp-operator   oadp-operator-catalog   dev
NAME                    DISPLAY         VERSION   REPLACES   PHASE
oadp-operator.v99.0.0   OADP Operator   99.0.0               Succeeded
whayutin@fedora:~/OPENSHIFT/git/OADP/oadp-operator$ oc get csv -n openshift-adp 
NAME                    DISPLAY         VERSION   REPLACES   PHASE
oadp-operator.v99.0.0   OADP Operator   99.0.0               Succeeded
whayutin@fedora:~/OPENSHIFT/git/OADP/oadp-operator$ git log -n 1
commit 4f6a2c61578b21e97c0b362cf38608014294f758 (HEAD -> deploy-olm-opm-edition)
Author: Tiger Kaovilai <tkaovila@redhat.com>
Date:   Wed Jan 28 17:28:23 2026 -0500

    Replace operator-sdk run bundle with catalog-based OLM deployment
    
    The operator-sdk run bundle command has limitations and a pending PR (#7040)
    that is not getting merged. This replaces it with a catalog-based approach
    using opm and direct OLM resource creation.
    
    Changes:
    - Add CATALOG_SOURCE_NAME variable for configurability
    - Update deploy-olm to build catalog using existing catalog-build/catalog-push
    - Create CatalogSource with grpcPodConfig.securityContextConfig: restricted
    - Create OperatorGroup and Subscription directly via oc apply
    - Wait for CatalogSource READY, InstallPlan, and CSV Succeeded states
    - Simplify undeploy-olm to remove operator-sdk cleanup dependency
    - Update create-sts-subscription helper to use DEFAULT_CHANNEL variable
    - Update deploy-olm-stsflow console URL to use DEFAULT_CHANNEL variable
    - ```

[kaovilai]

/test 4.21-e2e-test-kubevirt-aws

HCO timeout

[weshayutin]

whayutin@fedora:~/OADP/SETUP/OADP_1.6$ oc create -f dpa.yaml 
dataprotectionapplication.oadp.openshift.io/dpa-sample created
whayutin@fedora:~/OADP/SETUP/OADP_1.6$ oc get all -n openshift-adp 
Warning: apps.openshift.io/v1 DeploymentConfig is deprecated in v4.14+, unavailable in v4.10000+
Warning: kubevirt.io/v1 VirtualMachineInstancePresets is now deprecated and will be removed in v2.
NAME                                                                  READY   STATUS      RESTARTS   AGE
pod/72c1f751f93048fc2770ece02783ad3d8a8695ff06eac5e1b5fa4cd02cgwtxb   0/1     Completed   0          5m9s
pod/node-agent-57hpq                                                  1/1     Running     0          26s
pod/node-agent-mwz6n                                                  1/1     Running     0          26s
pod/node-agent-zx6hj                                                  1/1     Running     0          26s
pod/oadp-operator-catalog-bqbkv                                       1/1     Running     0          5m54s
pod/openshift-adp-controller-manager-745b67978b-npnjk                 1/1     Running     0          4m53s
pod/velero-55b5b69b-qmfvw                                             1/1     Running     0          27s

NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)     AGE
service/oadp-operator-catalog                              ClusterIP   172.30.74.173    <none>        50051/TCP   5m53s

[weshayutin]

/LGTM

[weshayutin]

/retest

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [kaovilai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@kaovilai: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.21-e2e-test-cli-aws	4f6a2c6	link	false	/test 4.21-e2e-test-cli-aws
ci/prow/4.22-e2e-test-aws	4f6a2c6	link	false	/test 4.22-e2e-test-aws

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[kaovilai]

2026/01/29 18:19:58 Pod todolist-6f687678dd-prfs9 condition:
v1.PodCondition{Type:"ContainersReady", ObservedGeneration:1, Status:"False", LastProbeTime:time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC), LastTransitionTime:time.Date(2026, time.January, 29, 18, 3, 43, 0, time.Local), Reason:"ContainersNotReady", Message:"containers with unready status: [todolist]"}
2026/01/29 18:19:58 Pod todolist-6f687678dd-prfs9 not yet succeeded: condition is: False
  [FAILED] Timed out after 900.002s.
  The function passed to Eventually returned the following error:
      <*errors.errorString | 0xc000be4030>: 
      Pod not yet succeeded
      {
          s: "Pod not yet succeeded",
      }

https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_oadp-operator/2078/pull-ci-openshift-oadp-operator-oadp-dev-4.22-e2e-test-aws/2016910207870832640#1:build-log.txt%3A6858

/retest-required

[kaovilai]

guess 4.22 is optional. need one more ack