From 275962c01c0bf70fc2ec568b12d31699a05eca41 Mon Sep 17 00:00:00 2001
From: Tiger Kaovilai
Date: Thu, 14 May 2026 17:02:57 -0400
Subject: [PATCH 1/3] feat: add FBC catalog Dockerfile for CI operator installation Add build/Dockerfile.catalog that renders a bundle image into an FBC (File-Based Catalog) catalog image servable via gRPC CatalogSource. This enables CI to install the operator without operator-sdk, using only opm (actively maintained by OLM team). The Dockerfile uses opm render to generate FBC content from a bundle image passed as BUNDLE_IMG build arg, appends OLM package/channel metadata, validates with opm validate, and serves via opm serve. Pattern follows networking-incubator/coraza-kubernetes-operator and migrationqe/oadp-release-info ROSA_HCP tooling. Closes: https://github.com/openshift/oadp-operator/issues/2203 Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai
---
 build/Dockerfile.catalog | 54 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 build/Dockerfile.catalog
diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog
new file mode 100644
index 00000000000..dcabcbc97d6
--- /dev/null
+++ b/build/Dockerfile.catalog
@@ -0,0 +1,54 @@
+# FBC (File-Based Catalog) image for OLM operator installation.
+# Renders a bundle image into an FBC catalog servable via gRPC CatalogSource.
+#
+# Usage:
+# podman build -f build/Dockerfile.catalog \
+# --build-arg BUNDLE_IMG= \
+# -t .
+#
+# ci-operator: set BUNDLE_IMG via build_args in the ci-operator config.
+# The bundle image must be pushed to a registry accessible during the build.
+#
+# Reference: networking-incubator/coraza-kubernetes-operator catalog/Dockerfile
+
+ARG OPM_VERSION=v1.23.0
+
+FROM quay.io/operator-framework/opm:${OPM_VERSION} AS opm
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal AS builder
+
+COPY --from=opm /bin/opm /bin/opm
+
+# Allow opm to pull bundle images from CI registries without signature verification
+RUN mkdir -p /etc/containers && \
+ echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /etc/containers/policy.json
+
+ARG BUNDLE_IMG
+ARG VERSION=99.0.0
+ARG DEFAULT_CHANNEL=dev
+
+RUN mkdir -p /configs/oadp-operator && \
+ /bin/opm render ${BUNDLE_IMG} -o yaml > /configs/oadp-operator/index.yaml && \
+ echo '---' >> /configs/oadp-operator/index.yaml && \
+ echo 'schema: olm.package' >> /configs/oadp-operator/index.yaml && \
+ echo 'name: oadp-operator' >> /configs/oadp-operator/index.yaml && \
+ echo "defaultChannel: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \
+ echo '---' >> /configs/oadp-operator/index.yaml && \
+ echo 'schema: olm.channel' >> /configs/oadp-operator/index.yaml && \
+ echo "name: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \
+ echo 'package: oadp-operator' >> /configs/oadp-operator/index.yaml && \
+ echo 'entries:' >> /configs/oadp-operator/index.yaml && \
+ echo " - name: oadp-operator.v${VERSION}" >> /configs/oadp-operator/index.yaml && \
+ /bin/opm validate /configs/
+
+FROM opm
+
+COPY --from=builder /configs /configs
+
+RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"]
+
+LABEL operators.operatorframework.io.index.configs.v1=/configs
+
+EXPOSE 50051
+ENTRYPOINT ["/bin/opm"]
+CMD ["serve", "/configs", "--cache-dir=/tmp/cache"]
From ba95d8e2feb4deaecc735e92a6293d6574794c3a Mon Sep 17 00:00:00 2001
From: Tiger Kaovilai
Date: Thu, 14 May 2026 17:06:21 -0400
Subject: [PATCH 2/3] chore: bump OPM_VERSION from v1.23.0 to v1.68.0 Reviewed all 45 releases between v1.23.0 and v1.68.0. No breaking changes affect the opm render, opm validate, or opm generate dockerfile commands used in the Makefile catalog-build target. Notable changes absorbed: - v1.53.0: requires policy.json for registry access (Dockerfile already sets insecureAcceptAnything for CI registries) - v1.58.0: stricter opm validate (no impact on single-bundle catalog) - v1.51.0: file permissions ratcheted to o600 (Makefile deletes generated files after build anyway) Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai
---
 Makefile | 2 +-
 build/Dockerfile.catalog | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index dd482c054c8..ad6a0c6d92f 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ ENVTEST_K8S_VERSION = 1.32 #refers to the version of kubebuilder assets to be do
 GOLANGCI_LINT_VERSION ?= v2.9.0
 KUSTOMIZE_VERSION ?= v5.2.1
 CONTROLLER_TOOLS_VERSION ?= v0.16.5
-OPM_VERSION ?= v1.23.0
+OPM_VERSION ?= v1.68.0
 BRANCH_VERSION = oadp-dev
 PREVIOUS_CHANNEL ?= oadp-1.5
 PREVIOUS_CHANNEL_GO_VERSION ?= 1.23
diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog
index dcabcbc97d6..b718e97ff56 100644
--- a/build/Dockerfile.catalog
+++ b/build/Dockerfile.catalog
@@ -11,7 +11,7 @@
 #
 # Reference: networking-incubator/coraza-kubernetes-operator catalog/Dockerfile

-ARG OPM_VERSION=v1.23.0
+ARG OPM_VERSION=v1.68.0

 FROM quay.io/operator-framework/opm:${OPM_VERSION} AS opm

From be69539bfa5719160bd22199f40c0d16431ce032 Mon Sep 17 00:00:00 2001
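Review bot: In the builder stage of build/Dockerfile.catalog (PATCH 1/3), the `policy.json` written by `RUN mkdir -p /etc/containers && echo ...` uses a bare `default` of `insecureAcceptAnything`, which turns off signature checking for every registry and transport, not only the CI registries named in the comment above it. The stage is discarded, so the exposure is at build time: whatever `BUNDLE_IMG` resolves to is rendered into `index.yaml` unverified, and the later patches in this series leave these lines unchanged as far as is visible here. If the CI registry host is known, scope the exception, e.g. `{"default":[{"type":"reject"}],"transports":{"docker":{"<ci-registry-host>":[{"type":"insecureAcceptAnything"}]}}}`, and pass `BUNDLE_IMG` by digest rather than by tag; otherwise reword the comment to say the policy is global. `FROM registry.access.redhat.com/ubi9/ubi-minimal` also carries no tag, so the builder base floats between builds.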
From: Tiger Kaovilai
Date: Thu, 14 May 2026 17:14:15 -0400
Subject: [PATCH 3/3] fix: address PR review feedback on Dockerfile.catalog - Replace echo chains with heredoc for OLM metadata (cleaner) - Add fail-fast guard for missing BUNDLE_IMG build arg - Quote BUNDLE_IMG in opm render to prevent word-splitting - Add explicit non-root USER 65532 in final stage - Ensure /tmp/cache is writable for non-root user Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude Co-Authored-By: Happy Signed-off-by: Tiger Kaovilai
---
 build/Dockerfile.catalog | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/build/Dockerfile.catalog b/build/Dockerfile.catalog
index b718e97ff56..c3f0d3e860a 100644
--- a/build/Dockerfile.catalog
+++ b/build/Dockerfile.catalog
@@ -27,19 +27,23 @@ ARG BUNDLE_IMG
 ARG VERSION=99.0.0
 ARG DEFAULT_CHANNEL=dev

-RUN mkdir -p /configs/oadp-operator && \
- /bin/opm render ${BUNDLE_IMG} -o yaml > /configs/oadp-operator/index.yaml && \
- echo '---' >> /configs/oadp-operator/index.yaml && \
- echo 'schema: olm.package' >> /configs/oadp-operator/index.yaml && \
- echo 'name: oadp-operator' >> /configs/oadp-operator/index.yaml && \
- echo "defaultChannel: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \
- echo '---' >> /configs/oadp-operator/index.yaml && \
- echo 'schema: olm.channel' >> /configs/oadp-operator/index.yaml && \
- echo "name: ${DEFAULT_CHANNEL}" >> /configs/oadp-operator/index.yaml && \
- echo 'package: oadp-operator' >> /configs/oadp-operator/index.yaml && \
- echo 'entries:' >> /configs/oadp-operator/index.yaml && \
- echo " - name: oadp-operator.v${VERSION}" >> /configs/oadp-operator/index.yaml && \
- /bin/opm validate /configs/
+RUN test -n "${BUNDLE_IMG}" || (echo "BUNDLE_IMG build-arg is required" >&2; exit 1) && \
+ mkdir -p /configs/oadp-operator && \
+ /bin/opm render "${BUNDLE_IMG}" -o yaml > /configs/oadp-operator/index.yaml && \
+ cat >> /configs/oadp-operator/index.yaml <