feat: add FBC catalog Dockerfile for CI without operator-sdk #2204

Open
kaovilai wants to merge 3 commits into openshift:oadp-dev from kaovilai:fbc-catalog-dockerfile

Member

@kaovilai kaovilai commented May 14, 2026

Summary

Add build/Dockerfile.catalog that renders a bundle image into an FBC (File-Based Catalog) catalog image servable via gRPC CatalogSource. This enables CI to install the operator without operator-sdk, using only opm (actively maintained by OLM team).

  • Multi-stage build: opm → ubi-minimal (builder) → opm (final)
  • Takes BUNDLE_IMG as required build arg, runs opm render to generate FBC
  • Sets /etc/containers/policy.json for pulling from CI registries without signature verification
  • Pre-builds gRPC serving cache at build time (--cache-dir + --cache-only)
  • Mirrors existing make catalog-build Makefile logic

Closes #2203

Reference implementations


Follow-up PRs needed

1. openshift/release CI config update (replaces #79152)

PR #79152 migrated to operator-sdk run bundle workflow. With this Dockerfile, we revert to the standard optional-operators-ci-aws workflow instead. Per-variant diff from current:

# Add to operator stanza:
operator:
  bundles:
  - as: oadp-operator-bundle              # ADD: name the bundle
    dockerfile_path: build/Dockerfile.bundle
    skip_building_index: true             # ADD: don't build deprecated ci-index

# Add catalog image build:
images:
- dockerfile_path: build/Dockerfile.catalog
  build_args:
  - name: BUNDLE_IMG
    value: pipeline:oadp-operator-bundle  # needs verification — see note below
  to: oadp-operator-catalog

# Change in each test's steps:
    dependencies:
      OO_INDEX: oadp-operator-catalog     # was: ci-index
    env:
      OO_CHANNEL: dev                     # KEEP
      OO_PACKAGE: oadp-operator           # KEEP
      OO_TARGET_NAMESPACES: '!install'    # KEEP
      FEATURE_SET: TechPreviewNoUpgrade   # ADD (4.22+ only, from #79152)
    workflow: optional-operators-ci-aws   # KEEP original (NOT operator-sdk variant)

# Remove:
# - base_images.cli-operator-sdk          # no longer needed

Open question: whether ci-operator's build_args resolves pipeline: image references. If not, alternatives: custom CI step that resolves the bundle ref and runs podman build --build-arg, or the Quay operator pattern (custom step-registry entry that creates CatalogSource directly). Details in PR #79152 comment.

2. OLMv1 tests PR #2160

Once the CI config switch lands, #2160 can be rebased. No code changes needed in #2160 itself — it just needs the CI infrastructure (this Dockerfile + the release config update) to be in place first.

Test plan

  • Build bundle: make bundle-build BUNDLE_IMG=ttl.sh/oadp-bundle-test:1h
  • Push bundle: make bundle-push BUNDLE_IMG=ttl.sh/oadp-bundle-test:1h
  • Build catalog: podman build -f build/Dockerfile.catalog --build-arg BUNDLE_IMG=ttl.sh/oadp-bundle-test:1h -t localhost/oadp-catalog:test .
  • Verify catalog serves: podman run --rm -p 50051:50051 localhost/oadp-catalog:test
  • Verify CI config integration (follow-up PR in openshift/release)

Note

Responses generated with Claude

Summary by CodeRabbit

  • New Features
    • Added capability to build and serve an Operator Lifecycle Manager catalog image with automated generation, validation, cache-only serving, and gRPC access on port 50051.
  • Chores
    • Updated default OPM tool version to v1.68.0 for catalog-related build targets.

Add build/Dockerfile.catalog that renders a bundle image into an FBC
(File-Based Catalog) catalog image servable via gRPC CatalogSource.
This enables CI to install the operator without operator-sdk, using
only opm (actively maintained by OLM team).

The Dockerfile uses opm render to generate FBC content from a bundle
image passed as BUNDLE_IMG build arg, appends OLM package/channel
metadata, validates with opm validate, and serves via opm serve.

Pattern follows networking-incubator/coraza-kubernetes-operator and
migrationqe/oadp-release-info ROSA_HCP tooling.

Closes: openshift#2203

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@coderabbitai
Contributor

coderabbitai Bot commented May 14, 2026

Walkthrough

Adds build/Dockerfile.catalog to build a File-Based Catalog (FBC) image using opm: it renders a provided bundle into an index, injects package/channel YAML, validates the catalog, and produces a runtime image that serves the catalog over gRPC. Bumps Makefile OPM_VERSION default to v1.68.0.

Changes

OLM File-Based Catalog (FBC) image + OPM version bump

| Layer / File(s) | Summary |
| --- | --- |
| Dockerfile header & build-stage tooling (build/Dockerfile.catalog) | Adds Dockerfile with usage notes; introduces OPM_VERSION build-arg, an opm builder stage and a ubi-minimal builder stage, copies opm binary, and writes /etc/containers/policy.json to allow pulling the provided bundle image without signature verification. |
| Index generation, package/channel injection, validation (build/Dockerfile.catalog) | Defines BUNDLE_IMG, VERSION, DEFAULT_CHANNEL; enforces BUNDLE_IMG presence; runs opm render to produce /configs/oadp-operator/index.yaml, appends olm.package and olm.channel YAML entries for the channel/version, and runs opm validate /configs/. |
| Runtime serve image (build/Dockerfile.catalog) | Creates final image from the opm runtime image, copies /configs from builder, runs opm serve in --cache-only mode with --cache-dir=/tmp/cache, labels the index config path, exposes gRPC port 50051, and sets ENTRYPOINT/CMD to run opm serve --cache-only. |
| Makefile: OPM version bump (Makefile) | Updates default OPM_VERSION from v1.23.0 to v1.68.0. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding an FBC catalog Dockerfile for CI without operator-sdk dependency. |
| Description check | ✅ Passed | The description provides comprehensive details: why the changes matter, how the Dockerfile works, test plan, and follow-up guidance on CI config updates. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #2203 by adding a static FBC catalog Dockerfile that consumes bundle images and uses opm (not operator-sdk) to generate gRPC-served catalog images for CI. |
| Out of Scope Changes check | ✅ Passed | All changes are in scope: the new Dockerfile.catalog implements the FBC catalog build, and the OPM_VERSION update supports the Dockerfile's opm dependency. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Stable And Deterministic Test Names | ✅ Passed | Custom check not applicable. PR modifies only build/Dockerfile.catalog and Makefile - neither are test files. No Ginkgo tests are added or modified. |
| Test Structure And Quality | ✅ Passed | Custom check for Ginkgo test structure and quality does not apply to this PR. PR adds only Dockerfile.catalog and updates Makefile OPM_VERSION—no test code is modified or added. |
| Microshift Test Compatibility | ✅ Passed | PR adds no Ginkgo e2e tests. Changes are limited to a new Dockerfile for FBC catalog builds and OPM_VERSION update in Makefile. MicroShift test compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR adds no Ginkgo e2e tests. Changes are limited to build/Dockerfile.catalog (new FBC build config) and Makefile (OPM_VERSION update). SNO compatibility check not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | Adds build/Dockerfile.catalog and updates OPM_VERSION in Makefile. These are build-time artifacts with no scheduling constraints affecting pod topology requirements. |
| Ote Binary Stdout Contract | ✅ Passed | PR only modifies build/Dockerfile.catalog (new file) and Makefile (version bump). No Go code, test setup, or logging changes affect OTE Binary Stdout Contract. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. Changes are limited to: (1) new build/Dockerfile.catalog for FBC image building, and (2) Makefile OPM_VERSION update. The custom check does not apply. |


@openshift-ci openshift-ci Bot requested review from mpryc and sseago May 14, 2026 21:04
@openshift-ci

openshift-ci Bot commented May 14, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai


@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 14, 2026
Reviewed all 45 releases between v1.23.0 and v1.68.0. No breaking
changes affect the opm render, opm validate, or opm generate
dockerfile commands used in the Makefile catalog-build target.

Notable changes absorbed:
- v1.53.0: requires policy.json for registry access (Dockerfile
  already sets insecureAcceptAnything for CI registries)
- v1.58.0: stricter opm validate (no impact on single-bundle catalog)
- v1.51.0: file permissions ratcheted to o600 (Makefile deletes
  generated files after build anyway)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

Contributor

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (2)
build/Dockerfile.catalog (2)

44-54: ⚡ Quick win

Consider adding a non-root USER directive.

The container runs as root by default. Adding a non-root user improves security posture, especially if this image is used outside CI contexts.

OPM catalog images typically support running as non-root. The cache directory /tmp/cache should remain writable for non-root users.

🔒 Proposed fix to run as non-root
 FROM opm
 
 COPY --from=builder /configs /configs
 
 RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"]
 
 LABEL operators.operatorframework.io.index.configs.v1=/configs
 
 EXPOSE 50051
+
+USER 1001
+
 ENTRYPOINT ["/bin/opm"]
 CMD ["serve", "/configs", "--cache-dir=/tmp/cache"]
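Review bot: The added `USER 1001` comes after the cache warmup `RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"]`, so /tmp/cache is populated by whatever user the stage has at that point and is then read at runtime by UID 1001 through `CMD ["serve", "/configs", "--cache-dir=/tmp/cache"]`. If the warmed files are not accessible to UID 1001, the pre-built cache cannot be used when the container starts. Moving `USER 1001` above the warmup `RUN` makes the same UID build and serve the cache, and a pinned numeric UID is preferable to a user name so the non-root property can be checked from the image config alone.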
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile.catalog` around lines 44 - 54, Add a non-root USER and
ensure runtime dirs are writable: create or switch to a dedicated unprivileged
user (e.g., "opmuser") in the Dockerfile, chown /tmp/cache and any config
directories copied from builder (referenced by COPY --from=builder /configs
/configs and the /tmp/cache used by RUN and CMD/ENTRYPOINT) to that user's
UID:GID, and add a USER instruction before ENTRYPOINT so the container runs
non-root while preserving write access to /tmp/cache and /configs.

14-16: 💤 Low value

Consider updating OPM to a more recent version.

OPM v1.23.0 is significantly outdated; the latest available version is v1.66.0. Updating would include numerous bug fixes, security improvements, and feature enhancements released over the intervening versions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile.catalog` around lines 14 - 16, Update the OPM base image
version by changing the ARG OPM_VERSION value from v1.23.0 to a more recent
stable release (e.g., v1.66.0) so the FROM
quay.io/operator-framework/opm:${OPM_VERSION} AS opm stage pulls the newer OPM;
ensure any downstream compatibility tests are run after bumping ARG OPM_VERSION
to confirm no breaking changes.
📥 Commits

Reviewing files that changed from the base of the PR and between 57cc09e and 275962c.

📒 Files selected for processing (1)
  • build/Dockerfile.catalog

Comment thread build/Dockerfile.catalog Outdated
echo 'package: oadp-operator' >> /configs/oadp-operator/index.yaml && \
echo 'entries:' >> /configs/oadp-operator/index.yaml && \
echo " - name: oadp-operator.v${VERSION}" >> /configs/oadp-operator/index.yaml && \
/bin/opm validate /configs/

Contributor

line 30 - 42 seems pretty ugly to me.
alternatives?

Member Author

one could create a yaml file outside then sed inside here.. etc.. either way.. up to you.. more moving parts.

Member Author

Ours vs coraza-kubernetes-operator catalog/Dockerfile

| Aspect | Coraza | Ours |
| --- | --- | --- |
| FBC metadata | Pre-committed in repo (coraza-kubernetes-operator/ dir with package/channel YAML). Dockerfile just copies it. | Generated inline via heredoc. No files to maintain in repo. |
| Bundle rendering | for img in ${BUNDLE_IMGS} loop — supports multiple bundles | Single BUNDLE_IMG — we only have one bundle |
| Fail-fast | None — silently fails if BUNDLE_IMGS empty | test -n "${BUNDLE_IMG}" guard with error message |
| Non-root USER | Not set | Explicit USER 65532 |
| OPM version | v1.64.0 | v1.68.0 |
| Bundles dir | COPY bundles/ /tmp/bundles/ — copies local bundle content (unused by opm render though) | No local bundle content — purely image-based |
| Cache warmup | Yes (--cache-dir=/tmp/cache --cache-only) | Same |
| policy.json | Yes (insecureAcceptAnything) | Same |
| Multi-stage | opm → ubi-minimal → opm (3 stages) | Same pattern |

Main difference: coraza pre-commits their FBC package/channel metadata as files, we generate it at build time. Theirs is cleaner if metadata changes rarely. Ours is zero-maintenance — no files to keep in sync with Makefile variables.

Member Author

Replaced echo chains with a heredoc in the latest push. Much cleaner now. Also added fail-fast guard for missing BUNDLE_IMG and dropped the USER 65532 / chown lines (opm base image is distroless — no /bin/sh, and already runs as non-root USER 1001 since v1.23.2).

Tested locally — catalog builds, serves gRPC, and returns correct package/channel/bundle data. See test results comment above.

Note

Responses generated with Claude

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@build/Dockerfile.catalog`:
- Around line 26-31: The Dockerfile should fail fast and avoid word-splitting
when BUNDLE_IMG is empty: add a guard after ARG BUNDLE_IMG that checks the
variable is set and exits with a clear error if not, and quote the variable in
the opm render invocation (i.e., change the /bin/opm render ${BUNDLE_IMG} call
to use a quoted expansion) so the command uses a single argument and errors are
clearer while still writing to /configs/oadp-operator/index.yaml.
- Around line 44-54: Add an explicit non-root runtime user and make /tmp/cache
writable for it: in the final Dockerfile stage (the stage that contains COPY
--from=builder /configs, ENTRYPOINT ["/bin/opm"], and CMD ["serve", "/configs",
"--cache-dir=/tmp/cache"]) create or ensure /tmp/cache exists and is owned by a
pinned non-root UID (e.g., 65532) and then set USER 65532; specifically, add
commands to mkdir -p /tmp/cache and chown -R 65532:65532 /tmp/cache (and
/configs if needed) before setting USER 65532 so the opm serve process can run
as the non-root user.
📥 Commits

Reviewing files that changed from the base of the PR and between 275962c and ba95d8e.

📒 Files selected for processing (2)
  • Makefile
  • build/Dockerfile.catalog
✅ Files skipped from review due to trivial changes (1)
  • Makefile

Comment thread build/Dockerfile.catalog Outdated
Comment thread build/Dockerfile.catalog
- Replace echo chains with heredoc for OLM metadata (cleaner)
- Add fail-fast guard for missing BUNDLE_IMG build arg
- Quote BUNDLE_IMG in opm render to prevent word-splitting
- Add explicit non-root USER 65532 in final stage
- Ensure /tmp/cache is writable for non-root user

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@kaovilai kaovilai force-pushed the fbc-catalog-dockerfile branch from 14532d9 to be69539 Compare May 14, 2026 21:18
@kaovilai
Member Author

Note

Responses generated with Claude

Local sanity check — catalog image builds and serves ✅

Build steps

$ make bundle-build BUNDLE_IMG=ttl.sh/oadp-bundle-14532d98:1h   # ✅
$ podman push ttl.sh/oadp-bundle-14532d98:1h                     # ✅
$ podman build -f build/Dockerfile.catalog \
    --build-arg BUNDLE_IMG=ttl.sh/oadp-bundle-14532d98:1h \
    -t localhost/oadp-catalog:test .                              # ✅

Build log shows opm render, opm validate, and cache warmup all succeed:

[2/3] STEP 7/8: RUN test -n "${BUNDLE_IMG}" ... /bin/opm render "${BUNDLE_IMG}" ...
--> d2310dde812e
[2/3] STEP 8/8: RUN /bin/opm validate /configs/
--> 47d154cec7e2
...
time="..." level=info msg="building cache" cache=/tmp/cache configs=/configs
Successfully tagged localhost/oadp-catalog:test

Runtime verification

$ podman run --rm -d -p 50051:50051 localhost/oadp-catalog:test
$ podman logs oadp-catalog-test
time="..." level=info msg="serving registry" cache=/tmp/cache configs=/configs port=50051

gRPC queries

$ grpcurl -plaintext localhost:50051 api.Registry/ListPackages
{ "name": "oadp-operator" }

$ grpcurl -plaintext -d '{"name":"oadp-operator"}' localhost:50051 api.Registry/GetPackage
{ "name": "oadp-operator", "channels": [{ "name": "dev", "csvName": "oadp-operator.v99.0.0" }], "defaultChannelName": "dev" }

$ grpcurl -plaintext -d '{"pkgName":"oadp-operator","channelName":"dev"}' localhost:50051 api.Registry/GetBundleForChannel
{ "csvName": "oadp-operator.v99.0.0", "packageName": "oadp-operator", "channelName": "dev", "csvJson": "...(full CSV)...", "bundlePath": "ttl.sh/oadp-bundle-14532d98:1h", ... }

All three gRPC APIs return valid data. The catalog correctly serves the oadp-operator package on the dev channel with the full CSV and CRD bundle.

Review feedback addressed

  • Echo chains → heredoc (cleaner)
  • Added BUNDLE_IMG fail-fast guard
  • Quoted ${BUNDLE_IMG} in opm render
  • Removed USER 65532 / mkdir / chown — opm base image has no /bin/sh (distroless-like), already runs as non-root (USER 1001 since v1.23.2)
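
The disagreement in this thread (the review says the final stage runs as root because it has no USER, the author reports that the opm base image already sets one) can be settled by checking the Dockerfile and the built image separately. The script below is an added example, not part of the PR or the project's tooling; the function names, the placeholder image references and the sample Dockerfile are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): does the catalog image run as root?

# final_stage_user DOCKERFILE
# Prints the last USER set in the final build stage, or nothing when that
# stage sets none and therefore inherits the user of its base image.
final_stage_user() {
    awk 'toupper($1) == "FROM" { u = "" }
         toupper($1) == "USER" { u = $2 }
         END { print u }' "$1"
}

# classify_image_user VALUE
# VALUE is an image's Config.User field ("", "0", "1001", "65532:0", "name").
# Prints root, nonroot or unverifiable. A user name cannot be proven
# non-root without the image's /etc/passwd, which is also why Kubernetes
# runAsNonRoot refuses images whose user is not numeric.
classify_image_user() {
    uid_part=${1%%:*}                      # drop an optional ":group"
    case "$uid_part" in
        "" | root) echo root ;;            # an empty User field means UID 0
        *[!0-9]*)  echo unverifiable ;;    # any other name
        *)
            # all digits: 0, 00, ... are root, everything else is not
            if [ -z "$(printf '%s' "$uid_part" | sed 's/^0*//')" ]; then
                echo root
            else
                echo nonroot
            fi ;;
    esac
}

# check_image IMAGE
# Reads Config.User from a locally built image with podman and classifies
# it. Returns 0 only for a numeric non-root user, 2 if the inspect fails.
check_image() {
    user=$(podman image inspect --format '{{.Config.User}}' "$1") || return 2
    verdict=$(classify_image_user "$user")
    echo "$1: Config.User='$user' -> $verdict"
    [ "$verdict" = nonroot ]
}

# Constructed sample: a three-stage build whose final stage sets no USER.
# Image references are placeholders, not the project's real base images.
sample_dockerfile() {
    cat <<'EOF'
FROM example.invalid/opm:TAG AS opm
FROM example.invalid/ubi-minimal:TAG AS builder
USER 0
FROM opm
COPY --from=builder /configs /configs
ENTRYPOINT ["/bin/opm"]
EOF
}

# Usage: sh check-user.sh localhost/oadp-catalog:test
if [ "$#" -gt 0 ]; then
    check_image "$1"
fi
```

An empty result from `final_stage_user` is what a Dockerfile-only scanner reports as "no USER"; only `check_image` on the built image shows what the base image contributed.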

Contributor

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
build/Dockerfile.catalog (1)

48-58: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add explicit non-root USER in the final stage.

Trivy flags this image as running as root (DS-0002). The opm base image does not guarantee a non-root USER across versions. To harden the image, pin a non-root UID and ensure /tmp/cache is writable for that user before switching.

Note: A previous review suggested this fix and marked it as addressed, but the directive appears to be missing from the current code.

🔒 Suggested hardening patch
 FROM opm
 
 COPY --from=builder /configs /configs
+RUN mkdir -p /tmp/cache && chown -R 65532:0 /configs /tmp/cache
+USER 65532
 
 RUN ["/bin/opm", "serve", "/configs", "--cache-dir=/tmp/cache", "--cache-only"]
 
 LABEL operators.operatorframework.io.index.configs.v1=/configs
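Review bot: The added shell-form `RUN mkdir -p /tmp/cache && chown -R 65532:0 /configs /tmp/cache` runs in the final `FROM opm` stage and needs `/bin/sh`, `mkdir` and `chown` to exist there, while the only other `RUN` in this stage is exec-form (`RUN ["/bin/opm", ...]`); the author reports elsewhere in this thread that the opm base image has no `/bin/sh`. Setting ownership at copy time with `COPY --chown=65532:0 --from=builder /configs /configs` avoids the shell dependency, and since `USER 65532` is already placed before the warmup `RUN`, the cache is then written by the serving UID, provided /tmp is writable for it.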
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile.catalog` around lines 48 - 58, Final Dockerfile stage
currently runs as root; add an explicit non-root user and ensure /tmp/cache is
writable before switching. In the final stage (the block that uses FROM opm,
COPY --from=builder, RUN ["/bin/opm", "serve", ...], ENTRYPOINT ["/bin/opm"],
CMD ["serve", ...]) create a dedicated user/group with a fixed UID/GID, mkdir
/tmp/cache and chown it to that user, and then add a USER instruction to switch
to that non-root account so the container runs non-root while preserving the
current ENTRYPOINT/CMD.
📥 Commits

Reviewing files that changed from the base of the PR and between 14532d9 and be69539.

📒 Files selected for processing (1)
  • build/Dockerfile.catalog

@weshayutin
Contributor

weshayutin commented May 14, 2026

@rayfordj do you by chance have an example dockerfile for the FBC containers?

@kaovilai
Member Author

CI config PR updated: openshift/release#79327 replaces openshift/release#79152. Uses Dockerfile.catalog from this PR with build_args + optional-operators-ci-aws workflow (no operator-sdk).

Note

Responses generated with Claude

@kaovilai
Member Author

This needs to be cherry-picked to oadp-1.3, oadp-1.4, oadp-1.5, oadp-1.6, and oadp-dev branches. Index image building is deprecated and will be removed from ci-operator, so all branches need Dockerfile.catalog for the CI migration in openshift/release#79327.

Note

Responses generated with Claude

@openshift-ci

openshift-ci Bot commented May 14, 2026

@kaovilai: all tests passed!

Successfully merging this pull request may close these issues.

CI: Add FBC catalog Dockerfile for Prow operator installation without operator-sdk
