Add medik8s disconnected CatalogSource step for air-gapped operator testing#79687

Merged: openshift-merge-bot[bot] merged 12 commits into openshift:main from ugreener:rhwa-disconnected-catalogsource on Jun 1, 2026
Conversation

@ugreener
Contributor

@ugreener ugreener commented May 26, 2026

Summary

Adds a reusable Prow step medik8s-disconnected-catalogsource that mirrors medik8s FBC catalog and operator images to the CI mirror registry via oc-mirror v2, creates IDMS pointing to the mirror, and provisions a CatalogSource for air-gapped operator testing. Complements the existing medik8s-catalogsource step which handles connected environments.

What this step does

  1. Resolves the latest FBC commit from dragonfly/rhwa-fbc via GitLab API
  2. Verifies the FBC image exists on Quay (with fallback tag resolution for non-pinned SHAs)
  3. Downloads the IDMS from that commit and converts it to registries.conf for oc-mirror (maps registry.redhat.io to Quay mirrors)
  4. Mirrors FBC catalog + all operator images via oc-mirror v2 to the CI mirror registry
  5. Creates IDMS pointing to the mirror registry (not Quay)
  6. Creates CatalogSource from the mirrored FBC image
  7. Waits for CatalogSource READY with diagnostic collection on failures

Proven pattern

Based on the file-integrity-konflux-catalogsource step. Uses openshift-custom-mirror-registry credential (same as kueue, file-integrity disconnected steps). IDMS source mappings are parsed from the rhwa-fbc repo using awk.

Files

ci-operator/step-registry/medik8s/disconnected-catalogsource/
├── OWNERS
├── medik8s-disconnected-catalogsource-commands.sh
├── medik8s-disconnected-catalogsource-ref.metadata.json
└── medik8s-disconnected-catalogsource-ref.yaml

Dependencies

This step will be used by future disconnected periodic job configs (RHWA-1038, RHWA-1039).
Requires cucushift-installer-rehearse-aws-ipi-disconnected-private workflow for cluster provisioning.

Jira: RHWA-840
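Step 3 of the description (download the IDMS and convert it to registries.conf with awk) is the part of the procedure most easily shown offline. The following is an added example, not the PR's script: it reads an ImageDigestMirrorSet document and emits containers-registries.conf(5) `[[registry]]` / `[[registry.mirror]]` blocks using plain awk, handling entries that list `source` either before or after `mirrors`. The sample IDMS, its repository paths, the function name `idms_to_registries_conf` and the `pull-from-mirror = "digest-only"` setting are constructed for this example and are not taken from the rhwa-fbc repo.

```shell
#!/bin/sh
# Added example (not the step's own code): convert an ImageDigestMirrorSet into
# containers-registries.conf(5) mirror entries using only awk, as the
# "IDMS -> registries.conf" step in the PR description does.

# Constructed sample IDMS; repository paths are placeholders, not real images.
SAMPLE_IDMS='apiVersion: config.openshift.io/v1
kind: ImageDigestMirrorSet
metadata:
  name: rhwa-fbc-idms
spec:
  imageDigestMirrors:
  - mirrors:
    - quay.io/redhat-user-workloads/rhwa-tenant/example-operator
    source: registry.redhat.io/example-ns/example-operator
  - source: registry.redhat.io/example-ns/example-operator-bundle
    mirrors:
    - "quay.io/redhat-user-workloads/rhwa-tenant/example-operator-bundle"
    - quay.io/redhat-user-workloads/rhwa-tenant/example-operator-bundle-backup'

# Reads IDMS YAML on stdin, writes registries.conf fragments on stdout.
# Each imageDigestMirrors entry becomes one [[registry]] block; its
# [[registry.mirror]] sub-blocks are restricted to digest pulls, matching
# IDMS semantics (tag references are never rewritten).
idms_to_registries_conf() {
  awk '
    function flush() {
      if (src != "" && n > 0) {
        printf "[[registry]]\n  location = \"%s\"\n", src
        for (i = 1; i <= n; i++) {
          printf "  [[registry.mirror]]\n    location = \"%s\"\n", m[i]
          printf "    pull-from-mirror = \"digest-only\"\n"
        }
        printf "\n"
      }
      src = ""; n = 0
    }
    # Trim trailing whitespace and YAML quoting on every line.
    { sub(/[ \t]+$/, ""); gsub(/"/, "") }
    # A new list entry starts: emit the previous one first.
    /^[ \t]*-[ \t]*mirrors:/ { flush(); in_m = 1; next }
    /^[ \t]*-[ \t]*source:/  { flush(); sub(/^[ \t]*-[ \t]*source:[ \t]*/, ""); src = $0; in_m = 0; next }
    # Keys inside the current entry (whichever order they appear in).
    /^[ \t]*mirrors:/        { in_m = 1; next }
    /^[ \t]*source:/         { sub(/^[ \t]*source:[ \t]*/, ""); src = $0; in_m = 0; next }
    # List items while inside a mirrors: block.
    in_m && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); m[++n] = $0; next }
    END { flush() }
  '
}

# Convenience wrapper: converts the constructed sample.
sample_registries_conf() {
  printf '%s\n' "$SAMPLE_IDMS" | idms_to_registries_conf
}

sample_registries_conf
```

Feeding the real IDMS file instead of the sample is `idms_to_registries_conf < idms.yaml`; the output can be dropped into the `registries.conf` that oc-mirror reads. Because the conversion trusts the YAML layout rather than parsing it, a quick sanity check after generation is to count `[[registry]]` blocks against the number of `source:` keys in the input.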

Adds a reusable Prow step that creates a CatalogSource for medik8s
operator testing in both connected and disconnected environments.

In connected mode (default): resolves FBC from Quay (no mirroring).
In disconnected mode (MIRROR_OPERATORS=true): mirrors FBC catalog and
operator images to the CI mirror registry using oc-mirror v2, creates
IDMS pointing to the mirror, and creates CatalogSource from mirrored image.

Based on the proven file-integrity-konflux-catalogsource pattern.
Uses the IDMS from dragonfly/rhwa-fbc as the source of truth for
image mirror mappings (parsed with awk, no Python/PyYAML dependency).

Jira: RHWA-840

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ugreener
Contributor Author

/pj-rehearse auto-ack

@openshift-merge-bot
Contributor

@ugreener: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@coderabbitai
Contributor

coderabbitai Bot commented May 26, 2026

Walkthrough

Adds a CI step-ref, metadata/OWNERS, and a Bash orchestration that resolves an FBC commit, optionally runs oc-mirror to mirror catalogs/operators, applies an ImageDigestMirrorSet, creates an openshift-marketplace CatalogSource, and waits for readiness while emitting diagnostics on failure.

Changes

medik8s disconnected CatalogSource

Layer / File(s) Summary
Metadata and OWNERS
ci-operator/step-registry/medik8s/disconnected-catalogsource/OWNERS, ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-ref.metadata.json, ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-ref.yaml
Adds owners/approvers/reviewers arrays and a new step-ref YAML referencing the command script.
Script: configuration and helpers
ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh
Top-level variables for GitLab/FBC, helper functions (log, run, collect_artifacts), proxy sourcing, and oc-mirror install helper; EXIT trap for artifact collection.
Script: commit resolution and FBC verification
.../medik8s-disconnected-catalogsource-commands.sh
Resolve FBC commit SHA from input or GitLab and verify corresponding Quay image; optionally fall back to an active tag when not pinned.
Script: mirror registry auth / host pull-secret
.../medik8s-disconnected-catalogsource-commands.sh
Extract cluster pull-secret, read vault mirror creds, merge auth for registry.redhat.io and mirror registry, and write containers/auth.json.
Script: oc-mirror install and registries.conf
.../medik8s-disconnected-catalogsource-commands.sh
Download/install oc-mirror, fetch IDMS YAML for the resolved commit, and generate registries.conf mirror entries for the runtime.
Script: run oc-mirror and create mirror output
.../medik8s-disconnected-catalogsource-commands.sh
Build ImageSetConfiguration for FBC catalog and packages, run oc-mirror, capture debug artifacts on failure, and produce mirror tarball.
Script: ImageDigestMirrorSet and MCP rollout
.../medik8s-disconnected-catalogsource-commands.sh
Generate/apply ImageDigestMirrorSet (adds extra quay mapping) and wait for MachineConfigPool rendered config + Updated condition with timeouts and diagnostics.
Script: ensure marketplace and CatalogSource
.../medik8s-disconnected-catalogsource-commands.sh
Ensure openshift-marketplace namespace labels, create grpc CatalogSource referencing mirrored catalog image, and poll for READY with diagnostics on timeout.
Script: main orchestration and outputs
.../medik8s-disconnected-catalogsource-commands.sh
Orchestrates validation, workspace init, mirroring steps, CatalogSource creation/wait, and writes commit/catalog names to ${SHARED_DIR}.

Sequence Diagram

sequenceDiagram
  participant Script as medik8s-disconnected-catalogsource script
  participant GitLab as GitLab Raw/API
  participant ocMirror as oc-mirror
  participant MirrorReg as Mirror Registry
  participant Cluster as OpenShift Cluster

  Script->>GitLab: fetch IDMS YAML / resolve FBC commit SHA
  Script->>ocMirror: generate ImageSetConfiguration + run oc-mirror
  ocMirror->>MirrorReg: push mirrored catalog & operator images
  Script->>Cluster: apply ImageDigestMirrorSet and namespace/CatalogSource manifests
  Cluster->>Cluster: MachineConfigPool rollout (Rendered config -> Updated)
  Script->>Cluster: poll CatalogSource for READY and collect diagnostics on timeout

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

lgtm

Suggested reviewers

  • beekhof
  • maximunited
  • clobrano

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error Multiple instances of internal mirror registry hostname (MIRROR_REGISTRY_HOST) logged to CI logs: lines 113, 189, 217-221, 330, and 384, exposing internal infrastructure details. Remove MIRROR_REGISTRY_HOST from log statements and the run() wrapper on line 384; sanitize logging in mirror_catalog_and_operators() and create_catalogsource() functions.
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (13 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and specifically describes the main change: adding a new Prow step for medik8s operator testing in disconnected environments. It is concise, clear, and highlights the primary functionality without being vague or overly broad.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR contains no Ginkgo tests; custom check for test name stability is not applicable to this CI infrastructure code.
Test Structure And Quality ✅ Passed Pull request contains no Ginkgo test code—only bash script and config files for CI step registry. Custom check for test structure is not applicable.
Microshift Test Compatibility ✅ Passed No Ginkgo e2e tests added in this PR. The PR adds CI step registry configuration files (YAML, JSON) and a Bash shell script for disconnected CatalogSource setup, not test files.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo e2e tests are added in this PR. The new files are CI infrastructure (bash script, YAML metadata, OWNERS) for a disconnected CatalogSource step, not test code.
Topology-Aware Scheduling Compatibility ✅ Passed PR adds a CI step creating CatalogSource, ImageDigestMirrorSet, and Namespace resources without topology-specific scheduling constraints (anti-affinity, nodeSelector, replicas, topology spread).
Ote Binary Stdout Contract ✅ Passed PR adds Prow step registry configuration (bash script, YAML, JSON, OWNERS). Contains no Go test binaries, TestMain(), BeforeSuite(), or OTE-related code subject to OTE Binary Stdout Contract.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR adds CI infrastructure (OWNERS, YAML step reference, JSON metadata, bash script) but no Ginkgo e2e tests. Custom check for test IPv6/disconnected compatibility does not apply.
No-Weak-Crypto ✅ Passed No weak cryptographic algorithms (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons found in the added PR files.
Container-Privileges ✅ Passed No Kubernetes container privilege configurations found: no privileged: true, hostPID/hostNetwork/hostIPC, SYS_ADMIN capabilities, or allowPrivilegeEscalation: true in the step YAML manifest.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

@openshift-ci openshift-ci Bot requested review from beekhof and mshitrit May 26, 2026 05:14
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 26, 2026
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label May 26, 2026
@openshift-merge-bot
Contributor

@ugreener: no rehearsable tests are affected by this change

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh`:
- Around line 169-173: The tar commands that create
"${ARTIFACT_DIR}/mirror-debug.tar.gz" and "${ARTIFACT_DIR}/mirror-output.tar.gz"
currently archive the entire "${TMP_DIR}", which can include sensitive files
like run/containers/auth.json; modify the archive step(s) in the script so they
explicitly exclude credentials (for example exclude patterns for
run/containers/auth.json and any kubeconfig or token files) or instead package
only known-safe subpaths under "${TMP_DIR}"; update the two tar invocations that
reference TMP_DIR and ARTIFACT_DIR to use exclusion patterns or a whitelist of
safe files to ensure no registry auth, kubeconfigs, tokens, or vault-derived
secrets are included.

📥 Commits

Reviewing files that changed from the base of the PR and between 7becb35 and 94c76bb.

📒 Files selected for processing (4)
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/OWNERS
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-ref.metadata.json
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-ref.yaml
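The actionable comment above is about `tar` archiving the whole `${TMP_DIR}` into `ARTIFACT_DIR`, credentials included. As an added example (not the step's own code), the function below archives a mirror workspace with an explicit exclusion list and a second function inspects the finished tarball for credential-looking members, so the check can run as a gate before the artifact is uploaded. The `run/containers/auth.json` and `.dockerconfigjson` names come from the review thread; `kubeconfig`, `*.token`, the sample workspace and the fake auth contents are constructed for this example.

```shell
#!/bin/sh
# Added example (not the step's own code): package a mirror workspace for
# ARTIFACT_DIR without shipping credentials, then verify the result.

# Member patterns tar must skip, relative to the workspace root.
# run/containers and .dockerconfigjson follow the review comment; kubeconfig
# and *.token are assumed extra names worth excluding.
SECRET_PATTERNS='./run/containers ./.dockerconfigjson ./kubeconfig *auth.json *.token'

# archive_excluding_secrets <workspace> <out.tar.gz>
# Archives the workspace with every SECRET_PATTERNS entry excluded.
archive_excluding_secrets() {
  workspace="$1"
  out="$2"
  set --
  for p in $SECRET_PATTERNS; do
    set -- "$@" --exclude="$p"
  done
  tar -C "$workspace" "$@" -czf "$out" .
}

# list_secret_members <tarball>
# Prints members that look like credential material; prints nothing when the
# archive is clean. Run it on every artifact tarball as an independent gate.
list_secret_members() {
  tar -tzf "$1" | grep -E '(^|/)(auth\.json|\.dockerconfigjson|kubeconfig)$|\.token$' || true
}

# build_sample_workspace <dir>
# Constructs a workspace resembling what an oc-mirror run leaves behind,
# including deliberately fake credentials (base64 of "fake:fake").
build_sample_workspace() {
  ws="$1"
  mkdir -p "$ws/run/containers" "$ws/working-dir"
  printf '{"auths":{"mirror.example.invalid":{"auth":"ZmFrZTpmYWtl"}}}\n' > "$ws/run/containers/auth.json"
  printf '{"auths":{}}\n' > "$ws/.dockerconfigjson"
  printf 'constructed oc-mirror log line\n' > "$ws/working-dir/oc-mirror.log"
  printf 'kind: ImageSetConfiguration\n' > "$ws/imageset-config.yaml"
}

# demo: returns 0 when the filtered archive contains no credential members.
demo() {
  ws=$(mktemp -d)
  out="$ws.tar.gz"
  build_sample_workspace "$ws"
  archive_excluding_secrets "$ws" "$out"
  leaked=$(list_secret_members "$out")
  rm -rf "$ws" "$out"
  if [ -n "$leaked" ]; then
    echo "credential material leaked into archive:" >&2
    printf '%s\n' "$leaked" >&2
    return 1
  fi
  echo "archive is clean"
}

demo
```

Excluding by pattern is the fix the comment asks for; the allow-list alternative it mentions (archive only `working-dir` and the ImageSetConfiguration) is stricter and worth preferring when the workspace layout is stable, because a new credential file name then cannot slip past an outdated exclusion list.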

Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh (1)

236-238: 💤 Low value

Use parameter expansion instead of sed for prefix removal.

This avoids spawning a subshell and is more idiomatic Bash.

✏️ Suggested fix
     local original_image="${FBC_IMAGE_REPO}/${FBC_IMAGE_PREFIX}-${OCP_VERSION}:${FBC_COMMIT_SHA}"
-    local image_path
-    image_path=$(echo "$original_image" | sed 's|^quay.io/||')
+    local image_path="${original_image#quay.io/}"
     local catalog_image="${MIRROR_REGISTRY_HOST}/${image_path}"
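Review bot: the replacement `local image_path="${original_image#quay.io/}"` hard-codes the registry host even though `original_image` is built from `FBC_IMAGE_REPO` two lines above; if that variable is ever pointed at another registry, the prefix is not stripped and `catalog_image` silently becomes `${MIRROR_REGISTRY_HOST}/<other-host>/...`, a repository path that does not exist on the mirror. Suggest stripping whatever host the repo variable carries, e.g. `local image_path="${original_image#*/}"`, or deriving the prefix from `FBC_IMAGE_REPO` itself so the two cannot drift apart.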
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh`
around lines 236 - 238, The code uses sed to strip the quay.io prefix from
original_image (image_path=$(echo "$original_image" | sed 's|^quay.io/||')),
which spawns a subshell; replace that with Bash parameter expansion to remove
the prefix in-place (assign image_path="${original_image#quay.io/}") and keep
the subsequent catalog_image="${MIRROR_REGISTRY_HOST}/${image_path}" unchanged
so no external process is invoked.

📥 Commits

Reviewing files that changed from the base of the PR and between 94c76bb and 43979aa.

📒 Files selected for processing (2)
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-ref.yaml

@ugreener ugreener force-pushed the rhwa-disconnected-catalogsource branch from 43979aa to 46cb286 Compare May 26, 2026 06:36
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh (1)

237-239: 💤 Low value

Use parameter expansion instead of sed.

Replace the sed command with bash parameter expansion for stripping the prefix.

♻️ Proposed fix
     local original_image="${FBC_IMAGE_REPO}/${FBC_IMAGE_PREFIX}-${OCP_VERSION}:${FBC_COMMIT_SHA}"
-    local image_path
-    image_path=$(echo "$original_image" | sed 's|^quay.io/||')
+    local image_path="${original_image#quay.io/}"
     local catalog_image="${MIRROR_REGISTRY_HOST}/${image_path}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh`
around lines 237 - 239, Replace the sed invocation used to strip the quay.io
prefix with bash parameter expansion: set image_path using
image_path="${original_image#quay.io/}" (preserving the existing local
image_path declaration) and leave
catalog_image="${MIRROR_REGISTRY_HOST}/${image_path}" unchanged; this removes
the external sed call and achieves the same prefix removal using shell
expansion.

📥 Commits

Reviewing files that changed from the base of the PR and between 43979aa and 46cb286.

📒 Files selected for processing (2)
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-ref.yaml

The connected mode was redundant with the existing medik8s-catalogsource
step (PR openshift#79373). This step is now disconnected-only:
- Removed MIRROR_OPERATORS env var (always mirrors)
- Mirror registry is required (fails if not found)
- Documentation points to medik8s-catalogsource for connected use

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ugreener ugreener force-pushed the rhwa-disconnected-catalogsource branch from 46cb286 to cf18458 Compare May 26, 2026 06:47
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh (1)

239-241: 💤 Low value

Use bash parameter expansion instead of sed.

Per shellcheck SC2001, bash parameter expansion is more efficient and idiomatic here.

♻️ Suggested fix
     local original_image="${FBC_IMAGE_REPO}/${FBC_IMAGE_PREFIX}-${OCP_VERSION}:${FBC_COMMIT_SHA}"
-    local image_path
-    image_path=$(echo "$original_image" | sed 's|^quay.io/||')
+    local image_path="${original_image#quay.io/}"
     local catalog_image="${MIRROR_REGISTRY_HOST}/${image_path}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh`
around lines 239 - 241, Replace the sed call that strips the "quay.io/" prefix
with bash parameter expansion: instead of using image_path=$(echo
"$original_image" | sed 's|^quay.io/||'), assign image_path using parameter
expansion to remove the leading "quay.io/" (e.g., use the
${original_image#quay.io/} form) and then construct catalog_image with
"${MIRROR_REGISTRY_HOST}/${image_path}"; keep the local declarations (local
image_path) or combine declaration+assignment but ensure you reference
original_image and MIRROR_REGISTRY_HOST exactly as in the diff.

📥 Commits

Reviewing files that changed from the base of the PR and between 46cb286 and cf18458.

📒 Files selected for processing (2)
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-ref.yaml

@ugreener
Contributor Author

Fixed in the latest push — both tar invocations now exclude ./run/containers (which contains auth.json) and ./.dockerconfigjson (the extracted cluster pull secret).

ugreener added 3 commits May 26, 2026 17:22
Infrastructure references (dragonfly/rhwa-fbc, rhwa-tenant) are unchanged
as they are real external resource names.
Use generic naming for the SHARED_DIR output file.
@ugreener ugreener force-pushed the rhwa-disconnected-catalogsource branch from 39b1111 to d495361 Compare May 31, 2026 06:58
Member

@razo7 razo7 left a comment


Good PR, but it is missing fixes from #79820 for consistency that was merged today.
I've flagged these as inline comments below.

ugreener added 5 commits May 31, 2026 16:47
Port verify_fbc_image() from the connected medik8s-catalogsource step
to catch missing FBC images on Quay before the expensive oc-mirror
operation. Adds QUAY_REPO_PATH and FBC_SHA_PINNED variables for parity
with the connected step.

Addresses review comment from @razo7.
Rename fbc_commit_sha to rhwa_fbc_commit_sha for consistency with the
connected medik8s-catalogsource step, so downstream consumers can use
the same filename regardless of connected/disconnected mode.

Addresses review comment from @razo7.
Relax regex from ^[0-9]{3,4}$ to ^[0-9]{2,4}$ to match the connected
medik8s-catalogsource step and support 2-digit OCP versions.

Addresses review comment from @razo7.
Replace hardcoded quay.io/redhat-user-workloads/rhwa-tenant with values
derived from FBC_IMAGE_REPO using parameter expansion, so the IDMS
source entry stays in sync if the repo path changes.

Addresses review comment from @razo7.
Addresses review comment from @razo7.
Member

@razo7 razo7 left a comment


Looks good, and after it gets merged, we can do some refactoring to avoid creating similar functions in multiple places #79896.

Keeping it for QE review as they are much more familiar with the disconnected setup than me for the final approval. You may unhold if you think the other way...
/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 31, 2026
@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 31, 2026
@ugreener ugreener changed the title Add medik8s-disconnected-catalogsource step for disconnected testing Add medik8s disconnected CatalogSource step for air-gapped operator testing May 31, 2026
The step-registry-metadata CI check runs `make registry-metadata`
which generates JSON without trailing newlines and performs a
byte-for-byte comparison. The trailing newline added in af3c94a
breaks this check.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label May 31, 2026
@maximunited

@coderabbitai resume

@coderabbitai
Contributor

coderabbitai Bot commented May 31, 2026

✅ Actions performed

Reviews resumed.



Did you add the Nexus? I am not sure I find this step.
In the disconnected env, it differs from the connected one.
Have you tried it manually?

Contributor Author


This step does not use Nexus. Nexus is a registry proxy used in Jenkins-based CI pipelines (e.g., ocp-edge lab); this is a Prow step-registry step, which uses a different infrastructure. In Prow, disconnected steps mirror images to the CI mirror registry using vault-mounted openshift-custom-mirror-registry credentials and oc-mirror v2.

This follows the same pattern as file-integrity-konflux-catalogsource (same credential, same oc-mirror workflow, same CI mirror registry).

The flow: resolve FBC commit from GitLab, verify image on Quay, mirror catalog + operator images via oc-mirror v2 to the CI mirror registry, create IDMS pointing to the mirror, create CatalogSource from the mirrored image.

Not yet tested in a live disconnected cluster (waiting for the periodic job configs in RHWA-1038/RHWA-1039 to be created). The step logic is adapted from the file-integrity step which runs successfully in CI.

- Add node-side podman pull diagnostic on CatalogSource timeout
  (matches connected step's debug block for diagnosing image pull
  failures at the node level)
- Add elapsed seconds to wait loop log for triage
- Remove unnecessary credential copy to SHARED_DIR (no downstream
  consumer; reduces credential exposure surface)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@ugreener: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


⚠️ Outside diff range comments (1)
ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh (1)

356-362: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Log CatalogSource wait elapsed time, not shell uptime.

Line 362 uses the shell-global SECONDS, so after the earlier mirroring/setup work this log no longer reflects how long wait_for_catalogsource() has actually been polling. Capture a start timestamp for the wait loop and log SECONDS - start_seconds instead.

Suggested fix
 wait_for_catalogsource() {
     log "Waiting for CatalogSource ${CATALOG_SOURCE_NAME} to be READY..."
-    local -i deadline=$(( SECONDS + 600 ))
+    local -i start_seconds=$SECONDS
+    local -i deadline=$(( start_seconds + 600 ))
     local status=""

     while (( SECONDS < deadline )); do
         status=$(oc -n openshift-marketplace get catalogsource "$CATALOG_SOURCE_NAME" \
             -o=jsonpath="{.status.connectionState.lastObservedState}" 2>/dev/null || true)
-        log "  $(( SECONDS ))s - status: ${status:-pending}"
+        log "  $(( SECONDS - start_seconds ))s - status: ${status:-pending}"
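Review bot: `2>/dev/null || true` on the `oc get catalogsource` call makes an API failure (missing or expired kubeconfig, RBAC denial, unreachable API server) indistinguishable from a CatalogSource that has not reported a state yet: both print `status: pending` until the 600 s deadline, so a broken probe burns the whole timeout instead of failing fast. Suggest capturing stderr once (for example to a file under `${TMP_DIR}`) and logging it the first time `status` comes back empty, so the wait exits early on a probe that cannot succeed. The `start_seconds` change itself is correct and the log now reports the loop's own elapsed time.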
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh`
around lines 356 - 362, The log in wait_for_catalogsource() currently uses the
global SECONDS, which yields shell uptime rather than the function's polling
duration; capture a start timestamp at the top of wait_for_catalogsource()
(e.g., start_seconds=$(date +%s) or start_seconds=$SECONDS) and change the log
line to print elapsed time using SECONDS - start_seconds (or $(($(date +%s) -
start_seconds)) when using date) so the message reflects how long the function
has been polling the CatalogSource.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh`:
- Around line 382-384: The current call uses run() which echoes the full oc
debug/podman pull command (including the MIRROR_REGISTRY host) into CI logs;
replace the run invocation for the node-side probe by invoking the oc debug
command directly (not via run) so it is not printed, redirect stdout/stderr to
/dev/null (e.g. >/dev/null 2>&1), capture its exit code, and then use log to
emit only a success or failure message referencing node_name (but do NOT include
catalog_image or the registry host). Specifically, remove run(...) around the oc
debug invocation that uses catalog_image, perform the oc debug "node/$node_name"
-- chroot /host podman pull --authfile /var/lib/kubelet/config.json
"${catalog_image}" quietly, check the command's exit status, and call log
"node-side pull succeeded on ${node_name}" or log "node-side pull failed on
${node_name}" accordingly.


📥 Commits

Reviewing files that changed from the base of the PR and between 032099f and 624948c.

📒 Files selected for processing (1)
  • ci-operator/step-registry/medik8s/disconnected-catalogsource/medik8s-disconnected-catalogsource-commands.sh
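Both findings in this review (the shell-global `SECONDS` in the wait loop and the mirror host reaching CI logs through `run()`) come down to two habits, shown here as an added example that is not the step's own code: measure elapsed time from the wait function's own start, and route every log line through a helper that redacts `MIRROR_REGISTRY_HOST` before it is printed. `MIRROR_REGISTRY_HOST` is the step's variable; the placeholder host value, the `fake_probe` stand-in for `oc get catalogsource`, and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the step's own code): a readiness poll that logs its own
# elapsed time rather than the shell-global SECONDS, plus a log helper that
# redacts the mirror registry host before anything reaches the CI log.

# Placeholder value for the step's variable; the real step reads it from vault.
MIRROR_REGISTRY_HOST="${MIRROR_REGISTRY_HOST:-mirror.ci.example.invalid:5000}"

# redact <text>: replace the mirror registry host with a fixed token.
redact() {
  if [ -n "$MIRROR_REGISTRY_HOST" ]; then
    printf '%s\n' "$1" | sed "s|${MIRROR_REGISTRY_HOST}|<mirror-registry>|g"
  else
    printf '%s\n' "$1"
  fi
}

# log <text>: timestamped, redacted log line on stderr. Anything that may
# carry an image reference (pull diagnostics, oc-mirror output) goes through
# here instead of being echoed by a run()-style wrapper.
log() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(redact "$*")" >&2
}

# wait_until_ready <timeout_s> <interval_s> <probe command...>
# Polls until the probe prints READY; returns 1 once timeout_s have elapsed.
# Elapsed time is measured from this function's own start, so the log shows
# how long this wait has been running, not how long the script has.
wait_until_ready() {
  timeout="$1"; interval="$2"; shift 2
  start=$(date +%s)
  while :; do
    elapsed=$(( $(date +%s) - start ))
    status=$("$@" 2>/dev/null || true)
    log "  ${elapsed}s - status: ${status:-pending}"
    [ "$status" = "READY" ] && return 0
    [ "$elapsed" -ge "$timeout" ] && return 1
    sleep "$interval"
  done
}

# Constructed stand-in for `oc get catalogsource ... -o jsonpath=...`:
# reports CONNECTING twice, then READY. Call count lives in COUNTER_FILE.
COUNTER_FILE="${COUNTER_FILE:-$(mktemp)}"
fake_probe() {
  n=$(cat "$COUNTER_FILE" 2>/dev/null)
  n=$(( ${n:-0} + 1 ))
  echo "$n" > "$COUNTER_FILE"
  if [ "$n" -ge 3 ]; then echo READY; else echo CONNECTING; fi
}

# demo: run the poll against the fake probe with a 10 s budget.
demo() {
  : > "$COUNTER_FILE"
  log "node-side pull would target ${MIRROR_REGISTRY_HOST}/rhwa/catalog:example"
  wait_until_ready 10 0 fake_probe
}

demo
```

In the step, the probe argument would be the `oc -n openshift-marketplace get catalogsource ... -o jsonpath=...` command from the hunk above, and the node-side `podman pull` diagnostic would report only success or failure per node through `log`, never the full image reference.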

@maximunited

/lgtm from my side

@ugreener
Contributor Author

ugreener commented Jun 1, 2026

/unhold

@openshift-ci openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jun 1, 2026
@maximunited

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 1, 2026
@lyfofvipin

LGTM 👍

@ugreener
Contributor Author

ugreener commented Jun 1, 2026

/retest

1 similar comment
@ugreener
Contributor Author

ugreener commented Jun 1, 2026

/retest

@openshift-ci
Contributor

openshift-ci Bot commented Jun 1, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: maximunited, razo7, ugreener

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot Bot merged commit 2c97543 into openshift:main Jun 1, 2026
10 of 11 checks passed