[WIP] extend the baremetal-ove-compact-konflux job with CNV validation steps

[orenc1]

Add a connected baremetal-ove-compact-konflux periodic job that installs an OVE cluster using Konflux-built ISOs on a connected (non-disconnected) baremetal lab, then provisions LSO and ODF storage.

Four new step-registry steps are introduced and appended to the existing agent-qe-baremetal-install-ove-disconnected-konflux chain:

• create-catalogsource: disables default catalog sources and creates a version-pinned CatalogSource (redhat-operators-full) from registry.redhat.io/redhat/redhat-operator-index:v., auto-detecting the OCP version from the cluster.
• install-lso: subscribes and installs local-storage-operator from the new catalog source.
• configure-lso: labels nodes, creates a MachineConfig for Ceph MON loop devices, and provisions localblock-mon (Filesystem) and localblock (Block) LocalVolumeSets with the required PVs.
• install-odf: subscribes and installs odf-operator, then creates an ocs-storagecluster backed by the LSO-provisioned local storage.

The new job overrides DISCONNECTED=false so the firewall step is skipped and the cluster retains internet access for pulling the operator index directly from registry.redhat.io.

Summary by CodeRabbit

This PR extends the OpenShift CI infrastructure with a new connected periodic test job for OVE (OpenShift Virtualization Engine) cluster deployments that includes storage provisioning capabilities.

Key Changes

The PR adds four new step-registry steps to the agent-qe-baremetal-install-ove-disconnected chain:

1. create-catalogsource: Disables default OLM catalog sources and provisions a version-pinned CatalogSource pointing to the Red Hat operator index. It auto-detects the cluster's OCP version and handles OLMv1 clustercatalog resources for newer cluster versions.

2. install-lso: Installs the Local Storage Operator (LSO) from the newly created CatalogSource with polling to ensure the operator CSV reaches a "Succeeded" state.

3. configure-lso: Configures local storage by labeling nodes, applying a MachineConfig to create loop devices for Ceph MON storage, and provisioning two LocalVolumeSets—one for MON storage (filesystem) and one for block storage (XFS)—with comprehensive polling and diagnostics to verify PV creation.

4. install-odf: Installs the OpenShift Data Foundation (ODF) operator and creates an OCS StorageCluster backed by the LSO-provisioned local volumes, with error handling to gather ODF-related diagnostics on failure.

These steps are integrated into the existing chain workflow, and the job configuration overrides DISCONNECTED=false to allow the cluster to retain internet connectivity for pulling operator images directly from registry.redhat.io—contrasting with the disconnected variant.

Additionally, the SNAPSHOT environment variable is updated to reference a specific Konflux-built ISO, and OWNERS files are established for the new step directories with approvers and reviewers designated.

Infrastructure Impact

This addition enables a new CI validation pathway for OVE clusters with integrated storage operator deployment on connected baremetal infrastructure, extending the existing agent-based installer test coverage to include LSO and ODF provisioning workflows.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 1584d080-d4b5-4de5-b9ee-927587f7d362

📥 Commits

Reviewing files that changed from the base of the PR and between d10c542 and 354035b.

📒 Files selected for processing (19)

• ci-operator/config/openshift-eng/agent-qe-infra/openshift-eng-agent-qe-infra-release-4.21__amd64-nightly.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-chain.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-workflow.yaml

✅ Files skipped from review due to trivial changes (6)

• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-workflow.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (11)

• ci-operator/config/openshift-eng/agent-qe-infra/openshift-eng-agent-qe-infra-release-4.21__amd64-nightly.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-chain.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-commands.sh

---

Walkthrough

Adds a disconnected OVE bare-metal CI flow: creates a CatalogSource, installs Local Storage Operator, configures local storage with loopback and block LocalVolumeSets, deploys ODF StorageCluster, integrates steps into the Konflux workflow, and pins a nightly job SNAPSHOT to a specific OVE ISO tag.

Changes

Disconnected OVE LSO and ODF Infrastructure

Layer / File(s)	Summary
CatalogSource creation for disconnected operators ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/*	Defines helpers for cluster version detection and OLM capability checks, creates the marketplace namespace, patches operatorhub to disable defaults, and polls for CatalogSource readiness with timeout diagnostics and version-aware OLMv1 handling.
Local Storage Operator installation ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/*	Creates the openshift-local-storage namespace, OperatorGroup, and Subscription referencing the CatalogSource, then polls for operator CSV creation and waits for Succeeded phase with timeout error handling.
Local Storage configuration with loop devices and volumes ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/*	Applies MachineConfig for systemd loop-device creation, labels nodes for local storage, creates two LocalVolumeSets (MON loopback and block disk), and polls for required PV availability with jq-based counting and failure diagnostics.
ODF storage cluster provisioning ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/*	Deploys ODF by labeling nodes, creating operator namespace and OperatorGroup, installing odf-operator Subscription, verifying StorageCluster CRD readiness, creating a StorageCluster with 50Gi MON and 100Gi OSD device sets on localblock storage, and waiting up to 1 hour for availability with error trapping and artifact collection.
Konflux chain and workflow orchestration ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/..., ci-operator/config/openshift-eng/agent-qe-infra/...	Updates the Konflux chain to include the four new refs, revises workflow documentation to mention LSO and ODF, and pins the nightly job SNAPSHOT to a specific ove-ui-iso-4-21 image tag.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• openshift/release#79826: Sets the initial empty SNAPSHOT: "" value in the same nightly config file that this PR updates with a specific image tag.

Suggested labels

area/pipelines, rehearsals-ack

Suggested reviewers

• bmanzari

---

Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 3 warnings)

Check name	Status	Explanation	Resolution
No-Sensitive-Data-In-Logs	❌ Error	The create-catalogsource script logs full commands including oc whoami, oc version -o yaml, and diagnostics commands via unredacted echo statements, exposing user info and system details.	Remove or redact the echo "Running Command: ${CMD}" line in the run_command function to prevent logging sensitive command outputs.
Title check	⚠️ Warning	The PR title mentions CNV validation steps, but the actual changes implement LSO and ODF storage setup with catalogsource and operator installation, not CNV validation.	Update the title to accurately reflect the main changes: consider 'Extend baremetal-ove-compact-konflux with storage operator steps (LSO/ODF)' or similar to match the actual implementation.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Topology-Aware Scheduling Compatibility	⚠️ Warning	PR introduces scheduling constraints that break non-HA topologies: configure-lso requires 3 PVs (line 95), install-odf has replica: 3 (line 180), and MachineConfig targets only master nodes (line 14).	Check ControlPlaneTopology before enforcing 3 replicas/PVs; use dynamic scaling based on node count; apply MachineConfig to all nodes or use feature gates for topology-specific behavior.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR does not add any Ginkgo tests or Go test files. Files added are CI operator configuration (YAML, shell scripts, JSON metadata, OWNERS files). Check is not applicable.
Test Structure And Quality	✅ Passed	This PR contains no Ginkgo test code. It consists of CI/operator configuration files (.yaml), shell scripts (.sh), OWNERS files, and metadata JSON files. The test code quality check is not applicable.
Microshift Test Compatibility	✅ Passed	This PR contains no Ginkgo e2e tests—it only adds CI/operator infrastructure (YAML configs, bash scripts, metadata files). The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds CI operator infrastructure (YAML configs, Bash scripts) but no Ginkgo e2e tests. Check not applicable as it specifically targets new e2e test additions.
Ote Binary Stdout Contract	✅ Passed	PR contains only YAML configs, bash scripts, and OWNERS files for CI/CD pipeline setup. No OTE binary Go code is present or modified.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The check is designed for Go test files with Ginkgo patterns and is not applicable to this CI infrastructure and bash script additions.
No-Weak-Crypto	✅ Passed	No weak cryptography patterns (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom implementations, or insecure comparisons) detected in any files modified by this PR.
Container-Privileges	✅ Passed	No privileged container settings found. Searched all K8s manifests, test configs, and shell scripts added/modified in PR for privilege-escalation patterns. None present.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: orenc1
Once this PR has been reviewed and has the lgtm label, please assign pamoedom for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift-eng/agent-qe-infra/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-merge-bot]

@orenc1, pj-rehearse: unable to determine affected jobs. This could be due to a branch that needs to be rebased. ERROR:

could not determine changed registry steps: could not load step registry: workflow/agent-qe-baremetal-install-ove-disconnected-konflux: parameter "TIMEOUT" is overridden in [workflow/agent-qe-baremetal-install-ove-disconnected-konflux] but not declared in any step

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-commands.sh`:
- Around line 40-44: The early oc wait for Updating can spuriously fail; make
the first wait best-effort so it won't abort the step if the pool never enters
Updating. Modify the oc wait mcp/master --for=condition=Updating --timeout=5m
invocation (the first of the two waits) so its non-zero exit is ignored (e.g.,
run it in a subshell or append a no-op like "|| true" or otherwise catch and
ignore errors), but keep the oc wait mcp/master --for=condition=Updated
--timeout=1h (the second wait) as the real, fatal success gate.

In
`@ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh`:
- Around line 23-58: The check_marketplace invocation is being masked by "||
exit 0" which turns real failures from check_marketplace into successes; change
the call site to invoke check_marketplace directly (remove the "|| exit 0"
fallback) so a non-zero return from the check_marketplace function propagates
and fails the job (rely on set -e or standard error handling), leaving the
existing check_olm_capability || exit 0 behavior unchanged.

In
`@ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-commands.sh`:
- Around line 183-184: The oc wait against StorageCluster/ocs-storagecluster is
using a non-existent condition=Available; update the wait to check status.phase
== "Ready" instead (use oc wait with --for=jsonpath to target .status.phase) and
adjust the echo message accordingly so the script waits for the StorageCluster
to report status.phase: Ready (locate the oc wait call for
StorageCluster/ocs-storagecluster in the script).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3b039384-5160-4480-978c-53be058ef0a4

📥 Commits

Reviewing files that changed from the base of the PR and between 63ca5bb and af46cf0.

📒 Files selected for processing (19)

• ci-operator/config/openshift-eng/agent-qe-infra/openshift-eng-agent-qe-infra-release-4.21__amd64-nightly.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-chain.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-workflow.yaml

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh (1)

58-58: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Propagate check_marketplace failures instead of exiting successfully.

Line 58 still converts a real marketplace setup failure into success, which hides the root cause and defers breakage to later steps.

Suggested fix

-check_marketplace || exit 0
+check_marketplace

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh`
at line 58, The line currently swallows failures by using "check_marketplace ||
exit 0"; update the call to let errors propagate (remove the "|| exit 0" or
replace it with a non-zero exit) so that a failing check_marketplace returns
failure to the pipeline; locate the invocation of check_marketplace (the
"check_marketplace || exit 0" command) and either call it directly or use
"check_marketplace || exit 1" so the script fails fast on marketplace setup
errors.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh`:
- Line 45: The step currently calls run_command "oc version -o yaml" which
prints full cluster/version YAML (may include cluster URL/token); replace that
invocation so it only reveals safe client version info (for example call
run_command "oc version --client" or an equivalent that does not output
cluster/kubeconfig details). Update the call site where run_command is invoked
with the "oc version -o yaml" argument and ensure no other step in this script
echoes full cluster/version YAML, tokens, or kubeconfig contents.

---

Duplicate comments:
In
`@ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh`:
- Line 58: The line currently swallows failures by using "check_marketplace ||
exit 0"; update the call to let errors propagate (remove the "|| exit 0" or
replace it with a non-zero exit) so that a failing check_marketplace returns
failure to the pipeline; locate the invocation of check_marketplace (the
"check_marketplace || exit 0" command) and either call it directly or use
"check_marketplace || exit 1" so the script fails fast on marketplace setup
errors.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e02087fe-7f4b-4a52-9197-8e5ca07e339e

📥 Commits

Reviewing files that changed from the base of the PR and between af46cf0 and d10c542.

📒 Files selected for processing (19)

• ci-operator/config/openshift-eng/agent-qe-infra/openshift-eng-agent-qe-infra-release-4.21__amd64-nightly.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-chain.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-workflow.yaml

✅ Files skipped from review due to trivial changes (7)

• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-workflow.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/OWNERS

🚧 Files skipped from review as they are similar to previous changes (8)

• ci-operator/config/openshift-eng/agent-qe-infra/openshift-eng-agent-qe-infra-release-4.21__amd64-nightly.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-ref.metadata.json
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/konflux/agent-qe-baremetal-install-ove-disconnected-konflux-chain.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-ref.yaml
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/OWNERS
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/configure-lso/agent-qe-baremetal-install-ove-disconnected-configure-lso-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-odf/agent-qe-baremetal-install-ove-disconnected-install-odf-commands.sh
• ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/install-lso/agent-qe-baremetal-install-ove-disconnected-install-lso-commands.sh

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid logging full cluster/version YAML in CI output.

Line 45 prints full oc version -o yaml, which can include cluster URL/details that should not be emitted in step-registry logs.

Suggested fix

-run_command "oc version -o yaml"
+run_command "oc version --client"

As per coding guidelines: in ci-operator/step-registry/**/*-commands.sh, never echo or print passwords, tokens, API keys, cluster URLs, or kubeconfig contents.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	run_command "oc version -o yaml"
	run_command "oc version --client"

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/agent-qe/baremetal/install/ove/disconnected/create-catalogsource/agent-qe-baremetal-install-ove-disconnected-create-catalogsource-commands.sh`
at line 45, The step currently calls run_command "oc version -o yaml" which
prints full cluster/version YAML (may include cluster URL/token); replace that
invocation so it only reveals safe client version info (for example call
run_command "oc version --client" or an equivalent that does not output
cluster/kubeconfig details). Update the call site where run_command is invoked
with the "oc version -o yaml" argument and ensure no other step in this script
echoes full cluster/version YAML, tokens, or kubeconfig contents.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@orenc1: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-eng-agent-qe-infra-release-4.21-amd64-nightly-baremetal-ove-compact-konflux	N/A	periodic	Ci-operator config changed
periodic-ci-openshift-eng-agent-qe-infra-release-4.21-amd64-nightly-baremetal-ove-compact-disc-konflux	N/A	periodic	Registry content changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-merge-bot]

@orenc1: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[orenc1]

/pj-rehearse periodic-ci-openshift-eng-agent-qe-infra-release-4.21-amd64-nightly-baremetal-ove-compact-konflux

[openshift-merge-bot]

@orenc1: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[orenc1]

/pj-rehearse periodic-ci-openshift-eng-agent-qe-infra-release-4.21-amd64-nightly-baremetal-ove-compact-konflux

[openshift-merge-bot]

@orenc1: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@orenc1: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-eng-agent-qe-infra-release-4.21-amd64-nightly-baremetal-ove-compact-konflux	354035b	link	unknown	/pj-rehearse periodic-ci-openshift-eng-agent-qe-infra-release-4.21-amd64-nightly-baremetal-ove-compact-konflux

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.