Skip to content

Add Konflux override snapshot generation script and slash command#2879

Open
jeff-roche wants to merge 2 commits into
openshift:release-managementfrom
jeff-roche:add-konflux-override-snapshot-tooling
Open

Add Konflux override snapshot generation script and slash command#2879
jeff-roche wants to merge 2 commits into
openshift:release-managementfrom
jeff-roche:add-konflux-override-snapshot-tooling

Conversation

@jeff-roche

@jeff-roche jeff-roche commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add hack/generate_override_snapshot_yaml.sh, which derives an override Snapshot manifest from a bundle image by pulling related image digests and git revisions.
  • Add a /lvms:konflux:create_snapshot command that drives the generate → save → apply → monitor workflow for creating and applying an override snapshot in Konflux.

Test plan

  • Ran hack/generate_override_snapshot_yaml.sh against a bundle image and confirmed the generated YAML matched the expected Snapshot structure.
  • Applied the generated snapshot to the logical-volume-manag-tenant namespace and confirmed it was created and began integration testing.

Summary by CodeRabbit

  • New Features
    • Added a command guide for creating and optionally applying LVM Operator override snapshots from a bundle image.
    • Added a utility that generates Snapshot YAML by extracting bundle metadata, image digests, and source revisions.
    • Added readiness monitoring with status reporting when applying snapshots.
    • Supports optional TopoLVM CSI component details when available.

Adds hack/generate_override_snapshot_yaml.sh to derive an override
Snapshot manifest from a bundle image (pulling related image refs and
git revisions), plus a /lvms:konflux:create_snapshot command that
drives the generate -> save -> apply -> monitor workflow end to end.
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 812c66cf-de24-499e-9225-1f0d0ea7fcf3

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • ✅ Review completed - (🔄 Check again to review again)
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jul 16, 2026
@openshift-ci
openshift-ci Bot requested review from brandisher and mmakwana30 July 16, 2026 17:46
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jeff-roche

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 16, 2026
@jeff-roche

Copy link
Copy Markdown
Contributor Author

Example Output:

apiVersion: appstudio.redhat.com/v1alpha1
kind: Snapshot
metadata:
  name: lvm-operator-4-21-1-override
  namespace: logical-volume-manag-tenant
  labels:
    test.appstudio.openshift.io/type: override
spec:
  application: lvm-operator-4-21
  components:
    - name: lvm-operator-4-21
      containerImage: quay.io/redhat-user-workloads/logical-volume-manag-tenant/lvm-operator@sha256:cefc215d0e811849dcad97d6ea3f1179c9755e04a4394cdc483b1b28570d3fe8
      source:
        git:
          url: https://github.com/openshift/lvm-operator
          revision: 47c284ae7fdc66dfe65e58e18828b1a747f6db44
    - name: lvms-must-gather-4-21
      containerImage: quay.io/redhat-user-workloads/logical-volume-manag-tenant/lvms-must-gather@sha256:760a62a1ea3c326df44c0b96bbf4f66c88204dbec42a96dba7704504c5dca4bd
      source:
        git:
          url: https://github.com/openshift/lvm-operator
          revision: 47c284ae7fdc66dfe65e58e18828b1a747f6db44
    - name: lvm-operator-bundle-4-21
      containerImage: quay.io/redhat-user-workloads/logical-volume-manag-tenant/lvm-operator-bundle@sha256:7dfe7320f96cb7b2202d434524dd7c3545bb9c53ac2671e77f97f3e250bb4e35
      source:
        git:
          url: https://github.com/openshift/lvm-operator
          revision: fb6b7833a21ad2afc2def392e2b1ffbc4edb3fa4

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
hack/generate_override_snapshot_yaml.sh (1)

202-217: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Simplify YAML generation by appending text directly instead of using yq.

Using yq to parse and append to the YAML introduces a third-party dependency that often suffers from incompatible implementations (e.g., mikefarah/yq vs kislyuk/yq). For example, running this on a system with Python yq installed will evaluate the expression but output JSON instead of YAML, breaking the manifest.

Since the appended component structure is simple and static, you can safely append it as a plain string, matching the existing indentation.

Note: If you apply this change, you can also safely remove yq from the check_dependencies list on line 45.

♻️ Proposed refactor
-		topolvm_obj=$(cat <<-EOF
-		{
-		  "name": "topolvm-${X}-${Y}",
-		  "containerImage": "${TOPOLVM_IMG}",
-		  "source": {
-		    "git": {
-		      "url": "https://github.com/openshift/topolvm",
-		      "revision": "${TOPOLVM_GIT_REF}"
-		    }
-		  }
-		}
-		EOF
-		)
-
-		output_yaml=$(echo "${output_yaml}" | yq ".spec.components += [${topolvm_obj}]")
+		output_yaml="${output_yaml}
+    - name: topolvm-${X}-${Y}
+      containerImage: ${TOPOLVM_IMG}
+      source:
+        git:
+          url: https://github.com/openshift/topolvm
+          revision: ${TOPOLVM_GIT_REF}"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/generate_override_snapshot_yaml.sh` around lines 202 - 217, Replace the
yq-based update in the topolvm_obj generation block with direct text appending
to output_yaml using the existing YAML indentation and component structure.
Preserve the generated topolvm-${X}-${Y}, TOPOLVM_IMG, and TOPOLVM_GIT_REF
values, and remove yq from the check_dependencies list since it is no longer
required.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/commands/lvms/konflux/create_snapshot.md:
- Around line 31-34: Add a final cluster-context validation immediately before
the apply and polling steps using oc whoami --show-server and oc project -q,
confirming the expected cluster and project. Ensure the background poller
inherits and uses this validated context, preventing later kubeconfig changes
from targeting or monitoring a different cluster.
- Around line 4-8: Restrict the allowed-tools entry in the create_snapshot
command so it no longer grants unrestricted Bash access. Permit only the
specific oc and snapshot-generator operations required by the workflow, or route
them through a dedicated script and allow that script instead; preserve the
existing Read and AskUserQuestion permissions.

In `@hack/generate_override_snapshot_yaml.sh`:
- Around line 57-66: Quote the image_ref expansions in get_image_sha, and
replace the echo-wrapped command substitution in get_image_git_ref with the
direct skopeo-to-jq pipeline. In hack/generate_override_snapshot_yaml.sh lines
126-132, quote the docker image argument and bundle_image passed to
get_image_git_ref; in lines 148-150, quote each command substitution passed to
get_image_sha.
- Line 16: Replace the predictable TEMP_DIR construction with a directory
created atomically via mktemp, preserving the existing temporary-directory usage
and ensuring cleanup continues to target the created path.

---

Nitpick comments:
In `@hack/generate_override_snapshot_yaml.sh`:
- Around line 202-217: Replace the yq-based update in the topolvm_obj generation
block with direct text appending to output_yaml using the existing YAML
indentation and component structure. Preserve the generated topolvm-${X}-${Y},
TOPOLVM_IMG, and TOPOLVM_GIT_REF values, and remove yq from the
check_dependencies list since it is no longer required.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9390a82b-aa9c-43bd-9d68-5606c7199762

📥 Commits

Reviewing files that changed from the base of the PR and between 38cb5f2 and b31099e.

📒 Files selected for processing (2)
  • .claude/commands/lvms/konflux/create_snapshot.md
  • hack/generate_override_snapshot_yaml.sh

Comment thread .claude/commands/lvms/konflux/create_snapshot.md
Comment thread .claude/commands/lvms/konflux/create_snapshot.md Outdated
Comment thread hack/generate_override_snapshot_yaml.sh Outdated
Comment thread hack/generate_override_snapshot_yaml.sh
- Use mktemp for the script's temp directory instead of a predictable
  path, and quote command substitutions/variable expansions to avoid
  word splitting and glob expansion.
- Drop the yq dependency by appending the topolvm component as plain
  YAML text instead of merging JSON into the document.
- Restrict the slash command's allowed-tools to the specific oc/script
  invocations it needs, and validate the oc cluster context right
  before applying and polling the snapshot.

Assisted-by: Claude <noreply@anthropic.com>
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@jeff-roche: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant