HIVE-2862: Build containers without python deps

[suhanime]

This change allows building the container images without the python dependencies that are getting harder to get by.

As a part of this change, version2.py is faithfully converted to a shell script of the same name.

Co-authored-by: Antoni Segura Puimedon antoni@redhat.com
Co-authored-by: Mark Old mold@redhat.com

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Chores
  • Removed Python 3 bootstrap/install steps from the build environment.
  • Replaced the Python-based version generator with a new shell-script implementation, preserving version output format.
  • Switched build targets to invoke the new shell-based version resolver and added a yq requirement for template generation.
  • Replaced the Python saas-template generator with a shell-based generator and updated template comments.

[openshift-ci-robot]

@suhanime: This pull request references HIVE-2862 which is a valid jira issue.

Details

In response to this:

This change allows building the container images without the python dependencies that are getting harder to get by.

As a part of this change, version2.py is faithfully converted to a shell script of the same name.

Co-authored-by: Antoni Segura Puimedon antoni@redhat.com
Co-authored-by: Mark Old mold@redhat.com

Assisted-by: Claude Sonnet 4.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Replaced Python-based utilities with Bash equivalents: removed hack/version2.py and hack/app-sre/generate-saas-template.py, added hack/version2.sh and hack/app-sre/generate-saas-template.sh, removed python3/ensurepip from Docker and boot dependency scripts, and updated Makefile to call the new shell scripts and require yq.

Changes

Cohort / File(s)	Summary
Docker / build deps Dockerfile, hack/ubi-build-deps.sh	Removed Python/ensurepip bootstrap steps; python3 removed from dnf install in hack/ubi-build-deps.sh. Remaining build/setup steps unchanged.
Makefile Makefile	Replaced Python-based SOURCE_GIT_TAG pipeline with hack/version2.sh; build-app-sre-template now depends on ensure-yq and invokes hack/app-sre/generate-saas-template.sh prefixed by YQ=$(YQ).
Versioning scripts hack/version2.py, hack/version2.sh	Deleted Python hack/version2.py; added hack/version2.sh implementing Git-aware version construction (branch prefix detection, branch validation, commit resolution/counting, outputs v{PREFIX}.{COUNT}-{shortsha}).
App-SRE template generator hack/app-sre/generate-saas-template.py, hack/app-sre/generate-saas-template.sh, hack/app-sre/saas-template-stub.yaml	Removed Python generator; added shell generate-saas-template.sh that validates inputs, counts objects via yq, merges objects into the template stub, and writes out_file; updated stub comments to reference the new shell script.

Sequence Diagram(s)

sequenceDiagram
    participant Makefile
    participant VersionScript as hack/version2.sh
    participant GitRepo as Git
    participant YQ as yq
    participant TemplateScript as hack/app-sre/generate-saas-template.sh
    participant Build as Docker/Build

    Makefile->>VersionScript: compute SOURCE_GIT_TAG
    VersionScript->>GitRepo: resolve COMMIT, BRANCH, COMMIT_COUNT, short SHA
    VersionScript-->>Makefile: return version string
    Makefile->>TemplateScript: invoke (YQ=$(YQ)) to build saas template
    TemplateScript->>YQ: count & extract objects from saas_object_file
    TemplateScript->>TemplateScript: merge objects into template stub, write out_file
    Makefile->>Build: pass SOURCE_GIT_TAG into build
    Build-->>Makefile: produce artifacts

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

"A rabbit hopped through the build and bash,
swapped Python seedlings for a shell-made stash.
I counted commits and shaped a tag,
stitched YAML petals from a small brown bag.
Hooray for simpler hops and a lighter cache!" 🐇

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the primary change: removing Python dependencies from the container build process.
Docstring Coverage	✅ Passed	Docstring coverage is 83.33% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@suhanime: This pull request references HIVE-2862 which is a valid jira issue.

Details

In response to this:

This change allows building the container images without the python dependencies that are getting harder to get by.

As a part of this change, version2.py is faithfully converted to a shell script of the same name.

Co-authored-by: Antoni Segura Puimedon antoni@redhat.com
Co-authored-by: Mark Old mold@redhat.com

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Chores
• Removed Python 3 dependency from build process, including ensurepip bootstrap steps and Python package installations.
• Migrated version generation logic from Python to shell script implementation, reducing external dependencies while maintaining version computation functionality.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

hack/version2.sh (1)

29-44: Consider adding level prefix to log messages.

The log function accepts a level parameter but doesn't include it in the output. This makes it harder to distinguish debug, info, warning, and fatal messages when reading logs.

♻️ Optional: Add level prefix to log output

 log() {
     local level="$1"
     shift
     local message="$*"
 
     if [[ "$MODE" == "standalone" ]]; then
-        echo "$message" >&2
+        echo "[$level] $message" >&2
     else
-        echo "$message"
+        echo "[$level] $message"
     fi
 
     if [[ "$level" == "fatal" ]]; then
         exit 1
     fi
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/version2.sh` around lines 29 - 44, The log function currently accepts a
level parameter but prints only the message; update the log() function to prefix
printed output with the level (e.g., "[level] message") so callers can
distinguish debug/info/warn/fatal; preserve existing MODE logic (when
MODE=="standalone" write to stderr, otherwise stdout) and keep the exit behavior
when level == "fatal". Ensure you modify the log() implementation (references:
function name log, parameter level, variable MODE) to build and echo the
prefixed string rather than echoing just "$message".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/version2.sh`:
- Around line 291-294: The version_string() function currently echoes
"v$(semver)" which duplicates the 'v' because the Makefile's SOURCE_GIT_TAG :=
v$(shell hack/version2.sh) also prepends a 'v'; fix by removing the leading 'v'
from version_string() so it echoes "$(semver)" (leave semver() behavior
unchanged), or alternatively remove the extra 'v' in the Makefile assignment to
avoid producing "vv..."—preferably update version_string() to return the raw
semver value to keep tag formatting centralized.

In `@Makefile`:
- Around line 83-85: SOURCE_GIT_TAG is being set to v$(shell hack/version2.sh)
which causes a double "v" when version_string() already emits a leading "v"; fix
by ensuring only one source of the "v" prefix: either remove the hardcoded "v"
in SOURCE_GIT_TAG or (preferred) change version_string() in hack/version2.sh to
return the version without a leading "v" so SOURCE_GIT_TAG remains v<version>.
Update the version_string() implementation accordingly and keep SOURCE_GIT_TAG
as-is to preserve the existing Makefile pattern.

---

Nitpick comments:
In `@hack/version2.sh`:
- Around line 29-44: The log function currently accepts a level parameter but
prints only the message; update the log() function to prefix printed output with
the level (e.g., "[level] message") so callers can distinguish
debug/info/warn/fatal; preserve existing MODE logic (when MODE=="standalone"
write to stderr, otherwise stdout) and keep the exit behavior when level ==
"fatal". Ensure you modify the log() implementation (references: function name
log, parameter level, variable MODE) to build and echo the prefixed string
rather than echoing just "$message".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d1df7309-73af-414c-9abb-ca8841a1c1a4

📥 Commits

Reviewing files that changed from the base of the PR and between a5d0850 and 1bccef7.

📒 Files selected for processing (5)

• Dockerfile
• Makefile
• hack/ubi-build-deps.sh
• hack/version2.py
• hack/version2.sh

💤 Files with no reviewable changes (2)

• Dockerfile
• hack/version2.py

[openshift-ci-robot]

@suhanime: This pull request references HIVE-2862 which is a valid jira issue.

Details

In response to this:

This change allows building the container images without the python dependencies that are getting harder to get by.

As a part of this change, version2.py is faithfully converted to a shell script of the same name.

Co-authored-by: Antoni Segura Puimedon antoni@redhat.com
Co-authored-by: Mark Old mold@redhat.com

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Chores
• Removed Python 3 and its bootstrap/install steps from the build/install sequence.
• Replaced the Python-based version generation with a shell-script implementation, preserving version output format.
• Updated build invocation to use the new shell-based version resolver while keeping other build behavior unchanged.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@suhanime: This pull request references HIVE-2862 which is a valid jira issue.

Details

In response to this:

This change allows building the container images without the python dependencies that are getting harder to get by.

As a part of this change, version2.py is faithfully converted to a shell script of the same name.

Co-authored-by: Antoni Segura Puimedon antoni@redhat.com
Co-authored-by: Mark Old mold@redhat.com

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Chores
• Removed Python 3 bootstrap/install steps from the build environment.
• Replaced the Python-based version generator with a new shell-script implementation, preserving version output format.
• Switched build targets to invoke the new shell-based version resolver.
• Replaced the Python saas-template generator with a shell-based generator and updated the saas template comments.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hack/app-sre/generate-saas-template.sh`:
- Around line 23-33: Move the help-flag detection to run before the strict
arg-count validation and match only exact help flags (e.g., "-h" or "--help")
instead of the broad pattern "*-h*"; in practice, run the existing for-loop that
calls usage and exits prior to the `if [ $# -ne 3 ]; then ...` block and update
the condition to test exact equality (for example `[[ "$arg" == "-h" || "$arg"
== "--help" ]]`) so legitimate file paths containing "-h" are not treated as
help requests.

In `@hack/version2.sh`:
- Around line 35-39: The log() implementation currently writes to stdout when
MODE="library", which contaminates command-substitution outputs; update the
branch that handles MODE="library" so it writes logs to stderr instead (use the
same stderr redirection used for the standalone branch), ensuring all calls to
log() (and any helper that echoes messages) do not emit to stdout and thus won't
corrupt function return values like branch/commit resolution.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0264e957-fb96-4366-8fda-a6b1e18ceb73

📥 Commits

Reviewing files that changed from the base of the PR and between 9b27aa8 and ff45756.

📒 Files selected for processing (8)

• Dockerfile
• Makefile
• hack/app-sre/generate-saas-template.py
• hack/app-sre/generate-saas-template.sh
• hack/app-sre/saas-template-stub.yaml
• hack/ubi-build-deps.sh
• hack/version2.py
• hack/version2.sh

💤 Files with no reviewable changes (3)

• Dockerfile
• hack/version2.py
• hack/app-sre/generate-saas-template.py

✅ Files skipped from review due to trivial changes (1)

• hack/app-sre/saas-template-stub.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• Makefile
• hack/ubi-build-deps.sh

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Help flag detection is too broad and can reject valid file paths.

The check on Line 29 (*-h*) matches any argument containing -h, so legitimate paths can trigger help mode. Please match only exact help flags and handle help before strict arg-count validation.

💡 Suggested fix

-# Check for help flag or incorrect number of arguments
-if [ $# -ne 3 ]; then
-    usage
-    exit 1
-fi
-
-for arg in "$@"; do
-    if [[ "$arg" == *"-h"* ]]; then
-        usage
-        exit 1
-    fi
-done
+# Check for help flag first
+if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
+    usage
+    exit 0
+fi
+
+# Validate argument count
+if [ $# -ne 3 ]; then
+    usage
+    exit 1
+fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/app-sre/generate-saas-template.sh` around lines 23 - 33, Move the
help-flag detection to run before the strict arg-count validation and match only
exact help flags (e.g., "-h" or "--help") instead of the broad pattern "*-h*";
in practice, run the existing for-loop that calls usage and exits prior to the
`if [ $# -ne 3 ]; then ...` block and update the condition to test exact
equality (for example `[[ "$arg" == "-h" || "$arg" == "--help" ]]`) so
legitimate file paths containing "-h" are not treated as help requests.

[2uasimojo]

The rabbit isn't wrong here. Right now this will work... but only because none of the paths we're actually passing in have -h as a substring. If some day one of the files is renamed to something like saas-template-for-hive it'll blow up and it'll be pretty hard to figure out why.

That said, I see where this is a faithful port of the same mistake from the python script. If you'd like to argue that this PR should be limited to an exact port and we'll fix things like this later, I can buy it.

[coderabbitai]

@2uasimojo, agreed on the risk — a path like saas-template-for-hive or anything with -h as a substring would silently trigger help mode and exit 1, which would be genuinely confusing to debug.

Given that the fix is already outlined and amounts to just a few lines (move the check, tighten the pattern, and flip the help-exit to exit 0), fixing it in this PR seems like the lower-friction path rather than carrying forward a known footgun. But ultimately that's the author's call!

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Library-mode logging can corrupt function return values.

When MODE="library", log() writes to stdout, but multiple helpers also return data via stdout and are used in command substitutions. This can contaminate parsed values (e.g., branch commit resolution) and cause incorrect behavior when sourced as a library.

💡 Suggested fix

-    if [[ "$MODE" == "standalone" ]]; then
-        echo "$message" >&2
-    else
-        echo "$message"
-    fi
+    echo "$message" >&2

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [[ "$MODE" == "standalone" ]]; then
	echo "$message" >&2
	else
	echo "$message"
	fi
	echo "$message" >&2

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hack/version2.sh` around lines 35 - 39, The log() implementation currently
writes to stdout when MODE="library", which contaminates command-substitution
outputs; update the branch that handles MODE="library" so it writes logs to
stderr instead (use the same stderr redirection used for the standalone branch),
ensuring all calls to log() (and any helper that echoes messages) do not emit to
stdout and thus won't corrupt function return values like branch/commit
resolution.

[openshift-ci-robot]

@suhanime: This pull request references HIVE-2862 which is a valid jira issue.

Details

In response to this:

This change allows building the container images without the python dependencies that are getting harder to get by.

As a part of this change, version2.py is faithfully converted to a shell script of the same name.

Co-authored-by: Antoni Segura Puimedon antoni@redhat.com
Co-authored-by: Mark Old mold@redhat.com

Assisted-by: Claude Sonnet 4.5

Summary by CodeRabbit

• Chores
• Removed Python 3 bootstrap/install steps from the build environment.
• Replaced the Python-based version generator with a new shell-script implementation, preserving version output format.
• Switched build targets to invoke the new shell-based version resolver and added a yq requirement for template generation.
• Replaced the Python saas-template generator with a shell-based generator and updated template comments.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[suhanime]

Note for the reviewer: Please hide whitespaces when reviewing. yq vs yaml has ended up in the following changes from what I can tell

• comments from the script are preserved now
• entries are more deterministic because yq preserves order
• added indentation at a few place that - specifically for description field
• string entries are interpreted better and are more readable now

[2uasimojo]

Cool. Here's how I reviewed this:

Changes to description fields are not significantly functional, so after I glanced through several pages to validate that the changes weren't crazy-looking, I removed all description fields from both copies (yq-v4.47.1 -i 'del(.. | .description?)' $file)

The remaining delta comprised:

• New version has comments at the top. You mentioned this... but they're not comments from the script -- they're the comments that originated in the input template file. Adding | .. comments="" eliminates, uhh, the first comment block but not the second?? But that ends up making the result make more sense.
• String values are double- rather than single-quoted where quotes are required; and not quoted at all where not required. This is fine.
• The parameters: section stays at the top in the new version, vs being shoved to the bottom in the old. This is goodness 👍

So nit/followup, add that comment scrubber.

[2uasimojo]

/lgtm

A few small issues noted inline, but I'm happy to see them addressed in a fup.

Note that this still isn't producing the version string we want:

efried@efried-thinkpadp16vgen1:~/go/src/github.com/openshift/hive$ podman run quay.io/redhat-user-workloads/crt-redhat-acm-tenant/hive-operator/hive:on-pr-aebbfa253c77130b2b5305e632df14a6929b64ef
time="2026-03-20T23:02:12.13Z" level=info msg="Enabling pprof" pprof_host_port="localhost:6060"
time="2026-03-20T23:02:12.13Z" level=info msg="Version: openshift/hive "   <==== L@@K
time="2026-03-20T23:02:12.13Z" level=fatal msg="invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable"

...which may or may not resolve when this is built on-push. If not, we'll still have something to tackle via HIVE-3045.

[2uasimojo]

The rabbit isn't wrong here. Right now this will work... but only because none of the paths we're actually passing in have -h as a substring. If some day one of the files is renamed to something like saas-template-for-hive it'll blow up and it'll be pretty hard to figure out why.

That said, I see where this is a faithful port of the same mistake from the python script. If you'd like to argue that this PR should be limited to an exact port and we'll fix things like this later, I can buy it.

[2uasimojo]

So yeah, I'm not going to bother reviewing this thoroughly. I did test it against version2.py for three scenarios:

• master
• mce-2.8
• an uncommitted branch

...and it produces the same output, so I'm gonna call it good.

Very soon, I want to simplify it so it only operates on master and uncommitted, which should make it a much smaller thing.

[2uasimojo]

Cool. Here's how I reviewed this:

Changes to description fields are not significantly functional, so after I glanced through several pages to validate that the changes weren't crazy-looking, I removed all description fields from both copies (yq-v4.47.1 -i 'del(.. | .description?)' $file)

The remaining delta comprised:

• New version has comments at the top. You mentioned this... but they're not comments from the script -- they're the comments that originated in the input template file. Adding | .. comments="" eliminates, uhh, the first comment block but not the second?? But that ends up making the result make more sense.
• String values are double- rather than single-quoted where quotes are required; and not quoted at all where not required. This is fine.
• The parameters: section stays at the top in the new version, vs being shoved to the bottom in the old. This is goodness 👍

So nit/followup, add that comment scrubber.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 2uasimojo, suhanime

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [2uasimojo,suhanime]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

@suhanime: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/security	aebbfa2	link	unknown	/test security

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.