OCPQE-31277: Enable MetalLB operator installation via Konflux for HyperShift agent clusters (#73131)

* Use Konflux for installing metallb

This is not available in qe-app-registry for 4.21 anymore.

* Use combined image-content-sources for hosted cluster

Some steps running against the management cluster configure
the deprecated ImageContentSourcePolicy, some configure the newer ImageDigestMirrorSet.
This commit ensures that these ICSP/IDSM are combined and used
together in the hosted cluster.

* Add MetalLB CatalogSource step for HyperShift agent clusters

Create hypershift-agent-create-metallb-catalogsource step that sets up
the Konflux-based MetalLB operator catalog on nested clusters.
Supports both connected and disconnected environments.

This step is required because the hosted cluster needs its own
CatalogSource as the MetalLB operator is installed from it.
Similarly to steps enable-qe-catalogsource and cucushift-hypershift-extended-enable-qe-catalogsource,
there is a step deploy-konflux-operator
running on the management cluster that sets up cluster pull secrets and IDMS/ICSP for Konflux.
The pull secret and IDMS/ICSP are passed when creating a hosted cluster.
This new step hypershift-agent-create-metallb-catalogsource then only configures
the catalog source (secrets and IDMS/ICSP are already set up) on the
hosted cluster.

* Update related chains and workflows

Make sure Konflux is only used for 4.21

* Remove imain from hypershift/agent and add jparrill

Author: mgencur

ci-operator/config/openshift/hypershift/openshift-hypershift-release-4.21__periodics-mce.yaml

@@ -87,9 +87,12 @@ tests:
         NUM_EXTRA_WORKERS=3
         PROVISIONING_NETWORK_PROFILE=Disabled
         REDFISH_EMULATOR_IGNORE_BOOT_DEVICE=True
+      KONFLUX_DEPLOY_CATALOG_SOURCE: "true"
+      KONFLUX_DEPLOY_OPERATORS: "true"
       LVM_OPERATOR_SUB_CHANNEL: stable-4.21
       LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource
       MCE_VERSION: "2.11"
+      METALLB_OPERATOR_SUB_SOURCE: metallb-konflux
       PACKET_METRO: dc
     workflow: hypershift-mce-agent-metal3-conformance
 - as: e2e-agent-connected-ovn-dualstack-metal-conformance
@@ -107,9 +110,12 @@ tests:
         PROVISIONING_NETWORK_PROFILE=Disabled
         REDFISH_EMULATOR_IGNORE_BOOT_DEVICE=True
       IP_STACK: v4v6
+      KONFLUX_DEPLOY_CATALOG_SOURCE: "true"
+      KONFLUX_DEPLOY_OPERATORS: "true"
       LVM_OPERATOR_SUB_CHANNEL: stable-4.21
       LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource
       MCE_VERSION: "2.11"
+      METALLB_OPERATOR_SUB_SOURCE: metallb-konflux
       PACKET_METRO: dc
     workflow: hypershift-mce-agent-metal3-conformance
 - as: e2e-agent-connected-ovn-ipv4-metal-compact-conformance
@@ -130,9 +136,12 @@ tests:
         NUM_EXTRA_WORKERS=3
         PROVISIONING_NETWORK_PROFILE=Disabled
         REDFISH_EMULATOR_IGNORE_BOOT_DEVICE=True
+      KONFLUX_DEPLOY_CATALOG_SOURCE: "true"
+      KONFLUX_DEPLOY_OPERATORS: "true"
       LVM_OPERATOR_SUB_CHANNEL: stable-4.21
       LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource
       MCE_VERSION: "2.11"
+      METALLB_OPERATOR_SUB_SOURCE: metallb-konflux
       PACKET_METRO: dc
     workflow: hypershift-mce-agent-metal3-conformance
 - as: e2e-agent-disconnected-ovn-ipv6-metal-conformance
@@ -189,9 +198,12 @@ tests:
         NUM_EXTRA_WORKERS=3
         PROVISIONING_NETWORK_PROFILE=Disabled
         REDFISH_EMULATOR_IGNORE_BOOT_DEVICE=True
+      KONFLUX_DEPLOY_CATALOG_SOURCE: "true"
+      KONFLUX_DEPLOY_OPERATORS: "true"
       LVM_OPERATOR_SUB_CHANNEL: stable-4.21
       LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource
       MCE_VERSION: "2.11"
+      METALLB_OPERATOR_SUB_SOURCE: metallb-konflux
       OADP_OPERATOR_SUB_CHANNEL: stable-1.4
       OADP_OPERATOR_SUB_SOURCE: qe-app-registry
     test:
@@ -315,9 +327,12 @@ tests:
     dependencies:
       HOSTEDCLUSTER_RELEASE_IMAGE_LATEST: release:421-latest
     env:
+      KONFLUX_DEPLOY_CATALOG_SOURCE: "true"
+      KONFLUX_DEPLOY_OPERATORS: "true"
       LVM_OPERATOR_SUB_CHANNEL: stable-4.21
       LVM_OPERATOR_SUB_SOURCE: lvm-catalogsource
       MCE_VERSION: "2.11"
+      METALLB_OPERATOR_SUB_SOURCE: metallb-konflux
       TEST_SUITE: openshift/conformance/parallel/minimal
     test:
     - ref: hypershift-mce-multi-version-test-info

ci-operator/step-registry/hypershift/agent/OWNERS

@@ -2,18 +2,18 @@ approvers:
 - csrwng
 - enxebre
 - sjenning
-- imain
 - LiangquanLi930
 - heliubj18
 - eranco74
 - avishayt
+- jparrill
 options: {}
 reviewers:
 - csrwng
 - enxebre
 - sjenning
-- imain
 - LiangquanLi930
 - heliubj18
 - eranco74
 - avishayt
+- jparrill

ci-operator/step-registry/hypershift/agent/conformance/hypershift-agent-conformance-workflow.metadata.json

@@ -5,21 +5,21 @@
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		],
 		"reviewers": [
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		]
 	}
 }

ci-operator/step-registry/hypershift/agent/create/add-worker-manual/hypershift-agent-create-add-worker-manual-ref.metadata.json

@@ -5,21 +5,21 @@
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		],
 		"reviewers": [
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		]
 	}
 }

ci-operator/step-registry/hypershift/agent/create/config-dns/hypershift-agent-create-config-dns-ref.metadata.json

@@ -5,21 +5,21 @@
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		],
 		"reviewers": [
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		]
 	}
 }

ci-operator/step-registry/hypershift/agent/create/hostedcluster/hypershift-agent-create-hostedcluster-ref.metadata.json

@@ -5,21 +5,21 @@
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		],
 		"reviewers": [
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		]
 	}
 }

ci-operator/step-registry/hypershift/agent/create/hypershift-agent-create-chain.metadata.json

@@ -5,21 +5,21 @@
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		],
 		"reviewers": [
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		]
 	}
 }

ci-operator/step-registry/hypershift/agent/create/ingress-nodeport/hypershift-agent-create-ingress-nodeport-ref.metadata.json

@@ -5,21 +5,21 @@
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		],
 		"reviewers": [
 			"csrwng",
 			"enxebre",
 			"sjenning",
-			"imain",
 			"LiangquanLi930",
 			"heliubj18",
 			"eranco74",
-			"avishayt"
+			"avishayt",
+			"jparrill"
 		]
 	}
 }

ci-operator/step-registry/hypershift/agent/create/metallb/catalogsource/OWNERS

@@ -0,0 +1 @@
+../OWNERS

ci-operator/step-registry/hypershift/agent/create/metallb/catalogsource/hypershift-agent-create-metallb-catalogsource-commands.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+set -eoux pipefail
+
+function create_marketplace_namespace () {
+    # Since OCP 4.11, the marketplace is optional. If it is not installed, we need to create the namespace manually.
+    if ! oc get ns openshift-marketplace; then
+        cat <<EOF | oc create -f -
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    security.openshift.io/scc.podSecurityLabelSync: "false"
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline
+  name: openshift-marketplace
+EOF
+    fi
+}
+
+function create_metallb_catalogsource() {
+    echo "Creating CatalogSource for metallb..."
+
+    local catalog_name="metallb-konflux"
+    local version
+
+    version=$(oc get clusterversion version -o jsonpath='{.status.desired.version}' 2>/dev/null | cut -d. -f1-2)
+    if [[ -z "${version}" ]]; then
+        echo "Could not detect cluster version"
+        return 1
+    fi
+
+    echo "Detected OpenShift version: $version"
+
+    local index_image
+    if [[ "${DISCONNECTED}" == "true" ]]; then
+        local mirror_registry_url
+        mirror_registry_url=$(cat "${SHARED_DIR}/mirror_registry_url")
+        index_image="${mirror_registry_url//5000/6003}/redhat-user-workloads/ocp-art-tenant/art-fbc:ocp__${version}__metallb-rhel9-operator"
+    else
+        index_image="quay.io/redhat-user-workloads/ocp-art-tenant/art-fbc:ocp__${version}__metallb-rhel9-operator"
+    fi
+
+    if ! oc apply -f - <<EOF
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: ${catalog_name}
+  namespace: openshift-marketplace
+spec:
+  displayName: ${catalog_name}
+  image: "${index_image}"
+  publisher: OpenShift QE
+  sourceType: grpc
+  updateStrategy:
+    registryPoll:
+      interval: 15m
+EOF
+    then
+        echo "CatalogSource apply failed for metallb"
+        return 1
+    else
+        echo "CatalogSource created for metallb"
+    fi
+
+    # Wait for catalog ready
+    echo "Waiting for CatalogSource to be ready..."
+    if ! oc wait --for=jsonpath='{.status.connectionState.lastObservedState}'=READY \
+        catalogsource "$catalog_name" -n openshift-marketplace --timeout=300s 2>/dev/null; then
+        echo "CatalogSource $catalog_name not ready within timeout"
+        return 1
+    else
+        echo "CatalogSource is ready"
+    fi
+
+    return 0
+}
+
+if [[ "${KONFLUX_DEPLOY_CATALOG_SOURCE:-false}" == "false" ]]; then
+  echo "KONFLUX_DEPLOY_CATALOG_SOURCE is set to false, skipping CatalogSource deployment"
+  exit 0
+fi
+
+if [ -f "${SHARED_DIR}/proxy-conf.sh" ] ; then
+  source "${SHARED_DIR}/proxy-conf.sh"
+fi
+
+if [ ! -f "${SHARED_DIR}/nested_kubeconfig" ]; then
+  echo "kubeconfig for nested cluster not found in ${SHARED_DIR}/nested_kubeconfig"
+  exit 1
+fi
+
+export KUBECONFIG="${SHARED_DIR}/nested_kubeconfig"
+
+create_marketplace_namespace
+create_metallb_catalogsource