Add medik8s-lib shared step to deduplicate common functions

[razo7]

Summary

Extracts shared shell functions from medik8s step-registry steps into a
reusable medik8s-lib step, following the established pattern used by
ovn-utils,
telcov10n-shared-functions,
and openshift-microshift-includes.

What changed

New step: medik8s-lib — writes shared functions to ${SHARED_DIR}/medik8s-lib.sh:

• log(), run(), set_proxy() — universal utilities
• resolve_commit_sha(), verify_fbc_image() — FBC/GitLab resolution
• wait_for_mcp_rollout(), ensure_marketplace(), wait_for_catalogsource() — cluster operations
• GitLab/Quay constants (GITLAB_API, FBC_IMAGE_REPO, etc.)

Refactored consumers:

• medik8s-catalogsource — sources lib, removes ~165 lines of duplicated code
• medik8s-operator-subscribe — sources lib, removes ~15 lines of duplicated code

Why now

• No running jobs use these steps yet (periodic configs are in open PRs), so safe to refactor
• The upcoming medik8s-disconnected-catalogsource step (Add medik8s disconnected CatalogSource step for air-gapped operator testing #79687) duplicates the same functions
• Two more disconnected jobs are planned (RHWA-1038, RHWA-1039)

Usage

Workflow configs must include medik8s-lib before other medik8s steps:

test:
- ref: medik8s-lib
- ref: medik8s-catalogsource
- ref: medik8s-operator-subscribe

Files

CREATE  ci-operator/step-registry/medik8s/lib/OWNERS
CREATE  ci-operator/step-registry/medik8s/lib/medik8s-lib-commands.sh
CREATE  ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.yaml
CREATE  ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.metadata.json
MODIFY  ci-operator/step-registry/medik8s/catalogsource/medik8s-catalogsource-commands.sh
MODIFY  ci-operator/step-registry/medik8s/operator-subscribe/medik8s-operator-subscribe-commands.sh

Jira: RHWA-836

Summary by CodeRabbit

This PR adds a reusable medik8s shared-step and refactors two medik8s steps to source it, reducing duplication in OpenShift CI step-registry configuration.

What changed (practical impact)

• New step registry entry: ci-operator/step-registry/medik8s/lib

  • Adds medik8s-lib-commands.sh which writes a shared bash library to ${SHARED_DIR}/medik8s-lib.sh at runtime.
  • Library provides: log(), run(), set_proxy(), resolve_commit_sha(), verify_fbc_image(), wait_for_mcp_rollout(), ensure_marketplace(), wait_for_catalogsource().
  • Exposes GitLab/Quay constants (e.g., GITLAB_API, FBC_IMAGE_REPO, FBC_IMAGE_PREFIX, QUAY_REPO_PATH, MCP_CONFIG_JSONPATH).
  • Includes OWNERS and reference metadata (medik8s-lib-ref.yaml, medik8s-lib-ref.metadata.json) so workflows can ref: medik8s-lib before other medik8s steps.

• Consumers refactored to source the shared library:

  • ci-operator/step-registry/medik8s/catalogsource/medik8s-catalogsource-commands.sh
    • Removed ~165 lines of duplicated helpers and constants; now expects medik8s-lib.sh to supply those functions and constants while keeping its operational flow (collect_artifacts, apply_idms, create_catalogsource, main).
  • ci-operator/step-registry/medik8s/operator-subscribe/medik8s-operator-subscribe-commands.sh
    • Removed local log()/set_proxy() duplication (~15 lines); now sources medik8s-lib.sh.

Why / risk / timing

• No currently running jobs use these steps (periodic configs still in open PRs), so this is a safe refactor that prevents upcoming duplication (notably for disconnected-catalogsource work) and supports planned disconnected jobs (RHWA-1038, RHWA-1039). Workflows must declare medik8s-lib as a prior ref to ensure availability.

Notable commit fixes and review feedback addressed

• Added shellcheck source=/dev/null directives and error guards to satisfy SC1091 and CI.
• Removed trailing newline from metadata JSON to match make registry-metadata output.
• Restored a node-level image pull diagnostic block that had been lost during extraction.
• Fixed set_proxy() to propagate failures (no longer masks errors).
• Changed verify_fbc_image() to explicitly check HTTP status so 404 triggers the fallback path while other errors fail fast.

Files of interest

• Added: ci-operator/step-registry/medik8s/lib/{OWNERS,medik8s-lib-commands.sh,medik8s-lib-ref.yaml,medik8s-lib-ref.metadata.json}
• Modified: ci-operator/step-registry/medik8s/catalogsource/medik8s-catalogsource-commands.sh
• Modified: ci-operator/step-registry/medik8s/operator-subscribe/medik8s-operator-subscribe-commands.sh

Jira: RHWA-836

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 5a477bd7-23f9-48ea-af32-3a91387de1b9

📥 Commits

Reviewing files that changed from the base of the PR and between c6f606d and 519cd92.

📒 Files selected for processing (4)

• ci-operator/step-registry/medik8s/catalogsource/medik8s-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/lib/medik8s-lib-commands.sh
• ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.metadata.json
• ci-operator/step-registry/medik8s/operator-subscribe/medik8s-operator-subscribe-commands.sh

✅ Files skipped from review due to trivial changes (1)

• ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.metadata.json

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/step-registry/medik8s/operator-subscribe/medik8s-operator-subscribe-commands.sh

---

Walkthrough

This PR extracts common medik8s helper functionality into a reusable shared library script, registers it as a CI step, and refactors two consumer scripts to source it instead of duplicating code. The library provides logging, proxy configuration, GitLab/Quay integration, MCP polling, and Kubernetes marketplace helpers that were previously inlined in individual step scripts.

Changes

Shared Library Extraction and Consumer Migration

Layer / File(s)	Summary
Shared library implementation ci-operator/step-registry/medik8s/lib/medik8s-lib-commands.sh	New script that generates ${SHARED_DIR}/medik8s-lib.sh with exported helpers: log, run, set_proxy, resolve_commit_sha, verify_fbc_image, wait_for_mcp_rollout, ensure_marketplace, and wait_for_catalogsource, plus GitLab/Quay constants and related logic.
Library step registration and ownership ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.yaml, ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.metadata.json, ci-operator/step-registry/medik8s/lib/OWNERS	Adds a CI step ref for medik8s-lib with resource requests and ordering, metadata JSON linking the ref, and OWNERS listing approvers/reviewers.
Catalogsource script migration to shared library ci-operator/step-registry/medik8s/catalogsource/medik8s-catalogsource-commands.sh	Now sources medik8s-lib.sh, keeps only runtime defaults and control flow (collect_artifacts, apply_idms, create_catalogsource, main), and removes 163 lines of in-file helper implementations now provided by the library.
Operator-subscribe script migration to shared library ci-operator/step-registry/medik8s/operator-subscribe/medik8s-operator-subscribe-commands.sh	Now sources ${SHARED_DIR}/medik8s-lib.sh, removes the local log/set_proxy implementations, and relies on library-provided helpers while retaining existing defaults and main flow.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• openshift/release#79820: Adds similar helper functions (wait_for_mcp_rollout, MCP jsonpath) in medik8s step scripts; related to extracting those helpers into a shared library here.
• openshift/release#79547: Introduces medik8s operator-subscribe step that this PR updates to source the shared library and remove local proxy/log helpers.

Suggested labels

lgtm

Suggested reviewers

• beekhof
• clobrano
• maximunited

🚥 Pre-merge checks | ✅ 14 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (14 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the primary change: introducing a shared medik8s-lib step to deduplicate common helper functions across multiple medik8s workflows.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR contains no Ginkgo tests; all changes are shell scripts and CI configuration for a shared library refactoring. Custom check for stable test names is not applicable.
Test Structure And Quality	✅ Passed	This PR contains no Ginkgo test code—only shell scripts, YAML configs, and JSON metadata for a CI/CD step registry. The custom check is not applicable.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Changes are limited to CI operator shell scripts and metadata files for medik8s shared library refactoring.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR contains no Ginkgo e2e tests—only bash scripts and CI operator manifests. The SNO compatibility check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR refactors CI bash scripts without scheduling constraints. Resources created lack affinity, nodeSelector, topologySpreadConstraints, or replica specifications.
Ote Binary Stdout Contract	✅ Passed	PR modifies CI helper shell scripts in ci-operator/step-registry, not OTE test binaries. These are workflow steps, not test binaries communicating with openshift-tests.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR; it only modifies bash scripts and CI configuration files for the medik8s step-registry.
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons detected in the PR changes.
Container-Privileges	✅ Passed	No container-level privileged settings found. Pod security labels on namespaces are policy declarations, not privilege grants.
No-Sensitive-Data-In-Logs	✅ Passed	No passwords, tokens, API keys, PII, session IDs, or sensitive credentials are exposed in logs. Only public data (commit SHAs, image paths, resource names) and standard Kubernetes paths are logged.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: razo7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• ci-operator/step-registry/medik8s/OWNERS [razo7]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ci-operator/step-registry/medik8s/lib/medik8s-lib-commands.sh`:
- Around line 60-85: The current manifest check uses curl -sSf which treats any
non-2xx as failure and triggers the fallback; change the logic to explicitly
request and inspect the HTTP status code for the manifest URL (use curl -sS -o
/dev/null -w '%{http_code}' with the same retry/connect timeouts against
"https://quay.io/v2/${QUAY_REPO_PATH}/${image_name}/manifests/${FBC_COMMIT_SHA}"),
then only run the fallback tag lookup when the returned status is 404; for any
other non-200/404 status (timeouts, 5xx, network errors) log the full error and
exit with failure so we don’t silently replace FBC_COMMIT_SHA. Ensure you update
references in this block: the manifest check, the fallback_tag logic, and the
use of FBC_COMMIT_SHA/FBC_SHA_PINNED to reflect the new status-based branching.
- Around line 25-31: The set_proxy() function currently always returns 0 even if
sourcing "${SHARED_DIR}/proxy-conf.sh" fails; change it so that after attempting
to source the file (inside the [[ -f "${SHARED_DIR}/proxy-conf.sh" ]] block) you
capture the source command's exit status and return that status (or otherwise
return non-zero) instead of unconditionally returning 0—i.e., in set_proxy()
check the result of source "${SHARED_DIR}/proxy-conf.sh" and propagate failure
(return or exit) so callers see the error.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: e030ed04-d63f-421d-8b6d-67ff3204a5a4

📥 Commits

Reviewing files that changed from the base of the PR and between 63ca5bb and c6f606d.

📒 Files selected for processing (6)

• ci-operator/step-registry/medik8s/catalogsource/medik8s-catalogsource-commands.sh
• ci-operator/step-registry/medik8s/lib/OWNERS
• ci-operator/step-registry/medik8s/lib/medik8s-lib-commands.sh
• ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.metadata.json
• ci-operator/step-registry/medik8s/lib/medik8s-lib-ref.yaml
• ci-operator/step-registry/medik8s/operator-subscribe/medik8s-operator-subscribe-commands.sh

[ugreener]

CI blocker: this source line fails step-registry-shellcheck with SC1091 because shellcheck cannot follow runtime-generated paths. Add the shellcheck directive and an error guard so a missing lib fails with an actionable message instead of a cryptic "No such file or directory".

Fix:

# shellcheck source=/dev/null
source "${SHARED_DIR}/medik8s-lib.sh" || { echo "ERROR: medik8s-lib.sh not found. Did you include medik8s-lib ref before this step?" >&2; exit 1; }

Same fix needed in medik8s-operator-subscribe-commands.sh:3.

[ugreener]

Same shellcheck CI blocker as in medik8s-catalogsource-commands.sh:3. Add # shellcheck source=/dev/null above this line and consider adding the error guard.

Fix:

# shellcheck source=/dev/null
source "${SHARED_DIR}/medik8s-lib.sh" || { echo "ERROR: medik8s-lib.sh not found. Did you include medik8s-lib ref before this step?" >&2; exit 1; }

[ugreener]

CI blocker: this file does not match the byte-for-byte output of make registry-metadata, causing the step-registry-metadata CI check to fail. Metadata JSON files in the step-registry must be generated, not hand-written.

Fix: Run make registry-metadata from the repo root and commit the regenerated file.

[ugreener]

Regression: the extraction dropped a node-level image pull diagnostic block that was present in the original wait_for_catalogsource(). When the CatalogSource fails to become READY, this block identifies whether the node can actually pull the catalog image, which is critical for diagnosing image-pull failures.

Fix: Restore the following block before run oc get mcp,node:

    local node_name
    node_name=$(oc -n openshift-marketplace get pods -l "olm.catalogSource=$CATALOG_SOURCE_NAME" \
        -o=jsonpath='{.items[0].spec.nodeName}' 2>/dev/null || true)
    if [[ -n "$node_name" ]]; then
        run oc debug "node/$node_name" -- chroot /host podman pull --authfile /var/lib/kubelet/config.json "${CATALOG_IMAGE}" || true
    fi

[razo7]

Holding this PR until #79687 is merged (then we will rebase the PR with additional fixes)
/hold

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@razo7: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@razo7: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/step-registry-shellcheck	519cd92	link	true	/test step-registry-shellcheck

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.