OCPBUGS-79591: Update FBCs v4.12-v4.22 with v1.3.4 prod bundle

[alebedev87]

Summary

• Add the v1.3.4 release to all FBC catalog templates (v4.12-v4.22) with the bundle entry in stable-v1 and stable-v1.3 channels
• Regenerate the catalogs with OCP_VERSION=4.x make generate-catalog

[openshift-ci-robot]

@alebedev87: This pull request references Jira Issue OCPBUGS-79591, which is invalid:

• expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is MODIFIED instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

• Add the v1.3.4 release to all FBC catalog templates (v4.12-v4.22) with the bundle entry in stable-v1 and stable-v1.3 channels
• Regenerate the catalogs with OCP_VERSION=4.x make generate-catalog

Test plan

• Verify the generated catalog.yaml files contain the v1.3.4 bundle entry
• Verify the upgrade path from v1.3.3 to v1.3.4 is correct in both stable-v1 and stable-v1.3 channels

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds support for external-dns-operator.v1.3.4 across all OpenShift catalog versions (v4.12 through v4.22). For each catalog version, the changes include: adding new OLM package entries in both the stable-v1 and stable-v1.3 channels with replaces: external-dns-operator.v1.3.3 and skipRange: <1.3.4, and introducing corresponding OLM bundle definitions with updated image digests and metadata. Template files receive incremental updates, while catalog files receive comprehensive updates including full bundle object definitions, CSV metadata, and related image listings.

Suggested reviewers

• davidesalerno
• melvinjoseph86

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	PR is primarily YAML catalog updates for v1.3.4. Ginkgo test files were modified, but check scope unclear: are tests auto-generated?	Confirm if test files are auto-generated during catalog regeneration. If manual: webhook_test.go has cleanup issues (Create without Delete). If auto-generated: skip test quality assessment.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: updating FBC catalogs v4.12-v4.22 with the v1.3.4 external-dns-operator bundle, matching all file changes in the changeset.
Description check	✅ Passed	The description directly relates to the changeset by explaining the addition of v1.3.4 release to FBC catalog templates and the regeneration process, which aligns with the actual file modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	The PR modifies only YAML OLM catalog files (v4.12-v4.22), not test files. The custom check applies to Ginkgo test names and is not applicable to catalog metadata files.
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. All changes are YAML catalog configuration files. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only modifies OLM catalog YAML files (catalog-template.yaml and catalog.yaml for v4.12-v4.22). No new Ginkgo e2e tests are added, so SNO test compatibility check does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	PR updates OLM catalog metadata files only. No deployment manifests, operator code, or scheduling constraints are added or modified. Not applicable.
Ote Binary Stdout Contract	✅ Passed	OTE Binary Stdout Contract check is not applicable. This PR modifies only OLM catalog YAML files and configuration, not OTE test binaries or code interfacing with openshift-tests.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	Custom check is not applicable. This PR modifies only OLM catalog YAML files to add external-dns-operator v1.3.4 releases across versions 4.12-4.22. No Ginkgo e2e tests are added.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@catalog/v4.15/catalog.yaml`:
- Around line 871-876: The RBAC in the generated bundle is wrong: update the
source role definitions/markers for the ClusterRoles named externaldns-editor
and externaldns-viewer so they use apiGroup "externaldns.olm.openshift.io" (not
"operator.openshift.io") and reference the plural resource name "externaldnses"
(not singular "externaldns"), then re-run your bundle/catalog generation to
produce new base64-encoded olm.bundle.object entries rather than hand-editing
the data; look for the ClusterRole/marker declarations that produce
externaldns-editor and externaldns-viewer to make these fixes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0acbf225-a46b-4628-815c-b603e84c0c84

📥 Commits

Reviewing files that changed from the base of the PR and between 58997fc and defe518.

📒 Files selected for processing (22)

• catalog/v4.12/catalog-template.yaml
• catalog/v4.12/catalog.yaml
• catalog/v4.13/catalog-template.yaml
• catalog/v4.13/catalog.yaml
• catalog/v4.14/catalog-template.yaml
• catalog/v4.14/catalog.yaml
• catalog/v4.15/catalog-template.yaml
• catalog/v4.15/catalog.yaml
• catalog/v4.16/catalog-template.yaml
• catalog/v4.16/catalog.yaml
• catalog/v4.17/catalog-template.yaml
• catalog/v4.17/catalog.yaml
• catalog/v4.18/catalog-template.yaml
• catalog/v4.18/catalog.yaml
• catalog/v4.19/catalog-template.yaml
• catalog/v4.19/catalog.yaml
• catalog/v4.20/catalog-template.yaml
• catalog/v4.20/catalog.yaml
• catalog/v4.21/catalog-template.yaml
• catalog/v4.21/catalog.yaml
• catalog/v4.22/catalog-template.yaml
• catalog/v4.22/catalog.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python - <<'PY'
from pathlib import Path
import re, base64, json

text = Path("catalog/v4.15/catalog.yaml").read_text()

for m in re.finditer(r'data:\s*([A-Za-z0-9+/=]+)', text):
    payload = m.group(1)
    obj = json.loads(base64.b64decode(payload).decode())
    if obj.get("kind") == "ClusterRole" and obj.get("metadata", {}).get("name") in {"externaldns-editor", "externaldns-viewer"}:
        print(f'\n{obj["metadata"]["name"]}')
        for rule in obj.get("rules", []):
            print("  apiGroups:", rule.get("apiGroups"))
            print("  resources:", rule.get("resources"))

print("\nExpected for both roles:")
print("  apiGroups: ['externaldns.olm.openshift.io']")
print("  resources: ['externaldnses'] / ['externaldnses/status']")
PY

Repository: openshift/external-dns-operator

Length of output: 239

---

🏁 Script executed:

#!/bin/bash
python3 - <<'PY'
from pathlib import Path
import re, base64, json, gzip

text = Path("catalog/v4.15/catalog.yaml").read_text()

for m in re.finditer(r'data:\s*([A-Za-z0-9+/=]+)', text):
    payload = m.group(1)
    try:
        # Decompress gzip first, then decode JSON
        compressed = base64.b64decode(payload)
        decompressed = gzip.decompress(compressed)
        obj = json.loads(decompressed.decode())
        
        if obj.get("kind") == "ClusterRole" and obj.get("metadata", {}).get("name") in {"externaldns-editor", "externaldns-viewer"}:
            print(f'\n{obj["metadata"]["name"]}')
            for rule in obj.get("rules", []):
                print("  apiGroups:", rule.get("apiGroups"))
                print("  resources:", rule.get("resources"))
    except gzip.BadGzipFile:
        # If not gzip, try direct JSON decode
        try:
            obj = json.loads(base64.b64decode(payload).decode())
            if obj.get("kind") == "ClusterRole" and obj.get("metadata", {}).get("name") in {"externaldns-editor", "externaldns-viewer"}:
                print(f'\n{obj["metadata"]["name"]}')
                for rule in obj.get("rules", []):
                    print("  apiGroups:", rule.get("apiGroups"))
                    print("  resources:", rule.get("resources"))
        except:
            pass

print("\nExpected for both roles:")
print("  apiGroups: ['externaldns.olm.openshift.io']")
print("  resources: ['externaldnses'] / ['externaldnses/status']")
PY

Repository: openshift/external-dns-operator

Length of output: 4285

---

The generated editor/viewer roles have mismatched RBAC configurations.

The externaldns-editor role uses the correct apiGroup (externaldns.olm.openshift.io) but targets the singular resource externaldns instead of the plural externaldnses. The externaldns-viewer role has two errors: it targets the wrong apiGroup (operator.openshift.io instead of externaldns.olm.openshift.io) and also uses the singular externaldns instead of externaldnses. These misconfigurations prevent the aggregate roles from granting proper access to ExternalDNS objects. Fix the source RBAC definitions/markers and regenerate the bundle/catalog rather than hand-patching the base64.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@catalog/v4.15/catalog.yaml` around lines 871 - 876, The RBAC in the generated
bundle is wrong: update the source role definitions/markers for the ClusterRoles
named externaldns-editor and externaldns-viewer so they use apiGroup
"externaldns.olm.openshift.io" (not "operator.openshift.io") and reference the
plural resource name "externaldnses" (not singular "externaldns"), then re-run
your bundle/catalog generation to produce new base64-encoded olm.bundle.object
entries rather than hand-editing the data; look for the ClusterRole/marker
declarations that produce externaldns-editor and externaldns-viewer to make
these fixes.

[melvinjoseph86]

/lgtm

[openshift-ci]

@alebedev87: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[grzpiotrowski]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grzpiotrowski

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [grzpiotrowski]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[grzpiotrowski]

/jira refresh

[openshift-ci-robot]

@grzpiotrowski: This pull request references Jira Issue OCPBUGS-79591, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@alebedev87: Jira Issue OCPBUGS-79591: All pull requests linked via external trackers have merged:

• openshift/external-dns#151
• openshift/external-dns#152
• openshift/external-dns-operator#417
• openshift/external-dns-operator#420
• openshift/external-dns-operator#422
• openshift/external-dns#163
• openshift/external-dns-operator#436
• openshift/external-dns-operator#442
• openshift/external-dns-operator#441
• openshift/external-dns-operator#453

Jira Issue OCPBUGS-79591 has been moved to the MODIFIED state.

Details

In response to this:

Summary

• Add the v1.3.4 release to all FBC catalog templates (v4.12-v4.22) with the bundle entry in stable-v1 and stable-v1.3 channels
• Regenerate the catalogs with OCP_VERSION=4.x make generate-catalog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.