Epic Goal

Replace deprecated Operator SDK commands in the sandboxed-containers-operator bundle generation workflow with supported alternatives before March 2026 GA, ensuring continued ability to update and release operator bundles.

Why is this important?

• Operator SDK CLI is being deprecated in OpenShift 4.16 and will stop shipping after OpenShift 4.18
• Support for Operator SDK ends after the 3-year lifecycle of OpenShift 4.18 (well before March 2026 GA)
• The make bundle workflow uses 3 operator-sdk commands that must be replaced:
  __ operator-sdk generate kustomize manifests -q - Generates kustomize manifest files
  __ operator-sdk generate bundle - Generates bundle metadata, annotations, and Dockerfile
  __ operator-sdk bundle validate - Validates bundle structure and metadata
• Bundle generation is required for every component update - 7 components trigger bundle regeneration via automated nudges
• Without working bundle generation, the entire release pipeline stops (cannot update any of 8 OSC components)
• Konflux builds require pre-generated bundle files committed to git - if we cannot generate them, we cannot build releases

CRITICAL DEADLINE: January 2026 (2 months before GA for stabilization)

Current Build Architecture

Developer/Automation Workflow:

• Component update triggers nudge PR on sandboxed-containers-operator repo
• Developer/automation runs make bundle locally (uses operator-sdk commands)
• Generated bundle/ directory and bundle.Dockerfile committed to konflux-osc-operator-bundle branch
• Commit to konflux branch triggers Konflux build

Konflux Build Process:

• Clones konflux-osc-operator-bundle branch (NOT main/devel)
• Uses simple bundle.Dockerfile (FROM scratch) to copy pre-generated files
• Packages bundle/ directory into multi-arch image (x86_64, s390x)
• Runs security scans and compliance checks
• Publishes to quay.io/redhat-user-workloads/ose-osc-tenant/osc-operator-bundle

Key Insight: Konflux does NOT run operator-sdk - it only packages pre-generated files. The operator-sdk dependency is in the local developer workflow for generating those files.

Problem: Operator SDK deprecation breaks step 2 of developer workflow - cannot generate bundle files anymore, which blocks the entire release pipeline.

Scope

In Scope:

• Replace operator-sdk generate kustomize manifests with kustomize commands
• Replace operator-sdk generate bundle with alternative tooling (OPM, scripts, etc.)
• Replace operator-sdk bundle validate with OPM validation
• Update Makefile bundle target
• Ensure generated bundle files are byte-identical to current process
• Verify automated nudge workflow continues working
• Update developer documentation (DEVELOPMENT.md)

Out of Scope:

• Trustee-operator migration (separate epic)
• Konflux pipeline modifications (bundle build already works - just needs pre-generated files)
• Runtime behavior changes to the operator itself
• Changes to operator functionality or CRDs

Acceptance Criteria

The Epic is complete when:

Bundle Generation Workflow

• All operator-sdk commands in Makefile replaced with kustomize/OPM equivalents
• make bundle produces byte-identical manifests to current process
• Local developer workflow functions correctly without operator-sdk
• Bundle metadata generation preserves all current fields (channels, version, labels, annotations)

Automated Systems

• Nudge PRs from all 7 components trigger correct bundle regeneration
• Bundle files can be committed to konflux-osc-operator-bundle branch
• Konflux builds succeed with newly generated bundle files
• End-to-end flow verified: component change → bundle regeneration → bundle nudge → catalog nudge

Validation

• Bundle validation produces same results as current operator-sdk validation
• All existing bundle quality checks still pass
• OPM validation catches same issues as operator-sdk

Integration Testing

• Generated bundles deploy successfully to test clusters
• All OSC functionality tests pass with new bundle generation process
• Peer-pods features work correctly
• Integration with all 8 components verified

Documentation & Cleanup

• DEVELOPMENT.md reflects new bundle generation process
• Bundle generation scripts updated (if any automation exists)
• Rollback procedure documented
• Team trained on new workflow

Test Considerations

Pre-migration Testing:

• Capture baseline: current bundle manifests, validation output
• Document current operator-sdk command behavior for comparison
• Archive working make bundle output for diff comparison

Migration Testing:

• Byte-for-byte diff of generated bundles (old vs new process)
• Verify all metadata fields are preserved
• Test image reference substitution for all 7 component images
• Validate kustomize overlays work correctly
• Test on developer workstations (not just CI)

Integration Testing:

• Test full nudge cycle in development environment
• Verify bundle regeneration after component updates
• Confirm Konflux builds work with newly generated bundle files
• Bundle deployment to test cluster
• End-to-end: component change → bundle update → catalog update

Regression Testing:

• All OSC e2e test suites
• Peer-pods functionality
• GPU workloads
• Multi-component interactions
• Upgrade scenarios

Performance Testing:

• Bundle generation time comparison
• Developer workflow efficiency
• No significant degradation acceptable

Dependencies

_ _Blocks:* Trustee-operator SDK migration (Epic 2)
_ _Requires:* Kustomize, OPM tooling available locally and in any automation
_ _Impacts:* 7 components that trigger bundle nudges (osc-operator, osc-monitor, osc-caa, osc-caa-webhook, osc-podvm-builder, osc-podvm-payload, osc-operator-bundle), plus osc-test-fbc catalog

Risk Assessment

High Risk:

• Breaking bundle generation would block ALL component releases
• Automated nudge system relies on ability to regenerate bundles
• Timeline is tight (3 months to complete before stabilization)
• Developer workflow disruption during transition

Mitigation:

• Validate new process generates identical output before switching
• Maintain parallel capability during transition
• Document rollback procedure before production cutover
• Test with real nudge PRs in development environment
• Conduct spikes early to reduce implementation risk

Additional Context

Total Story Points: 35 (2 spikes + 12 stories)
Timeline: 3 months (Oct-Dec 2025)
Team: Platform Engineering, QE
Key Repository: sandboxed-containers-operator
Build Branch: konflux-osc-operator-bundle (where bundle files are committed - separate from main/devel)

Component Breakdown:

• 7 components trigger bundle nudges: osc-operator, osc-monitor, osc-caa, osc-caa-webhook, osc-podvm-builder, osc-podvm-payload, osc-operator-bundle
• 1 component does not trigger nudges: osc-must-gather
• 1 catalog consumes bundle: osc-test-fbc

operator-sdk Commands to Replace:

operator-sdk generate kustomize manifests -q (line 236 in Makefile)

operator-sdk generate bundle $(BUNDLE_GEN_FLAGS) (line 238 in Makefile)

operator-sdk bundle validate ./bundle (line 239 in Makefile)