Installation Manual - 93 Disconnected catalog hygiene
Disable default external operator catalogs and pin greenfield v7 operator resolution to mirrored sources.
This chapter records the OP-GF-OPERATORS-02 catalog hygiene gate for the
greenfield v7 clusters.
The gate changed catalog desired state through GitOps. It did not install a new operator.
Governance
| Field | Value |
|---|---|
| Issue | OP-GF-OPERATORS-02 / #414 |
| Milestone | Workspace Governance |
| Governing ADR | ADR 0016 |
| Predecessor | OP-GF-OPERATORS-01 / #413 |
Intent
The previous readiness gate found that future operators could still resolve through default external catalog names. This gate made catalog resolution mirror-only and deterministic before starting Gatekeeper planning.
Access Path
Live checks and GitOps refreshes used:
local workspace -> dl385-2 -> gf-ocp-bootstrap-01 -> v7 kubeconfigs
Kubeconfigs on gf-ocp-bootstrap-01:
/home/ze/ocp-greenfield-deployment/artifacts/openshift/hub-dc-v7/auth/kubeconfig
/home/ze/ocp-greenfield-deployment/artifacts/openshift/spoke-dc-v7/auth/kubeconfig
GitOps Commits
Platform GitOps commits:
495d41a Harden v7 operator catalog sources
b384be3 Allow spoke Argo to manage ClusterCatalogs
11e76f4 Order catalog sync after spoke RBAC
Final live Argo revision:
11e76f466ddcccee78e6ea59f06c55ad775b3c25
Desired-state Changes
Both clusters now declare:
apiVersion: config.openshift.io/v1
kind: OperatorHub
metadata:
  name: cluster
spec:
  disableAllDefaultSources: true
Both clusters set the built-in external OLM v1 catalogs to unavailable:
openshift-redhat-operators
openshift-certified-operators
openshift-redhat-marketplace
openshift-community-operators
Spoke was aligned with hub by adding:
cs-redhat-operator-index-v4-20
cs-certified-operator-index-v4-20
cc-redhat-operator-index-v4-20
cc-certified-operator-index-v4-20
The spoke GitOps controller also received a narrow permission extension for
olm.operatorframework.io/clustercatalogs, and catalog resources were moved
to Argo sync wave 1 so RBAC lands before catalog reconciliation.
Validation
Render and dry-run validation passed:
oc kustomize clusters/hub-dc-v7
oc kustomize clusters/spoke-dc-v7
oc apply --dry-run=server
The server-side dry-runs reported existing last-applied-configuration warnings for already-live resources. The new catalog and RBAC resources validated.
Argo State
Final Argo state:
| Application | State |
|---|---|
| hub hub-dc-v7-bootstrap | Synced/Healthy |
| hub spoke-dc-v7-cluster-config | Synced/Healthy |
| spoke spoke-dc-v7-cluster-config | Synced/Healthy |
All three were at:
11e76f466ddcccee78e6ea59f06c55ad775b3c25
Final Catalog State
Both clusters report default sources disabled:
certified-operators disabled=true
community-operators disabled=true
redhat-marketplace disabled=true
redhat-operators disabled=true
Only mirrored classic CatalogSources remained in the checked set:
| CatalogSource | State |
|---|---|
| cs-redhat-operator-index-v4-20 | READY |
| cs-certified-operator-index-v4-20 | READY |
OLM v1 catalog state:
| ClusterCatalog | State |
|---|---|
| cc-redhat-operator-index-v4-20 | Serving=True, mirrored Quay |
| cc-certified-operator-index-v4-20 | Serving=True, mirrored Quay |
| openshift-redhat-operators | Serving=False, Unavailable |
| openshift-certified-operators | Serving=False, Unavailable |
| openshift-redhat-marketplace | Serving=False, Unavailable |
| openshift-community-operators | Serving=False, Unavailable |
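The final catalog state above can be re-checked as a repeatable drift test. The following is an added example, not tooling from this manual: it assumes the three inputs are the parsed JSON of `oc get operatorhub cluster -o json`, `oc get catalogsources -n openshift-marketplace -o json` and `oc get clustercatalogs -o json`, and the sample objects and helper names in it are constructed for illustration.

```python
# Added example: mirror-only catalog check. Sample objects are constructed.
MIRRORED_CS = {"cs-redhat-operator-index-v4-20", "cs-certified-operator-index-v4-20"}
MIRRORED_CC = {"cc-redhat-operator-index-v4-20", "cc-certified-operator-index-v4-20"}

def serving(cc):
    """True when a ClusterCatalog reports condition Serving=True."""
    conds = cc.get("status", {}).get("conditions", [])
    return any(c.get("type") == "Serving" and c.get("status") == "True" for c in conds)

def ready(cs):
    """True when a classic CatalogSource reports connection state READY."""
    state = cs.get("status", {}).get("connectionState", {})
    return state.get("lastObservedState") == "READY"

def findings(hub, catalogsources, clustercatalogs):
    """Return violations of the mirror-only gate; an empty list means it holds."""
    out = []
    if hub.get("spec", {}).get("disableAllDefaultSources") is not True:
        out.append("OperatorHub: disableAllDefaultSources is not true")
    for src in hub.get("status", {}).get("sources", []):
        if not src.get("disabled"):
            out.append(f"OperatorHub: default source {src.get('name')} enabled")
    cs_all = {c["metadata"]["name"] for c in catalogsources["items"]}
    cs_ready = {c["metadata"]["name"] for c in catalogsources["items"] if ready(c)}
    cc_serving = {c["metadata"]["name"] for c in clustercatalogs["items"] if serving(c)}
    out += [f"CatalogSource: unexpected {n}" for n in sorted(cs_all - MIRRORED_CS)]
    out += [f"CatalogSource: mirror {n} not READY" for n in sorted(MIRRORED_CS - cs_ready)]
    out += [f"ClusterCatalog: non-mirror {n} is serving" for n in sorted(cc_serving - MIRRORED_CC)]
    # A mirror that stopped serving breaks resolution, so report that as well.
    out += [f"ClusterCatalog: mirror {n} not serving" for n in sorted(MIRRORED_CC - cc_serving)]
    return out

def sample_cc(name, status):  # constructed ClusterCatalog object
    return {"metadata": {"name": name},
            "status": {"conditions": [{"type": "Serving", "status": status}]}}

def sample_cs(name, state="READY"):  # constructed CatalogSource object
    return {"metadata": {"name": name},
            "status": {"connectionState": {"lastObservedState": state}}}

# Constructed sample matching the final state recorded in this chapter.
HUB_OK = {"spec": {"disableAllDefaultSources": True},
          "status": {"sources": [{"name": "redhat-operators", "disabled": True}]}}
CS_OK = {"items": [sample_cs(n) for n in sorted(MIRRORED_CS)]}
CC_OK = {"items": [sample_cc(n, "True") for n in sorted(MIRRORED_CC)]
                  + [sample_cc("openshift-community-operators", "False")]}
# Constructed drift: a built-in external ClusterCatalog is serving again.
CC_DRIFT = {"items": CC_OK["items"][:2] + [sample_cc("openshift-community-operators", "True")]}

if __name__ == "__main__":
    print(findings(HUB_OK, CS_OK, CC_OK))     # gate holds
    print(findings(HUB_OK, CS_OK, CC_DRIFT))  # drift reported
```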
Health
Cluster health stayed steady after reconciliation:
| Check | hub-dc-v7 | spoke-dc-v7 |
|---|---|---|
| OpenShift | 4.20.18 | 4.20.18 |
| ClusterVersion | Available, not Progressing, not Failing | Available, not Progressing, not Failing |
| Nodes | 3/3 Ready | 6/6 Ready |
| ClusterOperators | steady | steady |
| Non-running pods | none | none |
| Pending CSRs | none | none |
| Subscriptions | AtLatestKnown | AtLatestKnown |
| Non-complete InstallPlans | none | none |
OADP, External Secrets stores, RHACS, logging/Loki, and spoke ODF/Ceph/NooBaa remained healthy.
Package-source Check
The checked candidate packages now resolve to the mirrored Red Hat classic source on both clusters:
cs-redhat-operator-index-v4-20/openshift-marketplace
Checked packages:
gatekeeper-operator-product
netobserv-operator
tempo-product
opentelemetry-product
openshift-pipelines-operator-rh
cluster-kube-descheduler-operator
quay-operator
rhods-operator
Result
Catalog hygiene is complete for the current phase.
The next gate is:
OP-GF-OPERATORS-03: Gatekeeper preflight and dry-run-only install design
Do not install Gatekeeper directly without that preflight. Gatekeeper affects admission, so the next step should validate channels, dependencies, dry-run manifests, and rollback posture first.