🐛 Workload should still resilient when catalog is deleted

[camilamacedo86]

Problem

When a catalog becomes unavailable (deleted, registry offline, network issues), installed extensions break or stop being maintained. This PR ensures extensions continue working with their installed version until the catalog becomes available again.

What This Fixes

Issues on main when catalog is unavailable/deleted:

1. Accidentally deleted resources are NOT restored (both runtimes)
2. Configuration changes are blocked (both runtimes)
3. Auto-updates hang during catalog image transitions (both runtimes)
4. Status shows "Failed" instead of "Retrying" (both runtimes)
5. Version upgrade attempts show unclear status (both runtimes)
6. Catalog deletion/maintenance breaks extensions (both runtimes)
7. Resources drift if manually modified (Helm only)
8. Registry outages break extension health (Helm only)

Note: Boxcutter already maintains resources via CER controller; Helm did not.

Solution

Added smart fallback logic:

• Catalogs exist but resolution fails → Retry immediately (transient issue)
• Catalogs deleted → Fall back to installed bundle, continue maintaining resources
• Version change requested → Always retry (cannot upgrade without catalog)

Key Changes

1. Resolution step - Added catalog existence check before fallback
2. Helm applier - Added reconcileExistingRelease() to maintain resources when contentFS == nil
3. Boxcutter applier - Return success when contentFS == nil (CER controller maintains)
4. Status - Clear "Retrying" status instead of "Failed"

What "Extension Continue Working" Means

An extension continues working when:

• Operator Deployment is running and healthy
• All managed resources exist in cluster
• Deleted resources are automatically restored
• Resource specs match desired state (no drift)
• Status shows Installed=True
• Operator's business logic continues (e.g., Prometheus keeps scraping)

Testing

Added comprehensive e2e test suite in test/e2e/features/catalog-deletion-resilience.feature:

• Extension continues running after catalog deletion
• Resources auto-restored after catalog deletion
• Config changes work without catalog
• Version upgrades correctly blocked without catalog
• Multiple revisions remain stable (Boxcutter)
• Workload availability properly tracked

All scenarios tested for both Helm and Boxcutter runtimes where applicable.

What Still Requires Catalog (Correct Behavior)

• Fresh installs
• Version upgrades
• Package changes

Resolution Fails?

├─ Version change requested (1.0.0 → 1.0.1)?
│  └─ YES → RETRY (need catalog to upgrade)
│
├─ Catalogs exist in cluster?
│  ├─ YES → RETRY (transient issue, catalog updating)
│  └─ NO → Check for installed bundle...
│     ├─ Have installed bundle?
│     │  └─ YES → FALLBACK (maintain current workload)
│     └─ NO → RETRY (fresh install needs catalog)

TL;DR Reconcile Workflow and Scenarios

Step 1: Resolution + rollout succeed (healthy)

• RollingOut: empty
• Resolution runs → succeeds
• Rollout completes → moves to Installed
• State: Installed = v1.0.0, RollingOut = []

Step 2: Resolution succeeds, rollout starts, rollout fails partway

• RollingOut: empty initially
• Resolution runs → succeeds (v2.0.0)
• Start rolling out v2.0.0
• Rollout FAILS partway through (e.g., resource can't be applied)
• State: Installed = v1.0.0, RollingOut = [v2.0.0] ← v2.0.0 stuck here

Step 3: Catalog missing; resolution would fail, but we skip it

What happens:

if len(state.revisionStates.RollingOut) == 0 {  // FALSE (we have v2.0.0 rolling out)
    // Skip resolution entirely
} else {
    // Use the rolling-out revision
    resolvedRevisionMetadata = state.revisionStates.RollingOut[0]  // v2.0.0
}

Result:

• We CONTINUE trying to roll out v2.0.0
• We skip resolution entirely (don’t check if catalog exists)
• We don’t fall back to v1.0.0
• We keep retrying the v2.0.0 rollout that already started
• We don’t need the catalog because v2.0.0 content was already obtained when resolution succeeded in Step 2

Why this makes sense:

• Already committed: v2.0.0 was resolved while the catalog was available
• Have the content: bundle image for v2.0.0 was already pulled/cached
• Finish what we started: failure is applying resources, not resolving
• No catalog needed: retrying rollout doesn’t require catalog access

When does fallback happen?
Fallback to Installed only happens when:

• RollingOut is empty
• AND resolution fails
• AND catalog doesn't exist
• AND no version change was requested

In this scenario RollingOut is populated, so fallback never triggers.

/hold until we have a RFC approved

• RFC: Catalog Deletion Resilience for ClusterExtensions
• Internal discussion conveys: https://redhat-internal.slack.com/archives/C06KP34REFJ/p1768291605594589?thread_ts=1768235428.251779&cid=C06KP34REFJ

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	e59f517
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/6965386bb3c2ff0008083ecd
😎 Deploy Preview	https://deploy-preview-2439--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign pedjak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

This PR adds comprehensive end-to-end tests to verify that installed OLM extensions continue functioning correctly when their source catalog is deleted. The tests cover both standard runtime and experimental Boxcutter runtime scenarios.

Changes:

• Added new feature file with 8 scenarios testing catalog deletion resilience
• Implemented CatalogIsDeleted function to support catalog deletion in tests
• Added step registrations for ClusterExtension update operations

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
test/e2e/steps/steps.go	Adds CatalogIsDeleted function and step registrations for testing catalog deletion and ClusterExtension updates
test/e2e/features/catalog-deletion-resilience.feature	Defines 8 test scenarios covering extension resilience, resource restoration, config changes, version upgrades, and revision behavior when catalog is deleted

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 74.22680% with 25 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.31%. Comparing base (1fa4169) to head (e59f517).

Files with missing lines	Patch %	Lines
internal/operator-controller/applier/helm.go	39.13%	7 Missing and 7 partials ⚠️
...er/controllers/clusterextension_reconcile_steps.go	89.06%	6 Missing and 1 partial ⚠️
internal/operator-controller/applier/boxcutter.go	50.00%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2439      +/-   ##
==========================================
+ Coverage   73.00%   73.31%   +0.31%     
==========================================
  Files         100      100              
  Lines        7641     7727      +86     
==========================================
+ Hits         5578     5665      +87     
+ Misses       1625     1620       -5     
- Partials      438      442       +4     

Flag	Coverage Δ
e2e	47.93% <59.79%> (+1.07%)	⬆️
experimental-e2e	49.70% <54.63%> (+1.01%)	⬆️
unit	57.04% <52.57%> (-0.07%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[camilamacedo86]

/hold

TBD internal discussion: https://redhat-internal.slack.com/archives/C06KP34REFJ/p1768241320285279?thread_ts=1768235428.251779&cid=C06KP34REFJ

[camilamacedo86]

/hold cancel to receive reviews

[pedjak]

for e2e test, after deleting the catalog, we need to ensure that we assert resources after the next reconciliation is done.

[pedjak]

If we are testing reconcile after successful installation, then we should also populate status properly to indicate that, or have two Reconcile calls, first when catalog is available, and the second when it is not.

[pedjak]

perhaps would be better to set condition message to the one emitted in to the log?

[pedjak]

perhaps l.Error is better suited here?

[pedjak]

perhaps would be better to set condition message to the one emitted in to the log?

[pedjak]

l.Error perhaps?

[pedjak]

how are updated blocked, when we expect Retrying to be reported?

[pedjak]

Not sure if we really need that test, given that we have already Scenario: Resources are restored after catalog deletion. From user perspective it is only important that the removed resource is restored, and that ClusterExtension reports the right things. IMHO, ClusterExtensionRevision is an implementation detail that it is of no interested for users.

[camilamacedo86]

We must ensure that we do not delete those that belong to the owner, for example, and delete them.
We should ensure that all is kept.

[pedjak]

Why do we expect that the deployment should become not ready? The scenario states that

Revision remains available when workload recovers after catalog deletion

hence, I would expect that the deployment remains available too.

[pedjak]

IMHO, we can drop this test, we are perfectly covered with the test that does not assert ClusterExtensionRevision resources at all (IMHO, the implementation detail).

[pedjak]

similar to above, not sure if we really need this test.