feat(telco-kpis): Implement unified lockdowns role with hub capture and parse

Implements a unified lockdowns role for hub/spoke operator lockdown management,
enabling repeatable OpenShift cluster deployments with locked operator versions.

Key Features:

1. Unified Role Structure (lockdowns)
   - Mode-based dispatcher (hub/spoke) with action (parse/capture)
   - Common utilities: download, validation, symlink generation
   - Separate task files for hub and spoke operations
   - Jinja2 templates for lockdown JSON generation

2. Hub Lockdown Capture
   - Queries cluster for OCP version, Subscriptions, OperatorGroups, CatalogSources
   - Detects architecture via skopeo (x86_64/arm64, multi-arch support)
   - Maps mirrored catalog names to upstream (cs-redhat-operator-index-* → redhat-operators)
   - Enriches FBC operators with mirroring metadata:
     * fbc_iib_repo: 'latest'
     * ocp_operator_mirror_fbc_image_base: quay.io/redhat-user-workloads/telco-5g-tenant/{catalog}-{version}
   - Generates dual-format OCP pull specs (digest + tag)
   - Outputs timestamped lockdown JSON with cluster metadata

3. Hub Lockdown Parse
   - Downloads lockdown JSON from URI (GitLab, Gitea, file://)
   - GitLab symlink resolver handles multi-hop symlink chains:
     * lockdown-hub-x86_64.json → lockdown-hub-4.21-x86_64.json → ../4.21/actual.json
     * Detects JSON vs symlink text, resolves relative paths
     * Max 5 hops protection
   - Uses slurp module (not lookup) for SSH compatibility (Ansible controller vs remote host)
   - Validates lockdown structure (required fields, nested hierarchy)
   - Transforms operators for upstream compatibility:
     * Adds 'nsname' field from 'namespace' (upstream role requirement)
   - Sets facts: hub_lockdown_operators, hub_ocp_pull_spec, hub_ocp_version

4. Telco-KPIs Wrapper Playbook (deploy-ocp-operators.yml)
   - Three-phase workflow:
     * Phase 1: Parse lockdown (if hub_lockdown_uri provided) OR use parameters
     * Phase 2: Call upstream deploy-ocp-operators.yml with transformed operators
     * Phase 3: Capture lockdown (if generate_hub_lockdown requested)
   - Integrates with Jenkins install-hub-operators job
   - Supports both lockdown mode and parameter mode

5. Lockdown JSON Format
   - Nested structure: {hub: {ocp: {...}, operators: [...], metadata: {...}}}
   - OCP pull_spec with both digest (immutable) and tag (human-readable)
   - Operators include: name, namespace, catalog, channel, subscription_name,
     installed_csv, install_plan_approval, og_name, og_spec
   - FBC operators include additional: fbc_iib_repo, ocp_operator_mirror_fbc_image_base
   - Metadata: cluster_name, capture_timestamp (ISO8601)

6. Testing
   - Molecule test suites for hub parse and capture
   - 10 test scenarios covering parse, validation, symlinks, comparisons
   - Fixtures for direct JSON, 1-hop/2-hop symlinks, invalid JSON

Implementation Details:
- Uses kubernetes.core.k8s_info for cluster queries (no k8s_exec)
- Hardcoded FBC metadata for relaxed repeatability (vs reading CatalogSource state)
- Directory existence checks before template writes
- Variable scoping fixes for lockdown_artifact_dir across playbook phases

Fixes:
- Jenkins builds #75-77, #79, #81, #84, #85 failures with hub lockdown URI
- GitLab symlink resolution (/-/raw/ endpoint returns text, not target)
- Ansible execution context (lookup vs slurp on remote hosts)
- FBC operator mirroring metadata requirements
- Field name mismatches (namespace vs nsname)

Files:
- playbooks/telco-kpis/deploy-ocp-operators.yml (new wrapper)
- playbooks/telco-kpis/roles/lockdowns/ (unified role)
- playbooks/telco-kpis/roles/lockdowns/tasks/{main,hub,spoke,common}
- playbooks/telco-kpis/roles/lockdowns/templates/{hub,spoke,resolve-gitlab-symlinks}
- playbooks/telco-kpis/roles/lockdowns/molecule/hub/default/ (tests)

Integration:
- Jenkins: jobs/Telco-KPIs/install-hub-operators.Jenkinsfile
- GitLab: ran/dev-kpi-pipeline/-/tree/prow-lockdowns/hub/
- Upstream: playbooks/deploy-ocp-operators.yml (imports this wrapper)

Related:
- Legacy branch: ipa-telco-kpis-prow-migration-20260619-before-deploy-ocp-operators-untouched
- Design docs: docs/designs/operator-lockdown-*.md
- README: playbooks/telco-kpis/roles/lockdowns/README.md

Author: ccardenosa

playbooks/deploy-ocp-operators.yml

@@ -201,7 +201,7 @@
       ansible.builtin.include_role:
         name: ocp_operator_mirror
       vars:
-        ocp_operator_mirror_registry_url: disconnected.registry.local:5000
+        ocp_operator_mirror_registry_url: "{{ disconnected_registry_url }}:{{ disconnected_registry_port }}"
         ocp_operator_mirror_registry_user: "{{ ansible_user }}"
         ocp_operator_mirror_registry_password: "{{ ansible_password }}"
         ocp_operator_mirror_pull_secret: "{{ pull_secret_string | b64decode }}"

playbooks/telco-kpis/deploy-ocp-operators.yml

@@ -0,0 +1,191 @@
+---
+# Telco-KPIs wrapper for deploy-ocp-operators.yml
+#
+# This wrapper adds hub operator lockdown support to the upstream deploy-ocp-operators.yml playbook:
+# 1. Parse lockdown JSON if hub_lockdown_uri provided (extract operators list)
+# 2. Call upstream deploy-ocp-operators.yml with normalized operators variable
+# 3. Generate lockdown JSON if generate_hub_lockdown requested (capture cluster state)
+#
+# Usage:
+#   # Without lockdown (uses HUB_OPERATORS parameter):
+#   ansible-playbook playbooks/telco-kpis/deploy-ocp-operators.yml \
+#     --extra-vars 'kubeconfig=/tmp/kubeconfig version=4.21 operators=[...]'
+#
+#   # With lockdown URI (operators extracted from lockdown):
+#   ansible-playbook playbooks/telco-kpis/deploy-ocp-operators.yml \
+#     --extra-vars 'kubeconfig=/tmp/kubeconfig hub_lockdown_uri=https://gitea.../hub-lockdown.json'
+#
+#   # Generate lockdown after installation:
+#   ansible-playbook playbooks/telco-kpis/deploy-ocp-operators.yml \
+#     --extra-vars 'kubeconfig=/tmp/kubeconfig version=4.21 operators=[...] generate_hub_lockdown=true hub_cluster=dev-kpi-01'
+
+- name: Phase 1 - Parse Hub Lockdown (if provided)
+  hosts: bastion
+  gather_facts: true
+  tasks:
+    - name: Hub lockdown integration
+      when:
+        - hub_lockdown_uri is defined
+        - hub_lockdown_uri | length > 0
+      block:
+        - name: Parse hub lockdown JSON using unified lockdowns role
+          ansible.builtin.include_role:
+            name: lockdowns
+          vars:
+            lockdown_mode: hub
+            lockdown_action: parse
+
+        - name: Pass lockdown operators to upstream (no transformation needed)
+          ansible.builtin.set_fact:
+            operators: "{{ hub_lockdown_operators }}"
+            version: "{{ hub_ocp_version }}"
+
+        - name: Display hub lockdown override
+          ansible.builtin.debug:
+            msg:
+              - "=========================================="
+              - "Hub Lockdown Mode: ENABLED"
+              - "=========================================="
+              - "Lockdown URI: {{ hub_lockdown_uri }}"
+              - "OCP Version: {{ version }}"
+              - "Operators Count: {{ operators | length }}"
+              - "=========================================="
+              - "NOTE: operators and version from lockdown override parameters"
+              - "=========================================="
+
+    - name: Validate required variables
+      ansible.builtin.assert:
+        that:
+          - operators is defined
+          - version is defined or (hub_lockdown_uri is defined and hub_lockdown_uri | length > 0)
+          - kubeconfig is defined
+        fail_msg: >-
+          Required variables: operators, version (or hub_lockdown_uri), kubeconfig
+        success_msg: "Required variables validated"
+
+    - name: Apply known operator deployment workarounds (before operator installation)
+      when:
+        - not (mirror_only | default(false) | bool)
+      ansible.builtin.include_role:
+        name: workarounds
+      vars:
+        workarounds_talm_manifestwork_crd_operators: "{{ operators }}"
+
+# Phase 2 - Call Upstream Operator Deployment
+- name: Phase 2 - Deploy Operators
+  ansible.builtin.import_playbook: ../deploy-ocp-operators.yml
+  # Variables passed through from caller or set by Phase 1:
+  #   - operators (from HUB_OPERATORS param OR hub lockdown)
+  #   - version (from OCP_VERSION param OR hub lockdown)
+  #   - disconnected (default: true for telco-kpis)
+  #   - mirror_only (default: false)
+  #   - kubeconfig
+
+# Phase 3 - Generate Hub Lockdown (if requested)
+- name: Phase 3 - Capture Hub Lockdown
+  hosts: bastion
+  gather_facts: true
+  tasks:
+    - name: Generate hub lockdown JSON
+      when:
+        - generate_hub_lockdown is defined
+        - generate_hub_lockdown | bool
+      block:
+        - name: Validate capture parameters
+          ansible.builtin.assert:
+            that:
+              - hub_cluster is defined
+              - kubeconfig is defined
+            fail_msg: "hub_cluster and kubeconfig required for lockdown capture"
+            success_msg: "Capturing lockdown for cluster: {{ hub_cluster }}"
+
+        - name: Set lockdown artifact directory (if not using Jenkins-provided path)
+          when: hub_lockdown_output_file is not defined
+          ansible.builtin.set_fact:
+            lockdown_artifact_dir: "{{ lookup('env', 'ARTIFACT_DIR') | default('/artifacts', true) }}"
+
+        - name: Set lockdown output path
+          ansible.builtin.set_fact:
+            hub_lockdown_output_path: >-
+              {{
+                hub_lockdown_output_file
+                if (hub_lockdown_output_file is defined)
+                else (
+                  lockdown_artifact_dir + '/hub-lockdown-' + hub_cluster + '-' +
+                  (lookup('env', 'BUILD_NUMBER') | default(ansible_date_time.epoch, true)) + '.json'
+                )
+              }}
+
+        - name: Set lockdown artifact directory from output path
+          ansible.builtin.set_fact:
+            lockdown_artifact_dir: "{{ hub_lockdown_output_path | dirname }}"
+
+        - name: Capture hub lockdown using unified lockdowns role
+          ansible.builtin.include_role:
+            name: lockdowns
+          vars:
+            lockdown_mode: hub
+            lockdown_action: capture
+            hub_lockdown_output_file: "{{ hub_lockdown_output_path }}"
+
+        - name: Generate symlink for latest lockdown
+          ansible.builtin.include_role:
+            name: lockdowns
+            tasks_from: common/generate-symlink.yml
+          vars:
+            lockdown_output_file: "{{ hub_lockdown_output_path }}"
+            lockdown_mode: hub
+
+        - name: Display lockdown capture result
+          ansible.builtin.debug:
+            msg:
+              - "=========================================="
+              - "Hub Lockdown Captured Successfully"
+              - "=========================================="
+              - "Output File: {{ hub_lockdown_output_path }}"
+              - "Symlink: {{ lockdown_artifact_dir }}/hub-lockdown-latest.json"
+              - "=========================================="
+              - "Upload this file to Gitea for future deployments"
+              - "=========================================="
+
+    - name: Compare lockdown if both input and generated exist
+      when:
+        - generate_hub_lockdown is defined
+        - generate_hub_lockdown | bool
+        - hub_lockdown_data is defined
+      block:
+        - name: Write parsed input lockdown to temp file for comparison
+          ansible.builtin.copy:
+            content: "{{ hub_lockdown_data | to_nice_json }}"
+            dest: /tmp/hub-lockdown-input.json
+            mode: '0644'
+
+        - name: Compare input vs generated lockdown
+          ansible.builtin.shell: |
+            if command -v jd &> /dev/null; then
+              jd -set /tmp/hub-lockdown-input.json {{ hub_lockdown_output_path }}
+            elif command -v jq &> /dev/null; then
+              echo "=== Input Lockdown ==="
+              jq -S . /tmp/hub-lockdown-input.json > /tmp/input-sorted.json
+              echo "=== Generated Lockdown ==="
+              jq -S . {{ hub_lockdown_output_path }} > /tmp/generated-sorted.json
+              diff -u /tmp/input-sorted.json /tmp/generated-sorted.json || true
+            else
+              echo "WARNING: Neither jd nor jq available for comparison"
+              echo "Install jd (https://github.com/josephburnett/jd) for better diffs"
+            fi
+          register: lockdown_diff
+          changed_when: false
+          failed_when: false
+
+        - name: Display lockdown comparison result
+          ansible.builtin.debug:
+            msg: "{{ lockdown_diff.stdout_lines }}"
+          when: lockdown_diff.stdout_lines is defined
+
+        - name: Save diff to artifacts
+          ansible.builtin.copy:
+            content: "{{ lockdown_diff.stdout }}"
+            dest: "{{ lockdown_artifact_dir }}/hub-lockdown-diff.txt"
+            mode: '0644'
+          when: lockdown_diff.stdout is defined

playbooks/telco-kpis/roles/lockdowns/Makefile

@@ -0,0 +1,90 @@
+.PHONY: test test-hub test-hub-parse test-hub-capture test-spoke test-hub-local test-spoke-local prepare converge verify clean help
+
+# Get absolute path to eco-ci-cd root (5 levels up from role dir)
+ECO_CI_CD_ROOT := $(shell cd ../../../.. && pwd)
+
+# Default target
+test: test-hub-parse test-hub-capture
+
+# Run hub parse tests in container
+test-hub-parse:
+	@echo "=========================================="
+	@echo "  Running Hub PARSE Tests"
+	@echo "=========================================="
+	@podman run --rm --platform linux/amd64 \
+		-v $(ECO_CI_CD_ROOT):/eco-ci-cd:Z \
+		-w /eco-ci-cd/playbooks/telco-kpis/roles/lockdowns \
+		-e ANSIBLE_ROLES_PATH=/eco-ci-cd/playbooks/telco-kpis/roles \
+		--entrypoint /bin/sh \
+		quay.io/ccardenosa/eco-ci-cd:latest \
+		-c "ansible-playbook -i localhost, -c local molecule/hub/default/test.yml"
+	@echo ""
+	@echo "✓ Hub parse tests passed!"
+
+# Run hub capture tests in container
+test-hub-capture:
+	@echo "=========================================="
+	@echo "  Running Hub CAPTURE Tests"
+	@echo "=========================================="
+	@podman run --rm --platform linux/amd64 \
+		-v $(ECO_CI_CD_ROOT):/eco-ci-cd:Z \
+		-w /eco-ci-cd/playbooks/telco-kpis/roles/lockdowns \
+		-e ANSIBLE_ROLES_PATH=/eco-ci-cd/playbooks/telco-kpis/roles \
+		--entrypoint /bin/sh \
+		quay.io/ccardenosa/eco-ci-cd:latest \
+		-c "ansible-playbook -i localhost, -c local molecule/hub/default/test-capture.yml"
+	@echo ""
+	@echo "✓ Hub capture tests passed!"
+
+# Run all hub tests (parse + capture)
+test-hub: test-hub-parse test-hub-capture
+	@echo ""
+	@echo "✓ All hub tests passed!"
+
+# Run spoke tests in container (when implemented)
+test-spoke:
+	@echo "=========================================="
+	@echo "  Running Lockdowns Role Spoke Tests"
+	@echo "=========================================="
+	@echo "TODO: Spoke tests not yet implemented"
+
+# Run individual hub test phases (for debugging - requires local ansible)
+prepare-hub:
+	@ansible-playbook -i localhost, -c local molecule/hub/default/prepare.yml
+
+converge-hub:
+	@ansible-playbook -i localhost, -c local molecule/hub/default/converge.yml
+
+verify-hub:
+	@ansible-playbook -i localhost, -c local molecule/hub/default/verify.yml
+
+# Clean up test artifacts
+clean:
+	@rm -rf /tmp/molecule-tests
+	@rm -f /tmp/hub-lockdown.json /tmp/spoke-lockdown.json
+	@echo "✓ Test artifacts cleaned"
+
+# Help target
+help:
+	@echo "Lockdowns Role Tests"
+	@echo ""
+	@echo "Usage:"
+	@echo "  make test              Run all hub tests (parse + capture)"
+	@echo "  make test-hub          Run all hub tests (parse + capture)"
+	@echo "  make test-hub-parse    Run hub parse tests only"
+	@echo "  make test-hub-capture  Run hub capture tests only"
+	@echo "  make test-spoke        Run spoke tests (TODO)"
+	@echo "  make prepare-hub       Run hub prepare phase only (requires ansible)"
+	@echo "  make converge-hub      Run hub converge phase only (requires ansible)"
+	@echo "  make verify-hub        Run hub verify phase only (requires ansible)"
+	@echo "  make clean             Remove test artifacts"
+	@echo ""
+	@echo "Hub Parse Tests:"
+	@echo "  1. prepare   - Creates mock hub lockdown JSON file"
+	@echo "  2. converge  - Runs role parse action (read JSON)"
+	@echo "  3. verify    - Validates parse results (10 assertions)"
+	@echo ""
+	@echo "Hub Capture Tests:"
+	@echo "  1. prepare   - Sets up mock k8s_info responses"
+	@echo "  2. converge  - Runs capture logic (generate JSON)"
+	@echo "  3. verify    - Validates generated JSON (10 assertions)"