feat(telco-kpis): Add hub operator lockdown mechanism for reproducible installations

Implement comprehensive operator version pinning and lockdown mechanism to enable
exact reproduction of hub operator deployments. This allows capturing the precise
state of installed operators and reinstalling them with identical images, channels,
and configurations.

Key Features:

1. Hub Lockdown Capture System:
   - New role: hub_lockdown_capture - Captures installed operator state from hub clusters
   - Captures CSV versions, channels, catalog sources, and FBC upstream digests
   - Exports lockdown configuration as JSON file for version control
   - Playbook: capture-hub-lockdown.yml - Orchestrates capture process

2. Hub Lockdown Application:
   - Enhanced lockdown_hub_config role to consume lockdown JSON
   - Automatic operator enrichment with pinned versions and channels
   - GitLab symlink resolution for lockdown URIs (handles file:// protocol)
   - Channel override mechanism from lockdown configuration

3. FBC Upstream Digest Capture:
   - Captures file-based catalog (FBC) image digests for full reproducibility
   - Ensures exact catalog versions can be restored
   - Supports both connected and disconnected deployments

4. Lockdown Comparison Tool:
   - Playbook: compare-hub-lockdown.yml - Compares lockdown configurations
   - Identifies operator version drift between environments
   - Generates comparison reports for validation

5. Workarounds Framework:
   - New role: workarounds - Generic framework for operator deployment workarounds
   - TALM ManifestWork CRD workaround (fixes TALM installation when MCE without CR)
   - Executes before operator installation to prevent deployment failures

6. Supporting Infrastructure:
   - artifact_management role: Standardized artifact collection and JUnit generation
   - telco_kpis_defaults role: Centralized default variables for telco-kpis tests
   - Enhanced ocp_version_facts: Fixed multi-arch image version parsing

Use Cases:
- Capture production hub operator state for disaster recovery
- Ensure identical operator versions across dev/staging/production
- Enable regression testing with exact operator configurations
- Support disconnected deployments with pinned catalog digests
- Facilitate compliance requirements for version tracking

Integration:
- deploy-ocp-operators.yml: Automatically applies lockdown when hub_lockdown_uri provided
- Works seamlessly with existing operator deployment workflows
- Compatible with both mirror_only and full installation modes

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Carlos Cardenosa <ccardeno@redhat.com>

Author: ccardenosa

ansible.cfg

@@ -5,7 +5,7 @@ task_output_limit = 10
 collections_path = ./collections
 host_key_checking = False
 force_color = True
-roles_path = ./playbooks/roles:./playbooks/compute/roles:./playbooks/infra/roles
+roles_path = ./playbooks/roles:./playbooks/compute/roles:./playbooks/infra/roles:./playbooks/telco-kpis/roles
 
 [ssh_connection]
 retries = 3

playbooks/deploy-ocp-operators.yml

@@ -112,6 +112,31 @@
   environment:
     K8S_AUTH_KUBECONFIG: "{{ kubeconfig }}"
   tasks:
+    # Hub Lockdown Integration (Telco-KPIs)
+    # Parse hub lockdown JSON and use operators from lockdown
+    - name: Parse hub lockdown JSON for operator deployment (Telco-KPIs)
+      ansible.builtin.include_role:
+        name: lockdown_hub_config
+      when: hub_lockdown_uri is defined and hub_lockdown_uri | length > 0
+
+    # Use operators from hub lockdown if provided, otherwise use operators parameter
+    - name: Select operator source (lockdown vs parameter)
+      when: use_hub_lockdown | default(false)
+      block:
+        - name: Use operators from hub lockdown JSON (already enriched)
+          ansible.builtin.set_fact:
+            operators: "{{ hub_lockdown_operators }}"
+
+        - name: Display hub lockdown operators
+          ansible.builtin.debug:
+            msg:
+              - "=========================================="
+              - "Hub Lockdown Operators: ENABLED"
+              - "=========================================="
+              - "Using operators from lockdown JSON:"
+              - "{{ operators | to_nice_json }}"
+              - "=========================================="
+
     - name: Install requirements
       ansible.builtin.pip:
         name:
@@ -225,6 +250,13 @@
         msg: "Mirror-only mode enabled. Skipping operator installation."
       when: mirror_only | bool
 
+    - name: Apply operator dependency and CRD workarounds (TALM/MCE/ACM)
+      when: not (mirror_only | bool)
+      ansible.builtin.include_role:
+        name: workarounds
+      vars:
+        workarounds_talm_manifestwork_crd_operators: "{{ operator_input }}"
+
     - name: Install Operators
       when: not (mirror_only | bool)
       ansible.builtin.include_role:

playbooks/roles/ocp_version_facts/tasks/pull-spec-provided.yml

@@ -10,7 +10,7 @@
         (ocp_version_facts_pull_spec | default(''))
         | regex_search('(?<=release:)([0-9]+\.[0-9]+\.[0-9]+(?:-[0-9a-zA-Z.-]+)?)')
         | default('')
-        | regex_replace('-(x86|x64|x86_64|aarch64|ppc64le|s390x)$', '')
+        | regex_replace('-(x86|x64|x86_64|aarch64|ppc64le|s390x|multi)$', '')
       }}
 
 - name: Display parsed release version for debugging

playbooks/telco-kpis/capture-hub-lockdown.yml

@@ -0,0 +1,64 @@
+---
+# Capture hub lockdown JSON for reproducible operator deployments
+#
+# This playbook generates a complete snapshot of installed hub operators
+# including catalog digests, operator CSVs, and deployment metadata.
+#
+# Usage:
+#   ansible-playbook playbooks/telco-kpis/capture-hub-lockdown.yml \
+#     -i inventories/ocp-deployment/build-inventory.py \
+#     --extra-vars "hub_cluster=dev-kpi-01 ocp_version=4.17 kubeconfig=/path/to/kubeconfig"
+
+- name: Capture Hub Lockdown State
+  hosts: bastion
+  gather_facts: true
+
+  vars:
+    lockdown_output_file: "/tmp/hub-lockdown-{{ hub_cluster }}-{{ ansible_date_time.epoch }}.json"
+    jenkins_build_number: ""
+    jenkins_job_name: ""
+
+  tasks:
+    - name: Validate required variables
+      ansible.builtin.assert:
+        that:
+          - hub_cluster is defined
+          - ocp_version is defined
+          - kubeconfig is defined
+        fail_msg: "Required variables: hub_cluster, ocp_version, kubeconfig"
+
+    - name: Include hub lockdown capture role
+      ansible.builtin.include_role:
+        name: hub_lockdown_capture
+      vars:
+        output_file: "{{ lockdown_output_file }}"
+        cluster_name: "{{ hub_cluster }}"
+        cluster_kubeconfig: "{{ kubeconfig }}"
+        cluster_ocp_version: "{{ ocp_version }}"
+        build_number: "{{ jenkins_build_number }}"
+        job_name: "{{ jenkins_job_name }}"
+
+    - name: Ensure artifacts directory exists
+      ansible.builtin.file:
+        path: "{{ lookup('env', 'ARTIFACT_DIR') | default('/artifacts', true) }}"
+        state: directory
+        mode: '0755'
+      delegate_to: localhost
+
+    - name: Fetch lockdown to artifacts directory
+      ansible.builtin.fetch:
+        src: "{{ lockdown_output_file }}"
+        dest: "{{ lookup('env', 'ARTIFACT_DIR') | default('/artifacts', true) }}/"
+        flat: true
+
+    - name: Display lockdown file location
+      ansible.builtin.debug:
+        msg:
+          - "=========================================="
+          - "Hub Lockdown Captured Successfully"
+          - "=========================================="
+          - "Hub Cluster: {{ hub_cluster }}"
+          - "OCP Version: {{ ocp_version }}"
+          - "Output File: {{ lockdown_output_file | basename }}"
+          - "Artifact Location: {{ lookup('env', 'ARTIFACT_DIR') | default('/artifacts', true) }}/{{ lockdown_output_file | basename }}"
+          - "=========================================="

playbooks/telco-kpis/compare-hub-lockdown.yml

@@ -0,0 +1,138 @@
+---
+# Compare generated hub lockdown with input lockdown
+#
+# This playbook compares two hub lockdown JSON files and reports differences.
+# Used for validation when GENERATE_HUB_LOCKDOWN is enabled along with HUB_LOCKDOWN_URI.
+#
+# Usage:
+#   ansible-playbook playbooks/telco-kpis/compare-hub-lockdown.yml \
+#     -i inventories/ocp-deployment/build-inventory.py \
+#     --extra-vars "generated_lockdown=/path/to/generated.json input_lockdown_uri=https://..."
+
+- name: Compare Hub Lockdown Files
+  hosts: bastion
+  gather_facts: false
+
+  vars:
+    comparison_output: "/tmp/lockdown-comparison.txt"
+
+  tasks:
+    - name: Validate required variables
+      ansible.builtin.assert:
+        that:
+          - generated_lockdown is defined
+          - input_lockdown_uri is defined
+        fail_msg: "Required variables: generated_lockdown, input_lockdown_uri"
+
+    - name: Resolve GitLab symlinks and download input lockdown JSON
+      ansible.builtin.include_role:
+        name: lockdown_hub_config
+        tasks_from: resolve_gitlab_symlinks.yml
+      vars:
+        lockdown_url: "{{ input_lockdown_uri }}"
+        lockdown_dest: /tmp/input-lockdown.json
+
+    - name: Check if generated lockdown exists
+      ansible.builtin.stat:
+        path: "{{ generated_lockdown }}"
+      register: generated_stat
+
+    - name: Fail if generated lockdown not found
+      ansible.builtin.fail:
+        msg: "Generated lockdown file not found: {{ generated_lockdown }}"
+      when: not generated_stat.stat.exists
+
+    - name: Compare lockdown files using jd (JSON diff)
+      ansible.builtin.shell: |
+        set -o pipefail
+
+        # Try jd first (better JSON diff tool)
+        if command -v jd &>/dev/null; then
+          jd -set /tmp/input-lockdown.json {{ generated_lockdown }}
+        else
+          # Fallback to jq diff
+          echo "=== Input Lockdown (from {{ input_lockdown_uri }}) ==="
+          jq -S . /tmp/input-lockdown.json
+          echo ""
+          echo "=== Generated Lockdown ==="
+          jq -S . {{ generated_lockdown }}
+          echo ""
+          echo "=== Differences (- input, + generated) ==="
+          diff -u <(jq -S . /tmp/input-lockdown.json) <(jq -S . {{ generated_lockdown }}) || true
+        fi
+      args:
+        executable: /bin/bash
+      register: lockdown_diff
+      changed_when: false
+      failed_when: false
+
+    - name: Save comparison output
+      ansible.builtin.copy:
+        content: "{{ lockdown_diff.stdout }}"
+        dest: "{{ comparison_output }}"
+        mode: '0644'
+
+    - name: Normalize and checksum input lockdown (excluding metadata)
+      ansible.builtin.command:
+        cmd: jq -S 'del(.hub.metadata)' /tmp/input-lockdown.json
+      register: input_normalized
+      changed_when: false
+
+    - name: Normalize and checksum generated lockdown (excluding metadata)
+      ansible.builtin.command:
+        cmd: jq -S 'del(.hub.metadata)' {{ generated_lockdown }}
+      register: generated_normalized
+      changed_when: false
+
+    - name: Set lockdown match result based on normalized content
+      ansible.builtin.set_fact:
+        lockdown_match:
+          rc: "{{ 0 if input_normalized.stdout == generated_normalized.stdout else 1 }}"
+
+    - name: Display comparison results
+      ansible.builtin.debug:
+        msg:
+          - "=========================================="
+          - "Hub Lockdown Comparison"
+          - "=========================================="
+          - "Input Lockdown: {{ input_lockdown_uri }}"
+          - "Generated Lockdown: {{ generated_lockdown }}"
+          - "Match Status: {{ 'IDENTICAL ✓' if lockdown_match.rc == 0 else 'DIFFERENT ⚠' }}"
+          - "=========================================="
+
+    - name: Display diff output
+      ansible.builtin.debug:
+        msg: "{{ lockdown_diff.stdout_lines }}"
+      when: lockdown_match.rc != 0
+
+    - name: Warn if lockdowns don't match
+      ansible.builtin.debug:
+        msg:
+          - "⚠⚠⚠ WARNING ⚠⚠⚠"
+          - "Generated lockdown differs from input lockdown!"
+          - "This may indicate:"
+          - "  - Operator versions were upgraded automatically"
+          - "  - CatalogSource digests changed"
+          - "  - Different operator configuration was deployed"
+          - ""
+          - "Review the diff above to understand the differences."
+          - "Consider updating the input lockdown JSON if the generated version is correct."
+      when: lockdown_match.rc != 0
+
+    - name: Copy comparison output to artifacts (only when ARTIFACT_DIR is explicitly set)
+      when:
+        - lockdown_match.rc != 0
+        - lookup('env', 'ARTIFACT_DIR') | length > 0
+      block:
+        - name: Ensure artifacts directory exists
+          ansible.builtin.file:
+            path: "{{ lookup('env', 'ARTIFACT_DIR') }}"
+            state: directory
+            mode: '0755'
+
+        - name: Copy comparison output to artifacts
+          ansible.builtin.copy:
+            src: "{{ comparison_output }}"
+            dest: "{{ lookup('env', 'ARTIFACT_DIR') }}/lockdown-comparison.txt"
+            mode: '0644'
+            remote_src: true