move Mirrored catalogsource configuration ACM policy to operators #459

Open
maorfr wants to merge 1 commit into main from acm-cs-post-install

maorfr (Collaborator) commented Jun 9, 2026

This step is currently executed as part of day 2 operations, but without it, core operators cannot be installed on spoke clusters. Moving it to be installed after operators.

Summary by CodeRabbit

  • Refactor
    • Reorganized installation workflow to apply ACM catalog source policies during post-install phase rather than day-2 operations, simplifying the day-2 workflow to focus on Clair disconnected configuration.

github-actions Bot added the deployment (Deployment-related changes) and validation (Validation and testing) labels Jun 9, 2026
coderabbitai Bot commented Jun 9, 2026

Walkthrough

This PR relocates ACM mirrored catalogsource policy task execution from the day2 phase to the post-install phase. The change adds a new conditional task to post-install.yaml, removes the equivalent task from day2.yaml, updates bootstrap.sh orchestration, and reorders validation test expectations to match the new execution sequence.

Changes

ACM Catalog Source Policy Phase Migration

| Layer | File(s) | Summary |
| --- | --- | --- |
| ACM catalog source policy task in post-install phase | playbooks/04-post-install.yaml | Documentation and new task block added: iterates over openshift_versions, includes tasks/catalogsource.yaml with per-cluster KUBECONFIG environment, tagged as acm-policy-catalogsources, conditional on disconnected mode. |
| Remove ACM catalog source policy from day2 phase | playbooks/06-day2.yaml | Task block and documentation removed; day2 workflow now transitions directly from Clair disconnected configuration to Quay disconnected finish without ACM policy application. |
| Bootstrap entrypoint wiring for relocated ACM policy | bootstrap.sh | Added acm-policy-catalogsources invocation in step_post_install; removed from step_day2, routing task execution to new phase. |
| Validation test expectations for execution order | scripts/verification/validate.sh | Test array reordered so 04-post-install.yaml:acm-policy-catalogsources appears before 05-operators and day2 tests, reflecting updated execution sequence. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


A catalog moves home from day to dawn,
Where policies wait in the post-install spawn,
Bootstrap conducts with orchestral care, 🎼
Tests reorder with validation's flair!

🚥 Pre-merge checks | ✅ 9 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Ai-Attribution | ⚠️ Warning | Commit lacks required AI attribution trailer; CONTRIBUTING.md mandates "Assisted-by: Claude Code" trailer for AI-assisted commits, but none is present. | Add "Assisted-by: Claude Code noreply@anthropic.com" trailer to the commit message per CONTRIBUTING.md requirements for AI-assisted work. |
| Title check | ⚠️ Warning | The PR title states 'move Mirrored catalogsource configuration ACM policy to operators', but the actual changes move this configuration to post-install (step_post_install), not to operators. | Update the title to accurately reflect the destination: 'move Mirrored catalogsource configuration ACM policy to post-install' or similar phrasing that matches the implementation. |

✅ Passed checks (9 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No-Hardcoded-Secrets | ✅ Passed | No hardcoded secrets detected. All credentials and paths use Jinja2 template variables. No API keys, passwords, tokens, private keys, or embedded credentials found in modified files. |
| No-Weak-Crypto | ✅ Passed | No weak cryptography detected. PR moves ACM catalogsource configuration between playbooks; no MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB, custom crypto, or insecure secret comparisons found. |
| No-Injection-Vectors | ✅ Passed | Pull request contains no injection vectors. All changes use safe YAML parsing, Jinja2 templating, and fixed command structures with no user input concatenation. |
| Container-Privileges | ✅ Passed | No privileged container configurations found; PR only modifies Ansible playbooks and ACM policies, not container specs. |
| No-Sensitive-Data-In-Logs | ✅ Passed | PR relocates existing task without introducing sensitive data logging. KUBECONFIG env var pattern already pervasive in codebase without no_log; no new sensitive logging statements added. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


eurijon (Contributor) left a comment

ACM is installed in phase 5 (playbooks/05-operators.yaml) so shouldn't the mirrored catalogsource policy be placed after ACM is fully set up? before addon plugins or as part of operator tasks?

maorfr force-pushed the acm-cs-post-install branch from bc2aa32 to 4a98f79 June 9, 2026 10:00
maorfr changed the title from "move Mirrored catalogsource configuration ACM policy to post install config" to "move Mirrored catalogsource configuration ACM policy to operators" Jun 9, 2026
github-actions Bot added the operators (Operator installation/config) label Jun 9, 2026
maorfr (Collaborator, Author) commented Jun 9, 2026

> ACM is installed in phase 5 (playbooks/05-operators.yaml) so shouldn't the mirrored catalogsource policy be placed after ACM is fully set up? before addon plugins or as part of operator tasks?

you are very right. implemented exactly as you described.

maorfr (Collaborator, Author) commented Jun 10, 2026

e2e failure related to #469

maorfr added the rc-ok (label to indicate a PR is ok to arrive to main branch while preparing a release candidate) label Jun 10, 2026
maorfr removed the rc-ok (label to indicate a PR is ok to arrive to main branch while preparing a release candidate) label Jun 21, 2026