Use default_operator_source to configure MultiClusterHub #491

Draft: maorfr wants to merge 1 commit into main from configure-mch-default_operator_source

@maorfr maorfr commented Jun 15, 2026

Collaborator

Summary

Replace hardcoded catalog source name with the default_operator_source variable in MCE subscription configuration.

Context

Follow-up to #488 (Extract MultiClusterHub configuration to reusable task).

Changes

  • Changed MCE subscription source from hardcoded cs-mirror-redhat-operators-v4-20 to {{ default_operator_source }}

Benefits

  • Consistent with other operator configurations that use default_operator_source
  • Avoids hardcoding version-specific catalog source names (the -v4-20 suffix)
  • Makes the configuration more flexible across different OpenShift versions

Testing

  • Verified the variable reference is correct
  • Consistent with existing operator configuration patterns

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Improved operator source configuration for disconnected environments by enabling dynamic defaults instead of hardcoded values, providing greater deployment flexibility.

coderabbitai Bot commented Jun 15, 2026

Walkthrough

In operators/advanced-cluster-management/configure_mch.yaml, the hardcoded operator source cs-mirror-redhat-operators-v4-20 in the disconnected MCE subscription spec task is replaced with the templated variable {{ default_operator_source }}. No other logic is altered.

Changes

MCE Subscription Source Parameterization

| Layer / File(s) | Summary |
|---|---|
| Parameterize MCE subscription operator source (operators/advanced-cluster-management/configure_mch.yaml) | The source field in the installer.open-cluster-management.io/mce-subscription-spec annotation now references {{ default_operator_source }} instead of the hardcoded value cs-mirror-redhat-operators-v4-20. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • rh-ecosystem-edge/enclave#485: Directly related — both PRs touch the installer.open-cluster-management.io/mce-subscription-spec annotation handling for disconnected MCE installs.
  • rh-ecosystem-edge/enclave#309: Introduced default_operator_source as a variable to replace hardcoded operator source values, which is exactly the pattern this PR applies to the MCE subscription spec.

Suggested labels

operators

Suggested reviewers

  • eliorerz

Poem

⚠️ LOW SEVERITY — hardcoded source identified and neutralized 🔒

A string once carved in stone now bends,
cs-mirror-redhat-operators-v4-20 ends.
A template variable takes its place,
default_operator_source — elegant grace.
Attack surface: unchanged. Sleep well tonight. 🛡️

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: replacing a hardcoded operator source with a dynamic variable reference for MultiClusterHub configuration. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| No-Hardcoded-Secrets | ✅ Passed | No hardcoded secrets found. The changed value (cs-mirror-redhat-operators-v4-20) is a public catalog source identifier, not a secret, API key, token, password, or credential. |
| No-Weak-Crypto | ✅ Passed | No cryptographic operations found. PR modifies Ansible configuration for operator catalog source reference only, not crypto-related code. |
| No-Injection-Vectors | ✅ Passed | No injection vectors detected. The change replaces a hardcoded string with a Jinja2 variable reference in an Ansible YAML file. Python code uses only yaml.safe_load, not eval/exec/pickle.loads; no... |
| Container-Privileges | ✅ Passed | This PR modifies an Ansible configuration file with no Kubernetes container definitions or privilege escalation settings, making the check inapplicable. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No logging statements exist in the modified file; only public catalog source names (non-sensitive) are handled, stored in Kubernetes metadata without explicit logging. |
| Ai-Attribution | ✅ Passed | No AI tool usage mentioned in PR or commit; no attribution required. The commit lacks trailers, which is correct if no AI assistance was used. |

@github-actions github-actions Bot added the operators Operator installation/config label Jun 15, 2026

maorfr commented Jun 15, 2026

Collaborator Author

this will fail when being called from sync.

@maorfr maorfr marked this pull request as draft June 15, 2026 10:03

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operators/advanced-cluster-management/configure_mch.yaml`:
- Line 11: The `default_operator_source` variable referenced in the template at
line 11 of the configure_mch.yaml file is not available in the task's scope,
causing the MCE subscription spec to fail in disconnected deployments. Fix this
by either: (1) computing the value locally in configure_mch.yaml using the
pattern `"cs-{{ mirror_rh_operator_catalog }}-v4-20"` where
mirror_rh_operator_catalog is available from defaults/catalogs.yaml, or (2)
explicitly passing default_operator_source through a `vars:` parameter in the
`include_tasks` call from 06-day2.yaml that includes this task. Choose the
approach that best fits your deployment pattern—option 1 keeps the logic
self-contained, while option 2 makes the dependency explicit at the call site.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: fad49a47-8520-43a4-bb1d-c5bc95c70369

📥 Commits

Reviewing files that changed from the base of the PR and between 45d0061 and 2b8c43b.

📒 Files selected for processing (1)
  • operators/advanced-cluster-management/configure_mch.yaml

mce_subscription_spec:
installPlanApproval: Manual
source: cs-mirror-redhat-operators-v4-20
source: "{{ default_operator_source }}"
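
Review bot: `default_operator_source` on the new `source:` line is neither defined nor guarded anywhere in this hunk, whereas the removed literal `cs-mirror-redhat-operators-v4-20` always rendered. Every caller of this task file now has to supply the variable, so either pass it through `vars:` at the include site or add a check ahead of `mce_subscription_spec` that stops with a clear message when it is undefined or empty. Please also document the new input in the task file, since the subscription's catalog source now comes from outside this file.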

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that default_operator_source is defined before configure_mch.yaml is called

# Check if default_operator_source is set in load-vars.yaml
echo "=== Checking load-vars.yaml for default_operator_source ==="
rg -A 20 'load-vars.yaml' playbooks/06-day2.yaml
rg -n 'default_operator_source' playbooks/common/load-vars.yaml playbooks/defaults/* config/* 2>/dev/null || echo "Not found in common load files"

# Check all include_tasks calls to configure_mch.yaml
echo -e "\n=== All callers of configure_mch.yaml ==="
rg -B 2 -A 2 'configure_mch.yaml' --type=yaml

# Check where default_operator_source is set
echo -e "\n=== Where default_operator_source is defined ==="
rg -n 'default_operator_source:' --type=yaml

Repository: rh-ecosystem-edge/enclave

Length of output: 1990


🏁 Script executed:

# Check the full context of 06-day2.yaml to see if default_operator_source is defined at play level
head -100 playbooks/06-day2.yaml | cat -n

# View configure_mch.yaml around line 11 with more context
echo "=== configure_mch.yaml (lines 1-20) ===" && head -20 operators/advanced-cluster-management/configure_mch.yaml | cat -n

# Check if default_operator_source is referenced anywhere else in configure_mch.yaml
echo -e "\n=== All references to default_operator_source in configure_mch.yaml ===" && rg -n 'default_operator_source' operators/advanced-cluster-management/configure_mch.yaml

# Check if default_operator_source is ever used as a play-level variable
echo -e "\n=== Play-level variable definitions in 06-day2.yaml ===" && rg -B 5 -A 5 '^\s*vars:' playbooks/06-day2.yaml | head -40

Repository: rh-ecosystem-edge/enclave

Length of output: 6044


🏁 Script executed:

# View the actual contents of load-vars.yaml
echo "=== playbooks/common/load-vars.yaml ===" && cat playbooks/common/load-vars.yaml

# Check if there's inventory or group_vars that might define default_operator_source
echo -e "\n=== Checking for inventory or group_vars ===" && find . -name 'group_vars' -o -name 'host_vars' -o -name 'inventory*' | head -20

# Check if the playbook even runs or if variable is conditionally used
echo -e "\n=== Full configure_mch.yaml to understand variable usage ===" && cat operators/advanced-cluster-management/configure_mch.yaml

Repository: rh-ecosystem-edge/enclave

Length of output: 4749


🏁 Script executed:

# Check the defaults files that are loaded, specifically operators.yaml and catalogs.yaml
echo "=== defaults/operators.yaml ===" && cat defaults/operators.yaml

echo -e "\n=== defaults/catalogs.yaml ===" && cat defaults/catalogs.yaml

# Also search for where mirror_rh_operator_catalog is defined (used in configure_operators.yaml)
echo -e "\n=== Searching for mirror_rh_operator_catalog definition ===" && rg -n 'mirror_rh_operator_catalog' defaults/

Repository: rh-ecosystem-edge/enclave

Length of output: 3227


Critical: Undefined variable reference — default_operator_source is not available in this task's scope.

Line 11 uses {{ default_operator_source }}, but this variable is neither defined at the play level in 06-day2.yaml nor passed through the include_tasks call (line 35 includes no vars: parameter). The variable is only locally scoped in playbooks/tasks/configure_operators.yaml and playbooks/tasks/deploy_plugin.yaml.

Since this task executes only when disconnected | default(true) is true (line 7), rendering will fail or produce an empty string, breaking the MCE subscription spec configuration.

Risk: Runtime failure or incorrect catalog source configuration in disconnected deployments.

Suggested fix: Compute default_operator_source locally using the available mirror_rh_operator_catalog variable from defaults/catalogs.yaml (follow the pattern: "cs-{{ mirror_rh_operator_catalog }}-v4-20"), or pass it explicitly via vars: in the include_tasks call from 06-day2.yaml.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operators/advanced-cluster-management/configure_mch.yaml` at line 11, The
`default_operator_source` variable referenced in the template at line 11 of the
configure_mch.yaml file is not available in the task's scope, causing the MCE
subscription spec to fail in disconnected deployments. Fix this by either: (1)
computing the value locally in configure_mch.yaml using the pattern `"cs-{{
mirror_rh_operator_catalog }}-v4-20"` where mirror_rh_operator_catalog is
available from defaults/catalogs.yaml, or (2) explicitly passing
default_operator_source through a `vars:` parameter in the `include_tasks` call
from 06-day2.yaml that includes this task. Choose the approach that best fits
your deployment pattern—option 1 keeps the logic self-contained, while option 2
makes the dependency explicit at the call site.
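
The scoping fix discussed in the review above, shown as an added example that is not code from the enclave repository: the caller passes the variable explicitly and the task file refuses to run without it. The include path, task names and task placement are assumptions; `default_operator_source`, `mirror_rh_operator_catalog`, the `disconnected | default(true)` condition and the `cs-...-v4-20` pattern are taken from the thread.

```yaml
# Added example, not the project's code. File layout and task names are
# assumptions; variable names and the "cs-...-v4-20" pattern come from the thread.

# --- Caller side (assumed excerpt of playbooks/06-day2.yaml) ---
- name: Configure MultiClusterHub
  ansible.builtin.include_tasks:
    # Assumed relative path to the task file named in the review.
    file: ../operators/advanced-cluster-management/configure_mch.yaml
  vars:
    # Make the dependency explicit at the call site instead of relying on a
    # variable that is only set inside other task files.
    default_operator_source: "cs-{{ mirror_rh_operator_catalog }}-v4-20"

# --- Callee side (assumed first task of configure_mch.yaml) ---
- name: Require a catalog source before building the MCE subscription spec
  ansible.builtin.assert:
    that:
      - default_operator_source is defined
      - default_operator_source is string
      - default_operator_source | length > 0
    fail_msg: >-
      default_operator_source is not set for this include; pass it with vars:
      on include_tasks or define it before this task file runs.
    quiet: true
  # Same condition the review cites for the disconnected MCE subscription task.
  when: disconnected | default(true)
```

With the guard in place, a caller that omits the variable stops at the assert with a named cause rather than failing later inside the annotation template.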
