feat(profile): add --operator-channel and --catalog-source flags

[jangel97]

Summary

• Add --operator-channel flag to override the OLM subscription channel per operator (e.g. --operator-channel serverless-operator=candidate)
• Add --catalog-source flag to use a custom index image per operator (e.g. --catalog-source nfd=quay.io/my-team/index:test), creating a CatalogSource CR automatically
• Validation runs before infrastructure provisioning to fail fast on invalid inputs
• Override logic is centralized in installOperator() — no profile files need changes
• Docs updated with usage examples and operator package name reference table

Test plan

• Build passes
• Validation catches empty keys/values before provisioning
• End-to-end test with --operator-channel override
• End-to-end test with --catalog-source override (NFD installed from custom index image hosted on ttl.sh, verified CatalogSource pod running and subscription pointing to custom catalog)

[coderabbitai]

Warning

Review limit reached

@jangel97, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 38 minutes and 19 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 96da0934-59e9-4308-9c70-f661baaa6c90

📥 Commits

Reviewing files that changed from the base of the PR and between 3c0fd15 and 49d12c6.

📒 Files selected for processing (6)

• cmd/mapt/cmd/aws/services/snc.go
• docs/aws/openshift-snc.md
• pkg/provider/aws/action/snc/snc.go
• pkg/target/service/snc/api.go
• pkg/target/service/snc/profile/operator.go
• pkg/target/service/snc/profile/profile.go

📝 Walkthrough

Walkthrough

This PR adds CLI support for per-operator OLM customization in OpenShift SNC deployments. Users can override individual operator subscription channels and provide custom CatalogSource index images, which are provisioned as Kubernetes custom resources before profile deployment begins.

Changes

Operator and CatalogSource Overrides

Layer / File(s)	Summary
API Contract Extension pkg/target/service/snc/api.go	SNCArgs struct gains Profiles, OperatorChannels, and CatalogSources fields to carry operator override configuration.
Profile Deployment - CatalogSource Infrastructure pkg/target/service/snc/profile/profile.go	Added crypto/sha256 and Kubernetes apiextensions imports, extended DeployArgs with operator channel and catalog source override maps, implemented ValidateOperatorOverrides validation helper, and implemented ensureCatalogSources to deterministically create CatalogSource custom resources keyed by index image hash before profile prerequisites are processed.
Operator-level Override Application pkg/target/service/snc/profile/operator.go	installOperator now applies per-operator channel overrides via args.OperatorChannels and catalog source overrides via args.catalogSourceCRs, and adds created CatalogSource CR resources to Pulumi operator install dependencies.
AWS Action Layer Orchestration and Validation pkg/provider/aws/action/snc/snc.go	Extended openshiftSNCRequest struct to hold profiles, operator channels, catalog sources, and disk size; validation of operator overrides via profile.ValidateOperatorOverrides; and wiring of those fields through to profile deployment in profile.DeployArgs.
CLI Flag Registration and Wiring cmd/mapt/cmd/aws/services/snc.go	Added --operator-channel and --catalog-source flag constants with descriptions, registered both as StringToStringP options, and wired flag values into SNCArgs construction.
User-facing Documentation docs/aws/openshift-snc.md	New "Operator overrides" section describing flag usage, single and multi-operator override examples, default behavior, and a table mapping profiles to installed OLM operators.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and accurately summarizes the main changes: adding two new CLI flags (--operator-channel and --catalog-source) for operator configuration.
Description check	✅ Passed	The description comprehensively covers the changes, including flag purposes, validation approach, implementation details, and test verification.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/aws/openshift-snc.md`:
- Around line 88-98: The fenced code blocks showing the commands (e.g., the
block with "mapt aws openshift-snc create" and the block with
"--operator-channel serverless-operator=preview,nfd=4.17") are missing language
specifiers; update each triple-backtick fence to include "bash" (```bash) so the
two blocks that contain the mapt aws openshift-snc create command and the
operator-channel example are annotated for proper syntax highlighting and to
satisfy MD040.
- Around line 104-117: Add the missing language specifier to both fenced code
blocks by marking them as bash to satisfy markdownlint MD040; update the two
code fences that show the "mapt aws openshift-snc create" examples (the
single-profile example using flags like --profile and --catalog-source, and the
combined example using --profile, --operator-channel and --catalog-source) to
start with ```bash so the commands are rendered with shell syntax highlighting.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 74225bc6-e2fc-444a-8d43-dd1ae0909fb9

📥 Commits

Reviewing files that changed from the base of the PR and between ce74314 and 3c0fd15.

📒 Files selected for processing (6)

• cmd/mapt/cmd/aws/services/snc.go
• docs/aws/openshift-snc.md
• pkg/provider/aws/action/snc/snc.go
• pkg/target/service/snc/api.go
• pkg/target/service/snc/profile/operator.go
• pkg/target/service/snc/profile/profile.go

[adrianriobo]

Code Review — --operator-channel and --catalog-source flags

Overview

Adds two CLI flags to the SNC provisioner that let callers override OLM subscription channels and inject custom CatalogSource index images per operator. This is the mechanism needed to install OpenShift
AI from a custom FBC bundle — you'd use --catalog-source rhods-operator=quay.io/your-org/fbc-index:tag combined with --operator-channel rhods-operator=fast.

---

Design — Good

• Centralized override in installOperator — overrides are applied in one place, no per-operator special-casing needed.
• CatalogSource naming with mapt-cs-<pkg>-<sha256[:8]> is deterministic and avoids collisions across re-runs (Pulumi can diff it).
• DeletedWith propagation — CatalogSource CRs are also marked with the compute resource, so they're skipped on destroy.
• ValidateOperatorOverrides runs before infra provisioning — fail-fast without spending money on an EC2 instance.
• Incompatibility documentation (ProfileOpenShiftAI + ProfileServiceMesh) is well commented.

---

Issues

1. No CatalogSource readiness wait — likely to break RHOAI installs (critical)

ensureCatalogSources creates the CatalogSource CR and returns. OLM then needs to pull the FBC image and spin up the gRPC server (30–90 seconds). The Subscription is created with
pulumi.DependsOn(cs.Resource) which only waits for the K8s object to exist, not for OLM to index it. The subscription will fail with "no operators found" until the catalog is ready.

Suggested fix: reuse the existing waitForCRCondition pattern to poll .status.connectionState.lastObservedState == "READY" before returning from ensureCatalogSources.

2. MaxCPUs logic is inverted for multi-profile use

The function returns the upper CPU cap, but when two profiles each set maxCPUs, the effective cap should be min (you must satisfy both constraints), not max. Only ProfileNvidia sets maxCPUs
today so it doesn't bite yet, but the logic is wrong:

// Should return the lowest non-zero cap, not the highest
func MaxCPUs(profiles []string) int32 {                                                                                                                                                                   
    var cap int32                                                                                                                                                                                         
    for _, p := range profiles {                                                                                                                                                                          
        if effect, ok := profileRegistry[p]; ok && effect.maxCPUs > 0 {                                                                                                                                   
            if cap == 0 || effect.maxCPUs < cap {                                                                                                                                                         
                cap = effect.maxCPUs
            }                                                                                                                                                                                             
        }                                                 
    }
    return cap
}

3. No validation that override packages match known operators                                                                                                                                             
 
ValidateOperatorOverrides only rejects empty strings. A typo in the package name (e.g. rhoods-operator instead of rhods-operator) silently creates an unused CatalogSource with no warning to the user.   
                                                          
4. No test coverage                                                                                                                                                                                       
                                                          
Validate, ValidateOperatorOverrides, ensureCatalogSources, and the override logic in installOperator have no unit tests. Table-driven tests for the validation functions would at minimum catch           
regressions.                                              
                                                                                                                                                                                                          
---                                                       
Minor
     
- The hash[:8] truncation (32 bits) is fine for human-facing names; practical collision risk is negligible.
- sourceType: grpc is correct for FBC index images.                                                                                                                                                       
- The --catalog-source nfd=quay.io/... example in the docs is clear.                                                                                                                                      
                                                                                                                                                                                                          
---                                                                                                                                                                                                       
Summary                                                   
       
The approach is solid and the FBC mechanism (custom CatalogSource + channel override) is correct. The critical gap is #1 — without waiting for the CatalogSource to be READY, the RHOAI subscription will
race against OLM catalog indexing and fail intermittently. The fix is straightforward using the waitForCRCondition pattern already in the codebase.