SANDBOX-1561 | feature: Make targets for debugging services and operators

[MikelAlejoBR]

Adds a new Make target which triggers build in the underlying services and operators which end up building the images without any code optimizations and with Delve on them.

Once pushed and deployed to the local OpenShift cluster, it patches the host operator, the member operator and the registration service to launch them with the Delve executable, which allows debugging them on port 50000 after port-forwarding to those pods.

Related PRs

• SANDBOX-1561 | feature: debug builds for the host operator host-operator#1227
• SANDBOX-1561 | feature: Makefile targets to build the operator in debug mode member-operator#720
• SANDBOX-1561 | feature: enable debug builds for the service registration-service#566

Jira ticket

[SANDBOX-1561]

Summary by CodeRabbit

• New Features

  • Added a debuggable local end-to-end deployment that launches services and operators with debugger support, enabling IDE attachment and easier port-forwarding for troubleshooting. Registration service is scaled for local debugging.

• Documentation

  • Added usage notes, prerequisites and environment settings for the new local debug deployment and connection workflow.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: MikelAlejoBR
Once this PR has been reviewed and has the lgtm label, please assign fbm3307 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds a debug-focused E2E local deployment flow: a new Makefile target exports DEBUG_MODE=true, patches host/member operator CSVs to run under Delve (debugger on port 50000), adjusts registration service replicas, updates CI operator image push to optionally build debug images, and documents the new flow and prerequisites.

Changes

Cohort / File(s)	Summary
Documentation README.adoc	Documents the new dev-deploy-e2e-local-debug Make target, port-forwarding to debugger (50000), affected services (registration, host/member operator controller managers), default namespaces, and CRC prerequisites.
Make targets make/dev.mk	Adds dev-deploy-e2e-local-debug phony target that sets DEBUG_MODE=true, delegates to dev-deploy-e2e-local, then patches host/member CSVs to run Delve (replace container command/args) and sets registration service replicas to 1.
CI/operator scripts scripts/ci/manage-host-operator.sh, scripts/ci/manage-member-operator.sh	Call sites updated to invoke push_image with "${DEBUG_MODE}" argument when publishing operators.
Image push logic scripts/ci/manage-operator.sh	push_image now interprets a boolean debug arg to compute DEBUG_MODE_SUFFIX (-debug when true) and selects ${IMAGE_BUILDER}-push${DEBUG_MODE_SUFFIX} as the make target.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Developer (IDE)
  participant Make as Makefile (`dev-deploy-e2e-local-debug`)
  participant CI as CI scripts (`manage-*.sh`)
  participant OC as OpenShift (kubectl/oc)
  participant CSV as ClusterServiceVersion
  participant Pod as Operator Pod (with Delve)

  Note right of Make: Trigger debug flow\nexports DEBUG_MODE=true
  Dev->>Make: run dev-deploy-e2e-local-debug
  Make->>CI: call image build/push with DEBUG_MODE
  CI->>CI: compute DEBUG_MODE_SUFFIX, invoke make push target
  CI->>OC: apply operator images/manifests
  Make->>OC: patch CSVs for host/member (replace cmd/args -> Delve)
  OC->>CSV: update CSV containers
  CSV->>Pod: rollout operator pods with Delve enabled
  Dev->>Pod: port-forward 50000 -> connect debugger
  Note over Pod,Dev: Debugging session established

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

approved

Suggested reviewers

• metlos
• mfrancisc
• rajivnathan

Poem

🐰 In a burrow of builds I quietly dig,
Flags set to debug, Delve on port five-oh-oh-oh, big!
Make whispers "DEBUG_MODE," scripts answer the call,
Pods wake with breakpoints—hop in, debugger and all.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'SANDBOX-1561 | feature: Make targets for debugging services and operators' directly and clearly describes the main change: adding new Make targets for debugging services and operators.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

scripts/ci/manage-operator.sh (1)

47-62: Good implementation of debug mode support.

The conditional logic correctly enables debug-mode image builds by appending -debug to the make target when DEBUG_MODE is "true". This allows the downstream make targets to build Delve-enabled images.

Optional: standardize indentation

The indentation within the if-else block is inconsistent. Consider aligning for better readability:

 push_image() {
     # When the "${DEBUG_MODE}" argument is passed, we instruct Make to push
     # the "debug" images with Delve on them.
     if [[ $1 == "true" ]]; then
-      DEBUG_MODE_SUFFIX="-debug"
-      else
-      DEBUG_MODE_SUFFIX=""
+        DEBUG_MODE_SUFFIX="-debug"
+    else
+        DEBUG_MODE_SUFFIX=""
     fi

make/dev.mk (2)

54-55: Consider renaming CVS to CSV for clarity.

The variable names use "CVS" but the resource type is "ClusterServiceVersion," commonly abbreviated as "CSV." Using "CSV" would be clearer and avoid confusion with the legacy version control system.

Suggested naming improvement

 	# Get the CVSs for the host and member operators, in order to be able to
 	# patch them.
-	HOST_CVS_NAME=$$(oc get --namespace "${DEFAULT_HOST_NS}" --output name ClusterServiceVersion)
-	MEMBER_CVS_NAME=$$(oc get --namespace ${DEFAULT_MEMBER_NS} --output name ClusterServiceVersion)
+	HOST_CSV_NAME=$$(oc get --namespace "${DEFAULT_HOST_NS}" --output name ClusterServiceVersion)
+	MEMBER_CSV_NAME=$$(oc get --namespace ${DEFAULT_MEMBER_NS} --output name ClusterServiceVersion)

Then update references on lines 61, 69, and 70 accordingly.

---

69-70: Consider improving readability of long patch commands.

The JSON patch commands are very long (200+ characters), making them difficult to review and maintain. While the logic appears correct, consider breaking them into variables or using here-documents for better readability.

Example: Extract patch JSON to variables

+	# Define patch for host operator
+	HOST_PATCH='[{"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/1/args", "value": []}, {"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/1/command", "value": ["dlv", "--listen=:50000", "--headless", "--continue", "--api-version=2", "--accept-multiclient", "exec", "/usr/local/bin/host-operator", "--", "--health-probe-bind-address=:8081", "--metrics-bind-address=127.0.0.1:8080", "--leader-elect"]}]'
+
+	# Define patch for member operator  
+	MEMBER_PATCH='[{"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/args", "value": []}, {"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/command", "value": ["dlv", "--listen=:50000", "--headless", "--continue", "--api-version=2", "--accept-multiclient", "exec", "/usr/local/bin/member-operator", "--", "--health-probe-bind-address=:8081", "--metrics-bind-address=127.0.0.1:8080", "--leader-elect"]}]'
+
 	# Patch the host-operator and member-operator CSVs to make them run with
 	# Delve.
-	oc patch --namespace "${DEFAULT_HOST_NS}" "${HOST_CVS_NAME}" --type='json' --patch='[{"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/1/args", "value": []}, {"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/1/command", "value": ["dlv", "--listen=:50000", "--headless", "--continue", "--api-version=2", "--accept-multiclient", "exec", "/usr/local/bin/host-operator", "--", "--health-probe-bind-address=:8081", "--metrics-bind-address=127.0.0.1:8080", "--leader-elect"]}]'
-	oc patch --namespace "${DEFAULT_MEMBER_NS}" "${MEMBER_CVS_NAME}" --type='json' --patch='[{"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/args", "value": []}, {"op": "replace", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/command", "value": ["dlv", "--listen=:50000", "--headless", "--continue", "--api-version=2", "--accept-multiclient", "exec", "/usr/local/bin/member-operator", "--", "--health-probe-bind-address=:8081", "--metrics-bind-address=127.0.0.1:8080", "--leader-elect"]}]'
+	oc patch --namespace "${DEFAULT_HOST_NS}" "${HOST_CVS_NAME}" --type='json' --patch="$${HOST_PATCH}"
+	oc patch --namespace "${DEFAULT_MEMBER_NS}" "${MEMBER_CVS_NAME}" --type='json' --patch="$${MEMBER_PATCH}"

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c4598f6 and bf2dec3.

📒 Files selected for processing (5)

• README.adoc
• make/dev.mk
• scripts/ci/manage-host-operator.sh
• scripts/ci/manage-member-operator.sh
• scripts/ci/manage-operator.sh

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2025-12-11T16:29:34.403Z

Learnt from: rsoaresd
Repo: codeready-toolchain/toolchain-e2e PR: 1232
File: make/devsandbox-dashboard.mk:57-57
Timestamp: 2025-12-11T16:29:34.403Z
Learning: In make/devsandbox-dashboard.mk, the test-devsandbox-dashboard-e2e-local target intentionally allows PUBLISH_UI=true and DEPLOY_UI=true to enable publishing and deploying when running locally (outside a container), while test-devsandbox-dashboard-in-container sets PUBLISH_UI=false because image pushing is not available from inside the container.

Applied to files:

• make/dev.mk
• README.adoc

🧬 Code graph analysis (2)

scripts/ci/manage-host-operator.sh (1)

scripts/ci/manage-operator.sh (1)

• push_image (47-62)

scripts/ci/manage-member-operator.sh (1)

scripts/ci/manage-operator.sh (1)

• push_image (47-62)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build & push operator bundles & dashboard image for e2e tests
• GitHub Check: Unit Tests

🔇 Additional comments (5)

scripts/ci/manage-host-operator.sh (1)

99-99: LGTM! DEBUG_MODE propagation is correct.

The push_image calls now correctly propagate the DEBUG_MODE environment variable to enable debug-enabled image builds when set. The variable is expected to be exported by the caller (e.g., make/dev.mk), and if unset, the function will default to the standard non-debug build path.

Also applies to: 111-111

scripts/ci/manage-member-operator.sh (1)

98-98: LGTM! Consistent with host operator changes.

The push_image invocation correctly propagates DEBUG_MODE to enable debug builds, matching the pattern established in manage-host-operator.sh.

README.adoc (1)

154-161: Excellent documentation for the debug target.

The documentation clearly explains the new debugging workflow, including:

• Build characteristics (no optimizations, Delve included)
• Debugger port (50000)
• Port-forwarding instructions
• List of debuggable services

This will help developers quickly understand and use the debugging feature.

make/dev.mk (2)

42-50: Good use of export for DEBUG_MODE propagation.

The target correctly exports DEBUG_MODE=true to enable debug builds in downstream make targets and shell scripts. The .ONESHELL: directive appropriately enables multi-line shell commands for the complex patching logic that follows.

---

61-61: Verify: Silent failure handling may hide errors.

The || true silently ignores failures when patching the registration service command. If the CSV doesn't exist or the patch path is invalid, this will fail silently and the registration service won't be configured for debugging.

Consider whether this should fail loudly or if the silent handling is intentional (e.g., for cases where the CSV structure differs).

Would it be better to check if the patch succeeded and provide a warning, or is silent failure acceptable here?

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

make/dev.mk (1)

54-55: Verify CSV retrieval when multiple CSVs exist.

The command oc get --output name ClusterServiceVersion returns all CSVs in the namespace. If there are multiple CSVs (e.g., from previous deployments or other operators), the variable will contain multiple names, potentially causing the subsequent oc patch commands to fail or behave unexpectedly.

Consider filtering for the specific operator CSV:

Suggested improvement

-	HOST_CSV_NAME=$$(oc get --namespace "${DEFAULT_HOST_NS}" --output name ClusterServiceVersion)
-	MEMBER_CSV_NAME=$$(oc get --namespace ${DEFAULT_MEMBER_NS} --output name ClusterServiceVersion)
+	HOST_CSV_NAME=$$(oc get --namespace "${DEFAULT_HOST_NS}" --output name ClusterServiceVersion | grep toolchain-host-operator)
+	MEMBER_CSV_NAME=$$(oc get --namespace "${DEFAULT_MEMBER_NS}" --output name ClusterServiceVersion | grep toolchain-member-operator)

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bf2dec3 and b390515.

📒 Files selected for processing (5)

• README.adoc
• make/dev.mk
• scripts/ci/manage-host-operator.sh
• scripts/ci/manage-member-operator.sh
• scripts/ci/manage-operator.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• scripts/ci/manage-host-operator.sh

🧰 Additional context used

🧠 Learnings (2)

📓 Common learnings

Learnt from: rsoaresd
Repo: codeready-toolchain/toolchain-e2e PR: 1232
File: make/devsandbox-dashboard.mk:57-57
Timestamp: 2025-12-11T16:29:34.403Z
Learning: In make/devsandbox-dashboard.mk, the test-devsandbox-dashboard-e2e-local target intentionally allows PUBLISH_UI=true and DEPLOY_UI=true to enable publishing and deploying when running locally (outside a container), while test-devsandbox-dashboard-in-container sets PUBLISH_UI=false because image pushing is not available from inside the container.

📚 Learning: 2025-12-11T16:29:34.403Z

Learnt from: rsoaresd
Repo: codeready-toolchain/toolchain-e2e PR: 1232
File: make/devsandbox-dashboard.mk:57-57
Timestamp: 2025-12-11T16:29:34.403Z
Learning: In make/devsandbox-dashboard.mk, the test-devsandbox-dashboard-e2e-local target intentionally allows PUBLISH_UI=true and DEPLOY_UI=true to enable publishing and deploying when running locally (outside a container), while test-devsandbox-dashboard-in-container sets PUBLISH_UI=false because image pushing is not available from inside the container.

Applied to files:

• make/dev.mk
• README.adoc

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: GolangCI Lint
• GitHub Check: Unit Tests
• GitHub Check: Build & push operator bundles & dashboard image for e2e tests

🔇 Additional comments (4)

scripts/ci/manage-member-operator.sh (1)

98-98: LGTM!

The change correctly passes DEBUG_MODE to push_image, aligning with the pattern in manage-host-operator.sh. When DEBUG_MODE is unset or empty, push_image will default to the non-debug push target, which is the expected behavior.

README.adoc (1)

154-160: LGTM!

The documentation clearly explains the new dev-deploy-e2e-local-debug target, including its purpose, how to connect (port-forwarding on 50000), and which services are debuggable. This aligns with the implementation in make/dev.mk.

make/dev.mk (2)

69-70: Hardcoded container indices may be fragile.

The patches use fixed indices (containers/1 for host-operator, containers/0 for member-operator). If the container order in the CSV deployment spec changes, the wrong container will be patched.

This is acceptable for a dev-only debugging target, but be aware that changes to the operator CSV structures could silently break this functionality.

---

42-50: Good use of .ONESHELL and exported variable.

The .ONESHELL directive correctly ensures shell variables persist across recipe lines, and export DEBUG_MODE=true properly propagates the flag to downstream Make invocations via dev-deploy-e2e-local.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

The || true suppresses all errors, including legitimate failures.

While this may be intentional to handle cases where the env var already exists, it also hides real problems like malformed JSON patches or connectivity issues. Consider checking for the specific error condition or removing the fallback if this patch is required for debugging to work.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, understand the repo structure and the manage-operator.sh script
git ls-files | head -20

Repository: codeready-toolchain/toolchain-e2e

Length of output: 591

---

🏁 Script executed:

# Look at the manage-operator.sh script to understand what repos it references
cat -n scripts/ci/manage-operator.sh | head -100

Repository: codeready-toolchain/toolchain-e2e

Length of output: 4890

---

🏁 Script executed:

# Search for any Makefile targets related to "push-debug"
rg 'push-debug|push.*debug' --type=make -n

Repository: codeready-toolchain/toolchain-e2e

Length of output: 59

---

🏁 Script executed:

# Also check for any docker or podman push targets
rg 'docker-push|podman-push' --type=make -n

Repository: codeready-toolchain/toolchain-e2e

Length of output: 59

---

🏁 Script executed:

# Check if there are external repo references or documentation
rg 'host-operator|member-operator' -n | head -20

Repository: codeready-toolchain/toolchain-e2e

Length of output: 4535

---

🌐 Web query:

host-operator repository Makefile docker-push-debug target

💡 Result:

Do you mean the host-operator in the codeready-toolchain GitHub repo (github.com/codeready-toolchain/host-operator)? If so, do you want me to (a) show the Makefile section for the docker-push-debug target, (b) explain what that target does, or (c) locate a different host-operator repo?

---

🌐 Web query:

member-operator repository Makefile podman-push-debug target

💡 Result:

Which repository do you mean (link or org/name)? I can then fetch its Makefile and explain the podman-push-debug target or how to run it.

---

🌐 Web query:

codeready-toolchain host-operator Makefile push-debug target site:github.com

💡 Result:

Do you want me to find the exact Makefile "push-debug" target inside the codeready-toolchain/host-operator GitHub repo (and show its contents)? If so I’ll search GitHub and return the file location and snippet.

---

🌐 Web query:

site:github.com/codeready-toolchain/host-operator Makefile

💡 Result:

I found the repository and its Makefile in the codeready-toolchain/host-operator repo on GitHub: https://github.com/codeready-toolchain/host-operator (Makefile listed in the repo root). [1]

Would you like me to fetch and show the Makefile contents?

---

🌐 Web query:

site:github.com/codeready-toolchain/member-operator Makefile push

💡 Result:

The repo’s Makefile provides image-push targets — notably podman-push and push-to-quay-staging. The README instructs running:

• make podman-push QUAY_NAMESPACE=codeready-toolchain
• make push-to-quay-staging QUAY_NAMESPACE=codeready-toolchain. [1][2]

Sources:
[1] codeready-toolchain/member-operator README (Makefile push instructions).
[2] codeready-toolchain/member-operator Makefile (repository).

---

🌐 Web query:

"push-debug" OR "docker-push-debug" OR "podman-push-debug" site:github.com/codeready-toolchain/host-operator

💡 Result:

I searched the codeready-toolchain/host-operator repository for "push-debug", "docker-push-debug", and "podman-push-debug" and found no matches. Would you like me to (a) search all of GitHub for those terms, or (b) search the repository for similar/related build or push targets (e.g., Makefile, scripts, GitHub Actions)?

---

🌐 Web query:

"push-debug" OR "docker-push-debug" OR "podman-push-debug" site:github.com/codeready-toolchain/member-operator

💡 Result:

I searched the codeready-toolchain/member-operator repository and found no matches for "push-debug", "docker-push-debug", or "podman-push-debug". (github.com)

Citations:

• 1: https://github.com/codeready-toolchain/member-operator

---

The debug push targets do not exist in the operator repositories. This implementation will fail at runtime.

The docker-push-debug and podman-push-debug make targets referenced on line 59 do not exist in either the host-operator or member-operator repositories. When push_image() is called with the first argument set to "true", the make command will fail because the target ${IMAGE_BUILDER}-push-debug is undefined.

Either:

1. Add the docker-push-debug and podman-push-debug targets to the operator Makefiles, or
2. Remove the debug mode suffix logic from this function and handle debug builds separately

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 60-60: IMAGE_LOC appears unused. Verify use (or export if used externally).

(SC2034)

🤖 Prompt for AI Agents

In scripts/ci/manage-operator.sh around lines 47 to 62, the function push_image
builds a make target with a "-debug" suffix when the first arg is "true", but
those docker-push-debug/podman-push-debug targets do not exist causing runtime
failures; remove the DEBUG_MODE_SUFFIX logic so the make invocation always calls
the existing ${IMAGE_BUILDER}-push target (and leave debug-image handling to a
separate, explicit flow), or alternatively add a guard that only appends
"-debug" when the target actually exists; update the function to use a single
known target (or perform an explicit conditional to call a separate debug build
routine) and ensure IMAGE_LOC/IMAGE_TAG logic remains correct.

[rajivnathan]

Wonder whether this should be added as an option for consistency with other options or it's fine to treat it as a special environment variable.

@MatousJobanek and @rsoaresd may have thoughts on this