product-lifecycle: Add plc_lookup.py CLI, migrate to v2 API

[harche]

Summary

• Replaces inline curl/python one-liners in product-lifecycle SKILL.md with a standalone Python CLI (plc_lookup.py) wrapping the Red Hat Product Life Cycle API v2
• Addresses review feedback from PR OTA-1963: skills: Add cluster-update skills (update-advisor, product-lifecycle) #6: v1→v2 migration, all 5 support status types, drop PLCC acronym, proper error handling
• Adds pagination (--limit, --offset) for broad queries
• Includes 46 tests (unit with mocked API + integration against live API)
• Updates update-advisor SKILL.md cross-references

Builds on top of #6 (that PR stays open).

CLI usage

python3 cluster-update/product-lifecycle/scripts/plc_lookup.py products "logging for Red Hat OpenShift"
python3 cluster-update/product-lifecycle/scripts/plc_lookup.py products "OpenShift" --ocp 4.21 --limit 5
python3 cluster-update/product-lifecycle/scripts/plc_lookup.py olm-check --ocp 4.21 --operators '[{"package":"cluster-logging"}]'

Test plan

• All 46 tests pass locally (python3 -m unittest — 19 unit + 17 integration against live API + 10 pagination)
• Verify plc_lookup.py -h shows clean help output
• Verify script works from repo root path
• Verify SKILL.md paths resolve correctly

🤖 Generated with Claude Code

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: harche

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [harche]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[harche]

/hold

will look into this after #6

[harche]

Testing Results

Eval Framework (Agent-in-the-loop)

Ran 12 skill evals via the agentic-skills eval framework using Claude on Vertex AI. Test queries use the exact prompt format CVO proposals send to the agent, with real OLM operator data and readiness JSON.

product-lifecycle (7 evals)

Test Case	Query	Expected	Result
plc_proposal_olm_batch_check	5-operator batch olm-check from proposal context	5 checked, 3 unavailable	✅
plc_cluster_logging_supported	cluster-logging v6.5 lifecycle + OCP 4.21 compat	supported, compatible	✅
plc_web_terminal_compat_check	web-terminal supported version for OCP 4.21	no supported version for 4.21	✅
plc_compliance_operator_status	compliance-operator v1.9 lifecycle status	found, supported	✅
plc_ocp_platform_status	OCP 4.21 platform lifecycle	supported	✅
plc_ocp_old_version_extended	OCP 4.14 lifecycle phase	extended	✅
plc_batch_known_operators_only	2-operator batch check (cluster-logging + web-terminal)	both found, neither EOL	✅

update-advisor (5 evals)

Each test sends a complete readiness JSON (same format CVO produces) and verifies the agent's upgrade decision:

Test Case	Scenario	Expected Decision	Result
advisor_healthy_cluster_recommend	All 9 checks pass, no issues	recommend	✅
advisor_degraded_operator_caution	1 degraded operator (authentication)	caution	✅
advisor_api_deprecation_block	Removed API with 1250 active requests	block	✅
advisor_etcd_unhealthy_block	1 of 3 etcd members not ready	block	✅
advisor_errored_checks_escalate	7 of 9 readiness checks errored (API unreachable)	escalate	✅

All 12 agent evals + 46 unit/integration tests passed.

End-to-End with CVO Readiness Data

Tested the full proposal → readiness → skill pipeline using a custom CVO build from openshift/cluster-version-operator#1395 deployed to a live OCP 4.21.5 cluster on GCP (6 nodes).

Installed OLM operators for testing:

• cluster-logging v6.5.1 (channel: stable-6.5)
• compliance-operator v1.9.0 (channel: stable)
• openshift-pipelines-operator-rh v1.22.0 (channel: latest)
• web-terminal v1.16.0 (channel: fast)
• devworkspace-operator v0.41.0 (channel: fast)

Flow verified:

1. CVO creates proposals with readiness JSON containing olm_operator_lifecycle data for all 5 operators
2. The update-advisor skill analyzes readiness data and classifies findings per its decision policy
3. The update-advisor calls product-lifecycle to cross-check operators against the PLC API
4. plc_lookup.py olm-check correctly returns lifecycle data for cluster-logging and web-terminal, reports "unavailable" for compliance-operator, openshift-pipelines, and devworkspace-operator
5. plc_lookup.py products finds compliance-operator by product name even when olm-check can't match by package name

Cluster readiness summary (from proposal ota-4-21-5-to-4-21-16):

• 9/9 readiness checks passed in 2.56s
• 34 ClusterOperators healthy, 6 nodes ready, 3/3 etcd members
• 207 CRDs (0 version issues), 21 PDBs (0 blocking)
• OVNKubernetes, TLS Intermediate, no deprecated APIs
• 5 OLM operators detected with versions, channels, and install status

Ground truth verification

All expected values in evals were verified against the live PLC v2 API:

$ plc_lookup.py products "Red Hat OpenShift Container Platform" --ocp 4.21  →  4.21: supported
$ plc_lookup.py products "Red Hat OpenShift Container Platform" --ocp 4.14  →  4.14: extended
$ plc_lookup.py products "logging for Red Hat OpenShift" --ocp 4.21         →  6.5: supported, ocp_compatible=true
$ plc_lookup.py products "compliance operator"                              →  v1.9: supported
$ plc_lookup.py olm-check --ocp 4.21 --operators '[5 operators]'           →  2 found, 3 unavailable

🤖 Generated with Claude Code

[harche]

/cc @wking

[harche]

/hold improving evals with better data.

[harche]

Converting to draft, I need to make a few more changes before it is ready for the review.

[harche]

Converting to draft, I need to make a few more changes before it is ready for the review.

back to open.

[harche]

Cross-PR testing

Tested end-to-end with:

• openshift/cluster-version-operator#1395 — CVO readiness checks + proposal wiring + typed analysis schema
• openshift/cluster-update-console-plugin#8 — Console UI with dropdown selector, expandable analysis panels, typed component rendering

All three deployed together on OCP 4.21.5 cluster. The product-lifecycle skill (plc_lookup.py) successfully runs inside the agent sandbox, querying the PLCC API and populating operator lifecycle data in the ota_olm_operator_status component.

The skill path fix (cluster-update/... → product-lifecycle/...) is required for the sandbox mount paths to resolve correctly.

[harche]

/override ci/prow/eval

[openshift-ci]

@harche: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[wking]

how specific do we want to make these eval checks? E.g. you currently have a boolean here. But you could raise the bar a bit for the AI engine being evaluated by requiring an array of degraded operator names. Or further by requiring an array of degraded operator names and propogation of the reason and message (OAuthFlaky and oauth pods intermittently failing for the authentication information in the fixture prompt, for example). Or you could raise the bar even higher by requiring AI to return some suggested next-step that goes beyond the information we already knew when generating the input query. Is the goal here smoke-testing, or high-fidelity spec -> status plumbing, or AI-adds-value-beyond-what-the-classical-bots-already-knew, or what?

[wking]

nit: you're already importing plc_lookup to feed tests like self.assertEqual(plc_lookup.normalize_status("Full Support"), "supported"). We could reroll plc_lookup to replace the current main() and args = parser.parse_args() with:

def main(args=None):
    # ...
    args = parser.parse_args(args=args, output=sys.stdout)
    # ...

so this test harness can call:

output = io.StringIO()
plc_lookup.main(args=['products', 'logging for Red Hat OpenShift'], output=io)

or some such, without needing to bother with SCRIPT_PATH magic or subprocess execution.

Doesn't need to happen in this pull though, or maybe ever. I'm just floating as a potential simplification that might make future maintenance easier, and we can always come back to this in the future if SCRIPT_PATH gives us trouble.

[wking]

nit: seems like this risks us conflating two unknown statuses? Maybe normalize_status should opaquely pass through any unrecognized status strings?

[wking]

hmm, I'd have expected the case-insensitive lookup to return the same result as the General availability test a few cases earlier. Are we asserting that phase casing is important for some reason?

[wking]

nit: it's a bit strange to me to have two arguments where the later is a subset of the data in the former. It seems like we'd reduce the space for inconsistencies if we had one argument for the whole product structure, and the second argument with just the information needed to look up the version we wanted formatted (and not the entire version structure we wanted formatted). Like format_product_version(product=SAMPLE_PRODUCT, version_index=0) or format_product_version(product=SAMPLE_PRODUCT, version_name=SAMPLE_PRODUCT['versions'][0].name) or some such. No need to block merging over this, just pointing it out in case it makes sense to you, or in case someone else wants to reroll to use that approach in the future.

[wking]

nit: do we want to assert total and returned here too, like we did for test_limit and earlier? Seems easy to just continue that pattern on? Or if we want to make it even harder to forget to check some aspect of the response, we can pivot all of these to self.assertEqual(meta, $FIXME_HAND_CRAFT_ENTIRE_META_DICT) so the tests fail if meta includes a new key we forgot to add test-coverage for.

[wking]

probably worth an self.assertEqual(output['results'][0]['product'], 'logging for Red Hat OpenShift') or some such here too, to confirm that the result we're looking at is the expected SAMPLE_PRODUCT entry without having to rely on the 6.5 version. Maybe drop the 6.5 check and use:

for result in output['results']:
    self.assertEqual(result['product'], 'logging for Red Hat OpenShift')`

since what we're trying to excercise in this test_found case is the name-based lookup?

[wking]

why assertGreater here instead of being more clear on the specifics of the results we expect? We should be able to assertEqual the entire output string, right?

[wking]

nit: if we're allowing >0 results, shouldn't we be iterating over results to confirm that at least one of the results is cluster-logging? That way this test keeps passing if the lifecycle data picks up some other product that matches logging but which isn't the OLM-installed operator we're looking for and that other product happens to come first.

[wking]

$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products?name=Openshift+Container+Platform' | jq -c '.data[] | {name, former_names}'
{"name":"Red Hat OpenShift Container Platform","former_names":["OpenShift Container Platform"," OpenShift Container Platform 3"," OpenShift Container Platform 4"]}

so at the moment, only the one hit. Can we assert that at least one entry has name or a former_names entry that exactly matches Red Hat OpenShift Container Platform instead of using the weaker OpenShift search? Something like:

names = []
for result in output['results']:
    names.append(result.get('product'))
    names.extend(results.get('former_names', [])
self.assertIn('Red Hat OpenShift Container Platform', names)

or are we not preserving former_names through to the results structure?

[wking]

nit: slightly easier to debug this failing if we include some hints about the surprisingly-compatible versions, like:

self.assertEqual(compatible, [], 'No logging version should be compatible with OCP 3.11')

[wking]

nit: if we want to assert something useful about the content of the subcommand help, we could use something like:

self.assertIn('Max results to return (0 = all, default: all)', r.stdout)

[wking]

I'm not aware of a commitment from OLS that whatever image they use to back their sandbox Pod will always have python3. But 🤷 , that's what end-to-end testing is for, wherever that is happening.

[wking]

I'm not clear on the value of a 1:1 mapping. See here on my concerns around the unknown default vs. passing through the raw type. And checking the production API now, there doesn't seems to be much diversity like case-inconsistency to collapse:

$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products' | jq -r '.data[].versions[].type' | sort | uniq -c | sort -n
     12 
     43 End of Maintenance
    116 Extended Support
    173 Maintenance Support
    263 Full Support
    891 End of life

Can we use the raw types, instead of inventing our own strings? Or are we concerned that the upstream consistency will break down over time, or that the upstream API will introduce other new strings that we want to collapse into a smaller set of our strings? Or...?

[wking]

don't we need the other phases too, e.g. Extended update support and Extended update support Term 2?:

$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products?name=fence+agents+remediation' | jq -c '.data[].versions[0].phases[]'
{"name":"General availability","start_date":"N/A","end_date":"2026-06-16T00:00:00.000Z","start_date_format":"string","end_date_format":"date","additional_text":""}
{"name":"Full support","start_date":"2026-06-16T00:00:00.000Z","end_date":"2026-12-31T00:00:00.000Z","start_date_format":"date","end_date_format":"date","additional_text":""}
{"name":"Maintenance support","start_date":"2027-01-01T00:00:00.000Z","end_date":"2027-12-31T00:00:00.000Z","start_date_format":"date","end_date_format":"date","additional_text":""}
{"name":"Extended update support","start_date":"2028-01-01T00:00:00.000Z","end_date":"2028-06-30T00:00:00.000Z","start_date_format":"date","end_date_format":"date","additional_text":""}
{"name":"Extended update support Term 2","start_date":"2028-07-01T00:00:00.000Z","end_date":"2029-06-30T00:00:00.000Z","start_date_format":"date","end_date_format":"date","additional_text":""}

[wking]

nit: I'm not all that clear on https://access.redhat.com/product-life-cycles/api/v2/products order commitments (do they commit to stable ordering? Do they commit to any particular order like "alphabetical by current product name"? What happens if a product gets renamed? Does the caller here really care about limiting results for pagination? Do we have a situation where we'd recommend the consuming AI agent actually paginate the results? Maybe we can just drop the pagination feature as something with unclear value, return all the results every time, and recommend in the skill Markdown that the agent try to be specific with their queries? Or maybe we can drop --offset, keep --limit, and explain in the skill that if the response shows --limit mattered, that the AI should look at the returned product names and try to use that context to try again with a more specific name for the products it was hoping to retrieve?

[wking]

nit: this is restoring the numbered section headings I'd dropped in b3b6cd2 (#21). Do you not buy my motivation for that change?

[wking]

nit: this is restoring the triple-backticked block I'd converted to Markdown sections in b3b6cd2 (#21). Do you not buy my motivation for that change?

[wking]

hmm, this seems like a risky way to try and find the subset of products that includes package. For example:

$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products' | jq -c '.data[] | select(.package) | {name, former_names, package}' | grep -v OpenShift
{"name":"AMQ broker","former_names":["Red Hat AMQ","Red Hat AMQ Broker"],"package":"amq-broker-rhel8"}
{"name":"AMQ Broker Operator (RHEL8)","former_names":[],"package":"amq-broker-rhel8"}
{"name":"AMQ Broker Operator (RHEL9)","former_names":[],"package":"amq-broker-rhel9"}
{"name":"AMQ interconnect","former_names":["Red Hat AMQ Interconnect"],"package":"amq7-interconnect-operator"}
...
$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products' | jq -c '.data[] | select(.package) | {name, former_names, package}' | grep -v OpenShift | wc -l
122

vs. only 9 with the name=OpenShift product filter:

$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products?name=OpenShift' | jq -c '.data[] | select(.package) | {name, former_names, package}'{"name":"builds for Red Hat OpenShift","former_names":["Builds for Red Hat OpenShift"],"package":"openshift-builds-operator"}
{"name":"custom metrics autoscaler","former_names":["Custom Metric Autoscaler operator for Red Hat OpenShift"],"package":"openshift-custom-metrics-autoscaler-operator"}
{"name":"kernel module management","former_names":["Kernel Module Management operator for Red Hat OpenShift"],"package":"kernel-module-management"}
{"name":"logging for Red Hat OpenShift","former_names":["Red Hat OpenShift Logging"],"package":"cluster-logging"}
{"name":"OpenShift APIs for Data Protection","former_names":["OpenShift API for Data Protection"],"package":"redhat-oadp-operator"}
{"name":"Red Hat OpenShift AI Self-Managed","former_names":["Red Hat OpenShift Data Science self-managed"],"package":"rhods-operator"}
{"name":"Red Hat OpenShift Data Foundation","former_names":["OpenShift Container Storage 4","Red Hat OpenShift Data Foundation (formerly OpenShift Container Storage 4)"],"package":"odf-operator"}
{"name":"Red Hat OpenShift intelligent assistant","former_names":["Red Hat OpenShift Lightspeed"],"package":"lightspeed-operator"}
{"name":"Red Hat OpenShift support for Windows Containers","former_names":["Red Hat OpenShift support for Windows Containers","Red Hat OpenShift for Windows Containers"],"package":"windows-machine-config-operator"}
{"name":"web terminal operator","former_names":["Red Hat OpenShift Web Terminal Operator","Web Terminal Operator"],"package":"web-terminal"}

[wking]

I hope we aren't often moving packages from one product to another, but I'm not sure it's impossible. For compat check purposes, we probably want to preserve every product that mentions the package we're interested in. You can use collections.defaultdict for this, something like:

by_package = collections.defaultdict(list)
for p in batch:
        pkg = p.get("package")
        if pkg:
            by_package[pkg].append(p)

after which by_package.get(package_name) would give you a list of all the products claiming that package, or None.

[wking]

Ah, and looks like we do need this already, e.g.:

$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products' | jq -r '.data[].package | select(.)' | sort | uniq -c | sort -n | tail
      1 trustee-operator
      1 vertical-pod-autoscaler
      1 volsync-product
      1 watcher-operator
      1 web-terminal
      1 windows-machine-config-operator
      2 amq7-interconnect-operator
      2 amq-broker-rhel8
      2 amq-streams
      2 skupper-operator
$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products' | jq -c '.data[] | select(.package == "skupper-operator") | {name, former_names}'
{"name":"Red Hat Service Interconnect","former_names":[]}
{"name":"Red Hat Service Interconnect Operator","former_names":[]}

Happily for at least Red Hat Service Interconnect*, there doesn't seem to be any difference in phase information:

$ diff -u1 <(curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products?name=Red+Hat+Service+Interconnect' | jq -c '.data[] | .versions[] | .name as $v | .phases[] | {version: $v, phase: .}') <(curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products?name=Red+Hat+Service+Interconnect+Operator' | jq -c '.data[] | .versions[] | .name as $v | .phases[] | {version: $v, phase: .}')

I haven't checked the others.

[wking]

This seems like it's trying to backstop for the earlier OpenShift query missing the product(s) that ships this package. But it's not a complete guard, e.g. it fails for the skupper-operator package:

$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products?name=skupper-operator'
{"data":[]}
$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products?name=OpenShift' | jq -c '[.data[] | select(.package == "skupper-operator")]'
[]
$ curl -s 'https://access.redhat.com/product-life-cycles/api/v2/products' | jq -c '[.data[] | select(.package == "skupper-operator").name]'
["Red Hat Service Interconnect","Red Hat Service Interconnect Operator"]

[wking]

Our previous discussion ended up deciding allowed-tools was too under-specified to be worth including. Doesn't look like the spec has evolved since then.

[wking]

nit: this skill doesn't have to care that the tool queries the v2 API, so we can probably drop the change to this line. One less place that will need bumping if we eventually pivot the tool to a v3 API or whatever.

[wking]

Internal tool detail, right? I expect dropping this line would save the AI agent a few tokens parsing the skill, and not impact its ability to use the tool at all. And I expect dropping this line will save us the effort of having to remember to bump this line if the tool behavior changes in the future.

[wking]

can't we drop python3 here, set the executable bit on plc_lookup.py, and rely on the #!/usr/bin/env python3 shebang to get the script invoked by its intended interpreter? Or is there something about volume mounting the skills image into the sandbox container that messes with executable bits?

[wking]

This is restoring the commitment to explicit CVO behavior (calling for 9 exact checks) that we'd dropped after this earlier thread. Is my argument there making less sense now than it did then? 😅

[wking]

This is restoring the room for inconsistent claims that we'd dropped after this earlier thread. Is my argument there making less sense now than it did then? 😅

[wking]

This is restoring the section committing to CVO behavior that seems hard to maintain, and which we'd dropped after this earlier thread. Is my argument there making less sense now than it did then? 😅

[wking]

We'd dropped this section after this earlier thread, and also have the Investigate with other skills section a bit further down that you're currently dropping. Why pivot back to the old approach?