openshift · Thealisyed · Jun 17, 2026 · Jun 17, 2026 · Jun 17, 2026
diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json
@@ -0,0 +1,13 @@
+{
+  "name": "network-edge-tools",
+  "owner": {
+    "name": "openshift"
+  },
+  "plugins": [
+    {
+      "name": "konflux-release",
+      "source": "./plugins/konflux-release",
+      "description": "Konflux release workflow automation for ExternalDNS Operator (EDO)"
+    }
+  ]
+}
diff --git a/plugins/konflux-release/.claude-plugin/plugin.json b/plugins/konflux-release/.claude-plugin/plugin.json
@@ -0,0 +1,8 @@
+{
+  "name": "konflux-release",
+  "description": "Konflux release workflow automation for ExternalDNS Operator (EDO)",
+  "version": "0.1.0",
+  "author": {
+    "name": "github.com/openshift/network-edge-tools"
+  }
+}
diff --git a/plugins/konflux-release/README.md b/plugins/konflux-release/README.md
@@ -0,0 +1,79 @@
+# konflux-release
+
+Konflux release workflow automation for the ExternalDNS Operator (EDO).
+
+## Overview
+
+This plugin codifies the 6-phase Konflux release process that the NID team follows for EDO releases, based on the [release process documentation](https://github.com/openshift/external-dns-operator/pull/391) by Andrey Lebedev. Claude drives the workflow end-to-end — opening PRs, creating Release CRs, polling status, running verification — while a human reviewer stays in the loop to approve PRs and handle auth.
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/konflux-release:release <version>` | Run the full 6-phase EDO release workflow |
+| `/konflux-release:status` | Check current release state and progress |
+| `/konflux-release:verify <version>` | Run production verification across all OCP versions |
+
+## Prerequisites
+
+- `oc` CLI authenticated to the Konflux cluster
+- `gh` CLI authenticated to GitHub
+- `kubectl` access to `external-dns-operator-tenant` namespace
+- `podman` installed (for verification)
+- `jira` CLI (optional, for closing tickets)
+
+## Setup: Pre-approve Permissions
+
+The release workflow runs many read and write commands. To avoid clicking "Yes" on every `git`, `gh`, `kubectl`, and `podman` command, add these patterns to your EDO repo's `.claude/settings.local.json`:
+
+```json
+{
+  "permissions": {
+    "allow": [
+      "Bash(git fetch *)",
+      "Bash(git show *)",
+      "Bash(git checkout *)",
+      "Bash(git branch *)",
+      "Bash(git add *)",
+      "Bash(git commit *)",
+      "Bash(git push *)",
+      "Bash(git diff *)",
+      "Bash(git log *)",
+      "Bash(git status*)",
+      "Bash(gh pr *)",
+      "Bash(gh auth *)",
+      "Bash(kubectl get *)",
+      "Bash(kubectl apply *)",
+      "Bash(oc whoami*)",
+      "Bash(grep *)",
+      "Bash(sed *)",
+      "Bash(cat *)",
+      "Bash(wc *)",
+      "Bash(podman run *)",
+      "Bash(jira issue *)"
+    ]
+  }
+}
+```
+
+This only needs to be done once per repo clone.
+
+## Process Phases
+
+1. **Code Readiness** — Verify all PRs merged, VERSION file correct
+2. **RPA Verification** — Confirm ReleasePlanAdmission exists in konflux-release-data
+3. **Stage Release** — Update FBC catalogs with stage bundle, create stage Release CRs
+4. **Prod Bundle Release** — Create prod Release CR for the bundle
+5. **FBC Prod Release** — Swap stage→prod registry in catalogs, create 11 FBC Release CRs
+6. **Verify + Close** — Verify bundle in all prod indexes, close Jira tickets
+
+## State Tracking
+
+Release state is persisted to `.work/konflux-release/release-state-{version}.json` so the workflow can be resumed across Claude sessions.
+
+## Component Ownership
+
+| Component | Owners |
+|-----------|--------|
+| Plugin | @Thealisyed |
+| EDO release process | @alebedev87, @grzpiotrowski |
diff --git a/plugins/konflux-release/commands/release.md b/plugins/konflux-release/commands/release.md
@@ -0,0 +1,76 @@
+---
+description: Run the full 6-phase EDO Konflux release workflow with Claude driving and a human reviewing
+argument-hint: "<version> [--resume]"
+---
+
+## Name
+konflux-release:release
+
+## Synopsis
+```
+/konflux-release:release <version> [--resume]
+```
+
+## Description
+
+The `konflux-release:release` command runs the complete EDO (ExternalDNS Operator) Konflux release workflow. Claude drives each phase — creating branches, editing FBC catalogs, opening PRs, generating Release CRs, polling status, and running verification. The human stays in the loop to review PRs, apply kubectl commands, and handle Konflux auth.
+
+## Implementation
+
+1. **Parse the version argument**. Must match pattern `X.Y.Z` (e.g., `1.2.2`, `1.3.6`).
+
+2. **Determine RHEL base**:
+   - Version starts with `1.2` → `rhel8`, release branch `release-1.2`, bundle app `ext-dns-optr-1-2-rhel-8`
+   - Version starts with `1.3` or higher → `rhel9`, release branch `main`, bundle app `ext-dns-optr-1-3-rhel-9`
+
+3. **Check for existing state file** at `.work/konflux-release/release-state-{version}.json`:
+   - If `--resume` is passed or the file exists, load state and resume from `current_phase`.
+   - If the file exists but `--resume` is NOT passed, ask the human: "A release state file exists for v{version} at phase {N}. Resume? (y/n)"
+   - If no file exists, initialize a new state and prompt the human for:
+     - **NE story number** (e.g., `NE-2730`) — used in PR titles
+     - **OCPBUGS ticket** (e.g., `OCPBUGS-78658`) — the CVE/bug driving this release
+
+4. **Verify prerequisites**:
+   - `oc whoami` succeeds (Konflux auth)
+   - `gh auth status` succeeds (GitHub auth)
+   - Current directory is the EDO repo (check for `bundle-hack/container_digest.sh`)
+
+5. **Load constants** from `plugins/konflux-release/team-docs/constants.md` (resolve the absolute path within the network-edge-tools repo).
+
+6. **Follow the `edo-release` skill** at `plugins/konflux-release/skills/edo-release/SKILL.md`. Execute each phase sequentially, updating the state file after each phase checkpoint.
+
+### Prerequisites
+
+- EDO repo must be cloned locally with `upstream` remote → `openshift/external-dns-operator`
+- `oc` CLI authenticated to the Konflux cluster
+- `gh` CLI authenticated to GitHub
+- `kubectl` access to `external-dns-operator-tenant` namespace
+- `podman` installed (for Phase 6 verification)
+- `jira` CLI (optional, for closing tickets in Phase 6)
+
+## Arguments
+
+- **version** *(required)*
+  The target release version in `X.Y.Z` format.
+  Example: `1.3.6`
+
+- **--resume** *(optional)*
+  Resume an in-progress release from the saved state file without prompting.
+
+## Examples
+
+1. **Start a new release**:
+   ```
+   /konflux-release:release 1.3.6
+   ```
+
+2. **Resume an in-progress release**:
+   ```
+   /konflux-release:release 1.3.6 --resume
+   ```
+
+## See Also
+- `plugins/konflux-release/skills/edo-release/SKILL.md` — Detailed phase procedures
+- `plugins/konflux-release/team-docs/constants.md` — EDO-specific constants
+- `/konflux-release:status` — Check release progress
+- `/konflux-release:verify` — Run production verification
diff --git a/plugins/konflux-release/commands/status.md b/plugins/konflux-release/commands/status.md
@@ -0,0 +1,68 @@
+---
+description: Check the current state and progress of an in-progress EDO Konflux release
+argument-hint: "[version]"
+---
+
+## Name
+konflux-release:status
+
+## Synopsis
+```
+/konflux-release:status [version]
+```
+
+## Description
+
+The `konflux-release:status` command reads the release state file and reports the current phase, completed phases, and any failed Release CRs. If Konflux auth is active, it also polls live Release CR statuses.
+
+## Implementation
+
+1. **Find state files**. Look for `.work/konflux-release/release-state-*.json` in the current directory:
+   - If `version` is provided, read `release-state-{version}.json` directly.
+   - If no version is provided, list all state files and report on the most recent one.
+   - If no state files exist, report "No active releases found."
+
+2. **Read and parse** the state JSON file.
+
+3. **Display the phase summary**:
+   ```
+   EDO v{version} Konflux Release Status
+   ======================================
+   Phase 1: Code Readiness       ✓ Completed
+   Phase 2: RPA Verification     ✓ Completed
+   Phase 3: Stage Release         ✓ Completed
+   Phase 4: Prod Bundle Release   → In Progress
+   Phase 5: FBC Prod Release      · Pending
+   Phase 6: Verify + Close        · Pending
+
+   Current phase: 4 — Prod Bundle Release
+   Started: 2026-06-17 10:30 UTC
+   Last updated: 2026-06-17 14:22 UTC
+   ```
+
+4. **Show key values** if populated:
+   - Bundle digest
+   - Snapshot name
+   - PR numbers
+   - Failed Release CRs (with error messages if available)
+
+5. **Optionally poll live status** if Konflux auth is active (`oc whoami` succeeds):
+   - Check Release CR status for the current phase
+   - Report live status alongside saved state
+
+## Arguments
+
+- **version** *(optional)*
+  The release version to check. If omitted, shows the most recent active release.
+
+## Examples
+
+1. **Check a specific release**:
+   ```
+   /konflux-release:status 1.3.6
+   ```
+
+2. **Check the most recent release**:
+   ```
+   /konflux-release:status
+   ```
diff --git a/plugins/konflux-release/commands/verify.md b/plugins/konflux-release/commands/verify.md
@@ -0,0 +1,80 @@
+---
+description: Run production verification for an EDO release across all OCP operator indexes
+argument-hint: "<version>"
+---
+
+## Name
+konflux-release:verify
+
+## Synopsis
+```
+/konflux-release:verify <version>
+```
+
+## Description
+
+The `konflux-release:verify` command verifies that an EDO release bundle is present in all production Red Hat operator indexes (v4.12 through v4.22). It runs `podman` with `--pull=always` to ensure fresh index images are used.
+
+## Implementation
+
+1. **Verify podman is available**:
+   ```bash
+   which podman
+   ```
+
+2. **Run verification across all 11 OCP versions**:
+   ```bash
+   for ver in 12 13 14 15 16 17 18 19 20 21 22; do
+     RESULT=$(podman run --pull=always --rm \
+       registry.redhat.io/redhat/redhat-operator-index:v4.${ver} \
+       ls /configs/external-dns-operator/ 2>&1)
+     EXIT_CODE=$?
+     if [ $EXIT_CODE -eq 0 ] && [ -n "$RESULT" ]; then
+       echo "v4.${ver}: FOUND"
+     else
+       echo "v4.${ver}: NOT FOUND"
+     fi
+   done
+   ```
+
+   **CRITICAL**: Always use `--pull=always`. Without it, podman reuses cached index images that may not contain the latest bundle, producing false NOT FOUND results.
+
+3. **Present results as a table**:
+   ```
+   EDO v{version} Production Verification
+   =======================================
+   v4.12: FOUND ✓
+   v4.13: FOUND ✓
+   v4.14: FOUND ✓
+   v4.15: FOUND ✓
+   v4.16: FOUND ✓
+   v4.17: FOUND ✓
+   v4.18: FOUND ✓
+   v4.19: FOUND ✓
+   v4.20: FOUND ✓
+   v4.21: FOUND ✓
+   v4.22: FOUND ✓
+
+   Result: 11/11 verified ✓
+   ```
+
+4. **If any versions show NOT FOUND**, advise:
+   - Confirm the FBC prod Release CR for that version succeeded
+   - Image propagation may take a few minutes after Release CR success
+   - Re-run with `--pull=always` (this command always does, but warn if running manually)
+
+## Arguments
+
+- **version** *(required)*
+  The release version to verify (e.g., `1.2.2`).
+
+## Examples
+
+1. **Verify a completed release**:
+   ```
+   /konflux-release:verify 1.2.2
+   ```
+
+## See Also
+- `/konflux-release:status` — Check release state
+- `/konflux-release:release` — Run the full release workflow