✨ Add preauthorizer checks to Boxcutter applier

[perdasilva]

Description

Adds the PreAuthorizer checks to the Boxcutter applier for feature-gate parity between Helm and Boxcutter appliers.

The Boxcutter applier's PreAuthorization check requires clusterextensions/finalizers and clusterextensionrevisions/finalizers update permissions (on top of the permissions to manage the bundle's resources).

Changes:

• Refactors PreAuthorizer away from handling ClusterExtension specific permissions
• Refactors Helm applier to add ClusterExtension permissions for the PreAuthorization check
• Updates the Helm applier PreAuthorization unit tests and adds a component integration test to ensure it is being called with the right parameters
• Adds PreAuthorization checks to the Boxcutter Applier and adds the clusterextensionrevisions/finalizers update permission for the check
• Refactors Boxcutters createOrUpdate method to call perform the PreAuthorization checks
• Adds PreAuthorizator intergration tests to Boxcutter unit test suite

PreAuthorizer Refactoring Notes

Previously, the PreAuthorizer.PreAuthorize method took a ClusterExtension as a parameter and used it to derive the user to check the permissions against and to generate the clusterextensions/finalizers update permission implicitly required by the applier to manage update ownerReferences blockerOwnerDeletion.

This PR makes refactors the PreAuthorize methods to substitute the ClusterExtension parameter by two parameters:

• manifestManager -> the user to check the permissions agains
• additionsRequiredPermissions -> permissions that are required on top of the permissions strictly required to manage the manifests input through the manifestReader parameter.

This makes the PreAuthorizer more generic by removing ClusterExtension concerns, and allows the applier to define which permissions are needed for its operation beyond those dictated by the bundle manifests. Making the PreAuthorizer more generic, and moving applier specific concerns to the applier. The PreAuthorizer and Applier unit tests are update for this change (removing the clusterextensionrevision perms from the PreAuthorizer tests and adding that check to the applier).

E2E Notes

• Added the ClusterExtension reports <condition> as <status> with Reason <reason> and Message including <message fragment> to avoid checking the entire error message but only the salient points as the set could change in the future
• Refactored the templating functions to split concerns
• Split the namespace and service account from the RBAC step into its own step (RBAC steps call the service account step - so their behavior hasn't changes completely) - this enables testing the ClusterExtension before the service account gets its permissions

Note

• The Boxcutter applier still uses the manager client to create and update the revisions. The PreAuthorizer just ensures the service account has all the necessary permissions to do its job.

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	4b73a61
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/696fa67f32ca2e00080b677b
😎 Deploy Preview	https://deploy-preview-2443--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

This PR adds PreAuthorizer checks to the Boxcutter applier to achieve feature-gate parity with the Helm applier. The implementation validates that service accounts have the necessary RBAC permissions before applying cluster extensions, including the ability to update clusterextensionrevisions/finalizers which is specific to the Boxcutter workflow.

Changes:

• Added an Option pattern to configure PreAuthorizer with ClusterExtensionRevision finalizer permission checks
• Integrated PreAuthorizer into the Boxcutter applier with manifest generation and permission validation
• Updated main.go to initialize PreAuthorizer with the new option when the PreflightPermissions feature gate is enabled

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
internal/operator-controller/authorization/rbac.go	Added Option pattern and WithClusterExtensionRevisionPerms to optionally check for update permissions on clusterextensionrevisions/finalizers
internal/operator-controller/authorization/rbac_test.go	Added test case for PreAuthorizer with ClusterExtensionRevision permissions
internal/operator-controller/applier/boxcutter.go	Added PreAuthorizer field and runPreAuthorizationChecks method to validate permissions before applying revisions
internal/operator-controller/applier/boxcutter_test.go	Added integration test for PreAuthorizer with fake implementation
cmd/operator-controller/main.go	Initialize PreAuthorizer with WithClusterExtensionRevisionPerms option when PreflightPermissions feature gate is enabled

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 90.12346% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.50%. Comparing base (a9e5614) to head (4b73a61).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/operator-controller/main.go	0.00%	4 Missing ⚠️
internal/operator-controller/applier/boxcutter.go	90.47%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2443      +/-   ##
==========================================
- Coverage   73.01%   69.50%   -3.52%     
==========================================
  Files         101      101              
  Lines        7730     7768      +38     
==========================================
- Hits         5644     5399     -245     
- Misses       1635     1932     +297     
+ Partials      451      437      -14     

Flag	Coverage Δ
e2e	46.01% <0.00%> (-0.23%)	⬇️
experimental-e2e	13.43% <0.00%> (-36.33%)	⬇️
unit	57.20% <90.12%> (+0.13%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pedjak]

How about that we do this instead? I find it a bit more readable/understanble:

diff --git a/test/e2e/steps/steps.go b/test/e2e/steps/steps.go
index f888a042..ab097182 100644
--- a/test/e2e/steps/steps.go
+++ b/test/e2e/steps/steps.go
@@ -267,21 +267,11 @@ func waitFor(ctx context.Context, conditionFn func() bool) {
 	require.Eventually(godog.T(ctx), conditionFn, timeout, tick)
 }
 
-type conditionMessageCmp func(string) bool
+type msgMatchFn func(string) bool
 
-func condMsgEquals(expected string) conditionMessageCmp {
-	return func(actual string) bool {
-		return actual == expected
-	}
-}
+func alwaysMatch(_ string) bool { return true }
 
-func condMsgContains(expected string) conditionMessageCmp {
-	return func(actual string) bool {
-		return strings.Contains(actual, expected)
-	}
-}
-
-func waitForCondition(ctx context.Context, resourceType, resourceName, conditionType, conditionStatus string, conditionReason *string, msgCmp *conditionMessageCmp) error {
+func waitForCondition(ctx context.Context, resourceType, resourceName, conditionType, conditionStatus string, conditionReason *string, msgFn msgMatchFn) error {
 	require.Eventually(godog.T(ctx), func() bool {
 		v, err := k8sClient("get", resourceType, resourceName, "-o", fmt.Sprintf("jsonpath={.status.conditions[?(@.type==\"%s\")]}", conditionType))
 		if err != nil {
@@ -298,7 +288,7 @@ func waitForCondition(ctx context.Context, resourceType, resourceName, condition
 		if conditionReason != nil && condition.Reason != *conditionReason {
 			return false
 		}
-		if msgCmp != nil && !(*msgCmp)(condition.Message) {
+		if msgFn != nil && !msgFn(condition.Message) {
 			return false
 		}
 
@@ -307,25 +297,31 @@ func waitForCondition(ctx context.Context, resourceType, resourceName, condition
 	return nil
 }
 
-func waitForExtensionCondition(ctx context.Context, conditionType, conditionStatus string, conditionReason *string, msgCmp *conditionMessageCmp) error {
+func waitForExtensionCondition(ctx context.Context, conditionType, conditionStatus string, conditionReason *string, msgMatchFn msgMatchFn) error {
 	sc := scenarioCtx(ctx)
-	return waitForCondition(ctx, "clusterextension", sc.clusterExtensionName, conditionType, conditionStatus, conditionReason, msgCmp)
+	return waitForCondition(ctx, "clusterextension", sc.clusterExtensionName, conditionType, conditionStatus, conditionReason, msgMatchFn)
 }
 
 func ClusterExtensionReportsCondition(ctx context.Context, conditionType, conditionStatus, conditionReason string, msg *godog.DocString) error {
-	var conditionMsgCmp *conditionMessageCmp
+	cmp := alwaysMatch
 	if msg != nil {
-		conditionMsgCmp = ptr.To(condMsgEquals(substituteScenarioVars(strings.Join(strings.Fields(msg.Content), " "), scenarioCtx(ctx))))
+		expectedMsg := substituteScenarioVars(msg.Content, scenarioCtx(ctx))
+		cmp = func(v string) bool {
+			return v == expectedMsg
+		}
 	}
-	return waitForExtensionCondition(ctx, conditionType, conditionStatus, &conditionReason, conditionMsgCmp)
+	return waitForExtensionCondition(ctx, conditionType, conditionStatus, &conditionReason, cmp)
 }
 
 func ClusterExtensionReportsConditionWithMessageFragment(ctx context.Context, conditionType, conditionStatus, conditionReason string, msgFragment *godog.DocString) error {
-	var conditionMsgCmp *conditionMessageCmp
+	cmp := alwaysMatch
 	if msgFragment != nil {
-		conditionMsgCmp = ptr.To(condMsgContains(substituteScenarioVars(strings.Join(strings.Fields(msgFragment.Content), " "), scenarioCtx(ctx))))
+		expectedMsg := substituteScenarioVars(strings.Join(strings.Fields(msgFragment.Content), " "), scenarioCtx(ctx))
+		cmp = func(actual string) bool {
+			return strings.Contains(actual, expectedMsg)
+		}
 	}
-	return waitForExtensionCondition(ctx, conditionType, conditionStatus, &conditionReason, conditionMsgCmp)
+	return waitForExtensionCondition(ctx, conditionType, conditionStatus, &conditionReason, cmp)
 }
 
 func ClusterExtensionReportsConditionWithoutMsg(ctx context.Context, conditionType, conditionStatus, conditionReason string) error {

[perdasilva]

brought these changes over - in hindsight I should have used patch XDD

[Copilot]

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pedjak]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pedjak, tmshort

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [pedjak,tmshort]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

Copilot reviewed 12 out of 12 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pedjak]

/lgtm

[camilamacedo86]

/override codecov/project

[openshift-ci]

@camilamacedo86: Overrode contexts on behalf of camilamacedo86: codecov/project

Details

In response to this:

/override codecov/project

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[grokspawn]

overrides across openshift/operator-framework domain cannot work.
However, codecov is not a required test in this repo, so it just may be taking a minute to process (it's batching).