From b072fb6074b9a21cd4770fe84325ae9ee5a94bf5 Mon Sep 17 00:00:00 2001
From: Joe Lanford
Date: Wed, 30 Jul 2025 20:47:59 -0400
Subject: [PATCH 1/3] boxcutter webhook support
Signed-off-by: Joe Lanford
---
 cmd/operator-controller/main.go | 6 +++---
 internal/operator-controller/applier/boxcutter.go | 10 ++++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
index 02077693f7..380f5e61ac 100644
--- a/cmd/operator-controller/main.go
+++ b/cmd/operator-controller/main.go
@@ -443,7 +443,7 @@ func run() error {
 // create applier
 var ctrlBuilderOpts []controllers.ControllerBuilderOption
 var extApplier controllers.Applier
-
+ certProvider := getCertificateProvider()
 if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {
 // TODO: add support for preflight checks
 // TODO: better scheme handling - which types do we want to support?
@@ -454,14 +454,14 @@ func run() error {
 RevisionGenerator: &applier.SimpleRevisionGenerator{
 Scheme: mgr.GetScheme(),
 BundleRenderer: &applier.RegistryV1BundleRenderer{
- BundleRenderer: registryv1.Renderer,
+ BundleRenderer: registryv1.Renderer,
+ CertificateProvider: certProvider,
 },
 },
 }
 ctrlBuilderOpts = append(ctrlBuilderOpts, controllers.WithOwns(&ocv1.ClusterExtensionRevision{}))
 } else {
 // now initialize the helmApplier, assigning the potentially nil preAuth
- certProvider := getCertificateProvider()
 extApplier = &applier.Helm{
 ActionClientGetter: acg,
 Preflights: preflights,
diff --git a/internal/operator-controller/applier/boxcutter.go b/internal/operator-controller/applier/boxcutter.go
index fe9461b6ca..0b864669c1 100644
--- a/internal/operator-controller/applier/boxcutter.go
+++ b/internal/operator-controller/applier/boxcutter.go
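Review bot: `certProvider := getCertificateProvider()` is now evaluated before the feature-gate branch and handed to `RegistryV1BundleRenderer` as `CertificateProvider`, but nothing here documents that the value may be nil, which the `r.CertificateProvider == nil` check added in boxcutter.go's `Render` suggests it can be. The only nearby comment, `// now initialize the helmApplier, assigning the potentially nil preAuth`, still lives in the else branch and talks about `preAuth`, so a reader of the boxcutter branch gets no hint. Suggest a line above the assignment: `// certProvider may be nil when no webhook certificate provider is configured; the boxcutter renderer then rejects bundles with webhookDefinitions.` run's body starts and ends outside both hunks.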
@@ -223,7 +223,8 @@ type BundleRenderer interface {
 }
 type RegistryV1BundleRenderer struct {
- BundleRenderer render.BundleRenderer
+ BundleRenderer render.BundleRenderer
+ CertificateProvider render.CertificateProvider
 }
 func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) {
@@ -231,9 +232,14 @@ func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExten
 if err != nil {
 return nil, err
 }
+
+ if len(reg.CSV.Spec.WebhookDefinitions) > 0 && r.CertificateProvider == nil {
+ return nil, fmt.Errorf("unsupported bundle: webhookDefinitions are not supported")
+ }
+
 watchNamespace, err := GetWatchNamespace(ext)
 if err != nil {
 return nil, err
 }
- return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace))
+ return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace), render.WithCertificateProvider(r.CertificateProvider))
 }
From c757c61483b8780f5f4be7802c0b7013c2e64837 Mon Sep 17 00:00:00 2001
From: Joe Lanford
Date: Thu, 31 Jul 2025 16:06:40 -0400
Subject: [PATCH 2/3] add BoxcutterRuntime feature gate to experimental release
Signed-off-by: Joe Lanford
---
 config/components/base/experimental/kustomization.yaml | 1 +
 manifests/experimental-e2e.yaml | 1 +
 manifests/experimental.yaml | 1 +
 3 files changed, 3 insertions(+)
diff --git a/config/components/base/experimental/kustomization.yaml b/config/components/base/experimental/kustomization.yaml
index ab4eac1f7b..f69e0e973d 100644
--- a/config/components/base/experimental/kustomization.yaml
+++ b/config/components/base/experimental/kustomization.yaml
@@ -16,5 +16,6 @@ components:
 - ../../features/preflight-permissions
 - ../../features/apiv1-metas-handler
 - ../../features/helm-chart
+- ../../features/boxcutter-runtime
 # This one is downstream only, so we shant use it
 # - ../../features/webhook-provider-openshift-serviceca
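Review bot: The guard added to `Render` rejects a bundle that declares `WebhookDefinitions` only because `r.CertificateProvider` is nil, yet the message `unsupported bundle: webhookDefinitions are not supported` hides that condition, so whoever reads the resulting status cannot tell that configuring a certificate provider would make the same bundle installable. Suggest `return nil, errors.New("unsupported bundle: webhookDefinitions require a certificate provider, but none is configured")` — `errors.New` if that package is already imported in this file, otherwise `fmt.Errorf` with the same text; a constant format string with no verbs is what linters flag on the current line. Separately, `render.WithCertificateProvider(r.CertificateProvider)` is now passed on every call, including when the provider is nil and the bundle has no webhooks, so it is worth confirming that the renderer treats a nil provider as absent rather than dereferencing it, since only the webhook-bearing case is rejected up front. `Render` opens before this hunk (the statement that assigns `reg` and `err` is outside it); the struct hunk above is a plain field addition.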
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index 36dc836c90..d8a4ed2320 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
@@ -1968,6 +1968,7 @@ spec:
 - --feature-gates=SingleOwnNamespaceInstallSupport=true
 - --feature-gates=PreflightPermissions=true
 - --feature-gates=HelmChartSupport=true
+ - --feature-gates=BoxcutterRuntime=true
 - --catalogd-cas-dir=/var/certs
 - --pull-cas-dir=/var/certs
 - --tls-cert=/var/certs/tls.cert
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
index 2d124f617f..6adbaaef68 100644
--- a/manifests/experimental.yaml
+++ b/manifests/experimental.yaml
@@ -1934,6 +1934,7 @@ spec:
 - --feature-gates=SingleOwnNamespaceInstallSupport=true
 - --feature-gates=PreflightPermissions=true
 - --feature-gates=HelmChartSupport=true
+ - --feature-gates=BoxcutterRuntime=true
 - --catalogd-cas-dir=/var/certs
 - --pull-cas-dir=/var/certs
 - --tls-cert=/var/certs/tls.cert
From 3a3406a93f48bf089e15e7f7babfeec1706d6587 Mon Sep 17 00:00:00 2001
From: Joe Lanford
Date: Thu, 31 Jul 2025 17:29:21 -0400
Subject: [PATCH 3/3] add boxcutter cluster-admin cluster role binding in boxcutter's feature component
Signed-off-by: Joe Lanford
---
 .../boxcutter-runtime/cluster_role_binding.yaml | 12 ++++++++++++
 .../features/boxcutter-runtime/kustomization.yaml | 2 ++
 manifests/experimental-e2e.yaml | 15 +++++++++++++++
 manifests/experimental.yaml | 15 +++++++++++++++
 4 files changed, 44 insertions(+)
 create mode 100644 config/components/features/boxcutter-runtime/cluster_role_binding.yaml
diff --git a/config/components/features/boxcutter-runtime/cluster_role_binding.yaml b/config/components/features/boxcutter-runtime/cluster_role_binding.yaml
new file mode 100644
index 0000000000..e4a77f41f8
--- /dev/null
+++ b/config/components/features/boxcutter-runtime/cluster_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: operator-controller-boxcutter-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: olmv1-system
\ No newline at end of file
diff --git a/config/components/features/boxcutter-runtime/kustomization.yaml b/config/components/features/boxcutter-runtime/kustomization.yaml
index d075a1121a..bb8922d093 100644
--- a/config/components/features/boxcutter-runtime/kustomization.yaml
+++ b/config/components/features/boxcutter-runtime/kustomization.yaml
@@ -2,6 +2,8 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
+resources:
+ - cluster_role_binding.yaml
 patches:
 - target:
 kind: Deployment
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index d8a4ed2320..df80bef462 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
@@ -1699,6 +1699,21 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ annotations:
+ olm.operatorframework.io/feature-set: experimental
+ name: operator-controller-boxcutter-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: olmv1-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
 annotations:
 olm.operatorframework.io/feature-set: experimental
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
index 6adbaaef68..01e405bb60 100644
--- a/manifests/experimental.yaml
+++ b/manifests/experimental.yaml
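Review bot: The new `cluster_role_binding.yaml` binds the `operator-controller-controller-manager` ServiceAccount to the built-in `cluster-admin` ClusterRole, i.e. unrestricted access to every API in the cluster, and neither the file nor the commit message says which boxcutter operations need that breadth or what scoped role is meant to replace it. Since `kustomization.yaml` pulls the file in unconditionally under `resources:`, every overlay that includes the boxcutter-runtime component (the experimental manifests after patch 2) gains the binding, and anything that obtains the controller's token inherits cluster-admin. At minimum the file should carry a comment that explains and bounds the grant, e.g. `# TEMPORARY (experimental only): the boxcutter runtime currently runs as cluster-admin; replace with a ClusterRole scoped to the APIs it manages before graduating the feature gate.`, and the commit message should state the same rationale. The same binding is reproduced in the generated `manifests/experimental-e2e.yaml` hunk here and the `manifests/experimental.yaml` hunk that follows. Cosmetic: the file ends without a trailing newline (`\ No newline at end of file`) and indents the `subjects` item differently from the generated output; kustomize normalizes the latter.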
@@ -1699,6 +1699,21 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ annotations:
+ olm.operatorframework.io/feature-set: experimental
+ name: operator-controller-boxcutter-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: olmv1-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
 annotations:
 olm.operatorframework.io/feature-set: experimental