✨ Add preauthorizer checks to Boxcutter applier

[perdasilva]

Description

Adds the PreAuthorizer checks to the Boxcutter applier for feature-gate parity between Helm and Boxcutter appliers.

The Boxcutter applier's PreAuthorization check requires clusterextensions/finalizers and clusterextensionrevisions/finalizers update permissions (on top of the permissions to manage the bundle's resources).

Changes:

• Refactors PreAuthorizer away from handling ClusterExtension specific permissions
• Refactors Helm applier to add ClusterExtension permissions for the PreAuthorization check
• Updates the Helm applier PreAuthorization unit tests and adds a component integration test to ensure it is being called with the right parameters
• Adds PreAuthorization checks to the Boxcutter Applier and adds the clusterextensionrevisions/finalizers update permission for the check
• Refactors Boxcutters createOrUpdate method to call perform the PreAuthorization checks
• Adds PreAuthorizator intergration tests to Boxcutter unit test suite

PreAuthorizer Refactoring Notes

Previously, the PreAuthorizer.PreAuthorize method took a ClusterExtension as a parameter and used it to derive the user to check the permissions against and to generate the clusterextensions/finalizers update permission implicitly required by the applier to manage update ownerReferences blockerOwnerDeletion.

This PR makes refactors the PreAuthorize methods to substitute the ClusterExtension parameter by two parameters:

• manifestManager -> the user to check the permissions agains
• additionsRequiredPermissions -> permissions that are required on top of the permissions strictly required to manage the manifests input through the manifestReader parameter.

This makes the PreAuthorizer more generic by removing ClusterExtension concerns, and allows the applier to define which permissions are needed for its operation beyond those dictated by the bundle manifests. Making the PreAuthorizer more generic, and moving applier specific concerns to the applier. The PreAuthorizer and Applier unit tests are update for this change (removing the clusterextensionrevision perms from the PreAuthorizer tests and adding that check to the applier).

E2E Notes

• Added the ClusterExtension reports <condition> as <status> with Reason <reason> and Message including <message fragment> to avoid checking the entire error message but only the salient points as the set could change in the future
• Refactored the templating functions to split concerns
• Split the namespace and service account from the RBAC step into its own step (RBAC steps call the service account step - so their behavior hasn't changes completely) - this enables testing the ClusterExtension before the service account gets its permissions

Note

• The Boxcutter applier still uses the manager client to create and update the revisions. The PreAuthorizer just ensures the service account has all the necessary permissions to do its job.

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	12adada
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/696a5d2d0a15210008840673
😎 Deploy Preview	https://deploy-preview-2443--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

This PR adds PreAuthorizer checks to the Boxcutter applier to achieve feature-gate parity with the Helm applier. The implementation validates that service accounts have the necessary RBAC permissions before applying cluster extensions, including the ability to update clusterextensionrevisions/finalizers which is specific to the Boxcutter workflow.

Changes:

• Added an Option pattern to configure PreAuthorizer with ClusterExtensionRevision finalizer permission checks
• Integrated PreAuthorizer into the Boxcutter applier with manifest generation and permission validation
• Updated main.go to initialize PreAuthorizer with the new option when the PreflightPermissions feature gate is enabled

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
internal/operator-controller/authorization/rbac.go	Added Option pattern and WithClusterExtensionRevisionPerms to optionally check for update permissions on clusterextensionrevisions/finalizers
internal/operator-controller/authorization/rbac_test.go	Added test case for PreAuthorizer with ClusterExtensionRevision permissions
internal/operator-controller/applier/boxcutter.go	Added PreAuthorizer field and runPreAuthorizationChecks method to validate permissions before applying revisions
internal/operator-controller/applier/boxcutter_test.go	Added integration test for PreAuthorizer with fake implementation
cmd/operator-controller/main.go	Initialize PreAuthorizer with WithClusterExtensionRevisionPerms option when PreflightPermissions feature gate is enabled

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 95.18072% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.67%. Comparing base (dc20dfb) to head (12adada).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/operator-controller/applier/boxcutter.go	90.90%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2443      +/-   ##
==========================================
+ Coverage   69.48%   73.67%   +4.18%     
==========================================
  Files         101      101              
  Lines        7701     7741      +40     
==========================================
+ Hits         5351     5703     +352     
+ Misses       1914     1592     -322     
- Partials      436      446      +10     

Flag	Coverage Δ
e2e	46.19% <0.00%> (-0.28%)	⬇️
experimental-e2e	53.65% <74.69%> (+40.09%)	⬆️
unit	57.22% <90.36%> (+0.14%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[perdasilva]

/hold I think I've found an issue

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from camilamacedo86. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[perdasilva]

/uhold

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[perdasilva]

/unhold

[pedjak]

one or more e2e tests asserting the behavior would be very helpful to add.

[pedjak]

nit: can we come up with some shorter function name perhaps?

[perdasilva]

Updated to revisionManagementPerms, I also updated the other one to extManagementPerms

[pedjak]

nit: was function name changing needed? createOrUpdate was nice and short. Perhaps we do not need to pass ClusterExtension to just extract user infos, we could actually pass userinfos here instead?

[perdasilva]

I'd say if there's you're adding a side-effect it's a good idea to change the function. Also, it's a private function, so it's it shouldn't an issue. But, I'm not married to it. I've reverted the name and added a call out to the side-effect to godoc and refactored the function signature.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[trgeiger]

I know that you're taking this variable name from the example already set in rbac.go, but to me the term "manifestManager" implies a more complex object than just user.Info, especially given we have stuff like the manager.Manager in our codebase.

This is purely a nitpick, but I wonder if a different variable name would help future legibility of the code. Maybe manifestUser? or manifestOwner? The latter might not be entirely accurate though.

[perdasilva]

I took the previous variable name, I think. Though, I'm happy to updated it to anything. The reason I thought manifestManager was reasonable is that it fits with the mental model of "we're checking permissions against the user that will manage the lifecycle of these manifests". Even just, user would be ok, imo, tho.

[perdasilva]

I've updated to just user

[trgeiger]

Yeah, user works. I see what you're saying about manifestManager, it definitely makes sense but I think it carries a bit of implied complexity that doesn't seem to fit. User is perfect.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The revision name is hardcoded as 'test-ext-1' but doesn't match the ClusterExtension name 'test-ext' defined on line 964. This appears to be intentional based on revision naming conventions, but consider adding a comment explaining why the name differs or deriving it from the extension name for clarity.