boxcutter webhook support

joelanford · joelanford · commit 1b9f11aaa392 · 2025-08-07T15:24:21.000-04:00
Signed-off-by: Joe Lanford &lt;joe.lanford@gmail.com&gt;
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
@@ -443,7 +443,7 @@ func run() error {
 	// create applier
 	var ctrlBuilderOpts []controllers.ControllerBuilderOption
 	var extApplier controllers.Applier
-
+	certProvider := getCertificateProvider()
 	if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {
 		// TODO: add support for preflight checks
 		// TODO: better scheme handling - which types do we want to support?
@@ -454,14 +454,14 @@ func run() error {
 			RevisionGenerator: &applier.SimpleRevisionGenerator{
 				Scheme: mgr.GetScheme(),
 				BundleRenderer: &applier.RegistryV1BundleRenderer{
-					BundleRenderer: registryv1.Renderer,
+					BundleRenderer:      registryv1.Renderer,
+					CertificateProvider: certProvider,
 				},
 			},
 		}
 		ctrlBuilderOpts = append(ctrlBuilderOpts, controllers.WithOwns(&ocv1.ClusterExtensionRevision{}))
 	} else {
 		// now initialize the helmApplier, assigning the potentially nil preAuth
-		certProvider := getCertificateProvider()
 		extApplier = &applier.Helm{
 			ActionClientGetter: acg,
 			Preflights:         preflights,
diff --git a/internal/operator-controller/applier/boxcutter.go b/internal/operator-controller/applier/boxcutter.go
@@ -223,17 +223,23 @@ type BundleRenderer interface {
 }
 
 type RegistryV1BundleRenderer struct {
-	BundleRenderer render.BundleRenderer
+	BundleRenderer      render.BundleRenderer
+	CertificateProvider render.CertificateProvider
 }
 
 func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) {
 	reg, err := source.FromFS(bundleFS).GetBundle()
 	if err != nil {
 		return nil, err
 	}
+
+	if len(reg.CSV.Spec.WebhookDefinitions) > 0 && r.CertificateProvider == nil {
+		return nil, fmt.Errorf("unsupported bundle: webhookDefinitions are not supported")
+	}
+
 	watchNamespace, err := GetWatchNamespace(ext)
 	if err != nil {
 		return nil, err
 	}
-	return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace))
+	return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace), render.WithCertificateProvider(r.CertificateProvider))
 }

Original file line number	Diff line number	Diff line change
`@@ -223,17 +223,23 @@ type BundleRenderer interface {`
`223`	`223`	`}`
`224`	`224`
`225`	`225`	`type RegistryV1BundleRenderer struct {`
`226`		`- BundleRenderer render.BundleRenderer`
	`226`	`+ BundleRenderer render.BundleRenderer`
	`227`	`+ CertificateProvider render.CertificateProvider`
`227`	`228`	`}`
`228`	`229`
`229`	`230`	`func (r RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext ocv1.ClusterExtension) ([]client.Object, error) {`
`230`	`231`	`reg, err := source.FromFS(bundleFS).GetBundle()`
`231`	`232`	`if err != nil {`
`232`	`233`	`return nil, err`
`233`	`234`	`}`
	`235`	`+`
	`236`	`+ if len(reg.CSV.Spec.WebhookDefinitions) > 0 && r.CertificateProvider == nil {`
	`237`	`+ return nil, fmt.Errorf("unsupported bundle: webhookDefinitions are not supported")`
	`238`	`+ }`
	`239`	`+`
`234`	`240`	`watchNamespace, err := GetWatchNamespace(ext)`
`235`	`241`	`if err != nil {`
`236`	`242`	`return nil, err`
`237`	`243`	`}`
`238`		`- return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace))`
	`244`	`+ return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace), render.WithCertificateProvider(r.CertificateProvider))`
`239`	`245`	`}`