(feat): [Boxcutter] Use serviceAccount for ClusterExtensionRevision operations

ClusterExtensionRevision controller now uses the serviceAccount from
ClusterExtension spec instead of admin client. This applies objects
with proper RBAC permissions via a factory pattern that creates
scoped clients per revision.

Assisted-by: CLAUDE

Author: camilamacedo86

cmd/operator-controller/main.go

@@ -42,10 +42,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
-	"pkg.package-operator.run/boxcutter/machinery"
 	"pkg.package-operator.run/boxcutter/managedcache"
-	"pkg.package-operator.run/boxcutter/ownerhandling"
-	"pkg.package-operator.run/boxcutter/validation"
 	ctrl "sigs.k8s.io/controller-runtime"
 	crcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
@@ -653,21 +650,31 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		return fmt.Errorf("unable to add tracking cache to manager: %v", err)
 	}
 
+	cerCoreClient, err := corev1client.NewForConfig(c.mgr.GetConfig())
+	if err != nil {
+		return fmt.Errorf("unable to create client for ClusterExtensionRevision controller: %w", err)
+	}
+	cerTokenGetter := authentication.NewTokenGetter(cerCoreClient, authentication.WithExpirationDuration(1*time.Hour))
+
+	revisionEngineFactory := &controllers.DefaultRevisionEngineFactory{
+		Scheme:           c.mgr.GetScheme(),
+		TrackingCache:    trackingCache,
+		DiscoveryClient:  discoveryClient,
+		RESTMapper:       c.mgr.GetRESTMapper(),
+		FieldOwnerPrefix: fieldOwnerPrefix,
+	}
+
+	scopedClientFactory := &controllers.DefaultScopedClientFactory{
+		BaseConfig:  c.mgr.GetConfig(),
+		Scheme:      c.mgr.GetScheme(),
+		TokenGetter: cerTokenGetter,
+	}
+
 	if err = (&controllers.ClusterExtensionRevisionReconciler{
-		Client: c.mgr.GetClient(),
-		RevisionEngine: machinery.NewRevisionEngine(
-			machinery.NewPhaseEngine(
-				machinery.NewObjectEngine(
-					c.mgr.GetScheme(), trackingCache, c.mgr.GetClient(),
-					ownerhandling.NewNative(c.mgr.GetScheme()),
-					machinery.NewComparator(ownerhandling.NewNative(c.mgr.GetScheme()), discoveryClient, c.mgr.GetScheme(), fieldOwnerPrefix),
-					fieldOwnerPrefix, fieldOwnerPrefix,
-				),
-				validation.NewClusterPhaseValidator(c.mgr.GetRESTMapper(), c.mgr.GetClient()),
-			),
-			validation.NewRevisionValidator(), c.mgr.GetClient(),
-		),
-		TrackingCache: trackingCache,
+		Client:                c.mgr.GetClient(),
+		RevisionEngineFactory: revisionEngineFactory,
+		TrackingCache:         trackingCache,
+		ScopedClientFactory:   scopedClientFactory,
 	}).SetupWithManager(c.mgr); err != nil {
 		return fmt.Errorf("unable to setup ClusterExtensionRevision controller: %w", err)
 	}

docs/draft/howto/serviceaccount-scoped-revisions.md

@@ -0,0 +1,271 @@
+# How ServiceAccount Permissions Work with BoxcutterRuntime
+
+!!! note
+    This feature requires the `BoxcutterRuntime` feature-gate to be enabled.
+
+## What This Does
+
+When BoxcutterRuntime is enabled, OLM v1 uses the ServiceAccount you provide to install extensions. Your extension gets only the permissions you grant to that ServiceAccount.
+
+## Prerequisites
+
+* OLM v1 installed with BoxcutterRuntime enabled (see [Enable the Feature](#enable-the-feature))
+* A catalog that is being served
+* An existing namespace for your extension
+
+## How It Works
+
+### Two ServiceAccounts (Different Purposes)
+
+**1. Installer ServiceAccount** (you create and provide in ClusterExtension)
+- **Purpose:** Install and manage the extension
+- **Needs:** Permissions to create Deployments, CRDs, RBAC, etc.
+
+**2. Extension Runtime ServiceAccount** (inside the bundle)
+- **Purpose:** Run the extension operator after installation
+- **Needs:** Permissions for the operator's business logic
+
+!!! important
+    The installer ServiceAccount must have **all permissions the runtime ServiceAccount needs** PLUS permission to create that ServiceAccount and its RBAC.
+
+### What Happens During Installation
+
+1. You create a ClusterExtension with a ServiceAccount
+2. OLM creates a ClusterExtensionRevision (immutable snapshot of version)
+3. ClusterExtensionRevision controller reads the ServiceAccount from parent ClusterExtension
+4. Controller installs all resources using that ServiceAccount's permissions
+5. If ServiceAccount lacks permission, installation fails immediately with clear error
+
+## Example: Install Extension with Limited Permissions
+
+This example installs an extension that can only manage Deployments and Services in one namespace.
+
+### Step 1: Create namespace
+
+```terminal
+kubectl create namespace my-app
+```
+
+### Step 2: Create ServiceAccount
+
+```yaml title="Create ServiceAccount"
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: my-app-installer
+  namespace: my-app
+EOF
+```
+
+### Step 3: Grant permissions
+
+```yaml title="Create Role with limited permissions"
+kubectl apply -f - <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-app-installer-role
+  namespace: my-app
+rules:
+- apiGroups: ["apps"]
+  resources: [deployments]
+  verbs: [create, get, list, watch, update, patch, delete]
+- apiGroups: [""]
+  resources: [services, configmaps, secrets, serviceaccounts]
+  verbs: [create, get, list, watch, update, patch, delete]
+- apiGroups: [rbac.authorization.k8s.io]
+  resources: [roles, rolebindings]
+  verbs: [create, get, list, watch, update, patch, delete]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: my-app-installer-binding
+  namespace: my-app
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: my-app-installer-role
+subjects:
+- kind: ServiceAccount
+  name: my-app-installer
+  namespace: my-app
+EOF
+```
+
+### Step 4: Install extension
+
+```yaml title="Create ClusterExtension"
+kubectl apply -f - <<EOF
+apiVersion: olm.operatorframework.io/v1
+kind: ClusterExtension
+metadata:
+  name: my-app
+spec:
+  namespace: my-app
+  serviceAccount:
+    name: my-app-installer
+  source:
+    sourceType: Catalog
+    catalog:
+      packageName: my-package
+EOF
+```
+
+### Step 5: Verify installation
+
+```terminal title="Check status"
+kubectl get clusterextension my-app
+```
+
+Expected output:
+```
+NAME     INSTALLED BUNDLE   VERSION   INSTALLED   PROGRESSING   AGE
+my-app   my-package.v1.0.0  1.0.0     True        False         30s
+```
+
+### What Gets Installed
+
+The extension can:
+- Create Deployments, Services, ConfigMaps in `my-app` namespace
+- Create ServiceAccounts and RBAC in `my-app` namespace
+
+The extension cannot:
+- Create CRDs (no permission → installation fails)
+- Access other namespaces (no permission)
+- Create cluster-wide resources (no ClusterRole)
+
+## Example: Upgrade Requires More Permissions
+
+### Initial Installation (v1.0.0)
+
+```yaml title="Extension v1.0.0 installed"
+ClusterExtension: my-app
+  version: "1.0.0"
+  serviceAccount: my-installer
+
+Role: my-installer-role
+  rules:
+  - resources: [deployments, services]  # ← Only needs these for v1.0.0
+```
+
+### Upgrade to v2.0.0 (needs CRDs)
+
+```yaml title="Request upgrade"
+kubectl patch clusterextension my-app --type='json' \
+  -p='[{"op": "replace", "path": "/spec/source/catalog/version", "value": "2.0.0"}]'
+```
+
+**What happens:**
+
+1. OLM creates `ClusterExtensionRevision` `my-app-2` for v2.0.0
+2. Controller tries to install using ServiceAccount `my-installer`
+3. v2.0.0 bundle contains a CRD
+4. Controller tries: `scopedClient.Create(ctx, crd)`
+5. **Fails:** ServiceAccount lacks CRD permission
+
+**Error in ClusterExtension status:**
+
+```terminal
+kubectl describe clusterextension my-app
+```
+
+```
+Status:
+  Conditions:
+    Type: Progressing
+    Status: True
+    Reason: Retrying
+    Message: permission denied: serviceAccount "my-installer" cannot create 
+             customresourcedefinitions in API group "apiextensions.k8s.io"
+```
+
+### Fix: Add Missing Permissions
+
+```yaml title="Add CRD permissions"
+kubectl apply -f - <<EOF
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: my-installer-cluster-role
+rules:
+- apiGroups: [apiextensions.k8s.io]
+  resources: [customresourcedefinitions]
+  verbs: [create, get, list, watch, update, patch, delete]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: my-installer-cluster-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: my-installer-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: my-installer
+  namespace: my-app
+EOF
+```
+
+**Controller automatically retries** → upgrade succeeds!
+
+## Enable the Feature
+
+!!! tip
+    OLM v1 must be installed first. See [getting started](../../getting-started/olmv1_getting_started.md).
+
+```terminal title="Enable BoxcutterRuntime"
+kubectl patch deployment -n olmv1-system operator-controller-controller-manager --type='json' \
+  -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--feature-gates=BoxcutterRuntime=true"}]'
+```
+
+```terminal title="Wait for rollout"
+kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager
+```
+
+## Troubleshooting
+
+### Extension stuck in Progressing state
+
+```terminal
+kubectl describe clusterextension <name>
+```
+
+Look for permission errors in the conditions.
+
+### Permission denied during installation
+
+Your ServiceAccount needs more permissions. Check the error message to see what's missing.
+
+See [Derive ServiceAccount](derive-service-account.md) for help finding required permissions.
+
+### Extension won't install
+
+Check:
+
+1. ServiceAccount exists: `kubectl get sa <name> -n <namespace>`
+2. Role/RoleBinding exist: `kubectl get role,rolebinding -n <namespace>`
+3. Permissions match what the bundle needs
+
+## For Testing: Use cluster-admin
+
+!!! warning
+    Only for development/testing. Never in production.
+
+Give your ServiceAccount full admin permissions:
+
+```terminal
+kubectl create clusterrolebinding my-ext-admin \
+  --clusterrole=cluster-admin \
+  --serviceaccount=<namespace>:<serviceaccount-name>
+```
+
+This bypasses all permission checks. Use only for quick testing.
+
+## Related Documentation
+
+- [Derive ServiceAccount](derive-service-account.md) - Determine required RBAC permissions
+- [Permission Model](../../concepts/permission-model.md) - OLM v1 permission architecture
+- [Install Extension](../../tutorials/install-extension.md) - Basic installation guide

internal/operator-controller/applier/boxcutter_test.go

@@ -66,6 +66,12 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-123",
 		},
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace: "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: "test-sa",
+			},
+		},
 	}
 
 	objectLabels := map[string]string{
@@ -172,6 +178,12 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-extension",
 		},
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace: "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: "test-sa",
+			},
+		},
 	}
 
 	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, ext, map[string]string{}, map[string]string{})
@@ -291,7 +303,12 @@ func Test_SimpleRevisionGenerator_AppliesObjectLabelsAndRevisionAnnotations(t *t
 		"other": "value",
 	}
 
-	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{}, map[string]string{
+	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace:      "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"},
+		},
+	}, map[string]string{
 		"some": "value",
 	}, revAnnotations)
 	require.NoError(t, err)
@@ -319,7 +336,12 @@ func Test_SimpleRevisionGenerator_Failure(t *testing.T) {
 		ManifestProvider: r,
 	}
 
-	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{}, map[string]string{}, map[string]string{})
+	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace:      "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"},
+		},
+	}, map[string]string{}, map[string]string{})
 	require.Nil(t, rev)
 	t.Log("by checking rendering errors are propagated")
 	require.Error(t, err)