✨ OPRUN-4221: Use operator-controller SA by default, make SA field optional

[trgeiger]

Changes the ClusterExtension API field spec.ServiceAccount to be optional. Operator-controller will use its own service account by default unless the spec.ServiceAccount field is set. RBAC PreAuthorization only happens if the optional SA field is set, as well.

Give operator-controller's SA cluster-admin by default.

Addresses OPRUN-4221

Wasn't sure if I should mark this major or minor change.

Description

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	435dc41
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/69164f611f283a00081eff31
😎 Deploy Preview	https://deploy-preview-2333--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign camilamacedo86, thetechnick for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• api/OWNERS
• helm/OWNERS
• internal/operator-controller/OWNERS
• manifests/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.28%. Comparing base (d204888) to head (435dc41).
⚠️ Report is 22 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/operator-controller/action/restconfig.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2333      +/-   ##
==========================================
- Coverage   74.42%   74.28%   -0.14%     
==========================================
  Files          91       91              
  Lines        7057     7085      +28     
==========================================
+ Hits         5252     5263      +11     
- Misses       1393     1406      +13     
- Partials      412      416       +4     

Flag	Coverage Δ
e2e	45.63% <0.00%> (-0.24%)	⬇️
experimental-e2e	48.38% <0.00%> (-0.08%)	⬇️
unit	58.58% <33.33%> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[trgeiger]

Due to the changes to the clusterrole, I don't think this is ever going to pass upgrade-e2e since it can't change the clusterrole in place. What's the cleanest way of handling this, versioning our clusterrole moving forward? Just make a new one like the existing boxcutter experimental config does?

[joelanford]

Should we allow a CE to unset the SA now that it is optional? Open question. I think we need to discuss.

[trgeiger]

That's a great question. Does it make sense to hash that out in the RFC?

…

On Tue, Nov 18, 2025, 4:37 PM Joe Lanford ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In api/v1/clusterextension_types.go <#2333 (comment)> : > @@ -403,7 +403,7 @@ type ServiceAccountReference struct { // +kubebuilder:validation:MaxLength:=253 // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable" Should we allow a CE to unset the SA now that it is optional? Open question. I think we need to discuss. — Reply to this email directly, view it on GitHub <#2333 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AENY3BO7TJJNPRRO5ZKIQKD35ONRNAVCNFSM6AAAAACMBQXGOWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZTINZZHE2DINRYGQ> . You are receiving this because you authored the thread.Message ID: ***@***.*** .com>

[joelanford]

We need to add an e2e that checks that we can correctly install a ClusterExtension that does not have a service account configured.

The JSON serialization also seems a bit finicky, so I would also suggest adding a unit test that serializes a ClusterExtension lacking a service account into JSON and checks to ensure that there is no spec.serviceAccount field in the output at all.

[joelanford]

Suggested change

	// +kubebuilder:validation:Optional
	// +optional

[joelanford]

Suggested change

	Name string `json:"name"`
	Name string `json:"name,omitempty"`