thetechnick
diff --git a/‎api/v1/clusterextensionrevision_types.go‎
Lines changed: 20 additions & 0 deletions b/‎api/v1/clusterextensionrevision_types.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎cmd/operator-controller/main.go‎
Lines changed: 37 additions & 9 deletions b/‎cmd/operator-controller/main.go‎
Lines changed: 37 additions & 9 deletions
diff --git a/‎config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml‎
Lines changed: 6 additions & 0 deletions b/‎config/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎internal/operator-controller/applier/boxcutter.go‎
Lines changed: 119 additions & 7 deletions b/‎internal/operator-controller/applier/boxcutter.go‎
Lines changed: 119 additions & 7 deletions
diff --git a/‎internal/operator-controller/applier/boxcutter_test.go‎
Lines changed: 10 additions & 2 deletions b/‎internal/operator-controller/applier/boxcutter_test.go‎
Lines changed: 10 additions & 2 deletions
@@ -66,8 +66,28 @@ type ClusterExtensionRevisionObject struct {
 	// +kubebuilder:validation:EmbeddedResource
 	// +kubebuilder:pruning:PreserveUnknownFields
 	Object unstructured.Unstructured `json:"object"`
+
+	// +kubebuilder:default="Prevent"
+	CollisionProtection CollisionProtection `json:"collisionProtection"`
 }
 
+// CollisionProtection specifies if and how ownership collisions are prevented.
+type CollisionProtection string
+
+const (
+	// CollisionProtectionPrevent prevents owner collisions entirely
+	// by only allowing to work with objects itself has created.
+	CollisionProtectionPrevent CollisionProtection = "Prevent"
+	// CollisionProtectionIfNoController allows to patch and override
+	// objects already present if they are not owned by another controller.
+	CollisionProtectionIfNoController CollisionProtection = "IfNoController"
+	// CollisionProtectionNone allows to patch and override objects
+	// already present and owned by other controllers.
+	// Be careful! This setting may cause multiple controllers to fight over a resource,
+	// causing load on the API server and etcd.
+	CollisionProtectionNone CollisionProtection = "None"
+)
+
 type ClusterExtensionRevisionPrevious struct {
 	// +kubebuilder:validation:Required
 	Name string `json:"name"`
 
@@ -489,22 +489,50 @@ func getCertificateProvider() render.CertificateProvider {
 func setupBoxcutter(mgr manager.Manager, ceReconciler *controllers.ClusterExtensionReconciler, preflights []applier.Preflight) error {
 	certProvider := getCertificateProvider()
 
+	coreClient, err := corev1client.NewForConfig(mgr.GetConfig())
+	if err != nil {
+		return fmt.Errorf("unable to create core client: %w", err)
+	}
+	cfgGetter, err := helmclient.NewActionConfigGetter(mgr.GetConfig(), mgr.GetRESTMapper(),
+		helmclient.StorageDriverMapper(action.ChunkedStorageDriverMapper(coreClient, mgr.GetAPIReader(), cfg.systemNamespace)),
+		helmclient.ClientNamespaceMapper(func(obj client.Object) (string, error) {
+			ext := obj.(*ocv1.ClusterExtension)
+			return ext.Spec.Namespace, nil
+		}),
+	)
+	if err != nil {
+		return fmt.Errorf("unable to create helm action config getter: %w", err)
+	}
+
+	acg, err := action.NewWrappedActionClientGetter(cfgGetter,
+		helmclient.WithFailureRollbacks(false),
+	)
+	if err != nil {
+		return fmt.Errorf("unable to create helm action client getter: %w", err)
+	}
+
 	// TODO: add support for preflight checks
 	// TODO: better scheme handling - which types do we want to support?
 	_ = apiextensionsv1.AddToScheme(mgr.GetScheme())
-	ceReconciler.Applier = &applier.Boxcutter{
-		Client: mgr.GetClient(),
+	rg := &applier.SimpleRevisionGenerator{
 		Scheme: mgr.GetScheme(),
-		RevisionGenerator: &applier.SimpleRevisionGenerator{
-			Scheme: mgr.GetScheme(),
-			BundleRenderer: &applier.RegistryV1BundleRenderer{
-				BundleRenderer:      registryv1.Renderer,
-				CertificateProvider: certProvider,
-			},
+		BundleRenderer: &applier.RegistryV1BundleRenderer{
+			BundleRenderer:      registryv1.Renderer,
+			CertificateProvider: certProvider,
 		},
-		Preflights: preflights,
+	}
+	ceReconciler.Applier = &applier.Boxcutter{
+		Client:            mgr.GetClient(),
+		Scheme:            mgr.GetScheme(),
+		RevisionGenerator: rg,
+		Preflights:        preflights,
 	}
 	ceReconciler.RevisionStatesGetter = &controllers.BoxcutterRevisionStatesGetter{Reader: mgr.GetClient()}
+	ceReconciler.StorageMigrator = &applier.BoxcutterStorageMigrator{
+		Client:             mgr.GetClient(),
+		ActionClientGetter: acg,
+		RevisionGenerator:  rg,
+	}
 
 	// Boxcutter
 	const (
 
@@ -62,11 +62,17 @@ spec:
                     objects:
                       items:
                         properties:
+                          collisionProtection:
+                            default: Prevent
+                            description: CollisionProtection specifies if and how
+                              ownership collisions are prevented.
+                            type: string
                           object:
                             type: object
                             x-kubernetes-embedded-resource: true
                             x-kubernetes-preserve-unknown-fields: true
                         required:
+                        - collisionProtection
                         - object
                         type: object
                       type: array
 
@@ -11,18 +11,25 @@ import (
 	"io/fs"
 	"maps"
 	"slices"
+	"strings"
 
 	"github.com/davecgh/go-spew/spew"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/storage/driver"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/apiutil"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
+	"sigs.k8s.io/yaml"
+
+	helmclient "github.com/operator-framework/helm-operator-plugins/pkg/client"
 
 	ocv1 "github.com/operator-framework/operator-controller/api/v1"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/controllers"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/labels"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/bundle/source"
 	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render"
 )
@@ -33,13 +40,64 @@ const (
 
 type ClusterExtensionRevisionGenerator interface {
 	GenerateRevision(bundleFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, revisionAnnotations map[string]string) (*ocv1.ClusterExtensionRevision, error)
+	GenerateRevisionFromHelmRelease(
+		helmRelease *release.Release, ext *ocv1.ClusterExtension,
+		objectLabels map[string]string,
+	) (*ocv1.ClusterExtensionRevision, error)
 }
 
 type SimpleRevisionGenerator struct {
 	Scheme         *runtime.Scheme
 	BundleRenderer BundleRenderer
 }
 
+func (r *SimpleRevisionGenerator) GenerateRevisionFromHelmRelease(
+	helmRelease *release.Release, ext *ocv1.ClusterExtension,
+	objectLabels map[string]string,
+) (*ocv1.ClusterExtensionRevision, error) {
+	docs := splitManifestDocuments(helmRelease.Manifest)
+	objs := make([]ocv1.ClusterExtensionRevisionObject, 0, len(docs))
+	for _, doc := range docs {
+		obj := unstructured.Unstructured{}
+		if err := yaml.Unmarshal([]byte(doc), &obj); err != nil {
+			return nil, err
+		}
+
+		labels := maps.Clone(obj.GetLabels())
+		if labels == nil {
+			labels = map[string]string{}
+		}
+		maps.Copy(labels, objectLabels)
+		obj.SetLabels(labels)
+		obj.SetOwnerReferences(nil) // reset OwnerReferences for migration.
+
+		objs = append(objs, ocv1.ClusterExtensionRevisionObject{
+			Object:              obj,
+			CollisionProtection: ocv1.CollisionProtectionNone, // allow to adopt objects from previous release
+		})
+	}
+
+	// Build desired revision
+	return &ocv1.ClusterExtensionRevision{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				labels.BundleNameKey:      helmRelease.Labels[labels.BundleNameKey],
+				labels.PackageNameKey:     helmRelease.Labels[labels.PackageNameKey],
+				labels.BundleVersionKey:   helmRelease.Labels[labels.BundleVersionKey],
+				labels.BundleReferenceKey: helmRelease.Labels[labels.BundleReferenceKey],
+			},
+			Labels: map[string]string{
+				controllers.ClusterExtensionRevisionOwnerLabel: ext.Name,
+			},
+			Name: fmt.Sprintf("%s-1", ext.Name),
+		},
+		Spec: ocv1.ClusterExtensionRevisionSpec{
+			Phases:   PhaseSort(objs),
+			Revision: 1,
+		},
+	}, nil
+}
+
 func (r *SimpleRevisionGenerator) GenerateRevision(bundleFS fs.FS, ext *ocv1.ClusterExtension, objectLabels, revisionAnnotations map[string]string) (*ocv1.ClusterExtensionRevision, error) {
 	// extract plain manifests
 	plain, err := r.BundleRenderer.Render(bundleFS, ext)
@@ -50,14 +108,12 @@ func (r *SimpleRevisionGenerator) GenerateRevision(bundleFS fs.FS, ext *ocv1.Clu
 	// objectLabels
 	objs := make([]ocv1.ClusterExtensionRevisionObject, 0, len(plain))
 	for _, obj := range plain {
-		if len(obj.GetLabels()) > 0 {
-			labels := maps.Clone(obj.GetLabels())
-			if labels == nil {
-				labels = map[string]string{}
-			}
-			maps.Copy(labels, objectLabels)
-			obj.SetLabels(labels)
+		labels := maps.Clone(obj.GetLabels())
+		if labels == nil {
+			labels = map[string]string{}
 		}
+		maps.Copy(labels, objectLabels)
+		obj.SetLabels(labels)
 
 		gvk, err := apiutil.GVKForObject(obj, r.Scheme)
 		if err != nil {
@@ -94,6 +150,49 @@ func (r *SimpleRevisionGenerator) GenerateRevision(bundleFS fs.FS, ext *ocv1.Clu
 	}, nil
 }
 
+type BoxcutterStorageMigrator struct {
+	ActionClientGetter helmclient.ActionClientGetter
+	RevisionGenerator  ClusterExtensionRevisionGenerator
+	Client             client.Client
+}
+
+func (m *BoxcutterStorageMigrator) Migrate(ctx context.Context, ext *ocv1.ClusterExtension, objectLabels map[string]string) error {
+	existingRevisionList := ocv1.ClusterExtensionRevisionList{}
+	if err := m.Client.List(ctx, &existingRevisionList, client.MatchingLabels{
+		controllers.ClusterExtensionRevisionOwnerLabel: ext.Name,
+	}); err != nil {
+		return fmt.Errorf("listing ClusterExtensionRevisions before attempting migration: %w", err)
+	}
+	if len(existingRevisionList.Items) != 0 {
+		// No migration needed.
+		return nil
+	}
+
+	ac, err := m.ActionClientGetter.ActionClientFor(ctx, ext)
+	if err != nil {
+		return err
+	}
+
+	helmRelease, err := ac.Get(ext.GetName())
+	if errors.Is(err, driver.ErrReleaseNotFound) {
+		// no Helm Release -> no prior installation.
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	rev, err := m.RevisionGenerator.GenerateRevisionFromHelmRelease(helmRelease, ext, objectLabels)
+	if err != nil {
+		return err
+	}
+
+	if err := m.Client.Create(ctx, rev); err != nil {
+		return err
+	}
+	return nil
+}
+
 type Boxcutter struct {
 	Client            client.Client
 	Scheme            *runtime.Scheme
@@ -289,3 +388,16 @@ func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExten
 	}
 	return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace), render.WithCertificateProvider(r.CertificateProvider))
 }
+
+func splitManifestDocuments(file string) []string {
+	//nolint:prealloc
+	var docs []string
+	for _, manifest := range strings.Split(file, "\n") {
+		manifest = strings.TrimSpace(manifest)
+		if len(manifest) == 0 {
+			continue
+		}
+		docs = append(docs, manifest)
+	}
+	return docs
+}
@@ -10,6 +10,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"helm.sh/helm/v3/pkg/release"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -268,7 +269,7 @@ func TestBoxcutter_Apply(t *testing.T) {
 			UID:  "test-uid",
 		},
 	}
-	defaultDesiredHash := "faaeb52a1cb7c968c96278bc1cd804e50d3ae9faae08807c9279a5e569933ea0"
+	defaultDesiredHash := "347b93565df45eb39cc8a7f158d66163da553b78ed5ac89f4b300372db1942a6"
 	defaultDesiredRevision := &ocv1.ClusterExtensionRevision{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-ext-1",
@@ -460,7 +461,7 @@ func TestBoxcutter_Apply(t *testing.T) {
 
 				assert.Equal(t, "test-ext-2", newRev.Name)
 				assert.Equal(t, int64(2), newRev.Spec.Revision)
-				assert.Equal(t, "ec8213d4061a75b55cd67a009d9cdeb1bdd6f503d4b3bb7b6cfea3a5233aad43", newRev.Annotations[applier.RevisionHashAnnotation])
+				assert.Equal(t, "6f681b6990c9939556392d2be3eb9389dd71e84fa051773a9aaf8cf8b34ff5b6", newRev.Annotations[applier.RevisionHashAnnotation])
 				require.Len(t, newRev.Spec.Previous, 1)
 				assert.Equal(t, "test-ext-1", newRev.Spec.Previous[0].Name)
 				assert.Equal(t, types.UID("rev-uid-1"), newRev.Spec.Previous[0].UID)
@@ -534,6 +535,13 @@ func (m *mockBundleRevisionBuilder) GenerateRevision(bundleFS fs.FS, ext *ocv1.C
 	return m.makeRevisionFunc(bundleFS, ext, objectLabels, revisionAnnotations)
 }
 
+func (m *mockBundleRevisionBuilder) GenerateRevisionFromHelmRelease(
+	helmRelease *release.Release, ext *ocv1.ClusterExtension,
+	objectLabels map[string]string,
+) (*ocv1.ClusterExtensionRevision, error) {
+	return nil, nil
+}
+
 type mockBundleRenderer func(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error)
 
 func (f mockBundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) {