Add Boxcutter featuregate

Signed-off-by: Per Goncalves da Silva <[email protected]>

Author: Per Goncalves da Silva

cmd/operator-controller/main.go

@@ -22,6 +22,13 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/authorization"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/convert"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/preflights/crdupgradesafety"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render/certproviders"
+	"github.com/operator-framework/operator-controller/internal/operator-controller/rukpak/render/registryv1"
+	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
 	"net/http"
 	"os"
 	"path/filepath"
@@ -410,50 +417,47 @@ func run() error {
 		},
 	}
 
-	// aeClient, err := apiextensionsv1client.NewForConfig(mgr.GetConfig())
-	// if err != nil {
-	// 	setupLog.Error(err, "unable to create apiextensions client")
-	// 	return err
-	// }
-
-	// preflights := []applier.Preflight{
-	// 	crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
-	// }
-
-	// // determine if PreAuthorizer should be enabled based on feature gate
-	// var preAuth authorization.PreAuthorizer
-	// if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
-	// 	preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
-	// }
-
-	boxcutterApplier := &applier.Boxcutter{
-		Client: mgr.GetClient(),
-		Scheme: mgr.GetScheme(),
-	}
-
-	// determine if a certificate provider should be set in the bundle renderer and feature support for the provider
-	// based on the feature flag
-	// var certProvider render.CertificateProvider
-	// var isWebhookSupportEnabled bool
-	// if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderCertManager) {
-	// 	certProvider = certproviders.CertManagerCertificateProvider{}
-	// 	isWebhookSupportEnabled = true
-	// } else if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderOpenshiftServiceCA) {
-	// 	certProvider = certproviders.OpenshiftServiceCaCertificateProvider{}
-	// 	isWebhookSupportEnabled = true
-	// }
-
-	// now initialize the helmApplier, assigning the potentially nil preAuth
-	// helmApplier := &applier.Helm{
-	// 	ActionClientGetter: acg,
-	// 	Preflights:         preflights,
-	// 	BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{
-	// 		BundleRenderer:          registryv1.Renderer,
-	// 		CertificateProvider:     certProvider,
-	// 		IsWebhookSupportEnabled: isWebhookSupportEnabled,
-	// 	},
-	// 	PreAuthorizer: preAuth,
-	// }
+	aeClient, err := apiextensionsv1client.NewForConfig(mgr.GetConfig())
+	if err != nil {
+		setupLog.Error(err, "unable to create apiextensions client")
+		return err
+	}
+
+	preflights := []applier.Preflight{
+		crdupgradesafety.NewPreflight(aeClient.CustomResourceDefinitions()),
+	}
+
+	// determine if PreAuthorizer should be enabled based on feature gate
+	var preAuth authorization.PreAuthorizer
+	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
+		preAuth = authorization.NewRBACPreAuthorizer(mgr.GetClient())
+	}
+
+	// create applier
+	var ctrlBuilderOpts []controllers.ControllerBuilderOption
+	var extApplier controllers.Applier
+
+	if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {
+		// TODO: add support for preflight checks
+		extApplier = &applier.Boxcutter{
+			Client: mgr.GetClient(),
+			Scheme: mgr.GetScheme(),
+		}
+		ctrlBuilderOpts = append(ctrlBuilderOpts, controllers.WithOwns(&ocv1.ClusterExtensionRevision{}))
+	} else {
+		// now initialize the helmApplier, assigning the potentially nil preAuth
+		certProvider := getCertificateProvider()
+		extApplier = &applier.Helm{
+			ActionClientGetter: acg,
+			Preflights:         preflights,
+			BundleToHelmChartConverter: &convert.BundleToHelmChartConverter{
+				BundleRenderer:          registryv1.Renderer,
+				CertificateProvider:     certProvider,
+				IsWebhookSupportEnabled: certProvider != nil,
+			},
+			PreAuthorizer: preAuth,
+		}
+	}
 
 	cm := contentmanager.NewManager(clientRestConfigMapper, mgr.GetConfig(), mgr.GetRESTMapper())
 	err = clusterExtensionFinalizers.Register(controllers.ClusterExtensionCleanupContentManagerCacheFinalizer, finalizers.FinalizerFunc(func(ctx context.Context, obj client.Object) (crfinalizer.Result, error) {
@@ -505,18 +509,17 @@ func run() error {
 		setupLog.Error(err, "unable to register AccessManager")
 		return err
 	}
-	// Boxcutter
 
 	if err = (&controllers.ClusterExtensionReconciler{
 		Client:                cl,
 		Resolver:              resolver,
 		ImageCache:            imageCache,
 		ImagePuller:           imagePuller,
-		Applier:               boxcutterApplier,
+		Applier:               extApplier,
 		InstalledBundleGetter: &controllers.DefaultInstalledBundleGetter{ActionClientGetter: acg},
 		Finalizers:            clusterExtensionFinalizers,
 		Manager:               cm,
-	}).SetupWithManager(mgr); err != nil {
+	}).SetupWithManager(mgr, ctrlBuilderOpts...); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ClusterExtension")
 		return err
 	}
@@ -577,6 +580,15 @@ func run() error {
 	return nil
 }
 
+func getCertificateProvider() render.CertificateProvider {
+	if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderCertManager) {
+		return certproviders.CertManagerCertificateProvider{}
+	} else if features.OperatorControllerFeatureGate.Enabled(features.WebhookProviderOpenshiftServiceCA) {
+		return certproviders.OpenshiftServiceCaCertificateProvider{}
+	}
+	return nil
+}
+
 func main() {
 	if err := operatorControllerCmd.Execute(); err != nil {
 		fmt.Fprintf(os.Stderr, "Error: %v\n", err)

config/components/features/boxcutter-runtime/kustomization.yaml

@@ -0,0 +1,9 @@
+# DO NOT ADD A NAMESPACE HERE
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+patches:
+ - target:
+      kind: Deployment
+      name: operator-controller-controller-manager
+   path: patches/enable-featuregate.yaml

config/components/features/boxcutter-runtime/patches/enable-featuregate.yaml

@@ -0,0 +1,4 @@
+# enable Boxcutter runtime feature gate
+- op: add
+  path: /spec/template/spec/containers/0/args/-
+  value: "--feature-gates=BoxcutterRuntime=true"

internal/operator-controller/controllers/clusterextension_controller.go

@@ -413,12 +413,19 @@ func SetDeprecationStatus(ext *ocv1.ClusterExtension, bundleName string, depreca
 	}
 }
 
+type ControllerBuilderOption func(builder *ctrl.Builder)
+
+func WithOwns(obj client.Object) ControllerBuilderOption {
+	return func(builder *ctrl.Builder) {
+		builder.Owns(obj)
+	}
+}
+
 // SetupWithManager sets up the controller with the Manager.
-func (r *ClusterExtensionReconciler) SetupWithManager(mgr ctrl.Manager) error {
-	controller, err := ctrl.NewControllerManagedBy(mgr).
+func (r *ClusterExtensionReconciler) SetupWithManager(mgr ctrl.Manager, opts ...ControllerBuilderOption) error {
+	ctrlBuilder := ctrl.NewControllerManagedBy(mgr).
 		For(&ocv1.ClusterExtension{}).
 		Named("controller-operator-cluster-extension-controller").
-		Owns(&ocv1.ClusterExtensionRevision{}).
 		Watches(&ocv1.ClusterCatalog{},
 			crhandler.EnqueueRequestsFromMapFunc(clusterExtensionRequestsForCatalog(mgr.GetClient(), mgr.GetLogger())),
 			builder.WithPredicates(predicate.Funcs{
@@ -437,8 +444,13 @@ func (r *ClusterExtensionReconciler) SetupWithManager(mgr ctrl.Manager) error {
 					}
 					return true
 				},
-			})).
-		Build(r)
+			}))
+
+	for _, applyOpt := range opts {
+		applyOpt(ctrlBuilder)
+	}
+
+	controller, err := ctrlBuilder.Build(r)
 	if err != nil {
 		return err
 	}

internal/operator-controller/features/features.go

@@ -17,6 +17,7 @@ const (
 	WebhookProviderCertManager        featuregate.Feature = "WebhookProviderCertManager"
 	WebhookProviderOpenshiftServiceCA featuregate.Feature = "WebhookProviderOpenshiftServiceCA"
 	HelmChartSupport                  featuregate.Feature = "HelmChartSupport"
+	BoxcutterRuntime                  featuregate.Feature = "BoxcutterRuntime"
 )
 
 var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
@@ -72,6 +73,13 @@ var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.Feature
 		PreRelease:    featuregate.Alpha,
 		LockToDefault: false,
 	},
+
+	// BoxcutterRuntime configures OLM to use the Boxcutter runtime for extension lifecycling
+	BoxcutterRuntime: {
+		Default:       false,
+		PreRelease:    featuregate.Alpha,
+		LockToDefault: false,
+	},
 }
 
 var OperatorControllerFeatureGate featuregate.MutableFeatureGate = featuregate.NewFeatureGate()