diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
index 02077693f7..380f5e61ac 100644
--- a/cmd/operator-controller/main.go
+++ b/cmd/operator-controller/main.go
@@ -443,7 +443,7 @@ func run() error {
 // create applier
 var ctrlBuilderOpts []controllers.ControllerBuilderOption
 var extApplier controllers.Applier
-
+ certProvider := getCertificateProvider()
 if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {
 // TODO: add support for preflight checks
 // TODO: better scheme handling - which types do we want to support?
@@ -454,14 +454,14 @@ func run() error {
 RevisionGenerator: &applier.SimpleRevisionGenerator{
 Scheme: mgr.GetScheme(),
 BundleRenderer: &applier.RegistryV1BundleRenderer{
- BundleRenderer: registryv1.Renderer,
+ BundleRenderer: registryv1.Renderer,
+ CertificateProvider: certProvider,
 },
 },
 }
 ctrlBuilderOpts = append(ctrlBuilderOpts, controllers.WithOwns(&ocv1.ClusterExtensionRevision{}))
 } else {
 // now initialize the helmApplier, assigning the potentially nil preAuth
- certProvider := getCertificateProvider()
 extApplier = &applier.Helm{
 ActionClientGetter: acg,
 Preflights: preflights,
diff --git a/config/components/base/experimental/kustomization.yaml b/config/components/base/experimental/kustomization.yaml
index ab4eac1f7b..f69e0e973d 100644
--- a/config/components/base/experimental/kustomization.yaml
+++ b/config/components/base/experimental/kustomization.yaml
@@ -16,5 +16,6 @@ components:
 - ../../features/preflight-permissions
 - ../../features/apiv1-metas-handler
 - ../../features/helm-chart
+- ../../features/boxcutter-runtime
 # This one is downstream only, so we shant use it
 # - ../../features/webhook-provider-openshift-serviceca
diff --git a/config/components/features/boxcutter-runtime/cluster_role_binding.yaml b/config/components/features/boxcutter-runtime/cluster_role_binding.yaml
new file mode 100644
index 0000000000..e4a77f41f8
--- /dev/null
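Review bot: `certProvider := getCertificateProvider()` is now evaluated before the feature-gate branch and handed to `RegistryV1BundleRenderer.CertificateProvider` in the second hunk, but the only hint that it can be nil is the Helm branch's comment about the "potentially nil preAuth", which no longer sits next to the call. A one-line comment at the hoisted assignment would keep that visible for the Boxcutter path as well, e.g. `// certProvider may be nil (see getCertificateProvider); the Boxcutter renderer then rejects bundles that declare webhookDefinitions.` run() begins and ends outside both hunks.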
+++ b/config/components/features/boxcutter-runtime/cluster_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: operator-controller-boxcutter-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: olmv1-system
\ No newline at end of file
diff --git a/config/components/features/boxcutter-runtime/kustomization.yaml b/config/components/features/boxcutter-runtime/kustomization.yaml
index d075a1121a..bb8922d093 100644
--- a/config/components/features/boxcutter-runtime/kustomization.yaml
+++ b/config/components/features/boxcutter-runtime/kustomization.yaml
@@ -2,6 +2,8 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
+resources:
+ - cluster_role_binding.yaml
 patches:
 - target:
 kind: Deployment
diff --git a/internal/operator-controller/applier/boxcutter.go b/internal/operator-controller/applier/boxcutter.go
index fe9461b6ca..0b864669c1 100644
--- a/internal/operator-controller/applier/boxcutter.go
+++ b/internal/operator-controller/applier/boxcutter.go
@@ -223,7 +223,8 @@ type BundleRenderer interface {
 }
 
 type RegistryV1BundleRenderer struct {
- BundleRenderer render.BundleRenderer
+ BundleRenderer render.BundleRenderer
+ CertificateProvider render.CertificateProvider
 }
 
 func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) {
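Review bot: This binds the `cluster-admin` ClusterRole to the `operator-controller-controller-manager` ServiceAccount in `olmv1-system`, so the controller's identity holds unrestricted cluster privileges wherever this component is deployed (and, if the Boxcutter applier applies bundle objects with the controller's own credentials, which this diff does not show, so does everything it renders), yet the file gives no reason for the grant or any sign that it is meant to be temporary. If it is a stopgap until the Boxcutter path can apply bundle content under a more narrowly scoped identity, record that in a header comment so it is not mistaken for the intended end state, e.g. `# Grants the controller cluster-admin for the Boxcutter applier; to be replaced by scoped, per-extension permissions before this feature leaves experimental.` Because config/components/base/experimental/kustomization.yaml now includes this component and the rendered manifests/experimental.yaml and manifests/experimental-e2e.yaml both carry the binding together with `--feature-gates=BoxcutterRuntime=true`, every experimental install receives it, not only e2e runs. The file also ends without a trailing newline.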
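Review bot: The new exported field `CertificateProvider` on `RegistryV1BundleRenderer` has no doc comment, and its nil case is a behavioral contract rather than a harmless default: the Render hunk below rejects any bundle with webhookDefinitions when the field is nil. That belongs on the field so callers constructing the struct know what leaving it unset means, e.g. `// CertificateProvider is forwarded to the renderer via render.WithCertificateProvider; when nil, Render rejects bundles that declare webhookDefinitions.` A comment on the struct itself stating that it adapts a render.BundleRenderer to the applier's BundleRenderer interface would also help, since the type currently has none.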
@@ -231,9 +232,14 @@ func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExten
 if err != nil {
 return nil, err
 }
+
+ if len(reg.CSV.Spec.WebhookDefinitions) > 0 && r.CertificateProvider == nil {
+ return nil, fmt.Errorf("unsupported bundle: webhookDefinitions are not supported")
+ }
+
 watchNamespace, err := GetWatchNamespace(ext)
 if err != nil {
 return nil, err
 }
- return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace))
+ return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace), render.WithCertificateProvider(r.CertificateProvider))
 }
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
index 36dc836c90..df80bef462 100644
--- a/manifests/experimental-e2e.yaml
+++ b/manifests/experimental-e2e.yaml
@@ -1699,6 +1699,21 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ annotations:
+ olm.operatorframework.io/feature-set: experimental
+ name: operator-controller-boxcutter-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: olmv1-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
 annotations:
 olm.operatorframework.io/feature-set: experimental
@@ -1968,6 +1983,7 @@ spec:
 - --feature-gates=SingleOwnNamespaceInstallSupport=true
 - --feature-gates=PreflightPermissions=true
 - --feature-gates=HelmChartSupport=true
+ - --feature-gates=BoxcutterRuntime=true
 - --catalogd-cas-dir=/var/certs
 - --pull-cas-dir=/var/certs
 - --tls-cert=/var/certs/tls.cert
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
index 2d124f617f..01e405bb60 100644
--- a/manifests/experimental.yaml
+++ b/manifests/experimental.yaml
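Review bot: `render.WithCertificateProvider(r.CertificateProvider)` is now passed on every call, including when `r.CertificateProvider` is nil, whereas before this change no such option was given at all; unless `WithCertificateProvider` treats a nil provider as "unset" (not visible in this diff), webhook-free bundles rendered with a nil provider take a different path than they used to, so either confirm that or append the option only when the provider is non-nil. The new guard's message `unsupported bundle: webhookDefinitions are not supported` also hides the real condition — webhooks are supported once a provider is configured — so something like `return nil, fmt.Errorf("unsupported bundle: webhookDefinitions require a certificate provider, but none is configured")` gives an operator an actionable error. Render's signature and the `reg` assignment the hunk's `err` check belongs to sit above the hunk.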
@@ -1699,6 +1699,21 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+ annotations:
+ olm.operatorframework.io/feature-set: experimental
+ name: operator-controller-boxcutter-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: operator-controller-controller-manager
+ namespace: olmv1-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
 annotations:
 olm.operatorframework.io/feature-set: experimental
@@ -1934,6 +1949,7 @@ spec:
 - --feature-gates=SingleOwnNamespaceInstallSupport=true
 - --feature-gates=PreflightPermissions=true
 - --feature-gates=HelmChartSupport=true
+ - --feature-gates=BoxcutterRuntime=true
 - --catalogd-cas-dir=/var/certs
 - --pull-cas-dir=/var/certs
 - --tls-cert=/var/certs/tls.cert