thetechnick · thetechnick · Aug 1, 2025 · Jul 31, 2025 · Jul 31, 2025 · Jul 31, 2025
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
@@ -443,7 +443,7 @@ func run() error {
 	// create applier
 	var ctrlBuilderOpts []controllers.ControllerBuilderOption
 	var extApplier controllers.Applier
-
+	certProvider := getCertificateProvider()
 	if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {
 		// TODO: add support for preflight checks
 		// TODO: better scheme handling - which types do we want to support?
@@ -454,14 +454,14 @@ func run() error {
 			RevisionGenerator: &applier.SimpleRevisionGenerator{
 				Scheme: mgr.GetScheme(),
 				BundleRenderer: &applier.RegistryV1BundleRenderer{
-					BundleRenderer: registryv1.Renderer,
+					BundleRenderer:      registryv1.Renderer,
+					CertificateProvider: certProvider,
 				},
 			},
 		}
 		ctrlBuilderOpts = append(ctrlBuilderOpts, controllers.WithOwns(&ocv1.ClusterExtensionRevision{}))
 	} else {
 		// now initialize the helmApplier, assigning the potentially nil preAuth
-		certProvider := getCertificateProvider()
 		extApplier = &applier.Helm{
 			ActionClientGetter: acg,
 			Preflights:         preflights,

diff --git a/config/components/base/experimental/kustomization.yaml b/config/components/base/experimental/kustomization.yaml
@@ -16,5 +16,6 @@ components:
 - ../../features/preflight-permissions
 - ../../features/apiv1-metas-handler
 - ../../features/helm-chart
+- ../../features/boxcutter-runtime
 # This one is downstream only, so we shant use it
 # - ../../features/webhook-provider-openshift-serviceca
diff --git a/config/components/features/boxcutter-runtime/cluster_role_binding.yaml b/config/components/features/boxcutter-runtime/cluster_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: operator-controller-boxcutter-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: operator-controller-controller-manager
+    namespace: olmv1-system
diff --git a/config/components/features/boxcutter-runtime/kustomization.yaml b/config/components/features/boxcutter-runtime/kustomization.yaml
@@ -2,6 +2,8 @@
 ---
 apiVersion: kustomize.config.k8s.io/v1alpha1
 kind: Component
+resources:
+ - cluster_role_binding.yaml
 patches:
  - target:
       kind: Deployment

diff --git a/internal/operator-controller/applier/boxcutter.go b/internal/operator-controller/applier/boxcutter.go
@@ -223,17 +223,23 @@ type BundleRenderer interface {
 }
 
 type RegistryV1BundleRenderer struct {
-	BundleRenderer render.BundleRenderer
+	BundleRenderer      render.BundleRenderer
+	CertificateProvider render.CertificateProvider
 }
 
 func (r *RegistryV1BundleRenderer) Render(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) {
 	reg, err := source.FromFS(bundleFS).GetBundle()
 	if err != nil {
 		return nil, err
 	}
+
+	if len(reg.CSV.Spec.WebhookDefinitions) > 0 && r.CertificateProvider == nil {
+		return nil, fmt.Errorf("unsupported bundle: webhookDefinitions are not supported")
+	}
+
 	watchNamespace, err := GetWatchNamespace(ext)
 	if err != nil {
 		return nil, err
 	}
-	return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace))
+	return r.BundleRenderer.Render(reg, ext.Spec.Namespace, render.WithTargetNamespaces(watchNamespace), render.WithCertificateProvider(r.CertificateProvider))
 }
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
@@ -1699,6 +1699,21 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  annotations:
+    olm.operatorframework.io/feature-set: experimental
+  name: operator-controller-boxcutter-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: operator-controller-controller-manager
+  namespace: olmv1-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   annotations:
     olm.operatorframework.io/feature-set: experimental
@@ -1968,6 +1983,7 @@ spec:
         - --feature-gates=SingleOwnNamespaceInstallSupport=true
         - --feature-gates=PreflightPermissions=true
         - --feature-gates=HelmChartSupport=true
+        - --feature-gates=BoxcutterRuntime=true
         - --catalogd-cas-dir=/var/certs
         - --pull-cas-dir=/var/certs
         - --tls-cert=/var/certs/tls.cert

diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
@@ -1699,6 +1699,21 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  annotations:
+    olm.operatorframework.io/feature-set: experimental
+  name: operator-controller-boxcutter-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: operator-controller-controller-manager
+  namespace: olmv1-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   annotations:
     olm.operatorframework.io/feature-set: experimental
@@ -1934,6 +1949,7 @@ spec:
         - --feature-gates=SingleOwnNamespaceInstallSupport=true
         - --feature-gates=PreflightPermissions=true
         - --feature-gates=HelmChartSupport=true
+        - --feature-gates=BoxcutterRuntime=true
         - --catalogd-cas-dir=/var/certs
         - --pull-cas-dir=/var/certs
         - --tls-cert=/var/certs/tls.cert