Skip to content

✨ Add preauthorizer checks to Boxcutter applier #2443

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
perdasilva wants to merge 1 commit into
base: main
Choose a base branch
from
Open

✨ Add preauthorizer checks to Boxcutter applier #2443

perdasilva wants to merge 1 commit into from
+436 −111

Conversation

@perdasilva
Copy link
Contributor

@perdasilva perdasilva commented Jan 13, 2026
edited
Loading

Description

Adds the PreAuthorizer checks to the Boxcutter applier for feature-gate parity between Helm and Boxcutter appliers.

The Boxcutter applier's PreAuthorization check requires clusterextensions/finalizers and clusterextensionrevisions/finalizers update permissions (on top of the permissions to manage the bundle's resources).

Changes:

  • Refactors PreAuthorizer away from handling ClusterExtension specific permissions
  • Refactors Helm applier to add ClusterExtension permissions for the PreAuthorization check
  • Updates the Helm applier PreAuthorization unit tests and adds a component integration test to ensure it is being called with the right parameters
  • Adds PreAuthorization checks to the Boxcutter Applier and adds ClusterExtension and ClusterExtensionRevision permissions for the check
  • Refactors Boxcutters createOrUpdate method to call perform the PreAuthorization checks
  • Adds PreAuthorizator intergration tests to Boxcutter unit test suite

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

Copilot AI review requested due to automatic review settings January 13, 2026 14:42
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 13, 2026
@openshift-ci
Copy link

openshift-ci bot commented Jan 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign camilamacedo86 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@netlify
Copy link

netlify bot commented Jan 13, 2026
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 387691d
🔍 Latest deploy log https://app.netlify.com/projects/olmv1/deploys/6967c9b00ec2bf000846cbe3
😎 Deploy Preview https://deploy-preview-2443--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

Copilot AI reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds PreAuthorizer checks to the Boxcutter applier to achieve feature-gate parity with the Helm applier. The implementation validates that service accounts have the necessary RBAC permissions before applying cluster extensions, including the ability to update clusterextensionrevisions/finalizers which is specific to the Boxcutter workflow.

Changes:

  • Added an Option pattern to configure PreAuthorizer with ClusterExtensionRevision finalizer permission checks
  • Integrated PreAuthorizer into the Boxcutter applier with manifest generation and permission validation
  • Updated main.go to initialize PreAuthorizer with the new option when the PreflightPermissions feature gate is enabled

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
internal/operator-controller/authorization/rbac.go Added Option pattern and WithClusterExtensionRevisionPerms to optionally check for update permissions on clusterextensionrevisions/finalizers
internal/operator-controller/authorization/rbac_test.go Added test case for PreAuthorizer with ClusterExtensionRevision permissions
internal/operator-controller/applier/boxcutter.go Added PreAuthorizer field and runPreAuthorizationChecks method to validate permissions before applying revisions
internal/operator-controller/applier/boxcutter_test.go Added integration test for PreAuthorizer with fake implementation
cmd/operator-controller/main.go Initialize PreAuthorizer with WithClusterExtensionRevisionPerms option when PreflightPermissions feature gate is enabled

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 6f94c27 to 9d08956 Compare January 13, 2026 14:56
Copilot AI review requested due to automatic review settings January 13, 2026 15:00
@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 9d08956 to 7cdc319 Compare January 13, 2026 15:00
@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch 2 times, most recently from 876225e to 7f4a867 Compare January 13, 2026 15:25
@codecov
Copy link

codecov bot commented Jan 13, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 95.18072% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.62%. Comparing base (dc20dfb) to head (387691d).

Files with missing lines Patch % Lines
internal/operator-controller/applier/boxcutter.go 91.66% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2443      +/-   ##
==========================================
+ Coverage   69.48%   73.62%   +4.13%     
==========================================
  Files         101      101              
  Lines        7701     7742      +41     
==========================================
+ Hits         5351     5700     +349     
+ Misses       1914     1594     -320     
- Partials      436      448      +12
Flag Coverage Δ
e2e 46.19% <0.00%> (-0.28%) ⬇️
experimental-e2e 53.76% <87.95%> (+40.20%) ⬆️
unit 57.23% <90.36%> (+0.14%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 7f4a867 to d542d16 Compare January 13, 2026 17:09
@perdasilva perdasilva marked this pull request as ready for review January 13, 2026 17:09
Copilot AI review requested due to automatic review settings January 13, 2026 17:09
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 13, 2026
@openshift-ci openshift-ci bot requested review from joelanford and tmshort January 13, 2026 17:09
Copilot AI reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from d542d16 to 53a9309 Compare January 14, 2026 16:06
@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 14, 2026
Copilot AI review requested due to automatic review settings January 14, 2026 16:08
@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 53a9309 to 5cd737f Compare January 14, 2026 16:08
Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 5cd737f to 2b041e5 Compare January 14, 2026 16:26
Copilot AI review requested due to automatic review settings January 14, 2026 16:28
@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 2b041e5 to 13cdb4b Compare January 14, 2026 16:28
@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 13cdb4b to 9e07dab Compare January 14, 2026 16:34
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 14, 2026
Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Add preflight checks to Boxcutter applier
387691d 
Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
@perdasilva perdasilva force-pushed the boxcutter-preflight-auth-checks branch from 9e07dab to 387691d Compare January 14, 2026 16:51
camilamacedo86
camilamacedo86 reviewed Jan 14, 2026
View reviewed changes
internal/operator-controller/authorization/rbac_test.go
Verbs: []string{"update"},
APIGroups: []string{""},
Resources: []string{"clusterextensions/finalizers"},
ResourceNames: []string{"test-cluster-extension"},
Copy link
Contributor

@camilamacedo86 camilamacedo86 Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So now if we do not have the permissions for those, will all work?

Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@camilamacedo86 camilamacedo86 camilamacedo86 left review comments

Copilot code review Copilot Copilot left review comments

@joelanford joelanford Awaiting requested review from joelanford

@tmshort tmshort Awaiting requested review from tmshort

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@perdasilva @camilamacedo86 @openshift-merge-robot