✨ Add preauthorizer checks to Boxcutter applier #2443
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull request overview
This PR adds PreAuthorizer checks to the Boxcutter applier to achieve feature-gate parity with the Helm applier. The implementation validates that service accounts have the necessary RBAC permissions before applying cluster extensions, including the ability to update clusterextensionrevisions/finalizers which is specific to the Boxcutter workflow.
Changes:
- Added an Option pattern to configure PreAuthorizer with ClusterExtensionRevision finalizer permission checks
- Integrated PreAuthorizer into the Boxcutter applier with manifest generation and permission validation
- Updated main.go to initialize PreAuthorizer with the new option when the PreflightPermissions feature gate is enabled
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| internal/operator-controller/authorization/rbac.go | Added Option pattern and WithClusterExtensionRevisionPerms to optionally check for update permissions on clusterextensionrevisions/finalizers |
| internal/operator-controller/authorization/rbac_test.go | Added test case for PreAuthorizer with ClusterExtensionRevision permissions |
| internal/operator-controller/applier/boxcutter.go | Added PreAuthorizer field and runPreAuthorizationChecks method to validate permissions before applying revisions |
| internal/operator-controller/applier/boxcutter_test.go | Added integration test for PreAuthorizer with fake implementation |
| cmd/operator-controller/main.go | Initialize PreAuthorizer with WithClusterExtensionRevisionPerms option when PreflightPermissions feature gate is enabled |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
6f94c27 to
9d08956
Compare
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
9d08956 to
7cdc319
Compare
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
2 times, most recently
from
876225e to
7f4a867
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2443 +/- ##
==========================================
- Coverage 73.01% 69.58% -3.44%
==========================================
Files 101 101
Lines 7730 7768 +38
==========================================
- Hits 5644 5405 -239
- Misses 1635 1928 +293
+ Partials 451 435 -16
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
7f4a867 to
d542d16
Compare
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
d542d16 to
53a9309
Compare
openshift-merge-robot
added
the
needs-rebase
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
53a9309 to
5cd737f
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
5cd737f to
2b041e5
Compare
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
2b041e5 to
13cdb4b
Compare
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
c96c4bc to
40a2645
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
40a2645 to
325f80d
Compare
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
325f80d to
12adada
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
camilamacedo86
left a comment
camilamacedo86
left a comment
There was a problem hiding this comment.
All feedbacks and requests seems addressed
Great work folks. !!!
/lgtm
| objBytes, err := yaml.Marshal(obj) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("error generating revision manifest: %w", err) | ||
| } | ||
| manifestBuilder.WriteString("---\n") | ||
| manifestBuilder.WriteString(string(objBytes)) | ||
| manifestBuilder.WriteString("\n") |
There was a problem hiding this comment.
We could use YAML printer for that:
import (
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/cli-runtime/pkg/printers"
)
func WriteToYAML(objects []runtime.Object, w io.Writer) error {
printer := printers.YAMLPrinter{}
for _, obj := range objects {
if err := printer.PrintObj(obj, w); err != nil {
return err
}
}
return nil
}There was a problem hiding this comment.
I've updated to use the YAMLPrinter and a byte buffer ^^
|
|
||
| type PreAuthorizer interface { | ||
| PreAuthorize(ctx context.Context, ext *ocv1.ClusterExtension, manifestReader io.Reader) ([]ScopedPolicyRules, error) | ||
| PreAuthorize(ctx context.Context, user user.Info, manifestReader io.Reader, additionalRequiredPerms ...UserAuthorizerAttributesFactory) ([]ScopedPolicyRules, error) |
There was a problem hiding this comment.
I've moved the godoc string from the implementation to the interface
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: ${TEST_NAMESPACE} | ||
| --- | ||
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: ${SERVICEACCOUNT_NAME} | ||
| namespace: ${TEST_NAMESPACE} | ||
| --- |
There was a problem hiding this comment.
I would keep within the same template all needed resources, so to keep the step logic simpler.
There was a problem hiding this comment.
I needed to split the steps for the e2e test
There was a problem hiding this comment.
I need to have the service account and namespace stamped out for the ClusterExtension and then to apply the perms. I'd prefer not having to maintain two files with the same template.
| matchLabels: | ||
| "olm.operatorframework.io/metadata.name": test-catalog | ||
| """ | ||
| And ClusterExtension reports Progressing as True with Reason Retrying and Message includes: |
There was a problem hiding this comment.
can we match against the full message?
There was a problem hiding this comment.
It's a bit hard right now because there's a difference b/w what is required forthe Helm applier and what is required by the Boxcutter applier. I also didn't want the test to break every time something changes in the bundle and having to manage long winded and message messages. The other tests should fail.
test/e2e/steps/steps.go
Outdated
| return false | ||
| } | ||
| if msg != nil && condition["message"] != *msg { | ||
| if msgCmp != nil && !(*msgCmp)(condition["message"].(string)) { |
There was a problem hiding this comment.
moved the deserialization to meta.Condition instead of map[string]interface{}
test/e2e/features/recover.feature
Outdated
| And ClusterExtension reports Installed as True | ||
|
|
||
| @PreflightPermissions | ||
| Scenario: Add missing permissions |
There was a problem hiding this comment.
let's be more descriptive with the scenario.
There was a problem hiding this comment.
Updated to something more descriptive. Thanks for calling this out. One of those things you leave last and then forget about =SS
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
12adada to
dd63342
Compare
|
New changes are detected. LGTM label has been removed. |
|
/approve Approved for inclusion, but still needs LGTM (@pedjak) |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: tmshort The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
openshift-merge-robot
added
the
needs-rebase
Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
perdasilva
force-pushed
the
boxcutter-preflight-auth-checks
branch
from
dd63342 to
d0a8787
Compare
openshift-merge-robot
removed
the
needs-rebase
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
7 participants
Description
Adds the PreAuthorizer checks to the Boxcutter applier for feature-gate parity between Helm and Boxcutter appliers.
The Boxcutter applier's PreAuthorization check requires clusterextensions/finalizers and clusterextensionrevisions/finalizers update permissions (on top of the permissions to manage the bundle's resources).
Changes:
createOrUpdatemethod to call perform the PreAuthorization checksPreAuthorizer Refactoring Notes
Previously, the
PreAuthorizer.PreAuthorizemethod took a ClusterExtension as a parameter and used it to derive the user to check the permissions against and to generate theclusterextensions/finalizersupdate permission implicitly required by the applier to manage update ownerReferences blockerOwnerDeletion.This PR makes refactors the PreAuthorize methods to substitute the ClusterExtension parameter by two parameters:
This makes the PreAuthorizer more generic by removing ClusterExtension concerns, and allows the applier to define which permissions are needed for its operation beyond those dictated by the bundle manifests. Making the PreAuthorizer more generic, and moving applier specific concerns to the applier. The PreAuthorizer and Applier unit tests are update for this change (removing the clusterextensionrevision perms from the PreAuthorizer tests and adding that check to the applier).
E2E Notes
ClusterExtension reports <condition> as <status> with Reason <reason> and Message including <message fragment>to avoid checking the entire error message but only the salient points as the set could change in the futureNote
Reviewer Checklist