✨ Add preauthorizer checks to Boxcutter applier

[perdasilva]

Description

Adds the PreAuthorizer checks to the Boxcutter applier for feature-gate parity between Helm and Boxcutter appliers.

The Boxcutter applier's PreAuthorization check requires clusterextensions/finalizers and clusterextensionrevisions/finalizers update permissions (on top of the permissions to manage the bundle's resources).

Changes:

• Refactors PreAuthorizer away from handling ClusterExtension specific permissions
• Refactors Helm applier to add ClusterExtension permissions for the PreAuthorization check
• Updates the Helm applier PreAuthorization unit tests and adds a component integration test to ensure it is being called with the right parameters
• Adds PreAuthorization checks to the Boxcutter Applier and adds the clusterextensionrevisions/finalizers update permission for the check
• Refactors Boxcutters createOrUpdate method to call perform the PreAuthorization checks
• Adds PreAuthorizator intergration tests to Boxcutter unit test suite

PreAuthorizer Refactoring Notes

Previously, the PreAuthorizer.PreAuthorize method took a ClusterExtension as a parameter and used it to derive the user to check the permissions against and to generate the clusterextensions/finalizers update permission implicitly required by the applier to manage update ownerReferences blockerOwnerDeletion.

This PR makes refactors the PreAuthorize methods to substitute the ClusterExtension parameter by two parameters:

• manifestManager -> the user to check the permissions agains
• additionsRequiredPermissions -> permissions that are required on top of the permissions strictly required to manage the manifests input through the manifestReader parameter.

This makes the PreAuthorizer more generic by removing ClusterExtension concerns, and allows the applier to define which permissions are needed for its operation beyond those dictated by the bundle manifests. Making the PreAuthorizer more generic, and moving applier specific concerns to the applier. The PreAuthorizer and Applier unit tests are update for this change (removing the clusterextensionrevision perms from the PreAuthorizer tests and adding that check to the applier).

Note

• The Boxcutter applier still uses the manager client to create and update the revisions. The PreAuthorizer just ensures the service account has all the necessary permissions to do its job.

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	b295770
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/6968f4d05eab180008d01ac9
😎 Deploy Preview	https://deploy-preview-2443--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

This PR adds PreAuthorizer checks to the Boxcutter applier to achieve feature-gate parity with the Helm applier. The implementation validates that service accounts have the necessary RBAC permissions before applying cluster extensions, including the ability to update clusterextensionrevisions/finalizers which is specific to the Boxcutter workflow.

Changes:

• Added an Option pattern to configure PreAuthorizer with ClusterExtensionRevision finalizer permission checks
• Integrated PreAuthorizer into the Boxcutter applier with manifest generation and permission validation
• Updated main.go to initialize PreAuthorizer with the new option when the PreflightPermissions feature gate is enabled

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
internal/operator-controller/authorization/rbac.go	Added Option pattern and WithClusterExtensionRevisionPerms to optionally check for update permissions on clusterextensionrevisions/finalizers
internal/operator-controller/authorization/rbac_test.go	Added test case for PreAuthorizer with ClusterExtensionRevision permissions
internal/operator-controller/applier/boxcutter.go	Added PreAuthorizer field and runPreAuthorizationChecks method to validate permissions before applying revisions
internal/operator-controller/applier/boxcutter_test.go	Added integration test for PreAuthorizer with fake implementation
cmd/operator-controller/main.go	Initialize PreAuthorizer with WithClusterExtensionRevisionPerms option when PreflightPermissions feature gate is enabled

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 89.87342% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.52%. Comparing base (dc20dfb) to head (b295770).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/operator-controller/main.go	0.00%	4 Missing ⚠️
internal/operator-controller/applier/boxcutter.go	90.90%	2 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2443      +/-   ##
==========================================
+ Coverage   69.48%   69.52%   +0.04%     
==========================================
  Files         101      101              
  Lines        7701     7738      +37     
==========================================
+ Hits         5351     5380      +29     
- Misses       1914     1920       +6     
- Partials      436      438       +2     

Flag	Coverage Δ
e2e	46.07% <0.00%> (-0.40%)	⬇️
experimental-e2e	13.48% <0.00%> (-0.08%)	⬇️
unit	57.21% <89.87%> (+0.12%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[camilamacedo86]

I think I am ok with the change
/lgtm

It would be nice get a second reviewer maybe @tylerslaton who works in this area and has more context as we could get help from @pedjak as well.

[perdasilva]

/hold I think I've found an issue

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from camilamacedo86. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[perdasilva]

/uhold

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[perdasilva]

/unhold