✨ OPRUN-4221: Use operator-controller SA by default, make SA field optional by trgeiger · Pull Request #2333 · operator-framework/operator-controller

trgeiger · 2025-11-13T21:21:19Z

Changes the ClusterExtension API field spec.ServiceAccount to be optional. Operator-controller will use its own service account by default unless the spec.ServiceAccount field is set. RBAC PreAuthorization only happens if the optional SA field is set, as well.

Give operator-controller's SA cluster-admin by default.

Addresses OPRUN-4221

Wasn't sure if I should mark this major or minor change.

Description

Reviewer Checklist

API Go Documentation
Tests: Unit Tests (and E2E Tests, if appropriate)
Comprehensive Commit Messages
Links to related GitHub Issue(s)

netlify · 2025-11-13T21:21:25Z

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	`435dc41`
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/69164f611f283a00081eff31
😎 Deploy Preview	https://deploy-preview-2333--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

openshift-ci · 2025-11-13T21:21:25Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign camilamacedo86, thetechnick for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Changes the ClusterExtension API field spec.ServiceAccount to be optional. Operator-controller will use its own service account by default unless the spec.ServiceAccount field is set. RBAC PreAuthorization only happens if the optional SA field is set, as well. Give operator-controller's SA cluster-admin by default.

codecov · 2025-11-13T21:51:00Z

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.28%. Comparing base (d204888) to head (435dc41).
⚠️ Report is 22 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/operator-controller/action/restconfig.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2333      +/-   ##
==========================================
- Coverage   74.42%   74.28%   -0.14%     
==========================================
  Files          91       91              
  Lines        7057     7085      +28     
==========================================
+ Hits         5252     5263      +11     
- Misses       1393     1406      +13     
- Partials      412      416       +4

Flag	Coverage Δ
e2e	`45.63% <0.00%> (-0.24%)`	⬇️
experimental-e2e	`48.38% <0.00%> (-0.08%)`	⬇️
unit	`58.58% <33.33%> (+0.07%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

trgeiger · 2025-11-13T22:14:13Z

Due to the changes to the clusterrole, I don't think this is ever going to pass upgrade-e2e since it can't change the clusterrole in place. What's the cleanest way of handling this, versioning our clusterrole moving forward? Just make a new one like the existing boxcutter experimental config does?

joelanford · 2025-11-18T22:36:40Z

@@ -403,7 +403,7 @@ type ServiceAccountReference struct {
 	// +kubebuilder:validation:MaxLength:=253
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"


Should we allow a CE to unset the SA now that it is optional? Open question. I think we need to discuss.

trgeiger · 2025-11-18T23:00:26Z

That's a great question. Does it make sense to hash that out in the RFC?

…

On Tue, Nov 18, 2025, 4:37 PM Joe Lanford ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ In api/v1/clusterextension_types.go <#2333 (comment)> : > @@ -403,7 +403,7 @@ type ServiceAccountReference struct { // +kubebuilder:validation:MaxLength:=253 // +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable" Should we allow a CE to unset the SA now that it is optional? Open question. I think we need to discuss. — Reply to this email directly, view it on GitHub <#2333 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AENY3BO7TJJNPRRO5ZKIQKD35ONRNAVCNFSM6AAAAACMBQXGOWVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZTINZZHE2DINRYGQ> . You are receiving this because you authored the thread.Message ID: ***@***.*** .com>

joelanford · 2025-11-19T21:44:25Z

We need to add an e2e that checks that we can correctly install a ClusterExtension that does not have a service account configured.

The JSON serialization also seems a bit finicky, so I would also suggest adding a unit test that serializes a ClusterExtension lacking a service account into JSON and checks to ensure that there is no spec.serviceAccount field in the output at all.

joelanford · 2025-11-19T21:57:33Z

 	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"
 	// +kubebuilder:validation:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters"
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional


Suggested change

// +kubebuilder:validation:Optional

// +optional

joelanford · 2025-11-19T21:57:46Z

 	// +kubebuilder:validation:XValidation:rule="self.matches(\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\")",message="name must be a valid DNS1123 subdomain. It must contain only lowercase alphanumeric characters, hyphens (-) or periods (.), start and end with an alphanumeric character, and be no longer than 253 characters"
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	Name string `json:"name"`


Suggested change

Name string `json:"name"`

Name string `json:"name,omitempty"`

trgeiger requested a review from a team as a code owner November 13, 2025 21:21

openshift-ci Bot requested review from ankitathomas and oceanc80 November 13, 2025 21:21

trgeiger marked this pull request as draft November 13, 2025 21:21

openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2025

trgeiger force-pushed the sa-optional branch from 920432f to 435dc41 Compare November 13, 2025 21:36

trgeiger changed the title ~~✨ Use operator-controller SA by default, make SA field optional~~ ✨ OPRUN-4219: Use operator-controller SA by default, make SA field optional Nov 13, 2025

trgeiger changed the title ~~✨ OPRUN-4219: Use operator-controller SA by default, make SA field optional~~ ✨ OPRUN-4221: Use operator-controller SA by default, make SA field optional Nov 17, 2025

joelanford reviewed Nov 18, 2025

View reviewed changes

joelanford reviewed Nov 19, 2025

View reviewed changes

trgeiger closed this Nov 21, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

✨ OPRUN-4221: Use operator-controller SA by default, make SA field optional#2333

✨ OPRUN-4221: Use operator-controller SA by default, make SA field optional#2333
trgeiger wants to merge 1 commit into
operator-framework:mainfrom
trgeiger:sa-optional

trgeiger commented Nov 13, 2025 •

edited

Loading

Uh oh!

netlify Bot commented Nov 13, 2025 •

edited

Loading

Uh oh!

openshift-ci Bot commented Nov 13, 2025

Uh oh!

codecov Bot commented Nov 13, 2025 •

edited

Loading

Uh oh!

trgeiger commented Nov 13, 2025

Uh oh!

joelanford Nov 18, 2025

Uh oh!

trgeiger commented Nov 18, 2025 via email

Uh oh!

joelanford commented Nov 19, 2025

Uh oh!

joelanford Nov 19, 2025

Uh oh!

joelanford Nov 19, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

		@@ -403,7 +403,7 @@ type ServiceAccountReference struct {
		// +kubebuilder:validation:MaxLength:=253
		// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="name is immutable"

	Name string `json:"name"`
	Name string `json:"name,omitempty"`

Conversation

trgeiger commented Nov 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Reviewer Checklist

Uh oh!

netlify Bot commented Nov 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for olmv1 ready!

Uh oh!

openshift-ci Bot commented Nov 13, 2025

Uh oh!

codecov Bot commented Nov 13, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

trgeiger commented Nov 13, 2025

Uh oh!

joelanford Nov 18, 2025

Choose a reason for hiding this comment

Uh oh!

trgeiger commented Nov 18, 2025 via email

Uh oh!

joelanford commented Nov 19, 2025

Uh oh!

joelanford Nov 19, 2025

Choose a reason for hiding this comment

Uh oh!

joelanford Nov 19, 2025

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

trgeiger commented Nov 13, 2025 •

edited

Loading

netlify Bot commented Nov 13, 2025 •

edited

Loading

codecov Bot commented Nov 13, 2025 •

edited

Loading