✨ (feat): When using Boxcutter feature-gate, use ClusterExtension ServiceAccount for revision operations (#2429)

* (feat): [Boxcutter] Use ClusterExtension ServiceAccount for revision operations

Implement serviceAccount-scoped token-based authentication for
ClusterExtensionRevision controller using annotation-based configuration.

- Add RevisionEngineFactory with CreateRevisionEngine(ctx, rev) interface
- Read ServiceAccount from annotations (no ClusterExtension dependency)
- Token-based auth using TokenInjectingRoundTripper
- ServiceAccount name and namespace in annotations for observability
- TrackingCache uses global client for caching/cleanup
- Comprehensive error path tests

ClusterExtensionRevision can exist independently.
Easy mode impersonation deferred until API is finalized.

Assisted-by: Cursor

* (doc) Add godoc comments to label constants

Adds documentation comments to all label/annotation constants explaining:
- What each constant represents
- Where they are applied (labels vs annotations)
- ServiceAccount constants document their relationship to ClusterExtension spec

Addresses code review feedback for improved maintainability.

* (fix) Add ClusterExtensionRevision permissions to upgrade test RBAC

The upgrade test ServiceAccount needs permissions to manage
ClusterExtensionRevisions when BoxcutterRuntime is enabled.
Without these permissions, the upgraded controller cannot create
or update ClusterExtensionRevision resources, causing the
ClusterExtension to fail reconciliation after upgrade.

* review changes

* (fix): e2e: add bind/escalate verbs for Boxcutter Server-Side Apply

Add `bind` and `escalate` RBAC verbs to e2e test ServiceAccount to support
Boxcutter applier's use of Kubernetes Server-Side Apply (SSA).

Experimental e2e tests fail when Boxcutter uses ServiceAccount-scoped clients
to apply bundle RBAC resources (ClusterRoles and ClusterRoleBindings):

```
clusterrolebindings.rbac.authorization.k8s.io is forbidden:
User "system:serviceaccount:olmv1-e2e:olm-sa" cannot bind ClusterRole:
RBAC: attempting to grant RBAC permissions not currently held
```

- Uses helm.sh/helm/v3 library
- Applies resources with traditional CREATE/UPDATE operations
- Kubernetes RBAC allows ClusterRoleBinding creation when the ServiceAccount
  already has all the permissions being granted (permission matching)
- **Works WITHOUT `bind`/`escalate` verbs** ✅

- Uses pkg.package-operator.run/boxcutter machinery
- Applies resources with **Server-Side Apply (SSA)** (`client.Apply`)
- SSA enforces field-level ownership and **stricter RBAC enforcement**
- Kubernetes API server **requires explicit `bind` verb** for ClusterRoleBindings
- Permission matching fallback does NOT work reliably with SSA
- **REQUIRES `bind`/`escalate` verbs** ❌

Validated by running actual tests:

**Test 1: Main branch standard-e2e (Helm, NO bind/escalate)**
```bash
make test-e2e
```
Result: ✅ PASS (21 scenarios passed)

**Test 2: PR branch experimental-e2e (Boxcutter, NO bind/escalate)**
```bash
make test-experimental-e2e
```
Result: ❌ FAIL (cannot bind ClusterRole error)

**Test 3: PR branch experimental-e2e (Boxcutter, WITH bind/escalate)**
Result: ✅ PASS (all tests pass)

Add `bind` and `escalate` verbs to the e2e test RBAC template:

```yaml
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: [clusterroles, roles, clusterrolebindings, rolebindings]
  verbs: [ update, create, list, watch, get, delete, patch, bind, escalate ]
```

These verbs allow the ServiceAccount to:
- `bind`: Create ClusterRoleBindings that reference roles with permissions
  the ServiceAccount doesn't have
- `escalate`: Create ClusterRoles with permissions the ServiceAccount doesn't have

This is the documented requirement in `docs/concepts/permission-model.md` for
extension installers and aligns with Kubernetes RBAC best practices.

1. **Required for SSA**: Server-Side Apply has stricter RBAC enforcement
2. **Documented requirement**: OLMv1 docs specify bind/escalate as proper approach
3. **Industry best practice**: Operator installers should have these verbs
4. **Supports all operators**: Not just test-operator with matching permissions
5. **Maintains SSA benefits**: Field ownership, conflict resolution, GitOps support

- Kubernetes RBAC: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping
- OLMv1 Permission Model: docs/concepts/permission-model.md
- Boxcutter machinery: pkg.package-operator.run/boxcutter/machinery (uses client.Apply)
- Testing evidence: FINAL_TESTED_ANSWER.md, SERVER_SIDE_APPLY_ANSWER.md

Tested-by: Actual e2e test runs comparing Helm vs Boxcutter behavior
Signed-off-by: Camila <camil@example.com>

* Split rbac phase into two

Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>

---------

Signed-off-by: Camila <camil@example.com>
Signed-off-by: Per Goncalves da Silva <pegoncal@redhat.com>
Co-authored-by: Per Goncalves da Silva <pegoncal@redhat.com>

Author: camilamacedo86

cmd/operator-controller/main.go

@@ -42,10 +42,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/ptr"
-	"pkg.package-operator.run/boxcutter/machinery"
 	"pkg.package-operator.run/boxcutter/managedcache"
-	"pkg.package-operator.run/boxcutter/ownerhandling"
-	"pkg.package-operator.run/boxcutter/validation"
 	ctrl "sigs.k8s.io/controller-runtime"
 	crcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/certwatcher"
@@ -653,21 +650,29 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		return fmt.Errorf("unable to add tracking cache to manager: %v", err)
 	}
 
+	cerCoreClient, err := corev1client.NewForConfig(c.mgr.GetConfig())
+	if err != nil {
+		return fmt.Errorf("unable to create client for ClusterExtensionRevision controller: %w", err)
+	}
+	cerTokenGetter := authentication.NewTokenGetter(cerCoreClient, authentication.WithExpirationDuration(1*time.Hour))
+
+	revisionEngineFactory, err := controllers.NewDefaultRevisionEngineFactory(
+		c.mgr.GetScheme(),
+		trackingCache,
+		discoveryClient,
+		c.mgr.GetRESTMapper(),
+		fieldOwnerPrefix,
+		c.mgr.GetConfig(),
+		cerTokenGetter,
+	)
+	if err != nil {
+		return fmt.Errorf("unable to create revision engine factory: %w", err)
+	}
+
 	if err = (&controllers.ClusterExtensionRevisionReconciler{
-		Client: c.mgr.GetClient(),
-		RevisionEngine: machinery.NewRevisionEngine(
-			machinery.NewPhaseEngine(
-				machinery.NewObjectEngine(
-					c.mgr.GetScheme(), trackingCache, c.mgr.GetClient(),
-					ownerhandling.NewNative(c.mgr.GetScheme()),
-					machinery.NewComparator(ownerhandling.NewNative(c.mgr.GetScheme()), discoveryClient, c.mgr.GetScheme(), fieldOwnerPrefix),
-					fieldOwnerPrefix, fieldOwnerPrefix,
-				),
-				validation.NewClusterPhaseValidator(c.mgr.GetRESTMapper(), c.mgr.GetClient()),
-			),
-			validation.NewRevisionValidator(), c.mgr.GetClient(),
-		),
-		TrackingCache: trackingCache,
+		Client:                c.mgr.GetClient(),
+		RevisionEngineFactory: revisionEngineFactory,
+		TrackingCache:         trackingCache,
 	}).SetupWithManager(c.mgr); err != nil {
 		return fmt.Errorf("unable to setup ClusterExtensionRevision controller: %w", err)
 	}

hack/test/pre-upgrade-setup.sh

@@ -122,6 +122,19 @@ rules:
     - "update"
     resourceNames:
     - "${TEST_CLUSTER_EXTENSION_NAME}"
+  - apiGroups:
+    - "olm.operatorframework.io"
+    resources:
+    - "clusterextensionrevisions"
+    - "clusterextensionrevisions/finalizers"
+    verbs:
+    - "create"
+    - "update"
+    - "patch"
+    - "delete"
+    - "get"
+    - "list"
+    - "watch"
 EOF
 
 kubectl apply -f - <<EOF

internal/operator-controller/applier/boxcutter.go

@@ -186,6 +186,12 @@ func (r *SimpleRevisionGenerator) buildClusterExtensionRevision(
 	ext *ocv1.ClusterExtension,
 	annotations map[string]string,
 ) *ocv1.ClusterExtensionRevision {
+	if annotations == nil {
+		annotations = make(map[string]string)
+	}
+	annotations[labels.ServiceAccountNameKey] = ext.Spec.ServiceAccount.Name
+	annotations[labels.ServiceAccountNamespaceKey] = ext.Spec.Namespace
+
 	return &ocv1.ClusterExtensionRevision{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations: annotations,

internal/operator-controller/applier/boxcutter_test.go

@@ -66,6 +66,12 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-123",
 		},
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace: "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: "test-sa",
+			},
+		},
 	}
 
 	objectLabels := map[string]string{
@@ -79,10 +85,12 @@ func Test_SimpleRevisionGenerator_GenerateRevisionFromHelmRelease(t *testing.T)
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-123-1",
 			Annotations: map[string]string{
-				"olm.operatorframework.io/bundle-name":      "my-bundle",
-				"olm.operatorframework.io/bundle-reference": "bundle-ref",
-				"olm.operatorframework.io/bundle-version":   "1.2.0",
-				"olm.operatorframework.io/package-name":     "my-package",
+				"olm.operatorframework.io/bundle-name":               "my-bundle",
+				"olm.operatorframework.io/bundle-reference":          "bundle-ref",
+				"olm.operatorframework.io/bundle-version":            "1.2.0",
+				"olm.operatorframework.io/package-name":              "my-package",
+				"olm.operatorframework.io/service-account-name":      "test-sa",
+				"olm.operatorframework.io/service-account-namespace": "test-namespace",
 			},
 			Labels: map[string]string{
 				labels.OwnerNameKey: "test-123",
@@ -172,6 +180,12 @@ func Test_SimpleRevisionGenerator_GenerateRevision(t *testing.T) {
 		ObjectMeta: metav1.ObjectMeta{
 			Name: "test-extension",
 		},
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace: "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{
+				Name: "test-sa",
+			},
+		},
 	}
 
 	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, ext, map[string]string{}, map[string]string{})
@@ -291,7 +305,12 @@ func Test_SimpleRevisionGenerator_AppliesObjectLabelsAndRevisionAnnotations(t *t
 		"other": "value",
 	}
 
-	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{}, map[string]string{
+	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace:      "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"},
+		},
+	}, map[string]string{
 		"some": "value",
 	}, revAnnotations)
 	require.NoError(t, err)
@@ -319,7 +338,12 @@ func Test_SimpleRevisionGenerator_Failure(t *testing.T) {
 		ManifestProvider: r,
 	}
 
-	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{}, map[string]string{}, map[string]string{})
+	rev, err := b.GenerateRevision(t.Context(), fstest.MapFS{}, &ocv1.ClusterExtension{
+		Spec: ocv1.ClusterExtensionSpec{
+			Namespace:      "test-namespace",
+			ServiceAccount: ocv1.ServiceAccountReference{Name: "test-sa"},
+		},
+	}, map[string]string{}, map[string]string{})
 	require.Nil(t, rev)
 	t.Log("by checking rendering errors are propagated")
 	require.Error(t, err)

internal/operator-controller/applier/phase.go

@@ -28,20 +28,22 @@ func determinePhase(gk schema.GroupKind) Phase {
 type Phase string
 
 const (
-	PhaseNamespaces Phase = "namespaces"
-	PhasePolicies   Phase = "policies"
-	PhaseRBAC       Phase = "rbac"
-	PhaseCRDs       Phase = "crds"
-	PhaseStorage    Phase = "storage"
-	PhaseDeploy     Phase = "deploy"
-	PhasePublish    Phase = "publish"
+	PhaseNamespaces   Phase = "namespaces"
+	PhasePolicies     Phase = "policies"
+	PhaseRBAC         Phase = "rbac"
+	PhaseRBACBindings Phase = "rbac-bindings"
+	PhaseCRDs         Phase = "crds"
+	PhaseStorage      Phase = "storage"
+	PhaseDeploy       Phase = "deploy"
+	PhasePublish      Phase = "publish"
 )
 
 // Well known phases ordered.
 var defaultPhaseOrder = []Phase{
 	PhaseNamespaces,
 	PhasePolicies,
 	PhaseRBAC,
+	PhaseRBACBindings,
 	PhaseCRDs,
 	PhaseStorage,
 	PhaseDeploy,
@@ -68,8 +70,11 @@ var (
 		PhaseRBAC: {
 			{Kind: "ServiceAccount"},
 			{Kind: "Role", Group: "rbac.authorization.k8s.io"},
-			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
 			{Kind: "ClusterRole", Group: "rbac.authorization.k8s.io"},
+		},
+
+		PhaseRBACBindings: {
+			{Kind: "RoleBinding", Group: "rbac.authorization.k8s.io"},
 			{Kind: "ClusterRoleBinding", Group: "rbac.authorization.k8s.io"},
 		},
 

internal/operator-controller/applier/phase_test.go

@@ -87,6 +87,30 @@ func Test_PhaseSort(t *testing.T) {
 						},
 					},
 				},
+				{
+					Object: unstructured.Unstructured{
+						Object: map[string]interface{}{
+							"apiVersion": "rbac.authorization.k8s.io/v1",
+							"kind":       "ClusterRoleBinding",
+						},
+					},
+				},
+				{
+					Object: unstructured.Unstructured{
+						Object: map[string]interface{}{
+							"apiVersion": "rbac.authorization.k8s.io/v1",
+							"kind":       "RoleBinding",
+						},
+					},
+				},
+				{
+					Object: unstructured.Unstructured{
+						Object: map[string]interface{}{
+							"apiVersion": "rbac.authorization.k8s.io/v1",
+							"kind":       "Role",
+						},
+					},
+				},
 				{
 					Object: unstructured.Unstructured{
 						Object: map[string]interface{}{
@@ -150,6 +174,35 @@ func Test_PhaseSort(t *testing.T) {
 								},
 							},
 						},
+						{
+							Object: unstructured.Unstructured{
+								Object: map[string]interface{}{
+									"apiVersion": "rbac.authorization.k8s.io/v1",
+									"kind":       "Role",
+								},
+							},
+						},
+					},
+				},
+				{
+					Name: string(applier.PhaseRBACBindings),
+					Objects: []v1.ClusterExtensionRevisionObject{
+						{
+							Object: unstructured.Unstructured{
+								Object: map[string]interface{}{
+									"apiVersion": "rbac.authorization.k8s.io/v1",
+									"kind":       "ClusterRoleBinding",
+								},
+							},
+						},
+						{
+							Object: unstructured.Unstructured{
+								Object: map[string]interface{}{
+									"apiVersion": "rbac.authorization.k8s.io/v1",
+									"kind":       "RoleBinding",
+								},
+							},
+						},
 					},
 				},
 				{

internal/operator-controller/controllers/clusterextensionrevision_controller.go

@@ -43,9 +43,9 @@ const (
 // ClusterExtensionRevisionReconciler actions individual snapshots of ClusterExtensions,
 // as part of the boxcutter integration.
 type ClusterExtensionRevisionReconciler struct {
-	Client         client.Client
-	RevisionEngine RevisionEngine
-	TrackingCache  trackingCache
+	Client                client.Client
+	RevisionEngineFactory RevisionEngineFactory
+	TrackingCache         trackingCache
 }
 
 type trackingCache interface {
@@ -55,11 +55,6 @@ type trackingCache interface {
 	Free(ctx context.Context, user client.Object) error
 }
 
-type RevisionEngine interface {
-	Teardown(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionTeardownOption) (machinery.RevisionTeardownResult, error)
-	Reconcile(ctx context.Context, rev machinerytypes.Revision, opts ...machinerytypes.RevisionReconcileOption) (machinery.RevisionResult, error)
-}
-
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions,verbs=get;list;watch;update;patch;create;delete
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/status,verbs=update;patch
 //+kubebuilder:rbac:groups=olm.operatorframework.io,resources=clusterextensionrevisions/finalizers,verbs=update
@@ -139,7 +134,13 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(ctx context.Context, rev
 		return ctrl.Result{}, werr
 	}
 
-	rres, err := c.RevisionEngine.Reconcile(ctx, *revision, opts...)
+	revisionEngine, err := c.RevisionEngineFactory.CreateRevisionEngine(ctx, rev)
+	if err != nil {
+		setRetryingConditions(rev, err.Error())
+		return ctrl.Result{}, fmt.Errorf("failed to create revision engine: %v", err)
+	}
+
+	rres, err := revisionEngine.Reconcile(ctx, *revision, opts...)
 	if err != nil {
 		if rres != nil {
 			// Log detailed reconcile reports only in debug mode (V(1)) to reduce verbosity.
@@ -253,7 +254,13 @@ func (c *ClusterExtensionRevisionReconciler) reconcile(ctx context.Context, rev
 func (c *ClusterExtensionRevisionReconciler) teardown(ctx context.Context, rev *ocv1.ClusterExtensionRevision, revision *boxcutter.Revision) (ctrl.Result, error) {
 	l := log.FromContext(ctx)
 
-	tres, err := c.RevisionEngine.Teardown(ctx, *revision)
+	revisionEngine, err := c.RevisionEngineFactory.CreateRevisionEngine(ctx, rev)
+	if err != nil {
+		markAsAvailableUnknown(rev, ocv1.ClusterExtensionRevisionReasonReconciling, err.Error())
+		return ctrl.Result{}, fmt.Errorf("failed to create revision engine for teardown: %v", err)
+	}
+
+	tres, err := revisionEngine.Teardown(ctx, *revision)
 	if err != nil {
 		if tres != nil {
 			l.V(1).Info("teardown failure report", "report", tres.String())