Revert API changes

Per Goncalves da Silva · Per Goncalves da Silva · commit e29f50213b23 · 2025-02-27T13:24:40.000+01:00
Signed-off-by: Per Goncalves da Silva &lt;pegoncal@redhat.com&gt;
diff --git a/api/v1/clusterextension_types.go b/api/v1/clusterextension_types.go
@@ -66,19 +66,10 @@ type ClusterExtensionSpec struct {
 	// with the cluster that are required to manage the extension.
 	// The ServiceAccount must be configured with the necessary permissions to perform these interactions.
 	// The ServiceAccount must exist in the namespace referenced in the spec.
+	// serviceAccount is required.
 	//
-	// serviceAccount is optional. If a service account is not defined, requests to the apiserver will instead use
-	// username "olmv1:clusterextensions:<clusterExtension.metadata.name>:admin" and groups
-	// "olmv1:clusterextensions:admin" and "system:authenticated"
-	//
-	// Deprecated: Use of serviceAccount is not recommended. Instead, administrators are encouraged
-	// to use the synthetic user/groups described above. All of the same RBAC setup is still required with these
-	// synthetic user/groups. However, this mode is preferred because it requires administrators to specifically
-	// configure RBAC for extension management, rather than enabling piggybacking on existing highly privileged
-	// service accounts that already exist on the cluster.
-	//
-	// +optional
-	ServiceAccount *ServiceAccountReference `json:"serviceAccount"`
+	// +kubebuilder:validation:Required
+	ServiceAccount ServiceAccountReference `json:"serviceAccount"`
 
 	// source is a required field which selects the installation source of content
 	// for this ClusterExtension. Selection is performed by setting the sourceType.
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensions.yaml b/config/base/operator-controller/crd/bases/olm.operatorframework.io_clusterextensions.yaml
@@ -135,16 +135,7 @@ spec:
                   with the cluster that are required to manage the extension.
                   The ServiceAccount must be configured with the necessary permissions to perform these interactions.
                   The ServiceAccount must exist in the namespace referenced in the spec.
-
-                  serviceAccount is optional. If a service account is not defined, requests to the apiserver will instead use
-                  username "olmv1:clusterextensions:<clusterExtension.metadata.name>:admin" and groups
-                  "olmv1:clusterextensions:admin" and "system:authenticated"
-
-                  Deprecated: Use of serviceAccount is not recommended. Instead, administrators are encouraged
-                  to use the synthetic user/groups described above. All of the same RBAC setup is still required with these
-                  synthetic user/groups. However, this mode is preferred because it requires administrators to specifically
-                  configure RBAC for extension management, rather than enabling piggybacking on existing highly privileged
-                  service accounts that already exist on the cluster.
+                  serviceAccount is required.
                 properties:
                   name:
                     description: |-
@@ -467,6 +458,7 @@ spec:
                     has(self.catalog) : !has(self.catalog)'
             required:
             - namespace
+            - serviceAccount
             - source
             type: object
           status:
diff --git a/internal/operator-controller/controllers/clusterextension_admission_test.go b/internal/operator-controller/controllers/clusterextension_admission_test.go
@@ -356,7 +356,7 @@ func TestClusterExtensionAdmissionServiceAccount(t *testing.T) {
 					},
 				},
 				Namespace: "default",
-				ServiceAccount: &ocv1.ServiceAccountReference{
+				ServiceAccount: ocv1.ServiceAccountReference{
 					Name: tc.serviceAccount,
 				},
 			}))
diff --git a/internal/operator-controller/controllers/clusterextension_controller_test.go b/internal/operator-controller/controllers/clusterextension_controller_test.go
@@ -284,7 +284,7 @@ func TestClusterExtensionServiceAccountNotFound(t *testing.T) {
 				},
 			},
 			Namespace: "default",
-			ServiceAccount: &ocv1.ServiceAccountReference{
+			ServiceAccount: ocv1.ServiceAccountReference{
 				Name: "missing-sa",
 			},
 		},
diff --git a/test/e2e/cluster_extension_install_test.go b/test/e2e/cluster_extension_install_test.go
@@ -395,7 +395,7 @@ func TestClusterExtensionInstallWithDeprecatedServiceAccount(t *testing.T) {
 			},
 		},
 		Namespace:      ns.Name,
-		ServiceAccount: &ocv1.ServiceAccountReference{Name: sa.Name},
+		ServiceAccount: ocv1.ServiceAccountReference{Name: sa.Name},
 	}
 	t.Log("It resolves the specified package with correct bundle path")
 	t.Log("By creating the ClusterExtension resource")

Original file line number	Diff line number	Diff line change
`@@ -395,7 +395,7 @@ func TestClusterExtensionInstallWithDeprecatedServiceAccount(t *testing.T) {`
`395`	`395`	`},`
`396`	`396`	`},`
`397`	`397`	`Namespace: ns.Name,`
`398`		`- ServiceAccount: &ocv1.ServiceAccountReference{Name: sa.Name},`
	`398`	`+ ServiceAccount: ocv1.ServiceAccountReference{Name: sa.Name},`
`399`	`399`	`}`
`400`	`400`	`t.Log("It resolves the specified package with correct bundle path")`
`401`	`401`	`t.Log("By creating the ClusterExtension resource")`