NO-ISSUE: Synchronize From Upstream Repositories

api/v1/clusterextension_types.go

@@ -107,6 +107,17 @@ type ClusterExtensionSpec struct {
 	//
 	// +optional
 	Config *ClusterExtensionConfig `json:"config,omitempty"`
+
+	// progressDeadlineMinutes is an optional field that defines the maximum period
+	// of time in minutes after which an installation should be considered failed and
+	// require manual intervention. This functionality is disabled when no value
+	// is provided. The minimum period is 10 minutes, and the maximum is 720 minutes (12 hours).
+	//
+	// +kubebuilder:validation:Minimum:=10
+	// +kubebuilder:validation:Maximum:=720
+	// +optional
+	// <opcon:experimental>
+	ProgressDeadlineMinutes int32 `json:"progressDeadlineMinutes,omitempty"`
 }
 
 const SourceTypeCatalog = "Catalog"

api/v1/clusterextensionrevision_types.go

@@ -87,6 +87,17 @@ type ClusterExtensionRevisionSpec struct {
 	// +listMapKey=name
 	// +optional
 	Phases []ClusterExtensionRevisionPhase `json:"phases,omitempty"`
+
+	// progressDeadlineMinutes is an optional field that defines the maximum period
+	// of time in minutes after which an installation should be considered failed and
+	// require manual intervention. This functionality is disabled when no value
+	// is provided. The minimum period is 10 minutes, and the maximum is 720 minutes (12 hours).
+	//
+	// +kubebuilder:validation:Minimum:=10
+	// +kubebuilder:validation:Maximum:=720
+	// +optional
+	// <opcon:experimental>
+	ProgressDeadlineMinutes int32 `json:"progressDeadlineMinutes,omitempty"`
 }
 
 // ClusterExtensionRevisionLifecycleState specifies the lifecycle state of the ClusterExtensionRevision.

api/v1/common_types.go

@@ -32,6 +32,7 @@ const (
 	ReasonDeprecated = "Deprecated"
 
 	// Common reasons
-	ReasonSucceeded = "Succeeded"
-	ReasonFailed    = "Failed"
+	ReasonSucceeded                = "Succeeded"
+	ReasonFailed                   = "Failed"
+	ReasonProgressDeadlineExceeded = "ProgressDeadlineExceeded"
 )

api/v1/validation_test.go

@@ -0,0 +1,176 @@
+package v1
+
+import (
+	"fmt"
+	"testing"
+
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+func TestValidate(t *testing.T) {
+	type args struct {
+		object         any
+		skipDefaulting bool
+	}
+	type want struct {
+		valid bool
+	}
+	type testCase struct {
+		args args
+		want want
+	}
+	defaultExtensionSpec := func(s *ClusterExtensionSpec) *ClusterExtensionSpec {
+		s.Namespace = "ns"
+		s.ServiceAccount = ServiceAccountReference{
+			Name: "sa",
+		}
+		s.Source = SourceConfig{
+			SourceType: SourceTypeCatalog,
+			Catalog: &CatalogFilter{
+				PackageName: "test",
+			},
+		}
+		return s
+	}
+	defaultRevisionSpec := func(s *ClusterExtensionRevisionSpec) *ClusterExtensionRevisionSpec {
+		s.Revision = 1
+		return s
+	}
+	c := newClient(t)
+	i := 0
+
+	for name, tc := range map[string]testCase{
+		"ClusterExtension: invalid progress deadline < 10": {
+			args: args{
+				object: ClusterExtensionSpec{
+					ProgressDeadlineMinutes: 9,
+				},
+			},
+			want: want{valid: false},
+		},
+		"ClusterExtension: valid progress deadline = 10": {
+			args: args{
+				object: ClusterExtensionSpec{
+					ProgressDeadlineMinutes: 10,
+				},
+			},
+			want: want{valid: true},
+		},
+		"ClusterExtension: valid progress deadline = 360": {
+			args: args{
+				object: ClusterExtensionSpec{
+					ProgressDeadlineMinutes: 360,
+				},
+			},
+			want: want{valid: true},
+		},
+		"ClusterExtension: valid progress deadline = 720": {
+			args: args{
+				object: ClusterExtensionSpec{
+					ProgressDeadlineMinutes: 720,
+				},
+			},
+			want: want{valid: true},
+		},
+		"ClusterExtension: invalid progress deadline > 720": {
+			args: args{
+				object: ClusterExtensionSpec{
+					ProgressDeadlineMinutes: 721,
+				},
+			},
+			want: want{valid: false},
+		},
+		"ClusterExtension: no progress deadline set": {
+			args: args{
+				object: ClusterExtensionSpec{},
+			},
+			want: want{valid: true},
+		},
+		"ClusterExtensionRevision: invalid progress deadline < 10": {
+			args: args{
+				object: ClusterExtensionRevisionSpec{
+					ProgressDeadlineMinutes: 9,
+				},
+			},
+			want: want{valid: false},
+		},
+		"ClusterExtensionRevision: valid progress deadline = 10": {
+			args: args{
+				object: ClusterExtensionRevisionSpec{
+					ProgressDeadlineMinutes: 10,
+				},
+			},
+			want: want{valid: true},
+		},
+		"ClusterExtensionRevision: valid progress deadline = 360": {
+			args: args{
+				object: ClusterExtensionRevisionSpec{
+					ProgressDeadlineMinutes: 360,
+				},
+			},
+			want: want{valid: true},
+		},
+		"ClusterExtensionRevision: valid progress deadline = 720": {
+			args: args{
+				object: ClusterExtensionRevisionSpec{
+					ProgressDeadlineMinutes: 720,
+				},
+			},
+			want: want{valid: true},
+		},
+		"ClusterExtensionRevision: invalid progress deadline > 720": {
+			args: args{
+				object: ClusterExtensionRevisionSpec{
+					ProgressDeadlineMinutes: 721,
+				},
+			},
+			want: want{valid: false},
+		},
+		"ClusterExtensionRevision: no progress deadline set": {
+			args: args{
+				object: ClusterExtensionRevisionSpec{},
+			},
+			want: want{valid: true},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			var obj client.Object
+			switch s := tc.args.object.(type) {
+			case ClusterExtensionSpec:
+				ce := &ClusterExtension{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: fmt.Sprintf("ce-%d", i),
+					},
+					Spec: s,
+				}
+				if !tc.args.skipDefaulting {
+					defaultExtensionSpec(&ce.Spec)
+				}
+				obj = ce
+			case ClusterExtensionRevisionSpec:
+				cer := &ClusterExtensionRevision{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: fmt.Sprintf("cer-%d", i),
+					},
+					Spec: s,
+				}
+				if !tc.args.skipDefaulting {
+					defaultRevisionSpec(&cer.Spec)
+				}
+				obj = cer
+			default:
+				t.Fatalf("unknown type %T", s)
+			}
+			i++
+			err := c.Create(t.Context(), obj)
+			if tc.want.valid && err != nil {
+				t.Fatal("expected create to succeed, but got:", err)
+			}
+			if !tc.want.valid && !errors.IsInvalid(err) {
+				t.Fatal("expected create to fail due to invalid payload, but got:", err)
+			}
+		})
+	}
+}

cmd/operator-controller/main.go

@@ -598,7 +598,12 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		return err
 	}
 
-	// TODO: add support for preflight checks
+	// determine if PreAuthorizer should be enabled based on feature gate
+	var preAuth authorization.PreAuthorizer
+	if features.OperatorControllerFeatureGate.Enabled(features.PreflightPermissions) {
+		preAuth = authorization.NewRBACPreAuthorizer(c.mgr.GetClient())
+	}
+
 	// TODO: better scheme handling - which types do we want to support?
 	_ = apiextensionsv1.AddToScheme(c.mgr.GetScheme())
 	rg := &applier.SimpleRevisionGenerator{
@@ -610,6 +615,7 @@ func (c *boxcutterReconcilerConfigurator) Configure(ceReconciler *controllers.Cl
 		Scheme:            c.mgr.GetScheme(),
 		RevisionGenerator: rg,
 		Preflights:        c.preflights,
+		PreAuthorizer:     preAuth,
 		FieldOwner:        fmt.Sprintf("%s/clusterextension-controller", fieldOwnerPrefix),
 	}
 	revisionStatesGetter := &controllers.BoxcutterRevisionStatesGetter{Reader: c.mgr.GetClient()}

commitchecker.yaml

@@ -1,4 +1,4 @@
-expectedMergeBase: b08a054acc3892fb5b1977299c8a92cbddd90819
+expectedMergeBase: 8167ff8fd3ab3880459f9d1e5626c6e3073e3428
 upstreamBranch: main
 upstreamOrg: operator-framework
 upstreamRepo: operator-controller

docs/api-reference/olmv1-api-reference.md

@@ -344,6 +344,7 @@ _Appears in:_
 | `source` _[SourceConfig](#sourceconfig)_ | source is required and selects the installation source of content for this ClusterExtension.<br />Set the sourceType field to perform the selection.<br />Catalog is currently the only implemented sourceType.<br />Setting sourceType to "Catalog" requires the catalog field to also be defined.<br />Below is a minimal example of a source definition (in yaml):<br />source:<br />  sourceType: Catalog<br />  catalog:<br />    packageName: example-package |  | Required: \{\} <br /> |
 | `install` _[ClusterExtensionInstallConfig](#clusterextensioninstallconfig)_ | install is optional and configures installation options for the ClusterExtension,<br />such as the pre-flight check configuration. |  |  |
 | `config` _[ClusterExtensionConfig](#clusterextensionconfig)_ | config is optional and specifies bundle-specific configuration.<br />Configuration is bundle-specific and a bundle may provide a configuration schema.<br />When not specified, the default configuration of the resolved bundle is used.<br />config is validated against a configuration schema provided by the resolved bundle. If the bundle does not provide<br />a configuration schema the bundle is deemed to not be configurable. More information on how<br />to configure bundles can be found in the OLM documentation associated with your current OLM version. |  |  |
+| `progressDeadlineMinutes` _integer_ | progressDeadlineMinutes is an optional field that defines the maximum period<br />of time in minutes after which an installation should be considered failed and<br />require manual intervention. This functionality is disabled when no value<br />is provided. The minimum period is 10 minutes, and the maximum is 720 minutes (12 hours).<br /><opcon:experimental> |  | Maximum: 720 <br />Minimum: 10 <br /> |
 
 
 #### ClusterExtensionStatus

helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensionrevisions.yaml

@@ -166,6 +166,16 @@ spec:
                 x-kubernetes-validations:
                 - message: phases is immutable
                   rule: self == oldSelf || oldSelf.size() == 0
+              progressDeadlineMinutes:
+                description: |-
+                  progressDeadlineMinutes is an optional field that defines the maximum period
+                  of time in minutes after which an installation should be considered failed and
+                  require manual intervention. This functionality is disabled when no value
+                  is provided. The minimum period is 10 minutes, and the maximum is 720 minutes (12 hours).
+                format: int32
+                maximum: 720
+                minimum: 10
+                type: integer
               revision:
                 description: |-
                   revision is a required, immutable sequence number representing a specific revision

helm/olmv1/base/operator-controller/crd/experimental/olm.operatorframework.io_clusterextensions.yaml

@@ -165,6 +165,16 @@ spec:
                   rule: self == oldSelf
                 - message: namespace must be a valid DNS1123 label
                   rule: self.matches("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
+              progressDeadlineMinutes:
+                description: |-
+                  progressDeadlineMinutes is an optional field that defines the maximum period
+                  of time in minutes after which an installation should be considered failed and
+                  require manual intervention. This functionality is disabled when no value
+                  is provided. The minimum period is 10 minutes, and the maximum is 720 minutes (12 hours).
+                format: int32
+                maximum: 720
+                minimum: 10
+                type: integer
               serviceAccount:
                 description: |-
                   serviceAccount specifies a ServiceAccount used to perform all interactions with the cluster