Add DeploymentConfig feature gate for registry+v1 bundle deployment customization

tmshort · tmshort · commit 3fd9c278c4dd · 2026-02-25T16:24:03.000-05:00
Wraps the deploymentConfig API feature (spec.config.inline.deploymentConfig)
behind a new Alpha feature gate so it can be disabled by default and is only
enabled in experimental manifests.

When the gate is disabled, deploymentConfig is removed from the bundle's
config schema before validation, giving users a clear "unknown field" error
rather than silently ignoring the configuration.

Assisted-by: Claude
Signed-off-by: Todd Short &lt;tshort@redhat.com&gt;
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
@@ -479,6 +479,7 @@ func run() error {
 		CertificateProvider:         certProvider,
 		IsWebhookSupportEnabled:     certProvider != nil,
 		IsSingleOwnNamespaceEnabled: features.OperatorControllerFeatureGate.Enabled(features.SingleOwnNamespaceInstallSupport),
+		IsDeploymentConfigEnabled:   features.OperatorControllerFeatureGate.Enabled(features.DeploymentConfig),
 	}
 	var cerCfg reconcilerConfigurator
 	if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {
diff --git a/helm/experimental.yaml b/helm/experimental.yaml
@@ -12,6 +12,7 @@ options:
         - PreflightPermissions
         - HelmChartSupport
         - BoxcutterRuntime
+        - DeploymentConfig
       disabled:
         - WebhookProviderOpenshiftServiceCA
 # List of enabled experimental features for catalogd
diff --git a/internal/operator-controller/applier/provider.go b/internal/operator-controller/applier/provider.go
@@ -33,6 +33,7 @@ type RegistryV1ManifestProvider struct {
 	CertificateProvider         render.CertificateProvider
 	IsWebhookSupportEnabled     bool
 	IsSingleOwnNamespaceEnabled bool
+	IsDeploymentConfigEnabled   bool
 }
 
 func (r *RegistryV1ManifestProvider) Get(bundleFS fs.FS, ext *ocv1.ClusterExtension) ([]client.Object, error) {
@@ -70,7 +71,11 @@ func (r *RegistryV1ManifestProvider) Get(bundleFS fs.FS, ext *ocv1.ClusterExtens
 		render.WithCertificateProvider(r.CertificateProvider),
 	}
 
-	if r.IsSingleOwnNamespaceEnabled {
+	// Always validate inline config when present so that disabled features produce
+	// a clear error rather than being silently ignored. When IsSingleOwnNamespaceEnabled
+	// is true we also call this with no config to validate required fields (e.g.
+	// watchNamespace for OwnNamespace-only bundles).
+	if r.IsSingleOwnNamespaceEnabled || ext.Spec.Config != nil {
 		configOpts, err := r.extractBundleConfigOptions(&rv1, ext)
 		if err != nil {
 			return nil, err
@@ -88,6 +93,14 @@ func (r *RegistryV1ManifestProvider) extractBundleConfigOptions(rv1 *bundle.Regi
 		return nil, fmt.Errorf("error getting configuration schema: %w", err)
 	}
 
+	// When the DeploymentConfig feature gate is disabled, remove deploymentConfig from the
+	// schema so that users get a clear "unknown field" error if they attempt to use it.
+	if !r.IsDeploymentConfigEnabled {
+		if props, ok := schema["properties"].(map[string]any); ok {
+			delete(props, "deploymentConfig")
+		}
+	}
+
 	bundleConfigBytes := extensionConfigBytes(ext)
 	bundleConfig, err := config.UnmarshalConfig(bundleConfigBytes, schema, ext.Spec.Namespace)
 	if err != nil {
@@ -99,13 +112,15 @@ func (r *RegistryV1ManifestProvider) extractBundleConfigOptions(rv1 *bundle.Regi
 		opts = append(opts, render.WithTargetNamespaces(*watchNS))
 	}
 
-	// Extract and convert deploymentConfig if present
-	if deploymentConfigMap := bundleConfig.GetDeploymentConfig(); deploymentConfigMap != nil {
-		deploymentConfig, err := convertToDeploymentConfig(deploymentConfigMap)
-		if err != nil {
-			return nil, errorutil.NewTerminalError(ocv1.ReasonInvalidConfiguration, fmt.Errorf("invalid deploymentConfig: %w", err))
+	// Extract and convert deploymentConfig if present and the feature gate is enabled.
+	if r.IsDeploymentConfigEnabled {
+		if deploymentConfigMap := bundleConfig.GetDeploymentConfig(); deploymentConfigMap != nil {
+			deploymentConfig, err := convertToDeploymentConfig(deploymentConfigMap)
+			if err != nil {
+				return nil, errorutil.NewTerminalError(ocv1.ReasonInvalidConfiguration, fmt.Errorf("invalid deploymentConfig: %w", err))
+			}
+			opts = append(opts, render.WithDeploymentConfig(deploymentConfig))
 		}
-		opts = append(opts, render.WithDeploymentConfig(deploymentConfig))
 	}
 
 	return opts, nil
diff --git a/internal/operator-controller/applier/provider_test.go b/internal/operator-controller/applier/provider_test.go
@@ -461,6 +461,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) {
 				},
 			},
 			IsSingleOwnNamespaceEnabled: true,
+			IsDeploymentConfigEnabled:   true,
 		}
 
 		bundleFS := bundlefs.Builder().WithPackageName("test").
@@ -492,6 +493,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) {
 				},
 			},
 			IsSingleOwnNamespaceEnabled: true,
+			IsDeploymentConfigEnabled:   true,
 		}
 
 		bundleFS := bundlefs.Builder().WithPackageName("test").
@@ -524,6 +526,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) {
 				},
 			},
 			IsSingleOwnNamespaceEnabled: true,
+			IsDeploymentConfigEnabled:   true,
 		}
 
 		bundleFS := bundlefs.Builder().WithPackageName("test").
@@ -566,6 +569,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) {
 				},
 			},
 			IsSingleOwnNamespaceEnabled: true,
+			IsDeploymentConfigEnabled:   true,
 		}
 
 		bundleFS := bundlefs.Builder().WithPackageName("test").
@@ -602,6 +606,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) {
 				},
 			},
 			IsSingleOwnNamespaceEnabled: true,
+			IsDeploymentConfigEnabled:   true,
 		}
 
 		bundleFS := bundlefs.Builder().WithPackageName("test").
@@ -631,6 +636,7 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) {
 				},
 			},
 			IsSingleOwnNamespaceEnabled: true,
+			IsDeploymentConfigEnabled:   true,
 		}
 
 		bundleFS := bundlefs.Builder().WithPackageName("test").
@@ -654,6 +660,70 @@ func Test_RegistryV1ManifestProvider_DeploymentConfig(t *testing.T) {
 		require.Contains(t, err.Error(), "deploymentConfig.env")
 		require.ErrorIs(t, err, reconcile.TerminalError(nil), "config validation errors should be terminal")
 	})
+
+	t.Run("returns terminal error when deploymentConfig is used but feature gate is disabled", func(t *testing.T) {
+		provider := applier.RegistryV1ManifestProvider{
+			BundleRenderer: render.BundleRenderer{
+				ResourceGenerators: []render.ResourceGenerator{
+					func(rv1 *bundle.RegistryV1, opts render.Options) ([]client.Object, error) {
+						return nil, nil
+					},
+				},
+			},
+			IsSingleOwnNamespaceEnabled: true,
+			IsDeploymentConfigEnabled:   false,
+		}
+
+		bundleFS := bundlefs.Builder().WithPackageName("test").
+			WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces).Build()).Build()
+
+		_, err := provider.Get(bundleFS, &ocv1.ClusterExtension{
+			Spec: ocv1.ClusterExtensionSpec{
+				Namespace: "install-namespace",
+				Config: &ocv1.ClusterExtensionConfig{
+					ConfigType: ocv1.ClusterExtensionConfigTypeInline,
+					Inline: &apiextensionsv1.JSON{
+						Raw: []byte(`{"deploymentConfig": {"env": [{"name": "TEST_ENV", "value": "test-value"}]}}`),
+					},
+				},
+			},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "unknown field \"deploymentConfig\"")
+		require.ErrorIs(t, err, reconcile.TerminalError(nil), "feature gate disabled error should be terminal")
+	})
+
+	t.Run("returns terminal error when deploymentConfig is used with SingleOwnNamespace disabled and DeploymentConfig gate disabled", func(t *testing.T) {
+		provider := applier.RegistryV1ManifestProvider{
+			BundleRenderer: render.BundleRenderer{
+				ResourceGenerators: []render.ResourceGenerator{
+					func(rv1 *bundle.RegistryV1, opts render.Options) ([]client.Object, error) {
+						return nil, nil
+					},
+				},
+			},
+			IsSingleOwnNamespaceEnabled: false,
+			IsDeploymentConfigEnabled:   false,
+		}
+
+		bundleFS := bundlefs.Builder().WithPackageName("test").
+			WithCSV(clusterserviceversion.Builder().WithInstallModeSupportFor(v1alpha1.InstallModeTypeAllNamespaces).Build()).Build()
+
+		_, err := provider.Get(bundleFS, &ocv1.ClusterExtension{
+			Spec: ocv1.ClusterExtensionSpec{
+				Namespace: "install-namespace",
+				Config: &ocv1.ClusterExtensionConfig{
+					ConfigType: ocv1.ClusterExtensionConfigTypeInline,
+					Inline: &apiextensionsv1.JSON{
+						Raw: []byte(`{"deploymentConfig": {"env": [{"name": "TEST_ENV", "value": "test-value"}]}}`),
+					},
+				},
+			},
+		})
+		require.Error(t, err)
+		require.Contains(t, err.Error(), "unknown field \"deploymentConfig\"")
+		require.ErrorIs(t, err, reconcile.TerminalError(nil), "config should not be silently ignored when both feature gates are disabled")
+	})
 }
 
 func Test_RegistryV1HelmChartProvider_Integration(t *testing.T) {
diff --git a/internal/operator-controller/features/features.go b/internal/operator-controller/features/features.go
@@ -18,6 +18,7 @@ const (
 	WebhookProviderOpenshiftServiceCA featuregate.Feature = "WebhookProviderOpenshiftServiceCA"
 	HelmChartSupport                  featuregate.Feature = "HelmChartSupport"
 	BoxcutterRuntime                  featuregate.Feature = "BoxcutterRuntime"
+	DeploymentConfig                  featuregate.Feature = "DeploymentConfig"
 )
 
 var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
@@ -80,6 +81,14 @@ var operatorControllerFeatureGates = map[featuregate.Feature]featuregate.Feature
 		PreRelease:    featuregate.Alpha,
 		LockToDefault: false,
 	},
+
+	// DeploymentConfig enables support for customizing operator deployments
+	// via spec.config.inline.deploymentConfig in ClusterExtension resources.
+	DeploymentConfig: {
+		Default:       false,
+		PreRelease:    featuregate.Alpha,
+		LockToDefault: false,
+	},
 }
 
 var OperatorControllerFeatureGate featuregate.MutableFeatureGate = featuregate.NewFeatureGate()
diff --git a/manifests/experimental-e2e.yaml b/manifests/experimental-e2e.yaml
@@ -2454,6 +2454,7 @@ spec:
             - --feature-gates=PreflightPermissions=true
             - --feature-gates=HelmChartSupport=true
             - --feature-gates=BoxcutterRuntime=true
+            - --feature-gates=DeploymentConfig=true
             - --feature-gates=WebhookProviderOpenshiftServiceCA=false
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
diff --git a/manifests/experimental.yaml b/manifests/experimental.yaml
@@ -2360,6 +2360,7 @@ spec:
             - --feature-gates=PreflightPermissions=true
             - --feature-gates=HelmChartSupport=true
             - --feature-gates=BoxcutterRuntime=true
+            - --feature-gates=DeploymentConfig=true
             - --feature-gates=WebhookProviderOpenshiftServiceCA=false
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
diff --git a/test/e2e/features/install.feature b/test/e2e/features/install.feature
@@ -500,3 +500,39 @@ Feature: Install ClusterExtension
     And ClusterExtension is available
     And ClusterExtensionRevision "${NAME}-1" has label "olm.operatorframework.io/owner-kind" with value "ClusterExtension"
     And ClusterExtensionRevision "${NAME}-1" has label "olm.operatorframework.io/owner-name" with value "${NAME}"
+
+  @DeploymentConfig
+  Scenario: deploymentConfig nodeSelector is applied to the operator deployment
+    When ClusterExtension is applied
+      """
+      apiVersion: olm.operatorframework.io/v1
+      kind: ClusterExtension
+      metadata:
+        name: ${NAME}
+      spec:
+        namespace: ${TEST_NAMESPACE}
+        serviceAccount:
+          name: olm-sa
+        config:
+          configType: Inline
+          inline:
+            deploymentConfig:
+              nodeSelector:
+                kubernetes.io/os: linux
+        source:
+          sourceType: Catalog
+          catalog:
+            packageName: test
+            selector:
+              matchLabels:
+                "olm.operatorframework.io/metadata.name": test-catalog
+      """
+    Then ClusterExtension is rolled out
+    And resource "deployment/test-operator" matches
+      """
+      spec:
+        template:
+          spec:
+            nodeSelector:
+              kubernetes.io/os: linux
+      """
diff --git a/test/e2e/steps/hooks.go b/test/e2e/steps/hooks.go
@@ -71,6 +71,7 @@ var (
 		features.WebhookProviderOpenshiftServiceCA: false,
 		features.HelmChartSupport:                  false,
 		features.BoxcutterRuntime:                  false,
+		features.DeploymentConfig:                  false,
 	}
 	logger logr.Logger
 )

Original file line number	Diff line number	Diff line change
`@@ -479,6 +479,7 @@ func run() error {`
`479`	`479`	`CertificateProvider: certProvider,`
`480`	`480`	`IsWebhookSupportEnabled: certProvider != nil,`
`481`	`481`	`IsSingleOwnNamespaceEnabled: features.OperatorControllerFeatureGate.Enabled(features.SingleOwnNamespaceInstallSupport),`
	`482`	`+ IsDeploymentConfigEnabled: features.OperatorControllerFeatureGate.Enabled(features.DeploymentConfig),`
`482`	`483`	`}`
`483`	`484`	`var cerCfg reconcilerConfigurator`
`484`	`485`	`if features.OperatorControllerFeatureGate.Enabled(features.BoxcutterRuntime) {`
Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,7 @@ var (`
`71`	`71`	`features.WebhookProviderOpenshiftServiceCA: false,`
`72`	`72`	`features.HelmChartSupport: false,`
`73`	`73`	`features.BoxcutterRuntime: false,`
	`74`	`+ features.DeploymentConfig: false,`
`74`	`75`	`}`
`75`	`76`	`logger logr.Logger`
`76`	`77`	`)`