🐛 OCPBUGS-78455: fix(Boxcutter-Collision): Fix collision detection bypass after ClusterExtension upgrade

[camilamacedo86]

When a ClusterExtension was upgraded (e.g., v1.0.0 to v1.0.1), the upgrade set a higher revision number on managed objects. A second

ClusterExtension installing the same package was then allowed because boxcutter's revision linearity check returned ActionProgressed instead of ActionCollision, silently skipping the conflict.

Fix: after boxcutter reconcile, check ActionProgressed results for objects whose controller ownerReference belongs to a revision from a different ClusterExtension, and treat those as collisions.

Motivated by: https://redhat.atlassian.net/browse/OCPBUGS-78455

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	b3688d3
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/69c242654b49360008b28620
😎 Deploy Preview	https://deploy-preview-2578--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign grokspawn for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

Fixes a Boxcutter collision-detection bypass that could allow a second ClusterExtension to install the same package after the first ClusterExtension upgraded and bumped managed-object revision numbers.

Changes:

• Treat ActionProgressed results as collisions when the reconciled object is controller-owned by a different ClusterExtensionRevision (foreign ownerRef).
• Add an E2E scenario covering “upgrade then duplicate install” and a new step to ensure both ClusterExtension resources are cleaned up.
• Add unit tests validating the new “foreign revision ownerRef” collision behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
internal/operator-controller/controllers/clusterextensionrevision_controller.go	Adds foreign-ownerRef collision detection for ActionProgressed objects and tracks sibling CER names during reconcile.
internal/operator-controller/controllers/clusterextensionrevision_controller_test.go	Adds unit coverage for foreign/sibling/non-CER controller ownerRef cases.
test/e2e/steps/steps.go	Adds a step to track the currently-applied ClusterExtension for cleanup when a scenario applies a second CE.
test/e2e/features/update.feature	Adds an E2E scenario asserting collisions are detected after an upgrade when installing a duplicate CE.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov]

Codecov Report

❌ Patch coverage is 91.66667% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.89%. Comparing base (a307a6d) to head (b3688d3).

Files with missing lines	Patch %	Lines
...controllers/clusterextensionrevision_controller.go	91.66%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2578      +/-   ##
==========================================
+ Coverage   65.84%   67.89%   +2.04%     
==========================================
  Files         137      137              
  Lines        9560     9586      +26     
==========================================
+ Hits         6295     6508     +213     
+ Misses       2795     2581     -214     
- Partials      470      497      +27     

Flag	Coverage Δ
e2e	38.04% <0.00%> (+26.86%)	⬆️
experimental-e2e	51.24% <80.55%> (+0.17%)	⬆️
unit	52.95% <86.11%> (+0.14%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[grokspawn]

why are we avoiding setting this to a local and iterating over it? If we're concerned that the contents can change over the course of this call then couldn't we end up in a situation where the first call determines a bounds which exceeds the returned results later in the loop?
Like if L551 says i := 12, but then obj.GetOwnerReferences() is updated to hold fewer than 12 items.

Why not

refs := obj.GetOwnerReferences()
for i := range refs {
   ref := refs[i]

[camilamacedo86]

I think we can. Goog Catcher 🥇

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The new foreign-owner collision check depends on siblingRevisionNames being complete. If labels.OwnerNameKey is missing on the reconciling CER, buildBoxcutterPhases only seeds the set with cer.Name, so an ActionProgressed object still controlled by another revision of the same ClusterExtension will be misclassified as a foreign collision. Consider skipping the foreign-owner collision check (or treating all CER controllers as "sibling") when the owner label is missing, to preserve the current “missing label => no sibling lookup” behavior.

[Copilot]

When labels.OwnerNameKey is missing on the CER, this function returns siblingRevisionNames containing only cer.Name and an empty previousObjs. With the new ActionProgressed foreign-controller detection, that incomplete sibling set can cause false-positive collisions (any CER controller ref other than cer.Name will look “foreign”). Consider returning an explicit hasOwnerLabel flag (or otherwise ensuring the sibling set is complete) so callers can safely decide whether to enforce the foreign-owner collision check.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

buildBoxcutterPhases re-implements the same filtering/listing logic as listPreviousRevisions (owner label lookup, TrackingCache.List, and the archived/deleting/revision-number filters). This duplication makes it easy for the two paths (previous owners used for boxcutter vs. previous revisions archived on completion) to drift over time. Consider refactoring so buildBoxcutterPhases reuses listPreviousRevisions for previousObjs and only does the additional sibling-name collection separately (or extend listPreviousRevisions to optionally return both).