Add Boxcutter FG mapping

Signed-off-by: Per Goncalves da Silva <[email protected]>

Author: Per Goncalves da Silva

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/TwiN/deepmerge v0.2.2
 	github.com/blang/semver/v4 v4.0.0
 	github.com/go-logr/logr v1.4.3
-	github.com/openshift/api v0.0.0-20251111013132-5c461e21bdb7
+	github.com/openshift/api v0.0.0-20251118143053-b6fddd3c8174
 	github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee
 	github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235
 	github.com/openshift/library-go v0.0.0-20251107090138-0de9712313a5

go.sum

@@ -296,8 +296,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
-github.com/openshift/api v0.0.0-20251111013132-5c461e21bdb7 h1:fdvcDJySvjVJctbPbdLPoMiMk+bls34+eq6tWOqdFZg=
-github.com/openshift/api v0.0.0-20251111013132-5c461e21bdb7/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/openshift/api v0.0.0-20251118143053-b6fddd3c8174 h1:lXwzB9GOX9LS3ZyrK5x6QBm/XF+Azfy1ZRXIeOR5olE=
+github.com/openshift/api v0.0.0-20251118143053-b6fddd3c8174/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee h1:+Sp5GGnjHDhT/a/nQ1xdp43UscBMr7G5wxsYotyhzJ4=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20251015124057-db0dee36e235 h1:9JBeIXmnHlpXTQPi7LPmu1jdxznBhAE7bb1K+3D8gxY=

internal/featuregates/mapper.go

@@ -1,116 +1,120 @@
 package featuregates
 
 import (
-	"errors"
-	"strings"
+    "errors"
+    "strings"
 
-	configv1 "github.com/openshift/api/config/v1"
-	"github.com/openshift/api/features"
+    configv1 "github.com/openshift/api/config/v1"
+    "github.com/openshift/api/features"
 
-	"github.com/openshift/cluster-olm-operator/pkg/helmvalues"
+    "github.com/openshift/cluster-olm-operator/pkg/helmvalues"
 )
 
 // Add your new upstream feature gate here
 const (
-	// ref:
-	// 1. https://github.com/operator-framework/operator-controller/pull/1643
-	// 2. https://github.com/operator-framework/operator-controller/commit/5965d5c9ee56e9077dca39afa59047ece84ed97e#diff-bfcbe63805e38aeb1d57481bd753566c7ddf58702829e1c1ffd7698bd047de67R309
-	APIV1MetasHandler    = "APIV1MetasHandler"
-	PreflightPermissions = "PreflightPermissions"
-	// SingleOwnNamespaceInstallSupport: Enables support for Single- and OwnNamespace install modes.
-	SingleOwnNamespaceInstallSupport = "SingleOwnNamespaceInstallSupport"
-	// WebhookProviderOpenshiftServiceCA: Enables support for the installation of bundles containing webhooks using the openshift-serviceca tls certificate provider
-	// WebhookProviderCertManager: This is something that always needs to be disabled downstream
-	WebhookProviderOpenshiftServiceCA = "WebhookProviderOpenshiftServiceCA"
-	WebhookProviderCertManager        = "WebhookProviderCertManager"
+    // ref:
+    // 1. https://github.com/operator-framework/operator-controller/pull/1643
+    // 2. https://github.com/operator-framework/operator-controller/commit/5965d5c9ee56e9077dca39afa59047ece84ed97e#diff-bfcbe63805e38aeb1d57481bd753566c7ddf58702829e1c1ffd7698bd047de67R309
+    APIV1MetasHandler    = "APIV1MetasHandler"
+    PreflightPermissions = "PreflightPermissions"
+    // SingleOwnNamespaceInstallSupport: Enables support for Single- and OwnNamespace install modes.
+    SingleOwnNamespaceInstallSupport = "SingleOwnNamespaceInstallSupport"
+    // WebhookProviderOpenshiftServiceCA: Enables support for the installation of bundles containing webhooks using the openshift-serviceca tls certificate provider
+    // WebhookProviderCertManager: This is something that always needs to be disabled downstream
+    WebhookProviderOpenshiftServiceCA = "WebhookProviderOpenshiftServiceCA"
+    WebhookProviderCertManager        = "WebhookProviderCertManager"
+    NewOLMBoxCutterRuntime            = "BoxcutterRuntime"
 )
 
 type MapperInterface interface {
-	UpstreamForDownstream(downstreamGate configv1.FeatureGateName) func(*helmvalues.HelmValues, bool) error
-	DownstreamFeatureGates() []configv1.FeatureGateName
+    UpstreamForDownstream(downstreamGate configv1.FeatureGateName) func(*helmvalues.HelmValues, bool) error
+    DownstreamFeatureGates() []configv1.FeatureGateName
 }
 
 // Mapper knows the mapping between downstream and upstream feature gates for both OLM components
 
 type gateMapFunc map[configv1.FeatureGateName]func(*helmvalues.HelmValues, bool) error
 
 type Mapper struct {
-	featureGates gateMapFunc
+    featureGates gateMapFunc
 }
 
 func enableFeature(v *helmvalues.HelmValues, addList, removeList, feature string) error {
-	var errs []error
-	errs = append(errs, v.RemoveListValue(removeList, feature))
-	errs = append(errs, v.AddListValue(addList, feature))
-	return errors.Join(errs...)
+    var errs []error
+    errs = append(errs, v.RemoveListValue(removeList, feature))
+    errs = append(errs, v.AddListValue(addList, feature))
+    return errors.Join(errs...)
 }
 func enableCatalogdFeature(v *helmvalues.HelmValues, enabled bool, feature string) error {
-	if enabled {
-		return enableFeature(v, helmvalues.EnableCatalogd, helmvalues.DisableCatalogd, feature)
-	}
-	return enableFeature(v, helmvalues.DisableCatalogd, helmvalues.EnableCatalogd, feature)
+    if enabled {
+        return enableFeature(v, helmvalues.EnableCatalogd, helmvalues.DisableCatalogd, feature)
+    }
+    return enableFeature(v, helmvalues.DisableCatalogd, helmvalues.EnableCatalogd, feature)
 }
 
 func enableOperatorControllerFeature(v *helmvalues.HelmValues, enabled bool, feature string) error {
-	if enabled {
-		return enableFeature(v, helmvalues.EnableOperatorController, helmvalues.DisableOperatorController, feature)
-	}
-	return enableFeature(v, helmvalues.DisableOperatorController, helmvalues.EnableOperatorController, feature)
+    if enabled {
+        return enableFeature(v, helmvalues.EnableOperatorController, helmvalues.DisableOperatorController, feature)
+    }
+    return enableFeature(v, helmvalues.DisableOperatorController, helmvalues.EnableOperatorController, feature)
 }
 
 func NewMapper() *Mapper {
-	// Add your downstream to upstream mapping here
-
-	featureGates := gateMapFunc{
-		// features.FeatureGateNewOLMMyDownstreamFeature: functon that returns a list of enabled and disabled gates
-		features.FeatureGateNewOLMPreflightPermissionChecks: func(v *helmvalues.HelmValues, enabled bool) error {
-			return enableOperatorControllerFeature(v, enabled, PreflightPermissions)
-		},
-		features.FeatureGateNewOLMOwnSingleNamespace: func(v *helmvalues.HelmValues, enabled bool) error {
-			return enableOperatorControllerFeature(v, enabled, SingleOwnNamespaceInstallSupport)
-		},
-		features.FeatureGateNewOLMWebhookProviderOpenshiftServiceCA: func(v *helmvalues.HelmValues, enabled bool) error {
-			var errs []error
-			errs = append(errs, enableOperatorControllerFeature(v, enabled, WebhookProviderOpenshiftServiceCA))
-			// Always disable WebhookProviderCertManager
-			errs = append(errs, enableOperatorControllerFeature(v, false, WebhookProviderCertManager))
-			return errors.Join(errs...)
-		},
-		features.FeatureGateNewOLMCatalogdAPIV1Metas: func(v *helmvalues.HelmValues, enabled bool) error {
-			return enableCatalogdFeature(v, enabled, APIV1MetasHandler)
-		},
-	}
-
-	for _, m := range []gateMapFunc{featureGates} {
-		for downstreamGate := range m {
-			// features.FeatureGateNewOLM is a GA-enabled downstream feature gate.
-			// If there is a need to enable upstream alpha/beta features in the downstream GA release
-			// get approval via a merged openshift/enhancement describing the need, then carve out
-			// an exception in this failsafe code
-			if downstreamGate == features.FeatureGateNewOLM {
-				panic(errors.New("FeatureGateNewOLM used in mappings"))
-			}
-			if !strings.HasPrefix(string(downstreamGate), string(features.FeatureGateNewOLM)) {
-				panic(errors.New("all downstream feature gates must use NewOLM prefix by convention"))
-			}
-		}
-	}
-
-	return &Mapper{featureGates: featureGates}
+    // Add your downstream to upstream mapping here
+
+    featureGates := gateMapFunc{
+        // features.FeatureGateNewOLMMyDownstreamFeature: functon that returns a list of enabled and disabled gates
+        features.FeatureGateNewOLMPreflightPermissionChecks: func(v *helmvalues.HelmValues, enabled bool) error {
+            return enableOperatorControllerFeature(v, enabled, PreflightPermissions)
+        },
+        features.FeatureGateNewOLMOwnSingleNamespace: func(v *helmvalues.HelmValues, enabled bool) error {
+            return enableOperatorControllerFeature(v, enabled, SingleOwnNamespaceInstallSupport)
+        },
+        features.FeatureGateNewOLMWebhookProviderOpenshiftServiceCA: func(v *helmvalues.HelmValues, enabled bool) error {
+            var errs []error
+            errs = append(errs, enableOperatorControllerFeature(v, enabled, WebhookProviderOpenshiftServiceCA))
+            // Always disable WebhookProviderCertManager
+            errs = append(errs, enableOperatorControllerFeature(v, false, WebhookProviderCertManager))
+            return errors.Join(errs...)
+        },
+        features.FeatureGateNewOLMCatalogdAPIV1Metas: func(v *helmvalues.HelmValues, enabled bool) error {
+            return enableCatalogdFeature(v, enabled, APIV1MetasHandler)
+        },
+        features.FeatureGateNewOLMBoxCutterRuntime: func(v *helmvalues.HelmValues, enabled bool) error {
+            return enableOperatorControllerFeature(v, enabled, NewOLMBoxCutterRuntime)
+        },
+    }
+
+    for _, m := range []gateMapFunc{featureGates} {
+        for downstreamGate := range m {
+            // features.FeatureGateNewOLM is a GA-enabled downstream feature gate.
+            // If there is a need to enable upstream alpha/beta features in the downstream GA release
+            // get approval via a merged openshift/enhancement describing the need, then carve out
+            // an exception in this failsafe code
+            if downstreamGate == features.FeatureGateNewOLM {
+                panic(errors.New("FeatureGateNewOLM used in mappings"))
+            }
+            if !strings.HasPrefix(string(downstreamGate), string(features.FeatureGateNewOLM)) {
+                panic(errors.New("all downstream feature gates must use NewOLM prefix by convention"))
+            }
+        }
+    }
+
+    return &Mapper{featureGates: featureGates}
 }
 
 // DownstreamFeatureGates returns a list of all downstream feature gates
 // which have an upstream mapping configured
 func (m *Mapper) DownstreamFeatureGates() []configv1.FeatureGateName {
-	keys := make([]configv1.FeatureGateName, 0, len(m.featureGates))
-	for k := range m.featureGates {
-		keys = append(keys, k)
-	}
-	return keys
+    keys := make([]configv1.FeatureGateName, 0, len(m.featureGates))
+    for k := range m.featureGates {
+        keys = append(keys, k)
+    }
+    return keys
 }
 
 // UpstreamForDownstream returns upstream feature gates which are configured
 // for a given downstream feature gate
 func (m *Mapper) UpstreamForDownstream(downstreamGate configv1.FeatureGateName) func(*helmvalues.HelmValues, bool) error {
-	return m.featureGates[downstreamGate]
+    return m.featureGates[downstreamGate]
 }

internal/featuregates/mapper_test.go

@@ -34,6 +34,7 @@ func TestMapper_DownstreamFeatureGates(t *testing.T) {
 		features.FeatureGateNewOLMOwnSingleNamespace,
 		features.FeatureGateNewOLMWebhookProviderOpenshiftServiceCA,
 		features.FeatureGateNewOLMCatalogdAPIV1Metas,
+		features.FeatureGateNewOLMBoxCutterRuntime,
 	}
 
 	if len(gates) != len(expectedGates) {
@@ -68,6 +69,12 @@ func TestMapper_UpstreamForDownstream(t *testing.T) {
 			enabled:        false,
 			expectFunc:     true,
 		},
+		{
+			name:           "valid downstream gate - boxcutter runtime",
+			downstreamGate: features.FeatureGateNewOLMBoxCutterRuntime,
+			enabled:        false,
+			expectFunc:     true,
+		},
 		{
 			name:           "valid downstream gate - webhook provider",
 			downstreamGate: features.FeatureGateNewOLMWebhookProviderOpenshiftServiceCA,