🌱 Externalize CER phase objects into Secrets

[pedjak]

Description

ClusterExtensionRevision (CER) objects embed full Kubernetes manifests inline, which hits etcd's 1.5 MiB object size limit for large bundles.

This PR externalizes phase objects into immutable Secrets. Each object is JSON-serialized as a separate key in the Secret, optionally gzip-compressed when larger than 900 KiB. Keys are content-addressable (SHA-256) so identical objects are deduplicated. The applier creates Secrets first, then the CER with refs, then patches ownerReferences — a crash-safe three-step sequence. The CER controller resolves refs back to objects at apply time, capping decompression at 10 MiB.

API changes add ObjectSourceRef as an alternative to the inline Object field, with CEL validation ensuring exactly one is set.

Design doc: docs/concepts/large-bundle-support.md (included in this PR)

E2e tests:

• New scenario validating ref Secrets exist, are immutable, properly labeled, and have ownerRefs to the CER

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	782de94
🔍 Latest deploy log	https://app.netlify.com/projects/olmv1/deploys/69c6d133bdc4880008693d7b
😎 Deploy Preview	https://deploy-preview-2595--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[Copilot]

Pull request overview

This PR introduces Secret-backed references for ClusterExtensionRevision (CER) phase objects to remove etcd object-size limits from being a bundle-size constraint, updating the API/CRDs, applier, reconciler, and e2e coverage accordingly.

Changes:

• Add ObjectSourceRef and make CER phase objects support either inline object or Secret ref (exactly one required via validation).
• Externalize phase objects into immutable, content-addressable Secrets during revision apply, and resolve refs in the CER controller (with gzip auto-detection).
• Extend e2e and unit tests to validate refs, Secret immutability/labels/ownerRefs, and ref resolution behavior.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
api/v1/clusterextensionrevision_types.go	Adds ObjectSourceRef, makes object optional, adds ref, and CEL validation for exclusivity.
api/v1/clusterextensionrevision_types_test.go	Adds validity tests for inline vs ref vs invalid combinations.
api/v1/zz_generated.deepcopy.go	Updates deepcopy behavior for the new Ref field/type.
applyconfigurations/api/v1/objectsourceref.go	Adds apply-configuration type for ObjectSourceRef.
applyconfigurations/api/v1/clusterextensionrevisionobject.go	Adds Ref support in apply-configuration for revision objects.
applyconfigurations/utils.go	Registers ObjectSourceRef apply-configuration by kind.
manifests/experimental.yaml	Updates CRD schema/docs for optional object, new ref, and validation.
manifests/experimental-e2e.yaml	Same CRD schema updates for the e2e manifest set.
helm/.../olm.operatorframework.io_clusterextensionrevisions.yaml	Updates packaged CRD YAML for the same schema changes.
internal/operator-controller/labels/labels.go	Adds RevisionNameKey label constant for listing revision-associated resources.
internal/operator-controller/applier/secretpacker.go	Introduces SecretPacker to bin-pack serialized objects into immutable Secrets and produce refs.
internal/operator-controller/applier/boxcutter.go	Externalizes desired revisions before SSA comparison; adds crash-safe create sequence and ownerRef patching helpers.
internal/operator-controller/applier/boxcutter_test.go	Updates tests to include corev1 scheme + system namespace for Secret operations.
internal/operator-controller/applier/secretpacker_test.go	Adds unit tests for packing, determinism, compression behavior, labels, immutability.
internal/operator-controller/applier/externalize_test.go	Adds focused tests for apply-config conversion + inline→ref replacement behavior.
internal/operator-controller/controllers/clusterextensionrevision_controller.go	Resolves Secret refs (including gzip) when building boxcutter phases; adds Secret RBAC marker.
internal/operator-controller/controllers/resolve_ref_test.go	Adds unit tests exercising ref resolution paths and common failure cases.
cmd/operator-controller/main.go	Passes configured SystemNamespace into Boxcutter.
test/e2e/steps/steps.go	Adds steps to validate refs + referenced Secrets and updates resource listing to resolve refs.
test/e2e/features/install.feature	Adds an e2e scenario asserting externalization invariants (refs, immutability, labels, ownerRefs).
docs/concepts/large-bundle-support.md	Adds design/behavior documentation for large bundle support via per-object Secret refs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

SecretPacker computes the ref key from data after optional gzip compression. This makes ref.key (and therefore the Secret name) depend on the encoding choice/threshold and gzip implementation details rather than the underlying manifest content. Compute the hash from the canonical serialized JSON bytes, and then (optionally) store a gzipped payload under that stable key.

[Copilot]

When two objects have identical content, currentData[key] = data overwrites the existing entry but currentSize is still incremented. That can cause premature Secret finalization and extra Secrets (and could even trip the size check incorrectly if many duplicates exist). Only add to currentSize when the key is new (or track size based on the map contents).

Suggested change

	// If adding this entry would exceed the limit, finalize the current Secret.
	if currentSize+len(data) > maxSecretDataSize && len(currentData) > 0 {
	finalizeCurrent()
	}
	currentData[key] = data
	currentSize += len(data)
	// Only account for size when this is a new key in the current Secret.
	if _, exists := currentData[key]; !exists {
	// If adding this entry would exceed the limit, finalize the current Secret.
	if currentSize+len(data) > maxSecretDataSize && len(currentData) > 0 {
	finalizeCurrent()
	}
	currentData[key] = data
	currentSize += len(data)
	}

[Copilot]

specObj.Object.Object != nil treats an empty-but-present inline object (object: {}) as set, which can lead to later failures when kind/name are missing. Since the API validation is presence-based, prefer checking for actual content (e.g., len(specObj.Object.Object) > 0) to avoid accepting empty inline objects as valid inputs here.

Suggested change

	case specObj.Object.Object != nil:
	case len(specObj.Object.Object) > 0:

[Copilot]

ObjectSourceRef.namespace is optional in the API/CRD, but resolveObjectRef performs Client.Get with ref.Namespace as-is. If a user supplies a ref without a namespace, this will always look in the empty namespace and fail. Either make namespace required at the API level, or implement a well-defined default (e.g., the controller/system namespace) before fetching.

[Copilot]

The crash-safety section claims the controller will detect and delete orphaned Secrets created in step 1 if the corresponding CER doesn't exist. The current implementation doesn't appear to delete orphaned ref Secrets; instead, ensureSecretOwnerReferences can later adopt any Secret with the revision label. Please align the doc with the actual behavior (or implement the described orphan cleanup).

[Copilot]

The doc states that if a referenced Secret/key is not found, the reconciler sets a terminal error condition on the CER. In the current controller implementation, ref resolution failures are treated as retryable (Retrying/Reconciling) and will requeue indefinitely. Please update the doc to match behavior or update the controller to make ref resolution failures terminal as described.

Suggested change

	the reconciler sets a terminal error condition on the CER.
	the reconciler records a transient error condition on the CER and continues to
	requeue the revision for reconciliation until the reference is resolved or the
	CER is deleted.

[Copilot]

io.ReadAll(reader) will fully decompress whatever is stored in the Secret key. Since refs can be user-provided, this allows a gzip bomb / oversized payload to drive high memory usage in the controller. Consider enforcing a maximum decompressed size (e.g., via io.LimitReader) before unmarshalling.

[Copilot]

Ref resolution errors currently flow into setRetryingConditions and return an error, so a missing Secret/key will be retried indefinitely. The API adds ClusterExtensionRevisionReasonRefResolutionFailed, but it's not used here. If missing/invalid refs are meant to be terminal (as the docs suggest), set a non-retrying condition reason (e.g., RefResolutionFailed/Blocked) and avoid endless requeues.

[Copilot]

ensureSecretOwnerReferences lists all Secrets in the system namespace with olm.operatorframework.io/revision-name=<cer.Name> and patches an ownerReference onto any missing it. This can accidentally adopt stale/orphan Secrets from previous failed attempts (or any Secret with that label), even if they are not referenced by the CER. To avoid Secret bloat/unintended ownership, consider deriving the expected Secret names from cer.Spec.Phases[].Objects[].Ref and only patching those.

Suggested change

	// List Secrets with the revision-name label
	secretList := &corev1.SecretList{}
	if err := bc.Client.List(ctx, secretList,
	client.InNamespace(bc.SystemNamespace),
	client.MatchingLabels{labels.RevisionNameKey: cer.Name},
	); err != nil {
	return fmt.Errorf("listing ref Secrets for revision %q: %w", cer.Name, err)
	}
	var needsPatch []corev1.Secret
	for _, s := range secretList.Items {
	hasOwnerRef := false
	for _, ref := range s.OwnerReferences {
	if ref.UID == cer.UID {
	hasOwnerRef = true
	break
	}
	}
	if !hasOwnerRef {
	needsPatch = append(needsPatch, s)
	}
	}
	if len(needsPatch) == 0 {
	return nil
	}
	return bc.patchOwnerRefsOnSecrets(ctx, cer.Name, cer.UID, needsPatch)
	// Derive the set of expected Secret references from the CER spec instead of
	// adopting all Secrets with the revision-name label. This avoids
	// accidentally adopting stale/orphaned Secrets.
	var secretsToPatch []corev1.Secret
	for _, phase := range cer.Spec.Phases {
	for _, obj := range phase.Objects {
	ref := obj.Ref
	if ref == nil {
	continue
	}
	// Only consider Secret references.
	if ref.Kind != "Secret" {
	continue
	}
	// Default to the system namespace if the reference does not specify one,
	// preserving previous behavior that targeted Secrets in bc.SystemNamespace.
	ns := ref.Namespace
	if ns == "" {
	ns = bc.SystemNamespace
	}
	secret := &corev1.Secret{}
	if err := bc.Client.Get(ctx, client.ObjectKey{Namespace: ns, Name: ref.Name}, secret); err != nil {
	if apierrors.IsNotFound(err) {
	// If the referenced Secret no longer exists, skip it.
	continue
	}
	return fmt.Errorf("getting referenced Secret %s/%s for revision %q: %w", ns, ref.Name, cer.Name, err)
	}
	secretsToPatch = append(secretsToPatch, *secret)
	}
	}
	if len(secretsToPatch) == 0 {
	return nil
	}
	return bc.patchOwnerRefsOnSecrets(ctx, cer.Name, cer.UID, secretsToPatch)

[codecov]

Codecov Report

❌ Patch coverage is 77.73852% with 63 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.86%. Comparing base (e709e65) to head (782de94).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
internal/operator-controller/applier/boxcutter.go	81.61%	14 Missing and 11 partials ⚠️
...ternal/operator-controller/applier/secretpacker.go	80.00%	10 Missing and 7 partials ⚠️
api/v1/zz_generated.deepcopy.go	11.11%	8 Missing ⚠️
...controllers/clusterextensionrevision_controller.go	77.77%	5 Missing and 3 partials ⚠️
...gurations/api/v1/clusterextensionrevisionobject.go	0.00%	3 Missing ⚠️
applyconfigurations/utils.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2595       +/-   ##
===========================================
+ Coverage   53.09%   68.86%   +15.76%     
===========================================
  Files         137      139        +2     
  Lines        9609     9876      +267     
===========================================
+ Hits         5102     6801     +1699     
+ Misses       4149     2558     -1591     
- Partials      358      517      +159     

Flag	Coverage Δ
e2e	37.45% <0.00%> (?)
experimental-e2e	52.27% <66.54%> (?)
unit	53.51% <68.55%> (+0.41%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

SecretPacker.Pack increments currentSize by len(data) even when currentData already contains the same key (e.g., identical objects). Because currentData is a map, the later write overwrites and doesn't actually increase Secret size, but currentSize still grows, which can cause premature splitting into new Secrets or even a false "exceeds maximum" error. Consider only incrementing currentSize when inserting a new key (or track size based on map entries) while still adding pending refs for duplicates so multiple objects can point at the same key.

[Copilot]

ObjectSourceRef.Namespace is optional in the API/CRD, but resolveObjectRef uses ref.Namespace directly when constructing the Secret key. A CER with a ref that omits namespace will pass validation but then fail reconciliation. Either make namespace required at the API/CRD level, or default an empty ref.Namespace to the configured system namespace (and plumb that config into this reconciler).

Suggested change

	secret := &corev1.Secret{}
	key := client.ObjectKey{Name: ref.Name, Namespace: ref.Namespace}
	if err := c.Client.Get(ctx, key, secret); err != nil {
	return nil, fmt.Errorf("getting Secret %s/%s: %w", ref.Namespace, ref.Name, err)
	}
	data, ok := secret.Data[ref.Key]
	if !ok {
	return nil, fmt.Errorf("key %q not found in Secret %s/%s", ref.Key, ref.Namespace, ref.Name)
	}
	// Auto-detect gzip compression (magic bytes 0x1f 0x8b)
	if len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b {
	reader, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
	return nil, fmt.Errorf("creating gzip reader for key %q in Secret %s/%s: %w", ref.Key, ref.Namespace, ref.Name, err)
	}
	defer reader.Close()
	decompressed, err := io.ReadAll(reader)
	if err != nil {
	return nil, fmt.Errorf("decompressing key %q in Secret %s/%s: %w", ref.Key, ref.Namespace, ref.Name, err)
	}
	data = decompressed
	}
	obj := &unstructured.Unstructured{}
	if err := json.Unmarshal(data, &obj.Object); err != nil {
	return nil, fmt.Errorf("unmarshaling object from key %q in Secret %s/%s: %w", ref.Key, ref.Namespace, ref.Name, err)
	ns := ref.Namespace
	if ns == "" {
	return nil, fmt.Errorf("namespace must be specified in ObjectSourceRef when resolving Secret %q", ref.Name)
	}
	secret := &corev1.Secret{}
	key := client.ObjectKey{Name: ref.Name, Namespace: ns}
	if err := c.Client.Get(ctx, key, secret); err != nil {
	return nil, fmt.Errorf("getting Secret %s/%s: %w", ns, ref.Name, err)
	}
	data, ok := secret.Data[ref.Key]
	if !ok {
	return nil, fmt.Errorf("key %q not found in Secret %s/%s", ref.Key, ns, ref.Name)
	}
	// Auto-detect gzip compression (magic bytes 0x1f 0x8b)
	if len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b {
	reader, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
	return nil, fmt.Errorf("creating gzip reader for key %q in Secret %s/%s: %w", ref.Key, ns, ref.Name, err)
	}
	defer reader.Close()
	decompressed, err := io.ReadAll(reader)
	if err != nil {
	return nil, fmt.Errorf("decompressing key %q in Secret %s/%s: %w", ref.Key, ns, ref.Name, err)
	}
	data = decompressed
	}
	obj := &unstructured.Unstructured{}
	if err := json.Unmarshal(data, &obj.Object); err != nil {
	return nil, fmt.Errorf("unmarshaling object from key %q in Secret %s/%s: %w", ref.Key, ns, ref.Name, err)

[Copilot]

resolveObjectRef uses io.ReadAll on potentially gzip-compressed Secret data without any upper bound on the decompressed size. A small gzip payload can expand massively and cause memory pressure/DoS. Consider enforcing a max decompressed size (e.g., via io.LimitReader) and returning a clear error when the limit is exceeded.

[Copilot]

listExtensionRevisionResources silently skips a phase object when neither ref nor inline object is detected (no default/error branch). That can hide invalid CERs and return an incomplete resource list, which could lead to false positives in e2e assertions. Consider returning an error when an object has neither (or when the inline object map is empty) to make failures explicit.

Suggested change

	objs = append(objs, &specObj.Object)
	objs = append(objs, &specObj.Object)
	default:
	return nil, fmt.Errorf("phase %q object %d has neither ref nor inline object", phase.Name, j)

[dtfranz]

Does omission of namespace imply OLM system namespace? If so could we add a comment here for that?

[dtfranz]

I know we're currently just putting all the secrets in the system namespace, but if we have a namespace field on the ObjectSourceRefs in the CER, shouldn't they be used here? Or, do we even need the namespace field in there if they're always in SystemNamespace?

[dtfranz]

To maybe answer my own question: since CER controller doesn't handle Secrets lifecycle, it must assume they exist in the system namespace. Also, upon CER creation the ObjectSourceRef hasn't been filled out yet thus there's no namespace to reference in there. Is that right?

[dtfranz]

Not that it really matters at all but, I'd argue this PR is more of a ✨ than a 🌱 PR 🤷
At best it might just make it stand out a bit more in the PR list for potential reviewers but not a blocker issue at all.

[Copilot]

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The comment says the large object exceeds gzipThreshold (800 KiB), but gzipThreshold is currently 900 * 1024. Update the comment (or the constant) so the test description matches the actual threshold being exercised.

[Copilot]

This section claims that if a crash occurs between creating ref Secrets and creating the CER, the controller will detect orphaned Secrets (revision-name label with no corresponding CER) and delete them. I couldn’t find any code in this PR that performs that orphan Secret deletion; the current crash recovery logic focuses on patching missing ownerReferences. Please either implement the described orphan cleanup behavior or adjust the document to reflect the actual behavior (e.g., reusing the already-created Secrets on retry).

Suggested change

	| crash here → Orphaned Secrets exist with no owner.
	| ClusterExtension controller detects them on
	| next reconciliation by listing Secrets with
	| the revision label and checking whether the
	| corresponding CER exists. If not, deletes them.
	| crash here → Secrets may exist with the revision label but
	| no corresponding CER yet. On the next
	| reconciliation, the ClusterExtension controller
	| reuses any existing Secrets with the revision
	| label when (re)creating the CER instead of
	| creating new ones.

[Copilot]

SecretPacker computes ref.Key from data after optional gzip compression. That makes keys (and de-duplication) dependent on compression settings and could force new revisions if the gzip threshold/level changes even when the underlying object JSON is identical. Consider hashing the canonical JSON bytes (pre-compression) and using that hash as the Secret data key, while still optionally storing the value compressed under that stable key.

[Copilot]

secretNameFromData prefixes the Secret name with the full revision name and then appends -<16 hex chars>. If the CER name is near Kubernetes' 253-char limit, this can produce an invalid Secret name and fail installs/upgrades for long extension names. Consider truncating the revision-name prefix to fit within 253 characters (leaving room for the dash + hash), or omit the prefix and rely on labels for association.

Suggested change

	return fmt.Sprintf("%s-%x", p.RevisionName, h.Sum(nil)[:8])
	// Use the first 16 hex characters of the SHA-256 digest as the suffix.
	hashSuffix := fmt.Sprintf("%x", h.Sum(nil)[:8])
	// Kubernetes resource names are limited to 253 characters. Ensure the
	// generated Secret name "<revisionName>-<hashSuffix>" does not exceed
	// that limit by truncating the revisionName prefix if necessary.
	const maxKubeNameLen = 253
	maxPrefixLen := maxKubeNameLen - 1 - len(hashSuffix) // 1 for the "-"
	revisionName := p.RevisionName
	if maxPrefixLen < 0 {
	// Fallback: if constraints are somehow inconsistent, use only the hash.
	return hashSuffix
	}
	if len(revisionName) > maxPrefixLen {
	revisionName = revisionName[:maxPrefixLen]
	}
	return fmt.Sprintf("%s-%s", revisionName, hashSuffix)

[Copilot]

patchOwnerRefsOnSecrets builds a merge patch from the Secret objects passed in. In createExternalizedRevision, those objects come from packResult.Secrets (locally constructed) and may not reflect the live Secret when Step 1 hit AlreadyExists. Because JSON merge patch treats arrays atomically, this can overwrite existing metadata.ownerReferences on an already-existing Secret instead of appending. Consider Get-ing each Secret first (or listing by name) and computing the patch from the live object before appending the ownerReference.

[Copilot]

The e2e resolveObjectRef helper passes ref.Namespace directly to kubectl -n. Since ObjectSourceRef.namespace is optional and should default to the OLM system namespace when empty, this helper will fail for valid refs that omit namespace. Consider defaulting an empty ref.Namespace to the test’s OLM system namespace before calling kubectl.

Suggested change

	out, err := k8sClient("get", "secret", ref.Name, "-n", ref.Namespace, "-o", "json")
	if err != nil {
	return nil, fmt.Errorf("getting Secret %s/%s: %w", ref.Namespace, ref.Name, err)
	}
	var secret corev1.Secret
	if err := json.Unmarshal([]byte(out), &secret); err != nil {
	return nil, fmt.Errorf("unmarshaling Secret %s/%s: %w", ref.Namespace, ref.Name, err)
	}
	data, ok := secret.Data[ref.Key]
	if !ok {
	return nil, fmt.Errorf("key %q not found in Secret %s/%s", ref.Key, ref.Namespace, ref.Name)
	}
	// Auto-detect gzip compression (magic bytes 0x1f 0x8b)
	if len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b {
	reader, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
	return nil, fmt.Errorf("creating gzip reader for key %q in Secret %s/%s: %w", ref.Key, ref.Namespace, ref.Name, err)
	}
	defer reader.Close()
	const maxDecompressedSize = 10 * 1024 * 1024 // 10 MiB
	limited := io.LimitReader(reader, maxDecompressedSize+1)
	decompressed, err := io.ReadAll(limited)
	if err != nil {
	return nil, fmt.Errorf("decompressing key %q in Secret %s/%s: %w", ref.Key, ref.Namespace, ref.Name, err)
	}
	if len(decompressed) > maxDecompressedSize {
	return nil, fmt.Errorf("decompressed data for key %q in Secret %s/%s exceeds maximum size (%d bytes)", ref.Key, ref.Namespace, ref.Name, maxDecompressedSize)
	}
	data = decompressed
	}
	obj := &unstructured.Unstructured{}
	if err := json.Unmarshal(data, &obj.Object); err != nil {
	return nil, fmt.Errorf("unmarshaling object from key %q in Secret %s/%s: %w", ref.Key, ref.Namespace, ref.Name, err)
	ns := ref.Namespace
	if ns == "" {
	// Default to the OLM system namespace when the ref omits namespace.
	// The test harness can set this via the OLM_NAMESPACE environment variable.
	if envNS := os.Getenv("OLM_NAMESPACE"); envNS != "" {
	ns = envNS
	}
	}
	out, err := k8sClient("get", "secret", ref.Name, "-n", ns, "-o", "json")
	if err != nil {
	return nil, fmt.Errorf("getting Secret %s/%s: %w", ns, ref.Name, err)
	}
	var secret corev1.Secret
	if err := json.Unmarshal([]byte(out), &secret); err != nil {
	return nil, fmt.Errorf("unmarshaling Secret %s/%s: %w", ns, ref.Name, err)
	}
	data, ok := secret.Data[ref.Key]
	if !ok {
	return nil, fmt.Errorf("key %q not found in Secret %s/%s", ref.Key, ns, ref.Name)
	}
	// Auto-detect gzip compression (magic bytes 0x1f 0x8b)
	if len(data) >= 2 && data[0] == 0x1f && data[1] == 0x8b {
	reader, err := gzip.NewReader(bytes.NewReader(data))
	if err != nil {
	return nil, fmt.Errorf("creating gzip reader for key %q in Secret %s/%s: %w", ref.Key, ns, ref.Name, err)
	}
	defer reader.Close()
	const maxDecompressedSize = 10 * 1024 * 1024 // 10 MiB
	limited := io.LimitReader(reader, maxDecompressedSize+1)
	decompressed, err := io.ReadAll(limited)
	if err != nil {
	return nil, fmt.Errorf("decompressing key %q in Secret %s/%s: %w", ref.Key, ns, ref.Name, err)
	}
	if len(decompressed) > maxDecompressedSize {
	return nil, fmt.Errorf("decompressed data for key %q in Secret %s/%s exceeds maximum size (%d bytes)", ref.Key, ns, ref.Name, maxDecompressedSize)
	}
	data = decompressed
	}
	obj := &unstructured.Unstructured{}
	if err := json.Unmarshal(data, &obj.Object); err != nil {
	return nil, fmt.Errorf("unmarshaling object from key %q in Secret %s/%s: %w", ref.Key, ns, ref.Name, err)

[perdasilva]

From the CER as its own thing perspective, should we make namespace required and drop the relationship with OLM?

[perdasilva]

/approve

Some things we may want to revisit in a follow-up:

• Adding a secret type for CER manifest secrets
• Remove defaulting to the OLM system namespace (since we're positioning the API as separate from OLM)
• The dynamic choice of zip/no zip might make it harder to end-users know whether a manifest is compressed or not. Maybe we could add something to the reference structure to call it out, or just make everything zipped?

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: perdasilva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [perdasilva]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[camilamacedo86]

/lgtm

I think it is OK for now, and we can interact and improve in follow-ups