(chore): Add JSONSchema validation for bundle configuration

Bundle configuration is now validated using JSONSchema. Configuration
errors (typos, missing required fields, wrong types) are caught
immediately with clear error messages instead of failing during installation.

Assisted-by: Cursor

Author: camilamacedo86

go.mod

@@ -23,6 +23,7 @@ require (
 	github.com/operator-framework/operator-registry v1.61.0
 	github.com/prometheus/client_golang v1.23.2
 	github.com/prometheus/common v0.67.2
+	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
@@ -192,7 +193,6 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rubenv/sql-migrate v1.8.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.9.1 // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sigstore/fulcio v1.7.1 // indirect

internal/operator-controller/applier/provider.go

@@ -69,19 +69,19 @@ func (r *RegistryV1ManifestProvider) Get(bundleFS fs.FS, ext *ocv1.ClusterExtens
 	}
 
 	if r.IsSingleOwnNamespaceEnabled {
-		bundleConfigBytes := extensionConfigBytes(ext)
-		// treat no config as empty to properly validate the configuration
-		// e.g. ensure that validation catches missing required fields
-		if bundleConfigBytes == nil {
-			bundleConfigBytes = []byte(`{}`)
+		schema, err := rv1.Get()
+		if err != nil {
+			return nil, fmt.Errorf("error getting configuration schema: %w", err)
 		}
-		bundleConfig, err := bundle.UnmarshalConfig(bundleConfigBytes, rv1, ext.Spec.Namespace)
+
+		bundleConfigBytes := extensionConfigBytes(ext)
+		bundleConfig, err := bundle.UnmarshalConfig(bundleConfigBytes, schema, ext.Spec.Namespace)
 		if err != nil {
-			return nil, fmt.Errorf("invalid bundle configuration: %w", err)
+			return nil, fmt.Errorf("invalid ClusterExtension configuration: %w", err)
 		}
 
-		if bundleConfig != nil && bundleConfig.WatchNamespace != nil {
-			opts = append(opts, render.WithTargetNamespaces(*bundleConfig.WatchNamespace))
+		if watchNS := bundleConfig.GetWatchNamespace(); watchNS != nil {
+			opts = append(opts, render.WithTargetNamespaces(*watchNS))
 		}
 	}
 

internal/operator-controller/applier/provider_test.go

@@ -97,7 +97,7 @@ func Test_RegistryV1ManifestProvider_Integration(t *testing.T) {
 
 		_, err := provider.Get(bundleFS, ext)
 		require.Error(t, err)
-		require.Contains(t, err.Error(), "invalid bundle configuration")
+		require.Contains(t, err.Error(), "invalid ClusterExtension configuration")
 	})
 
 	t.Run("returns rendered manifests", func(t *testing.T) {
@@ -392,7 +392,7 @@ func Test_RegistryV1ManifestProvider_SingleOwnNamespaceSupport(t *testing.T) {
 			},
 		})
 		require.Error(t, err)
-		require.Contains(t, err.Error(), "invalid 'watchNamespace' \"not-install-namespace\": must be install namespace (install-namespace)")
+		require.Contains(t, err.Error(), "invalid ClusterExtension configuration: invalid configuration:")
 	})
 
 	t.Run("rejects bundles without AllNamespaces, SingleNamespace, or OwnNamespace install mode support when Single/OwnNamespace install mode support is enabled", func(t *testing.T) {