operator-framework
diff --git a/‎helm/olmv1/templates/00-namespace.yml
Lines changed: 9 additions & 7 deletions b/‎helm/olmv1/templates/00-namespace.yml
Lines changed: 9 additions & 7 deletions
diff --git a/‎helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml
Lines changed: 10 additions & 1 deletion b/‎helm/olmv1/templates/09-clusterrole-catalogd-manager-role.yml
Lines changed: 10 additions & 1 deletion
diff --git a/‎helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml
Lines changed: 10 additions & 1 deletion b/‎helm/olmv1/templates/14-clusterrole-operator-controller-manager-role.yml
Lines changed: 10 additions & 1 deletion
diff --git a/‎helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml
Lines changed: 2 additions & 2 deletions b/‎helm/olmv1/templates/26-service-olmv1-system-catalogd-service.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml
Lines changed: 2 additions & 2 deletions b/‎helm/olmv1/templates/27-service-olmv1-system-operator-controller-service.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml
Lines changed: 62 additions & 21 deletions b/‎helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml
Lines changed: 62 additions & 21 deletions
diff --git a/‎helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml
Lines changed: 60 additions & 18 deletions b/‎helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml
Lines changed: 60 additions & 18 deletions
diff --git a/‎helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml
Lines changed: 2 additions & 2 deletions b/‎helm/olmv1/templates/40-mutatingwebhookconfiguration-catalogd-mutating-webhook-configuration.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎helm/olmv1/templates/_helpers.tpl
Lines changed: 0 additions & 12 deletions b/‎helm/olmv1/templates/_helpers.tpl
Lines changed: 0 additions & 12 deletions
@@ -4,19 +4,21 @@ kind: Namespace
 metadata:
   annotations:
     {{- include "olmv1.annotations" . | nindent 4 }}
-    {{- with .Values.namespaces.olmv1.annotations }}
-      {{- toYamlPretty . | nindent 4 }}
+    {{- if .Values.options.openshift.enabled }}
+    openshift.io/node-selector: ""
+    workload.openshift.io/allowed: management
     {{- end }}
   labels:
+    {{- $psProfile := ternary "privileged" "restricted" .Values.options.openshift.enabled }}
     app.kubernetes.io/name: {{ include "olmv1.label.name" . }}
-    pod-security.kubernetes.io/audit: {{ .Values.namespaces.olmv1.podSecurityProfile }}
+    pod-security.kubernetes.io/audit: {{ $psProfile }}
     pod-security.kubernetes.io/audit-version: latest
-    pod-security.kubernetes.io/enforce: {{ .Values.namespaces.olmv1.podSecurityProfile }}
+    pod-security.kubernetes.io/enforce: {{ $psProfile }}
     pod-security.kubernetes.io/enforce-version: latest
-    pod-security.kubernetes.io/warn: {{ .Values.namespaces.olmv1.podSecurityProfile }}
+    pod-security.kubernetes.io/warn: {{ $psProfile }}
     pod-security.kubernetes.io/warn-version: latest
     {{- include "olmv1.labels" . | nindent 4 }}
-    {{- with .Values.namespaces.olmv1.labels }}
-      {{- toYamlPretty . | nindent 4 }}
+    {{- if .Values.options.openshift.enabled }}
+    openshift.io/cluster-monitoring: "true"
     {{- end }}
   name: {{ .Values.namespaces.olmv1.name }}
@@ -35,5 +35,14 @@ rules:
       - get
       - patch
       - update
-  {{- include "olmv1.catalogd.clusterRole.rules" . | nindent 2 }}
+  {{- if .Values.options.openshift.enabled }}
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - privileged
+    verbs:
+      - use
+  {{- end }}
 {{- end }}
@@ -62,5 +62,14 @@ rules:
     verbs:
       - list
       - watch
-  {{- include "olmv1.operatorController.clusterRole.rules" . | nindent 2 }}
+  {{- if .Values.options.openshift.enabled }}
+  - apiGroups:
+      - security.openshift.io
+    resources:
+      - securitycontextconstraints
+    resourceNames:
+      - privileged
+    verbs:
+      - use
+  {{- end }}
 {{- end }}
@@ -4,8 +4,8 @@ kind: Service
 metadata:
   annotations:
     {{- include "olmv1.annotations" . | nindent 4 }}
-    {{- with .Values.options.catalogd.service.annotations }}
-    {{- toYaml . | nindent 4 }}
+    {{- if .Values.options.openshift.enabled }}
+    service.beta.openshift.io/serving-cert-secret-name: catalogserver-cert
     {{- end }}
   labels:
     app.kubernetes.io/name: catalogd
 
@@ -4,8 +4,8 @@ kind: Service
 metadata:
   annotations:
     {{- include "olmv1.annotations" . | nindent 4 }}
-    {{- with .Values.options.operatorController.service.annotations }}
-    {{- toYaml . | nindent 4 }}
+    {{- if .Values.options.openshift.enabled }}
+    service.beta.openshift.io/serving-cert-secret-name: operator-controller-cert
     {{- end }}
   labels:
     app.kubernetes.io/name: operator-controller
 
@@ -21,8 +21,9 @@ spec:
       annotations:
         kubectl.kubernetes.io/default-container: manager
         {{- include "olmv1.annotations" . | nindent 8 }}
-        {{- with .Values.options.catalogd.deployment.podAnnotations }}
-        {{- toYamlPretty . | nindent 8 }}
+        {{- if .Values.options.openshift.enabled }}
+        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: privileged
         {{- end }}
       labels:
         app.kubernetes.io/name: catalogd
@@ -46,33 +47,34 @@ spec:
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
             - --pull-cas-dir=/var/ca-certs
-            {{- end }}
-            {{- with .Values.options.catalogd.deployment.podArguments }}
-            {{- toYaml . | nindent 12 }}
+            {{- else if .Values.options.openshift.enabled }}
+            - --tls-cert=/var/certs/tls.crt
+            - --tls-key=/var/certs/tls.key
+            - --v=${LOG_VERBOSITY}
+            - --global-pull-secret=openshift-config/pull-secret
             {{- end }}
           command:
             - ./catalogd
-          {{- if or .Values.options.e2e.enabled .Values.options.catalogd.deployment.env }}
+          {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }}
           env:
-          {{- end }}
           {{- if .Values.options.e2e.enabled }}
             - name: GOCOVERDIR
               value: /e2e-coverage
           {{- end }}
-          {{- with .Values.options.catalogd.deployment.env }}
-          {{- toYamlPretty . | nindent 12 }}
+          {{- with .Values.options.openshift.enabled }}
+            - name: SSL_CERT_DIR
+              value: /var/ca-certs
+          {{- end }}
           {{- end }}
           image: "{{ .Values.options.catalogd.deployment.image }}"
+          name: manager
           {{- if not .Values.options.tilt.enabled }}
           livenessProbe:
             httpGet:
               path: /healthz
               port: 8081
             initialDelaySeconds: 15
             periodSeconds: 20
-          {{- end }}
-          name: manager
-          {{- if not .Values.options.tilt.enabled }}
           readinessProbe:
             httpGet:
               path: /readyz
@@ -99,13 +101,22 @@ spec:
             - mountPath: /var/ca-certs
               name: ca-certs
               readOnly: true
+            {{- else if .Values.options.openshift.enabled }}
+            - mountPath: /var/certs
+              name: catalogserver-certs
+            - mountPath: /var/ca-certs
+              name: ca-certs
+              readOnly: true
+            - mountPath: /etc/containers
+              name: etc-containers
+              readOnly: true
+            - mountPath: /etc/docker
+              name: etc-docker
+              readOnly: true
             {{- end }}
-            {{- with .Values.options.catalogd.deployment.volumeMounts }}
-              {{- toYamlPretty . | nindent 12 }}
-            {{- end }}
-          {{- with .Values.deployments.containerSpec }}
-          {{- toYamlPretty . | nindent 10 }}
-          {{- end }}
+         {{- with .Values.deployments.containerSpec }}
+         {{- toYamlPretty . | nindent 10 }}
+         {{- end }}
       serviceAccountName: catalogd-controller-manager
       volumes:
         {{- if .Values.options.e2e.enabled }}
@@ -134,9 +145,39 @@ spec:
                 path: olm-ca.crt
             optional: false
             secretName: catalogd-service-cert-git-version
-        {{- end }}
-        {{- with .Values.options.catalogd.deployment.volumes }}
-          {{- toYaml . | nindent 8 }}
+        {{- else if .Values.options.openshift.enabled }}
+        - name: catalogserver-certs
+          secret:
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+            optional: false
+            secretName: catalogserver-cert
+        - name: ca-certs
+          projected:
+            sources:
+              - configMap:
+                  items:
+                    - key: ca-bundle.crt
+                      path: ca-bundle.crt
+                  name: catalogd-trusted-ca-bundle
+                  optional: false
+              - configMap:
+                  items:
+                    - key: service-ca.crt
+                      path: service-ca.crt
+                  name: openshift-service-ca.crt
+                  optional: false
+        - hostPath:
+            path: /etc/containers
+            type: Directory
+          name: etc-containers
+        - hostPath:
+            path: /etc/docker
+            type: Directory
+          name: etc-docker
         {{- end }}
       {{- with .Values.deployments.templateSpec }}
       {{- toYamlPretty . | nindent 6 }}
 
@@ -20,8 +20,9 @@ spec:
       annotations:
         kubectl.kubernetes.io/default-container: manager
         {{- include "olmv1.annotations" . | nindent 8 }}
-        {{- with .Values.options.operatorController.deployment.podAnnotations }}
-        {{- toYamlPretty . | nindent 8 }}
+        {{- if .Values.options.openshift.enabled }}
+        target.workload.openshift.io/management: '{"effect": "PreferredDuringScheduling"}'
+        openshift.io/required-scc: privileged
         {{- end }}
       labels:
         app.kubernetes.io/name: operator-controller
@@ -46,33 +47,35 @@ spec:
             - --pull-cas-dir=/var/ca-certs
             - --tls-cert=/var/certs/tls.crt
             - --tls-key=/var/certs/tls.key
-            {{- end }}
-            {{- with .Values.options.operatorController.deployment.podArguments }}
-            {{- toYamlPretty . | nindent 12 }}
+            {{- else if .Values.options.openshift.enabled }}
+            - --tls-cert=/var/certs/tls.crt
+            - --tls-key=/var/certs/tls.key
+            - --catalogd-cas-dir=/var/ca-certs
+            - --v=${LOG_VERBOSITY}
+            - --global-pull-secret=openshift-config/pull-secret
             {{- end }}
           command:
             - /operator-controller
-          {{- if or .Values.options.e2e.enabled .Values.options.operatorController.deployment.env }}
+          {{- if or .Values.options.e2e.enabled .Values.options.openshift.enabled }}
           env:
-          {{- end }}
           {{- if .Values.options.e2e.enabled }}
             - name: GOCOVERDIR
               value: /e2e-coverage
           {{- end }}
-          {{- with .Values.options.operatorController.deployment.env }}
-          {{- toYamlPretty . | nindent 12 }}
+          {{- if .Values.options.openshift.enabled }}
+            - name: SSL_CERT_DIR
+              value: /var/ca-certs
+          {{- end }}
           {{- end }}
           image: "{{ .Values.options.operatorController.deployment.image }}"
+          name: manager
           {{- if not .Values.options.tilt.enabled }}
           livenessProbe:
             httpGet:
               path: /healthz
               port: 8081
             initialDelaySeconds: 15
             periodSeconds: 20
-          {{- end }}
-          name: manager
-          {{- if not .Values.options.tilt.enabled }}
           readinessProbe:
             httpGet:
               path: /readyz
@@ -102,9 +105,18 @@ spec:
             - mountPath: /var/ca-certs
               name: ca-certs
               readOnly: true
-            {{- end }}
-            {{- with .Values.options.operatorController.deployment.volumeMounts }}
-              {{- toYaml . | nindent 12 }}
+            {{- else if .Values.options.openshift.enabled }}
+            - mountPath: /var/certs
+              name: operator-controller-certs
+            - mountPath: /var/ca-certs
+              name: ca-certs
+              readOnly: true
+            - mountPath: /etc/containers
+              name: etc-containers
+              readOnly: true
+            - mountPath: /etc/docker
+              name: etc-docker
+              readOnly: true
             {{- end }}
           {{- with .Values.deployments.containerSpec }}
           {{- toYaml . | nindent 10 }}
@@ -140,9 +152,39 @@ spec:
                 path: olm-ca.crt
             optional: false
             secretName: operator-controller-cert
-        {{- end }}
-        {{- with .Values.options.operatorController.deployment.volumes }}
-          {{- toYaml . | nindent 8 }}
+        {{- else if .Values.options.openshift.enabled }}
+        - name: operator-controller-certs
+          secret:
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+            optional: false
+            secretName: operator-controller-cert
+        - name: ca-certs
+          projected:
+            sources:
+              - configMap:
+                  items:
+                    - key: ca-bundle.crt
+                      path: ca-bundle.crt
+                  name: operator-controller-trusted-ca-bundle
+                  optional: false
+              - configMap:
+                  items:
+                    - key: service-ca.crt
+                      path: service-ca.crt
+                  name: openshift-service-ca.crt
+                  optional: false
+        - hostPath:
+            path: /etc/containers
+            type: Directory
+          name: etc-containers
+        - hostPath:
+            path: /etc/docker
+            type: Directory
+          name: etc-docker
         {{- end }}
       {{- with .Values.deployments.templateSpec }}
       {{- toYamlPretty . | nindent 6 }}
 
@@ -10,8 +10,8 @@ metadata:
     {{- if .Values.options.certManager.enabled }}
     cert-manager.io/inject-ca-from-secret: cert-manager/olmv1-ca
     {{- end }}
-    {{- with .Values.options.catalogd.webhook.annotations }}
-    {{- toYamlPretty . | nindent 4 }}
+    {{- if .Values.options.openshift.enabled }}
+    service.beta.openshift.io/inject-cabundle: "true"
     {{- end }}
     {{- include "olmv1.annotations" . | nindent 4 }}
 webhooks:
 
@@ -41,18 +41,6 @@ olm.operatorframework.io/feature-set: {{ .Values.options.featureSet -}}{{- if .V
 Insertion of additional rules for RBAC
 */}}
 
-{{- define "olmv1.catalogd.clusterRole.rules" -}}
-{{- with .Values.options.catalogd.clusterRole.rules }}
-{{- toYamlPretty . }}
-{{- end }}
-{{- end }}
-
-{{- define "olmv1.operatorController.clusterRole.rules" -}}
-{{- with .Values.options.operatorController.clusterRole.rules }}
-{{- toYamlPretty . }}
-{{- end }}
-{{- end }}
-
 {{/*
 Returns "operator-controller", "catalogd" or "olmv1" depending on enabled components
 */}}