chore: Update OLM chart

https://github.com/CloudTooling/k8s-olm/actions/runs/19274210291

Author: github-actions[bot]

chart/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Kubernetes Chart for Operator Lifecycle Manager
 name: olm
-version: 0.36.0
+version: 0.38.0
 annotations:
   artifacthub.io/links: |
       - name: Helm Chart

chart/README.md

@@ -1,6 +1,6 @@
 # olm
 
-![Version: 0.36.0](https://img.shields.io/badge/Version-0.36.0-informational?style=flat-square)
+![Version: 0.38.0](https://img.shields.io/badge/Version-0.38.0-informational?style=flat-square)
 
 Kubernetes Chart for Operator Lifecycle Manager
 
@@ -10,7 +10,7 @@ Kubernetes Chart for Operator Lifecycle Manager
 |-----|------|---------|-------------|
 | catalog.commandArgs | string | `"--configmapServerImage=quay.io/operator-framework/configmap-operator-registry:latest"` |  |
 | catalog.image.pullPolicy | string | `"Always"` |  |
-| catalog.image.ref | string | `"quay.io/operator-framework/olm:v0.36.0"` |  |
+| catalog.image.ref | string | `"quay.io/operator-framework/olm:v0.38.0"` |  |
 | catalog.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | catalog.opmImageArgs | string | `"--opmImage=quay.io/operator-framework/opm:latest"` |  |
 | catalog.replicaCount | int | `1` |  |
@@ -19,14 +19,15 @@ Kubernetes Chart for Operator Lifecycle Manager
 | catalog.service.externalPort | string | `"metrics"` |  |
 | catalog.service.internalPort | int | `8080` |  |
 | catalog.service.internalPortHttps | int | `8443` |  |
+| catalog.service.name | string | `"catalog-operator-metrics"` |  |
 | catalog.setWorkloadUserID | bool | `true` |  |
 | catalogGrpcPodPort | int | `50051` |  |
 | catalog_namespace | string | `"operator-lifecycle-manager"` |  |
 | certManager.certificate.extraDnsNames | list | `[]` |  |
 | certManager.certificate.extraIpAddresses | list | `[]` |  |
 | certManager.certificate.name | string | `"olm-cert"` |  |
 | certManager.certificate.secretName | string | `"olm-cert"` |  |
-| certManager.enabled | bool | `true` |  |
+| certManager.enabled | bool | `false` |  |
 | certManager.issuer.ca.secretName | string | `""` |  |
 | certManager.issuer.name | string | `"olm-ca-issuer"` |  |
 | certManager.issuer.selfSigned | bool | `true` |  |
@@ -52,19 +53,20 @@ Kubernetes Chart for Operator Lifecycle Manager
 | networkPolicy.metrics.ports[0].port | string | `"metrics"` |  |
 | networkPolicy.metrics.ports[0].protocol | string | `"TCP"` |  |
 | olm.image.pullPolicy | string | `"Always"` |  |
-| olm.image.ref | string | `"quay.io/operator-framework/olm:v0.36.0"` |  |
+| olm.image.ref | string | `"quay.io/operator-framework/olm:v0.38.0"` |  |
 | olm.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | olm.replicaCount | int | `1` |  |
 | olm.resources.requests.cpu | string | `"10m"` |  |
 | olm.resources.requests.memory | string | `"160Mi"` |  |
 | olm.service.externalPort | string | `"metrics"` |  |
 | olm.service.internalPort | int | `8080` |  |
 | olm.service.internalPortHttps | int | `8443` |  |
+| olm.service.name | string | `"olm-operator-metrics"` |  |
 | operator_namespace | string | `"operators"` |  |
 | operator_namespace_psa.enforceLevel | string | `"baseline"` |  |
 | operator_namespace_psa.enforceVersion | string | `"latest"` |  |
 | package.image.pullPolicy | string | `"Always"` |  |
-| package.image.ref | string | `"quay.io/operator-framework/olm:v0.36.0"` |  |
+| package.image.ref | string | `"quay.io/operator-framework/olm:v0.38.0"` |  |
 | package.maxSurge | int | `1` |  |
 | package.maxUnavailable | int | `1` |  |
 | package.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
@@ -73,6 +75,9 @@ Kubernetes Chart for Operator Lifecycle Manager
 | package.resources.requests.memory | string | `"50Mi"` |  |
 | package.service.internalPort | int | `5443` |  |
 | rbacApiVersion | string | `"rbac.authorization.k8s.io"` |  |
+| serviceCa.catalogOperator.secretName | string | `""` |  |
+| serviceCa.enabled | bool | `false` |  |
+| serviceCa.olmOperator.secretName | string | `""` |  |
 | writeStatusName | string | `"\"\""` |  |
 
 ----------------------------------------------

chart/templates/0000_50_olm_02-olm-operator.serviceaccount.yaml

@@ -8,6 +8,18 @@ rules:
   verbs: ["watch", "list", "get", "create", "update", "patch", "delete", "deletecollection", "escalate", "bind"]
 - nonResourceURLs: ["*"]
   verbs: ["*"]
+- apiGroups:
+    - authentication.k8s.io
+  resources:
+    - tokenreviews
+  verbs:
+    - create
+- apiGroups:
+    - authorization.k8s.io
+  resources:
+    - subjectaccessreviews
+  verbs:
+    - create
 ---
 kind: ServiceAccount
 apiVersion: v1

chart/templates/0000_50_olm_03-services.yaml

@@ -1,39 +1,43 @@
-{{ if .Values.monitoring.enabled }}
+{{- if or .Values.monitoring.enabled .Values.serviceCa.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
-  name: olm-operator-metrics
+  name: {{ .Values.olm.service.name }}
   namespace: {{ .Values.namespace }}
+  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: olm-operator-serving-cert
+    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.olmOperator.secretName }}
+  {{- end }}
   labels:
     app: olm-operator
 spec:
   type: ClusterIP
   ports:
   - name: https-metrics
-    port: {{ .Values.olm.service.externalPort }}
+    port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.externalPort }}{{ end }}
     protocol: TCP
-    targetPort: {{ .Values.olm.service.internalPort }}
+    targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
   selector:
     app: olm-operator
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: catalog-operator-metrics
+  name: {{ .Values.catalog.service.name }}
   namespace: {{ .Values.namespace }}
+  {{- if .Values.serviceCa.enabled }}
   annotations:
-    service.alpha.openshift.io/serving-cert-secret-name: catalog-operator-serving-cert
+    service.alpha.openshift.io/serving-cert-secret-name: {{ .Values.serviceCa.catalogOperator.secretName }}
+  {{- end }}
   labels:
     app: catalog-operator
 spec:
   type: ClusterIP
   ports:
   - name: https-metrics
-    port: {{ .Values.catalog.service.externalPort }}
+    port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.externalPort }}{{ end }}
     protocol: TCP
-    targetPort: {{ .Values.catalog.service.internalPort }}
+    targetPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
   selector:
     app: catalog-operator
 {{ end }}

chart/templates/0000_50_olm_07-olm-operator.deployment.yaml

@@ -30,6 +30,13 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
+      {{- else if .Values.serviceCa.enabled }}
+      - name: srv-cert
+        secret:
+          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
+      - name: profile-collector-cert
+        secret:
+          secretName: {{ .Values.serviceCa.olmOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,7 +48,7 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.certManager.enabled }}
+          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
@@ -74,7 +81,7 @@ spec:
           - --writePackageServerStatusName
           - {{ .Values.writePackageServerStatusName }}
           {{- end }}
-         {{- if .Values.certManager.enabled }}
+         {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
@@ -85,18 +92,18 @@ spec:
           image: {{ .Values.olm.image.ref }}
           imagePullPolicy: {{ .Values.olm.image.pullPolicy }}
           ports:
-            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+            - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           env:
           - name: OPERATOR_NAMESPACE

chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml

@@ -30,6 +30,13 @@ spec:
       - name: profile-collector-cert
         secret:
           secretName: {{ .Values.certManager.certificate.secretName }}
+      {{- else if .Values.serviceCa.enabled }}
+      - name: srv-cert
+        secret:
+          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
+      - name: profile-collector-cert
+        secret:
+          secretName: {{ .Values.serviceCa.catalogOperator.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -41,7 +48,7 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.certManager.enabled }}
+          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
@@ -71,7 +78,7 @@ spec:
           - --writeStatusName
           - {{ .Values.writeStatusNameCatalog }}
           {{- end }}
-          {{- if .Values.certManager.enabled }}
+          {{- if or .Values.certManager.enabled .Values.serviceCa.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
@@ -92,18 +99,18 @@ spec:
           {{- end }}
           imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
           ports:
-            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+            - containerPort: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
-              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
+              port: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if or .Values.certManager.enabled .Values.serviceCa.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           {{- if .Values.catalog.resources }}
           resources:

chart/templates/0000_90_olm_00-service-monitor.yaml

@@ -87,4 +87,27 @@ rules:
   - get
   - list
   - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: operator-lifecycle-manager-metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: operator-lifecycle-manager-metrics-reader
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: operator-lifecycle-manager-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: {{ .Values.monitoring.namespace }}
 {{ end }}

chart/values.yaml

@@ -24,9 +24,10 @@ catalogGrpcPodPort: 50051
 olm:
   replicaCount: 1
   image:
-    ref: quay.io/operator-framework/olm:v0.36.0
+    ref: quay.io/operator-framework/olm:v0.38.0
     pullPolicy: Always
   service:
+    name: olm-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -43,9 +44,10 @@ catalog:
   commandArgs: --configmapServerImage=quay.io/operator-framework/configmap-operator-registry:latest
   opmImageArgs: --opmImage=quay.io/operator-framework/opm:latest
   image:
-    ref: quay.io/operator-framework/olm:v0.36.0
+    ref: quay.io/operator-framework/olm:v0.38.0
     pullPolicy: Always
   service:
+    name: catalog-operator-metrics
     internalPort: 8080
     internalPortHttps: 8443
     externalPort: metrics
@@ -61,7 +63,7 @@ package:
   maxUnavailable: 1
   maxSurge: 1
   image:
-    ref: quay.io/operator-framework/olm:v0.36.0
+    ref: quay.io/operator-framework/olm:v0.38.0
     pullPolicy: Always
   service:
     internalPort: 5443
@@ -77,7 +79,7 @@ monitoring:
   namespace: monitoring
 
 certManager:
-  enabled: true
+  enabled: false
   issuer:
     name: olm-ca-issuer
     selfSigned: true
@@ -89,6 +91,18 @@ certManager:
     extraDnsNames: []
     extraIpAddresses: []
 
+# OpenShift service-ca configuration
+# When enabled, uses OpenShift service-ca-operator for certificate management
+# This is mutually exclusive with certManager - only one should be enabled
+serviceCa:
+  enabled: false
+  # Secret names are left empty in upstream, to be filled by downstream values.yaml
+  # Service names are taken from olm.service.name and catalog.service.name
+  olmOperator:
+    secretName: ""
+  catalogOperator:
+    secretName: ""
+
 networkPolicy:
   dns:
     ports: