feat(OLM): Update to olm 0.36.0

hypery2k · hypery2k · commit ed67ef602f94 · 2025-10-13T13:12:23.000+02:00
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 description: Kubernetes Chart for Operator Lifecycle Manager
 name: olm
-version: 0.35.0
+version: 0.36.0
 annotations:
   artifacthub.io/links: |
       - name: Helm Chart
diff --git a/chart/README.md b/chart/README.md
@@ -1,6 +1,6 @@
 # olm
 
-![Version: 0.35.0](https://img.shields.io/badge/Version-0.35.0-informational?style=flat-square)
+![Version: 0.36.0](https://img.shields.io/badge/Version-0.36.0-informational?style=flat-square)
 
 Kubernetes Chart for Operator Lifecycle Manager
 
@@ -10,17 +10,26 @@ Kubernetes Chart for Operator Lifecycle Manager
 |-----|------|---------|-------------|
 | catalog.commandArgs | string | `"--configmapServerImage=quay.io/operator-framework/configmap-operator-registry:latest"` |  |
 | catalog.image.pullPolicy | string | `"Always"` |  |
-| catalog.image.ref | string | `"quay.io/operator-framework/olm:v0.35.0"` |  |
+| catalog.image.ref | string | `"quay.io/operator-framework/olm:v0.36.0"` |  |
 | catalog.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | catalog.opmImageArgs | string | `"--opmImage=quay.io/operator-framework/opm:latest"` |  |
 | catalog.replicaCount | int | `1` |  |
 | catalog.resources.requests.cpu | string | `"10m"` |  |
 | catalog.resources.requests.memory | string | `"80Mi"` |  |
 | catalog.service.externalPort | string | `"metrics"` |  |
 | catalog.service.internalPort | int | `8080` |  |
+| catalog.service.internalPortHttps | int | `8443` |  |
 | catalog.setWorkloadUserID | bool | `true` |  |
 | catalogGrpcPodPort | int | `50051` |  |
 | catalog_namespace | string | `"operator-lifecycle-manager"` |  |
+| certManager.certificate.extraDnsNames | list | `[]` |  |
+| certManager.certificate.extraIpAddresses | list | `[]` |  |
+| certManager.certificate.name | string | `"olm-cert"` |  |
+| certManager.certificate.secretName | string | `"olm-cert"` |  |
+| certManager.enabled | bool | `true` |  |
+| certManager.issuer.ca.secretName | string | `""` |  |
+| certManager.issuer.name | string | `"olm-ca-issuer"` |  |
+| certManager.issuer.selfSigned | bool | `true` |  |
 | debug | bool | `false` |  |
 | imagestream | bool | `false` |  |
 | installType | string | `"upstream"` |  |
@@ -43,18 +52,19 @@ Kubernetes Chart for Operator Lifecycle Manager
 | networkPolicy.metrics.ports[0].port | string | `"metrics"` |  |
 | networkPolicy.metrics.ports[0].protocol | string | `"TCP"` |  |
 | olm.image.pullPolicy | string | `"Always"` |  |
-| olm.image.ref | string | `"quay.io/operator-framework/olm:v0.35.0"` |  |
+| olm.image.ref | string | `"quay.io/operator-framework/olm:v0.36.0"` |  |
 | olm.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
 | olm.replicaCount | int | `1` |  |
 | olm.resources.requests.cpu | string | `"10m"` |  |
 | olm.resources.requests.memory | string | `"160Mi"` |  |
 | olm.service.externalPort | string | `"metrics"` |  |
 | olm.service.internalPort | int | `8080` |  |
+| olm.service.internalPortHttps | int | `8443` |  |
 | operator_namespace | string | `"operators"` |  |
 | operator_namespace_psa.enforceLevel | string | `"baseline"` |  |
 | operator_namespace_psa.enforceVersion | string | `"latest"` |  |
 | package.image.pullPolicy | string | `"Always"` |  |
-| package.image.ref | string | `"quay.io/operator-framework/olm:v0.35.0"` |  |
+| package.image.ref | string | `"quay.io/operator-framework/olm:v0.36.0"` |  |
 | package.maxSurge | int | `1` |  |
 | package.maxUnavailable | int | `1` |  |
 | package.nodeSelector."kubernetes.io/os" | string | `"linux"` |  |
diff --git a/chart/crds/0000_50_olm_00-catalogsources.crd.yaml b/chart/crds/0000_50_olm_00-catalogsources.crd.yaml
@@ -631,8 +631,8 @@ spec:
                                 most preferred is the one with the greatest sum of weights, i.e.
                                 for each node that meets all of the scheduling requirements (resource
                                 request, requiredDuringScheduling anti-affinity expressions, etc.),
-                                compute a sum by iterating through the elements of this field and adding
-                                "weight" to the sum if the node has pods which matches the corresponding podAffinityTerm; the
+                                compute a sum by iterating through the elements of this field and subtracting
+                                "weight" from the sum if the node has pods which matches the corresponding podAffinityTerm; the
                                 node(s) with the highest sum are the most preferred.
                               type: array
                               items:
diff --git a/chart/crds/0000_50_olm_00-clusterserviceversions.crd.yaml b/chart/crds/0000_50_olm_00-clusterserviceversions.crd.yaml
diff --git a/chart/crds/0000_50_olm_00-subscriptions.crd.yaml b/chart/crds/0000_50_olm_00-subscriptions.crd.yaml
diff --git a/chart/templates/0000_50_olm_04-cert-manager.yaml b/chart/templates/0000_50_olm_04-cert-manager.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.certManager.enabled }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.certManager.issuer.name }}
+  namespace: {{ .Values.namespace }}
+spec:
+  {{- if .Values.certManager.issuer.selfSigned }}
+  selfSigned: {}
+  {{- else if .Values.certManager.issuer.ca }}
+  ca:
+    secretName: {{ .Values.certManager.issuer.ca.secretName }}
+  {{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.certManager.certificate.name }}
+  namespace: {{ .Values.namespace }}
+spec:
+  secretName: {{ .Values.certManager.certificate.secretName }}
+  isCA: false
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - localhost
+    - catalog-operator.{{ .Values.namespace }}.svc
+    - catalog-operator.{{ .Values.namespace }}.svc.cluster.local
+    - olm-operator.{{ .Values.namespace }}.svc
+    - olm-operator.{{ .Values.namespace }}.svc.cluster.local
+    {{- range .Values.certManager.certificate.extraDnsNames }}
+    - {{ . }}
+    {{- end }}
+  ipAddresses:
+    - 127.0.0.1
+    {{- range .Values.certManager.certificate.extraIpAddresses }}
+    - {{ . }}
+    {{- end }}
+  issuerRef:
+    name: {{ .Values.certManager.issuer.name }}
+    kind: Issuer
+    group: cert-manager.io
+{{- end }}
+
diff --git a/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml b/chart/templates/0000_50_olm_07-olm-operator.deployment.yaml
@@ -22,16 +22,14 @@ spec:
         seccompProfile:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
-      volumes: 
-      {{- if .Values.olm.tlsSecret }}
+      volumes:
+      {{- if .Values.certManager.enabled }}
       - name: srv-cert
         secret:
-          secretName: {{ .Values.olm.tlsSecret }}
-      {{- end }}
-      {{- if .Values.olm.clientCASecret }}
+          secretName: {{ .Values.certManager.certificate.secretName }}
       - name: profile-collector-cert
         secret:
-          secretName: {{ .Values.olm.clientCASecret }}
+          secretName: {{ .Values.certManager.certificate.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -43,12 +41,10 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.olm.tlsSecret }}
+          {{- if .Values.certManager.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
-          {{- end }}
-          {{- if .Values.olm.clientCASecret }}
           - name: profile-collector-cert
             mountPath: "/profile-collector-cert"
             readOnly: true
@@ -78,31 +74,29 @@ spec:
           - --writePackageServerStatusName
           - {{ .Values.writePackageServerStatusName }}
           {{- end }}
-         {{- if .Values.olm.tlsSecret }}
+         {{- if .Values.certManager.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
           - /srv-cert/tls.key
-          {{- end }}
-          {{- if .Values.olm.clientCASecret }}
           - --client-ca
           - /profile-collector-cert/tls.crt
           {{- end }}
           image: {{ .Values.olm.image.ref }}
           imagePullPolicy: {{ .Values.olm.image.pullPolicy }}
           ports:
-            - containerPort: {{ .Values.olm.service.internalPort }}
+            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ .Values.olm.service.internalPort }}
-              scheme: {{ if .Values.olm.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ .Values.olm.service.internalPort }}
-              scheme: {{ if .Values.olm.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.olm.service.internalPortHttps }}{{ else }}{{ .Values.olm.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           env:
           - name: OPERATOR_NAMESPACE
diff --git a/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml b/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml
@@ -23,15 +23,13 @@ spec:
           type: RuntimeDefault
       serviceAccountName: olm-operator-serviceaccount
       volumes:
-      {{- if .Values.catalog.tlsSecret }}
+      {{- if .Values.certManager.enabled }}
       - name: srv-cert
         secret:
-          secretName: {{ .Values.catalog.tlsSecret }}
-      {{- end }}
-      {{- if .Values.catalog.clientCASecret }}
+          secretName: {{ .Values.certManager.certificate.secretName }}
       - name: profile-collector-cert
         secret:
-          secretName: {{ .Values.catalog.clientCASecret }}
+          secretName: {{ .Values.certManager.certificate.secretName }}
       {{- end }}
       - name: tmpfs
         emptyDir: {}
@@ -43,12 +41,10 @@ spec:
             capabilities:
               drop: [ "ALL" ]
           volumeMounts:
-          {{- if .Values.catalog.tlsSecret }}
+          {{- if .Values.certManager.enabled }}
           - name: srv-cert
             mountPath: "/srv-cert"
             readOnly: true
-          {{- end }}
-          {{- if .Values.catalog.clientCASecret }}
           - name: profile-collector-cert
             mountPath: "/profile-collector-cert"
             readOnly: true
@@ -75,13 +71,11 @@ spec:
           - --writeStatusName
           - {{ .Values.writeStatusNameCatalog }}
           {{- end }}
-          {{- if .Values.catalog.tlsSecret }}
+          {{- if .Values.certManager.enabled }}
           - --tls-cert
           - /srv-cert/tls.crt
           - --tls-key
           - /srv-cert/tls.key
-          {{- end }}
-          {{- if .Values.catalog.clientCASecret }}
           - --client-ca
           - /profile-collector-cert/tls.crt
           {{- end }}
@@ -98,18 +92,18 @@ spec:
           {{- end }}
           imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
           ports:
-            - containerPort: {{ .Values.olm.service.internalPort }}
+            - containerPort: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
               name: metrics
           livenessProbe:
             httpGet:
               path: /healthz
-              port: {{ .Values.catalog.service.internalPort }}
-              scheme: {{ if .Values.catalog.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           readinessProbe:
             httpGet:
               path: /healthz
-              port: {{ .Values.catalog.service.internalPort }}
-              scheme: {{ if .Values.catalog.tlsSecret }}HTTPS{{ else }}HTTP{{end}}
+              port: {{ if .Values.certManager.enabled }}{{ .Values.catalog.service.internalPortHttps }}{{ else }}{{ .Values.catalog.service.internalPort }}{{ end }}
+              scheme: {{ if .Values.certManager.enabled }}HTTPS{{ else }}HTTP{{ end }}
           terminationMessagePolicy: FallbackToLogsOnError
           {{- if .Values.catalog.resources }}
           resources:
diff --git a/chart/templates/_helpers.tpl b/chart/templates/_helpers.tpl
@@ -13,4 +13,4 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "fullname" -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- end -}}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -24,13 +24,12 @@ catalogGrpcPodPort: 50051
 olm:
   replicaCount: 1
   image:
-    ref: quay.io/operator-framework/olm:v0.35.0
+    ref: quay.io/operator-framework/olm:v0.36.0
     pullPolicy: Always
   service:
     internalPort: 8080
+    internalPortHttps: 8443
     externalPort: metrics
-  # tlsSecret: olm-operator-serving-cert
-  # clientCASecret: pprof-serving-cert
   nodeSelector:
     kubernetes.io/os: linux
   resources:
@@ -44,13 +43,12 @@ catalog:
   commandArgs: --configmapServerImage=quay.io/operator-framework/configmap-operator-registry:latest
   opmImageArgs: --opmImage=quay.io/operator-framework/opm:latest
   image:
-    ref: quay.io/operator-framework/olm:v0.35.0
+    ref: quay.io/operator-framework/olm:v0.36.0
     pullPolicy: Always
   service:
     internalPort: 8080
+    internalPortHttps: 8443
     externalPort: metrics
-  # tlsSecret: catalog-operator-serving-cert
-  # clientCASecret: pprof-serving-cert
   nodeSelector:
     kubernetes.io/os: linux
   resources:
@@ -63,7 +61,7 @@ package:
   maxUnavailable: 1
   maxSurge: 1
   image:
-    ref: quay.io/operator-framework/olm:v0.35.0
+    ref: quay.io/operator-framework/olm:v0.36.0
     pullPolicy: Always
   service:
     internalPort: 5443
@@ -78,6 +76,19 @@ monitoring:
   enabled: false
   namespace: monitoring
 
+certManager:
+  enabled: true
+  issuer:
+    name: olm-ca-issuer
+    selfSigned: true
+    ca:
+      secretName: ""
+  certificate:
+    name: olm-cert
+    secretName: olm-cert
+    extraDnsNames: []
+    extraIpAddresses: []
+
 networkPolicy:
   dns:
     ports:
