Add optional SQL proxy sidecar for OpenShift compatibility

.github/workflows/docker_image.yaml

@@ -20,7 +20,17 @@ jobs:
         uses: docker/metadata-action@v5
         with:
           images: crate/crate-operator
-          tags: type=semver,pattern={{major}}.{{minor}}.{{patch}}
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=raw,value={{tag}}
+      - name: Docker meta (sidecar)
+        id: meta_sidecar
+        uses: docker/metadata-action@v5
+        with:
+          images: crate/crate-control
+          tags: |
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+            type=raw,value={{tag}}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Login to DockerHub
@@ -36,3 +46,11 @@ jobs:
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
+      - name: Build and publish sidecar
+        uses: docker/build-push-action@v6
+        with:
+          context: ./sidecars/cratecontrol
+          file: ./sidecars/cratecontrol/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta_sidecar.outputs.tags }}

CHANGES.rst

@@ -5,6 +5,24 @@ Changelog
 Unreleased
 ----------
 
+* Added support for running CrateDB on Red Hat OpenShift Container Platform.
+  When ``CLOUD_PROVIDER`` is set to ``openshift``, the operator will:
+
+  - Use a lightweight ``crate-control`` sidecar for SQL execution instead of
+    ``pod_exec`` to comply with OpenShift's restricted security policies.
+  - Create OpenShift-specific SecurityContextConstraints (SCC) and ServiceAccounts
+    to allow CrateDB to run with the required ``SYS_CHROOT`` capability.
+  - Skip privileged init containers and adjust security contexts for compatibility
+    with OpenShift's security model.
+  - Disable ``blockOwnerDeletion`` on PVC owner references to work with OpenShift's
+    restricted RBAC permissions.
+
+* Refactored SQL execution logic to support both traditional ``pod_exec`` and
+  sidecar-based approaches, with automatic fallback based on available resources.
+
+* Updated RBAC permissions to include ``serviceaccounts`` and OpenShift
+  ``securitycontextconstraints`` resources.
+
 2.58.0 (2026-02-16)
 -------------------
 

README.rst

@@ -79,7 +79,7 @@ Previous versions might work, but the operator will not attempt to set a license
 
 
 🎉 Features
-==========
+===========
 
 - "all equal nodes" cluster setup
 - "master + data nodes" cluster setup
@@ -90,6 +90,7 @@ Previous versions might work, but the operator will not attempt to set a license
 - custom cluster settings
 - custom storage classes
 - region/zone awareness for AWS and Azure
+- OpenShift support (Red Hat OpenShift Container Platform 4.x)
 
 💽 Installation
 ===============
@@ -110,6 +111,23 @@ dependency of the `Operator Helm Chart`_.
 To override the environment variables from values.yaml, please refer to
 the `configuration documentation`_.
 
+Installation on OpenShift
+-------------------------
+
+When installing on Red Hat OpenShift Container Platform, additional configuration
+is required, after adding the Helm repo:
+
+.. code-block:: console
+
+   helm install crate-operator crate-operator/crate-operator \
+      --set env.CRATEDB_OPERATOR_CLOUD_PROVIDER=openshift \
+      --set env.CRATEDB_OPERATOR_CRATE_CONTROL_IMAGE=your-registry/crate-control:latest \
+      --namespace crate-operator \
+      --create-namespace
+
+Replace ``your-registry/crate-control:latest`` with the location of your built
+crate-control sidecar image. See the `OpenShift documentation`_ for details.
+
 Installation with kubectl
 -------------------------
 
@@ -151,3 +169,4 @@ Please refer to the `Working on the operator`_ section of the documentation.
 .. _Working on the operator: ./docs/source/development.rst
 .. _CRD Helm Chart: ./deploy/charts/crate-operator-crds/README.md
 .. _Operator Helm Chart: ./deploy/charts/crate-operator/README.md
+.. _OpenShift documentation: ./docs/source/openshift.rst