Merge pull request #21734 from ahardin-rh/issue-21396

Issue 21396 fix

Author: ahardin-rh

modules/olm-enabling-operator-restricted-network.adoc

@@ -12,28 +12,79 @@ for your Operator to run properly in a restricted network environment:
 require to perform their functions.
 * Reference all specified images by a digest (SHA) and not by a tag.
 
-.Prerequisites
+You must use SHA references to related images in two places in the Operator's
+CSV:
 
-* An Operator project with a CSV
-
-.Procedure
-
-* In your Operator's CSV, define a list of any related images:
+* in `spec.relatedImages`:
 +
 [source,yaml]
 ----
-kind: ClusterServiceVersion
-metadata:
-  name: etcd-operator
-spec:
 ...
+spec:
   relatedImages: <1>
-  - name: default
-    image: quay.io/coreos/etcd@sha256:12345 <2>
-  - name: etcd-2.1.5
-    image: quay.io/coreos/etcd@sha256:12345 <2>
-  - name: etcd-3.1.1
-    image: quay.io/coreos/etcd@sha256:12345 <2>
+    - name: etcd-operator <2>
+      value: quay.io/etcd-operator/operator@sha256:d134a9865524c29fcf75bbc4469013bc38d8a15cb5f41acfddb6b9e492f556e4 <3>
+    - name: etcd-image
+      value: quay.io/etcd-operator/etcd@sha256:13348c15263bd8838ec1d5fc4550ede9860fcbb0f843e48cbccec07810eebb68
+...
 ----
 <1> Create a `relatedImages` section and set the list of related images.
+<2> Specify a unique identifier for the image.
+<3> Specify each image by a digest (SHA), not by an image tag.
+
+* in the `env` section of the Operators Deployments when declaring environment
+variables that inject the image that the Operator should use:
++
+[source,yaml]
+----
+spec:
+  install:
+    spec:
+      deployments:
+      - name: etcd-operator-v3.1.1
+        spec:
+          replicas: 1
+          selector:
+            matchLabels:
+              name: etcd-operator
+          strategy:
+            type: Recreate
+          template:
+            metadata:
+              labels:
+                name: etcd-operator
+            spec:
+              containers:
+              - args:
+                - /opt/etcd/bin/etcd_operator_run.sh
+                env:
+                - name: WATCH_NAMESPACE
+                  valueFrom:
+                    fieldRef:
+                      fieldPath: metadata.annotations['olm.targetNamespaces']
+                - name: ETCD_OPERATOR_DEFAULT_ETCD_IMAGE <1>
+                  value: quay.io/etcd-operator/etcd@sha256:13348c15263bd8838ec1d5fc4550ede9860fcbb0f843e48cbccec07810eebb68 <2>
+                - name: ETCD_LOG_LEVEL
+                  value: INFO
+                image: quay.io/etcd-operator/operator@sha256:d134a9865524c29fcf75bbc4469013bc38d8a15cb5f41acfddb6b9e492f556e4 <3>
+                imagePullPolicy: IfNotPresent
+                livenessProbe:
+                  httpGet:
+                    path: /healthy
+                    port: 8080
+                  initialDelaySeconds: 10
+                  periodSeconds: 30
+                name: etcd-operator
+                readinessProbe:
+                  httpGet:
+                    path: /ready
+                    port: 8080
+                  initialDelaySeconds: 10
+                  periodSeconds: 30
+                resources: {}
+              serviceAccountName: etcd-operator
+    strategy: deployment
+----
+<1> Inject the images referenced by the Operator via environment variables.
 <2> Specify each image by a digest (SHA), not by an image tag.
+<3> Also reference the Operator container image by a digest (SHA), not by an image tag.