operator-framework
diff --git a/‎helm/olmv1/templates/00-namespace.yml‎
Lines changed: 8 additions & 2 deletions b/‎helm/olmv1/templates/00-namespace.yml‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml‎
Lines changed: 0 additions & 1 deletion b/‎helm/olmv1/templates/06-role-olmv1-system-catalogd-manager-role.yml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml‎
Lines changed: 0 additions & 1 deletion b/‎helm/olmv1/templates/08-role-olmv1-system-operator-controller-manager-role.yml‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml‎
Lines changed: 6 additions & 42 deletions b/‎helm/olmv1/templates/29-deployment-olmv1-system-catalogd-controller-manager.yml‎
Lines changed: 6 additions & 42 deletions
diff --git a/‎helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml‎
Lines changed: 5 additions & 42 deletions b/‎helm/olmv1/templates/30-deployment-olmv1-system-operator-controller-controller-manager.yml‎
Lines changed: 5 additions & 42 deletions
diff --git a/‎helm/olmv1/templates/_helpers.tpl‎
Lines changed: 0 additions & 11 deletions b/‎helm/olmv1/templates/_helpers.tpl‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎helm/olmv1/values.yaml‎
Lines changed: 50 additions & 28 deletions b/‎helm/olmv1/values.yaml‎
Lines changed: 50 additions & 28 deletions
@@ -5,12 +5,18 @@ metadata:
   annotations:
     {{- include "olmv1.annotations" . | nindent 4 }}
     {{- with .Values.namespaces.olmv1.annotations }}
-      {{- toYaml . | nindent 4 }}
+      {{- toYamlPretty . | nindent 4 }}
     {{- end }}
   labels:
     app.kubernetes.io/name: olmv1
+    pod-security.kubernetes.io/audit: {{ .Values.namespaces.olmv1.podSecurityProfile }}
+    pod-security.kubernetes.io/audit-version: latest
+    pod-security.kubernetes.io/enforce: {{ .Values.namespaces.olmv1.podSecurityProfile }}
+    pod-security.kubernetes.io/enforce-version: latest
+    pod-security.kubernetes.io/warn: {{ .Values.namespaces.olmv1.podSecurityProfile }}
+    pod-security.kubernetes.io/warn-version: latest
     {{- include "olmv1.labels" . | nindent 4 }}
     {{- with .Values.namespaces.olmv1.labels }}
-      {{- toYaml . | nindent 4 }}
+      {{- toYamlPretty . | nindent 4 }}
     {{- end }}
   name: {{ .Values.namespaces.olmv1.name }}
@@ -19,5 +19,4 @@ rules:
       - get
       - list
       - watch
-  {{- include "olmv1.catalogd.role.rules" . | nindent 2 }}
 {{- end }}
@@ -31,5 +31,4 @@ rules:
       - get
       - list
       - watch
-  {{- include "olmv1.operatorController.role.rules" . | nindent 2 }}
 {{- end }}
@@ -33,25 +33,6 @@ spec:
         {{- toYamlPretty . | nindent 8 }}
         {{- end }}
     spec:
-      {{- if .Values.components.catalogd.deployment.priorityClassName }}
-      priorityClassName: {{ .Values.components.catalogd.deployment.priorityClassName }}
-      {{- end }}
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: kubernetes.io/arch
-                    operator: In
-                    values:
-                      - amd64
-                      - arm64
-                      - ppc64le
-                      - s390x
-                  - key: kubernetes.io/os
-                    operator: In
-                    values:
-                      - linux
       containers:
         - args:
             {{- if not .Values.features.tilt.enabled }}
@@ -83,7 +64,6 @@ spec:
           {{- toYamlPretty . | nindent 12 }}
           {{- end }}
           image: "{{ .Values.components.catalogd.deployment.image }}"
-          imagePullPolicy: {{ .Values.components.catalogd.deployment.imagePullPolicy }}
           {{- if not .Values.features.tilt.enabled }}
           livenessProbe:
             httpGet:
@@ -105,11 +85,6 @@ spec:
             requests:
               cpu: 100m
               memory: 200Mi
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             {{- if .Values.components.e2e.enabled }}
             - mountPath: /e2e-coverage
@@ -127,14 +102,12 @@ spec:
               readOnly: true
             {{- end }}
             {{- with .Values.components.catalogd.deployment.volumeMounts }}
-              {{- toYaml . | nindent 12 }}
+              {{- toYamlPretty . | nindent 12 }}
             {{- end }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+          {{- with .Values.deployments.containerSpec }}
+          {{- toYamlPretty . | nindent 10 }}
+          {{- end }}
       serviceAccountName: catalogd-controller-manager
-      terminationGracePeriodSeconds: 10
       volumes:
         {{- if .Values.components.e2e.enabled }}
         - name: e2e-coverage-volume
@@ -160,16 +133,7 @@ spec:
         {{- with .Values.components.catalogd.deployment.volumes }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- with .Values.components.catalogd.deployment.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.components.catalogd.deployment.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.components.catalogd.deployment.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
+      {{- with .Values.deployments.templateSpec }}
+      {{- toYamlPretty . | nindent 6 }}
       {{- end }}
 {{- end }}
@@ -32,25 +32,6 @@ spec:
         {{- toYamlPretty . | nindent 8 }}
         {{- end }}
     spec:
-      {{- if .Values.components.operatorController.deployment.priorityClassName }}
-      priorityClassName: {{ .Values.components.operatorController.deployment.priorityClassName }}
-      {{- end }}
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: kubernetes.io/arch
-                    operator: In
-                    values:
-                      - amd64
-                      - arm64
-                      - ppc64le
-                      - s390x
-                  - key: kubernetes.io/os
-                    operator: In
-                    values:
-                      - linux
       containers:
         - args:
             - --health-probe-bind-address=:8081
@@ -92,8 +73,6 @@ spec:
           {{- toYamlPretty . | nindent 12 }}
           {{- end }}
           image: "{{ .Values.components.operatorController.deployment.image }}"
-          image: quay.io/operator-framework/operator-controller:devel
-          imagePullPolicy: {{ .Values.components.operatorController.deployment.imagePullPolicy }}
           {{- if not .Values.features.tilt.enabled }}
           livenessProbe:
             httpGet:
@@ -115,11 +94,6 @@ spec:
             requests:
               cpu: 10m
               memory: 64Mi
-          {{- with .Values.securityContext }}
-          securityContext:
-            {{- toYaml . | nindent 12 }}
-          {{- end }}
-          terminationMessagePolicy: FallbackToLogsOnError
           volumeMounts:
             {{- if .Values.components.e2e.enabled }}
             - mountPath: /etc/containers
@@ -139,12 +113,10 @@ spec:
             {{- with .Values.components.operatorController.deployment.volumeMounts }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
-      {{- with .Values.podSecurityContext }}
-      securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+          {{- with .Values.deployments.containerSpec }}
+          {{- toYaml . | nindent 10 }}
+          {{- end }}
       serviceAccountName: operator-controller-controller-manager
-      terminationGracePeriodSeconds: 10
       volumes:
         {{- if .Values.components.e2e.enabled }}
         - configMap:
@@ -174,16 +146,7 @@ spec:
         {{- with .Values.components.operatorController.deployment.volumes }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
-      {{- with .Values.components.operatorController.deployment.nodeSelector }}
-      nodeSelector:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.components.operatorController.deployment.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.components.operatorController.deployment.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
+      {{- with .Values.deployments.templateSpec }}
+      {{- toYamlPretty . | nindent 6 }}
       {{- end }}
 {{- end }}
@@ -46,24 +46,13 @@ olm.operatorframework.io/feature-set: {{ .Values.featureSet -}}{{- if .Values.co
 {{/*
 Insertion of additional rules for RBAC
 */}}
-{{- define "olmv1.catalogd.role.rules" -}}
-{{- with .Values.components.catalogd.rules }}
-{{- toYamlPretty . }}
-{{- end }}
-{{- end }}
 
 {{- define "olmv1.catalogd.clusterRole.rules" -}}
 {{- with .Values.components.catalogd.clusterRole.rules }}
 {{- toYamlPretty . }}
 {{- end }}
 {{- end }}
 
-{{- define "olmv1.operatorController.role.rules" -}}
-{{- with .Values.components.operatorController.role.rules }}
-{{- toYamlPretty . }}
-{{- end }}
-{{- end }}
-
 {{- define "olmv1.operatorController.clusterRole.rules" -}}
 {{- with .Values.components.operatorController.clusterRole.rules }}
 {{- toYamlPretty . }}
 
@@ -8,16 +8,11 @@ components:
     enabled: true
     deployment:
       image: quay.io/operator-framework/operator-controller:devel
-      imagePullPolicy: IfNotPresent
       volumeMounts: []
       volumes: []
-      affinity: {}
-      nodeSelector: {}
-      tolerations: []
       podArguments: []
       podLabels: {}
       podAnnotations: {}
-      priorityClassName: ""
       env: []
     service:
       annotations: {}
@@ -29,23 +24,16 @@ components:
     enabled: true
     deployment:
       image: quay.io/operator-framework/catalogd:devel
-      imagePullPolicy: IfNotPresent
       volumeMounts: []
       volumes: []
-      affinity: {}
-      nodeSelector: {}
-      tolerations: []
       podArguments: []
       podLabels: {}
       podAnnotations: {}
-      priorityClassName: ""
       env: []
     service:
       annotations: {}
     clusterRole:
       rules: []
-    role:
-      rules: []
     webhook:
       annotations: {}
   certManager:
@@ -74,23 +62,57 @@ featureSet: standard
 namespaces:
   olmv1:
     name: olmv1-system
-    labels:
-      pod-security.kubernetes.io/enforce: restricted
-      pod-security.kubernetes.io/enforce-version: latest
+    podSecurityProfile: restricted
+    labels: {}
     annotations: {}
   certManager:
     name: cert-manager
 
-# Pod-level security context
-podSecurityContext:
-  runAsNonRoot: true
-  seccompProfile:
-    type: RuntimeDefault
-
-# Container-level security context
-securityContext:
-  allowPrivilegeEscalation: false
-  capabilities:
-    drop:
-      - ALL
-  readOnlyRootFilesystem: true
+# Common deployment values for operator-controller and catalogd
+deployments:
+  templateSpec:
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+            - matchExpressions:
+                - key: kubernetes.io/arch
+                  operator: In
+                  values:
+                    - amd64
+                    - arm64
+                    - ppc64le
+                    - s390x
+                - key: kubernetes.io/os
+                  operator: In
+                  values:
+                    - linux
+    nodeSelector:
+      kubernetes.io/os: linux
+      node-role.kubernetes.io/control-plane: ""
+    securityContext:
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault
+    terminationGracePeriodSeconds: 10
+    tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        key: node.kubernetes.io/unreachable
+        operator: Exists
+        tolerationSeconds: 120
+      - effect: NoExecute
+        key: node.kubernetes.io/not-ready
+        operator: Exists
+        tolerationSeconds: 120
+  containerSpec:
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+    terminationMessagePolicy: FallbackToLogsOnError