fix(bundle): remove unused CSV env vars, add relatedImages, improve examples

yalzhang · yalzhang · commit 604a02a4499c · 2026-01-09T19:51:29.000+08:00
- Remove unused env vars COMPUTE_PCRS_IMAGE and REG_SERVER_IMAGE from CSV
  deployment spec since the operator never reads them at runtime (images
  come from TrustedExecutionCluster CR spec)
- Add relatedImages section for air-gapped environment support
- Update generate-bundle-prod.sh to patch relatedImages with OPERATOR_IMAGE,
  COMPUTE_PCRS_IMAGE, REG_SERVER_IMAGE, and TRUSTEE_IMAGE instead of
  patching deployment env vars
- Update Makefile to pass TRUSTEE_IMAGE to bundle generation
- Remove Machine from alm-examples as it's auto-created by register-server,
  not user-facing
- Add publicTrusteeAddr field to TrustedExecutionCluster example
- Normalize image tags from v0.1.0 to 0.1.0 (standard container format)
- Update matchLabels from 'name' to 'app: trusted-cluster-operator' for
  consistency with operator deployment

Signed-off-by: Yalan Zhang &lt;yalzhang@redhat.com&gt;
diff --git a/Makefile b/Makefile
@@ -113,6 +113,7 @@ bundle: manifests
 	@OPERATOR_IMAGE=$(OPERATOR_IMAGE) \
 	COMPUTE_PCRS_IMAGE=$(COMPUTE_PCRS_IMAGE) \
 	REG_SERVER_IMAGE=$(REG_SERVER_IMAGE) \
+	TRUSTEE_IMAGE=$(TRUSTEE_IMAGE) \
 	scripts/generate-bundle-prod.sh -v $(TAG) -n $(NAMESPACE) $(if $(PREVIOUS_CSV),-p $(PREVIOUS_CSV))
 
 bundle-image: bundle
diff --git a/bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml b/bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml
@@ -16,19 +16,9 @@ metadata:
           },
           "spec": {
             "trusteeImage": "quay.io/trusted-execution-clusters/key-broker-service:tpm-verifier-built-in-as-20250711",
-            "pcrsComputeImage": "quay.io/trusted-execution-clusters/compute-pcrs:latest",
-            "registerServerImage": "quay.io/trusted-execution-clusters/registration-server:latest"
-          }
-        },
-        {
-          "apiVersion": "trusted-execution-clusters.io/v1alpha1",
-          "kind": "Machine",
-          "metadata": {
-            "name": "example-machine"
-          },
-          "spec": {
-            "id": "c3e3e3e3-c3e3-c3e3-c3e3-c3e3e3e3e3e3",
-            "address": "192.168.1.100"
+            "pcrsComputeImage": "quay.io/trusted-execution-clusters/compute-pcrs:0.1.0",
+            "registerServerImage": "quay.io/trusted-execution-clusters/registration-server:0.1.0",
+            "publicTrusteeAddr": "<trustee-address>"
           }
         },
         {
@@ -43,21 +33,20 @@ metadata:
         }
       ]
     olm.skipRange: ">=0.0.0 <1.0.0"
-    containerImage: "quay.io/trusted-execution-clusters/trusted-cluster-operator:v0.1.0"
+    containerImage: "quay.io/trusted-execution-clusters/trusted-cluster-operator:0.1.0"
     capabilities: Basic Install
   name: trusted-cluster-operator.v0.1.0
   namespace: placeholder
 spec:
   displayName: Trusted Execution Cluster Operator
-  description: An operator to manage trusted execution cluster, which are Kubernetes cluster that can attest their integrity to a relying party
+  description: An operator to manage a trusted execution cluster, which is a Kubernetes cluster that can attest its integrity to a relying party
   version: 0.1.0
   minKubeVersion: "1.27.0"
   provider:
     name: Red Hat
   icon:
     - base64data: "<base64 PNG>"
       mediatype: "image/png"
-  # replaces: trusted-cluster-operator.vX.Y.Z # Uncomment and set this to the previous CSV name when updating the operator.
 
   maturity: alpha
   installModes:
@@ -69,6 +58,15 @@ spec:
       supported: false
     - type: AllNamespaces
       supported: false
+  relatedImages:
+    - name: trusted-cluster-operator
+      image: quay.io/trusted-execution-clusters/trusted-cluster-operator:0.1.0
+    - name: compute-pcrs
+      image: quay.io/trusted-execution-clusters/compute-pcrs:0.1.0
+    - name: registration-server
+      image: quay.io/trusted-execution-clusters/registration-server:0.1.0
+    - name: trustee
+      image: quay.io/trusted-execution-clusters/key-broker-service:tpm-verifier-built-in-as-20250711
   install:
     strategy: deployment
     spec:
@@ -82,19 +80,19 @@ spec:
             replicas: 1
             selector:
               matchLabels:
-                name: trusted-cluster-operator
+                app: trusted-cluster-operator
             template:
               metadata:
                 labels:
-                  name: trusted-cluster-operator
+                  app: trusted-cluster-operator
               spec:
                 securityContext:
                   runAsNonRoot: true
                   runAsUser: 65534
                 serviceAccountName: trusted-cluster-operator
                 containers:
                   - name: trusted-cluster-operator
-                    image: quay.io/trusted-execution-clusters/trusted-cluster-operator:v0.1.0
+                    image: quay.io/trusted-execution-clusters/trusted-cluster-operator:0.1.0
                     command:
                       - /usr/bin/operator
                     imagePullPolicy: IfNotPresent
@@ -109,10 +107,6 @@ spec:
                             fieldPath: metadata.name
                       - name: OPERATOR_NAME
                         value: "trusted-cluster-operator"
-                      - name: COMPUTE_PCRS_IMAGE
-                        value: "quay.io/trusted-execution-clusters/compute-pcrs:v0.1.0"
-                      - name: REGISTER_SERVER_IMAGE
-                        value: "quay.io/trusted-execution-clusters/registration-server:v0.1.0"
                     resources:
                       limits:
                         cpu: 500m
diff --git a/scripts/generate-bundle-prod.sh b/scripts/generate-bundle-prod.sh
@@ -22,7 +22,7 @@ done
 [[ -z "$BUNDLE_VERSION" ]] && { echo "Error: bundle version cannot be empty"; exit 1; }
 
 # Required environment variables
-for var in OPERATOR_IMAGE COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE; do
+for var in OPERATOR_IMAGE COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE TRUSTEE_IMAGE; do
     : "${!var:?Please export $var}"
 done
 
@@ -58,10 +58,11 @@ yq -i ".metadata.annotations.containerImage = \"${OPERATOR_IMAGE}\"" "$CSV_FILE"
 # Patch deployment container image
 yq -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].image = \"${OPERATOR_IMAGE}\"" "$CSV_FILE"
 
-# Patch environment variables
-for env_var in COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE; do
-  yq -i "(.spec.install.spec.deployments[0].spec.template.spec.containers[0].env[] | select(.name == \"$env_var\")).value = \"${!env_var}\"" "$CSV_FILE"
-done
+# Patch relatedImages section for air-gapped environments
+yq -i "(.spec.relatedImages[] | select(.name == \"trusted-cluster-operator\")).image = \"${OPERATOR_IMAGE}\"" "$CSV_FILE"
+yq -i "(.spec.relatedImages[] | select(.name == \"compute-pcrs\")).image = \"${COMPUTE_PCRS_IMAGE}\"" "$CSV_FILE"
+yq -i "(.spec.relatedImages[] | select(.name == \"registration-server\")).image = \"${REG_SERVER_IMAGE}\"" "$CSV_FILE"
+yq -i "(.spec.relatedImages[] | select(.name == \"trustee\")).image = \"${TRUSTEE_IMAGE}\"" "$CSV_FILE"
 
 # Patch RBAC rules
 yq -i ".spec.install.spec.clusterPermissions[0].rules = load(\"${RBAC_ROLE_FILE}\").rules" "$CSV_FILE"
