fix(bundle): align CSV env var with Makefile and remove Machine example

Makefile

@@ -116,6 +116,7 @@ bundle: manifests
 	@OPERATOR_IMAGE=$(OPERATOR_IMAGE) \
 	COMPUTE_PCRS_IMAGE=$(COMPUTE_PCRS_IMAGE) \
 	REG_SERVER_IMAGE=$(REG_SERVER_IMAGE) \
+	TRUSTEE_IMAGE=$(TRUSTEE_IMAGE) \
 	scripts/generate-bundle-prod.sh -v $(TAG) -n $(NAMESPACE) $(if $(PREVIOUS_CSV),-p $(PREVIOUS_CSV))
 
 bundle-image: bundle

bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml

@@ -16,19 +16,9 @@ metadata:
           },
           "spec": {
             "trusteeImage": "quay.io/trusted-execution-clusters/key-broker-service:tpm-verifier-built-in-as-20250711",
-            "pcrsComputeImage": "quay.io/trusted-execution-clusters/compute-pcrs:latest",
-            "registerServerImage": "quay.io/trusted-execution-clusters/registration-server:latest"
-          }
-        },
-        {
-          "apiVersion": "trusted-execution-clusters.io/v1alpha1",
-          "kind": "Machine",
-          "metadata": {
-            "name": "example-machine"
-          },
-          "spec": {
-            "id": "c3e3e3e3-c3e3-c3e3-c3e3-c3e3e3e3e3e3",
-            "address": "192.168.1.100"
+            "pcrsComputeImage": "quay.io/trusted-execution-clusters/compute-pcrs:0.1.0",
+            "registerServerImage": "quay.io/trusted-execution-clusters/registration-server:0.1.0",
+            "publicTrusteeAddr": "<trustee-address>"
           }
         },
         {
@@ -43,21 +33,20 @@ metadata:
         }
       ]
     olm.skipRange: ">=0.0.0 <1.0.0"
-    containerImage: "quay.io/trusted-execution-clusters/trusted-cluster-operator:v0.1.0"
+    containerImage: "quay.io/trusted-execution-clusters/trusted-cluster-operator:0.1.0"
     capabilities: Basic Install
   name: trusted-cluster-operator.v0.1.0
   namespace: placeholder
 spec:
   displayName: Trusted Execution Cluster Operator
-  description: An operator to manage trusted execution cluster, which are Kubernetes cluster that can attest their integrity to a relying party
+  description: An operator to manage a trusted execution cluster, which is a Kubernetes cluster that can attest its integrity to a relying party
   version: 0.1.0
   minKubeVersion: "1.27.0"
   provider:
     name: Red Hat
   icon:
     - base64data: "<base64 PNG>"
       mediatype: "image/png"
-  # replaces: trusted-cluster-operator.vX.Y.Z # Uncomment and set this to the previous CSV name when updating the operator.
 
   maturity: alpha
   installModes:
@@ -69,6 +58,15 @@ spec:
       supported: false
     - type: AllNamespaces
       supported: false
+  relatedImages:
+    - name: trusted-cluster-operator
+      image: quay.io/trusted-execution-clusters/trusted-cluster-operator:0.1.0
+    - name: compute-pcrs
+      image: quay.io/trusted-execution-clusters/compute-pcrs:0.1.0
+    - name: registration-server
+      image: quay.io/trusted-execution-clusters/registration-server:0.1.0
+    - name: trustee
+      image: quay.io/trusted-execution-clusters/key-broker-service:tpm-verifier-built-in-as-20250711
   install:
     strategy: deployment
     spec:
@@ -82,19 +80,19 @@ spec:
             replicas: 1
             selector:
               matchLabels:
-                name: trusted-cluster-operator
+                app: trusted-cluster-operator
             template:
               metadata:
                 labels:
-                  name: trusted-cluster-operator
+                  app: trusted-cluster-operator
               spec:
                 securityContext:
                   runAsNonRoot: true
                   runAsUser: 65534
                 serviceAccountName: trusted-cluster-operator
                 containers:
                   - name: trusted-cluster-operator
-                    image: quay.io/trusted-execution-clusters/trusted-cluster-operator:v0.1.0
+                    image: quay.io/trusted-execution-clusters/trusted-cluster-operator:0.1.0
                     command:
                       - /usr/bin/operator
                     imagePullPolicy: IfNotPresent
@@ -109,10 +107,6 @@ spec:
                             fieldPath: metadata.name
                       - name: OPERATOR_NAME
                         value: "trusted-cluster-operator"
-                      - name: COMPUTE_PCRS_IMAGE
-                        value: "quay.io/trusted-execution-clusters/compute-pcrs:v0.1.0"
-                      - name: REGISTER_SERVER_IMAGE
-                        value: "quay.io/trusted-execution-clusters/registration-server:v0.1.0"
                     resources:
                       limits:
                         cpu: 500m

scripts/generate-bundle-prod.sh

@@ -22,7 +22,7 @@ done
 [[ -z "$BUNDLE_VERSION" ]] && { echo "Error: bundle version cannot be empty"; exit 1; }
 
 # Required environment variables
-for var in OPERATOR_IMAGE COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE; do
+for var in OPERATOR_IMAGE COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE TRUSTEE_IMAGE; do
     : "${!var:?Please export $var}"
 done
 
@@ -32,7 +32,7 @@ BUNDLE_MANIFESTS="${BUNDLE_DIR}/manifests"
 BUNDLE_METADATA="${BUNDLE_DIR}/metadata"
 CSV_TEMPLATE="${PROJECT_ROOT}/bundle/static/manifests/trusted-cluster-operator.clusterserviceversion.yaml"
 ANNOTATIONS_TEMPLATE="${PROJECT_ROOT}/bundle/static/metadata/annotations.yaml"
-RBAC_ROLE_FILE="${PROJECT_ROOT}/config/rbac/role.yaml"
+RBAC_ROLE_FILE="${PROJECT_ROOT}/config/rbac/base/role.yaml"
 
 echo "=> Cleaning previous bundle..."
 rm -rf "${BUNDLE_MANIFESTS}" "${BUNDLE_METADATA}"
@@ -41,9 +41,13 @@ mkdir -p "${BUNDLE_MANIFESTS}" "${BUNDLE_METADATA}"
 echo "=> Copying CRDs and static assets..."
 shopt -s nullglob
 cp "${PROJECT_ROOT}/config/crd"/*.yaml "${BUNDLE_MANIFESTS}/"
-cp "${PROJECT_ROOT}/config/rbac"/*.yaml "${BUNDLE_MANIFESTS}/"
+cp "${PROJECT_ROOT}/config/rbac/base"/*.yaml "${BUNDLE_MANIFESTS}/"
 rm -f "${BUNDLE_MANIFESTS}/kustomization.yaml"
 rm -f "${BUNDLE_MANIFESTS}/service_account.yaml"
+# Remove operator's main RBAC files - these are defined in CSV's clusterPermissions instead
+# This prevents OLM from creating duplicate ClusterRoles and ClusterRoleBindings
+rm -f "${BUNDLE_MANIFESTS}/role.yaml"
+rm -f "${BUNDLE_MANIFESTS}/role_binding.yaml"
 cp "$CSV_TEMPLATE" "${BUNDLE_MANIFESTS}/"
 cp "$ANNOTATIONS_TEMPLATE" "${BUNDLE_METADATA}/"
 
@@ -58,10 +62,11 @@ yq -i ".metadata.annotations.containerImage = \"${OPERATOR_IMAGE}\"" "$CSV_FILE"
 # Patch deployment container image
 yq -i ".spec.install.spec.deployments[0].spec.template.spec.containers[0].image = \"${OPERATOR_IMAGE}\"" "$CSV_FILE"
 
-# Patch environment variables
-for env_var in COMPUTE_PCRS_IMAGE REG_SERVER_IMAGE; do
-  yq -i "(.spec.install.spec.deployments[0].spec.template.spec.containers[0].env[] | select(.name == \"$env_var\")).value = \"${!env_var}\"" "$CSV_FILE"
-done
+# Patch relatedImages section for air-gapped environments
+yq -i "(.spec.relatedImages[] | select(.name == \"trusted-cluster-operator\")).image = \"${OPERATOR_IMAGE}\"" "$CSV_FILE"
+yq -i "(.spec.relatedImages[] | select(.name == \"compute-pcrs\")).image = \"${COMPUTE_PCRS_IMAGE}\"" "$CSV_FILE"
+yq -i "(.spec.relatedImages[] | select(.name == \"registration-server\")).image = \"${REG_SERVER_IMAGE}\"" "$CSV_FILE"
+yq -i "(.spec.relatedImages[] | select(.name == \"trustee\")).image = \"${TRUSTEE_IMAGE}\"" "$CSV_FILE"
 
 # Patch RBAC rules
 yq -i ".spec.install.spec.clusterPermissions[0].rules = load(\"${RBAC_ROLE_FILE}\").rules" "$CSV_FILE"