From f182211601eb038c86818b2412f957365de1a15f Mon Sep 17 00:00:00 2001
From: pieced-ci
Date: Sun, 10 May 2026 19:23:49 +0000
Subject: [PATCH] Sync chart from pieced-operator 0.1.40
---
 deploy/helm/pieced-operator/Chart.yaml | 4 +--
 .../crds/pieced.ch_piecedtenants.yaml | 12 +++++++++
 .../templates/openclaw-config-cm.yaml | 25 +++++++++++++++++++
 deploy/helm/pieced-operator/values.yaml | 22 +++++++++++++++-
 4 files changed, 60 insertions(+), 3 deletions(-)
 create mode 100644 deploy/helm/pieced-operator/templates/openclaw-config-cm.yaml
diff --git a/deploy/helm/pieced-operator/Chart.yaml b/deploy/helm/pieced-operator/Chart.yaml
index fb28af4..b087e10 100644
--- a/deploy/helm/pieced-operator/Chart.yaml
+++ b/deploy/helm/pieced-operator/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.39
-appVersion: "0.1.39"
+version: 0.1.40
+appVersion: "0.1.40"
 type: application
diff --git a/deploy/helm/pieced-operator/templates/crds/pieced.ch_piecedtenants.yaml b/deploy/helm/pieced-operator/templates/crds/pieced.ch_piecedtenants.yaml
index a6f90de..a0fccde 100644
--- a/deploy/helm/pieced-operator/templates/crds/pieced.ch_piecedtenants.yaml
+++ b/deploy/helm/pieced-operator/templates/crds/pieced.ch_piecedtenants.yaml
@@ -87,6 +87,18 @@ spec:
 suspend:
 type: boolean
 description: Stops reconciliation without deleting resources.
+ openClawImage:
+ type: object
+ description: >
+ Per-tenant override for the OpenClaw container image
+ tag. When unset, the operator uses the platform
+ default from the pieced-openclaw-config ConfigMap.
+ Set by platform admins via the portal; customer-
+ facing onboarding does not expose this field.
+ properties:
+ tag:
+ type: string
+ description: Image tag (e.g. "2026.4.22").
 status:
 type: object
 properties:
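Review bot: The new `spec.openClawImage.tag` property in the CRD hunk is a bare `type: string`, so the API server accepts any value, including an empty string or one containing `/`, `:` or `@`, and passes it to the operator, which presumably joins it into an image reference. A schema constraint would reject malformed tags at admission, for example `pattern: '^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$'` next to `type: string`; the `defaultTag` key rendered in `templates/openclaw-config-cm.yaml` is equally unchecked, although an empty value there is documented as a fallback. The description's "customer-facing onboarding does not expose this field" describes the portal only: anyone with write access to PiecedTenant objects can set the field, so if the restriction matters it needs RBAC or an admission policy behind it. The `spec` schema starts and continues outside this hunk.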
diff --git a/deploy/helm/pieced-operator/templates/openclaw-config-cm.yaml b/deploy/helm/pieced-operator/templates/openclaw-config-cm.yaml
new file mode 100644
index 0000000..8797763
--- /dev/null
+++ b/deploy/helm/pieced-operator/templates/openclaw-config-cm.yaml
@@ -0,0 +1,25 @@
+{{/*
+Platform-wide default OpenClaw image tag. Used by the operator when a
+PiecedTenant has no explicit `spec.openClawImage.tag` override.
+
+Tag-only by design — see internal/openclawconfig/loader.go for
+rationale (single image-selector field avoids SSA field-ownership
+ambiguity). For reproducibility-critical deployments, pin by using
+an immutable release tag.
+
+If `defaultTag` is empty (or this ConfigMap doesn't exist), the
+operator falls back to a hardcoded built-in version.
+
+Tenants without an `openClawImage` override automatically follow
+changes to this ConfigMap on the next reconcile — the operator
+watches it and re-enqueues affected tenants.
+*/}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pieced-openclaw-config
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: pieced-operator
+data:
+ defaultTag: {{ .Values.openClaw.defaultTag | quote }}
diff --git a/deploy/helm/pieced-operator/values.yaml b/deploy/helm/pieced-operator/values.yaml
index f9b2176..891f70c 100644
--- a/deploy/helm/pieced-operator/values.yaml
+++ b/deploy/helm/pieced-operator/values.yaml
@@ -1,6 +1,6 @@
 image:
 repository: registry.c5ai.ch/pieced/pieced-operator
- tag: "0.1.39"
+ tag: "0.1.40"
 pullPolicy: IfNotPresent
 imagePullSecrets:
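Review bot: The header comment of `openclaw-config-cm.yaml` does not say who is expected to write `pieced-openclaw-config`, yet by that same comment a change to `defaultTag` reaches every tenant without an override on the next reconcile, so write access to this one ConfigMap amounts to an image rollout across the fleet. I would add a line to the comment such as `Write access to this ConfigMap changes the image for all non-overridden tenants; restrict update/patch to platform admins.` and confirm that the operator's Role (not visible in this patch) needs only get/list/watch on it. The "immutable release tag" advice also depends on the registry enforcing tag immutability, which the chart cannot verify; the comment should say so, since with tag-only selection nothing else pins the image content.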
@@ -56,3 +56,23 @@ serviceAccount:
 # Network policy — restrict operator egress to only what it needs
 networkPolicy:
 enabled: true
+
+# OpenClaw image default (Feature: per-tenant version overrides).
+#
+# Materialised as the `pieced-openclaw-config` ConfigMap, which the
+# operator reads on every reconcile. Per-tenant overrides set via the
+# portal (PiecedTenant.spec.openClawImage.tag) take precedence over
+# this default for the affected tenants.
+#
+# We support tag-only (not digest) by design — a single image-selector
+# field avoids SSA field-ownership ambiguity when switching values,
+# and the downstream OpenClaw operator handles a tag-only image spec
+# unambiguously. For reproducibility-critical deployments, pin by
+# using an immutable release tag.
+#
+# Empty defaultTag falls back to the operator's built-in version.
+# Admins can edit this value at runtime via the portal admin UI;
+# the resulting ConfigMap edits trigger reconciles for every tenant
+# that doesn't have its own override.
+openClaw:
+ defaultTag: "2026.4.22"
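Review bot: The comment above `openClaw.defaultTag` promises that admins can edit the default at runtime through the portal, but the ConfigMap those edits land in is rendered by this chart from the same value, so the key has two writers. A later `helm upgrade` or rollback can put the chart value back (most likely whenever the rendered value differs from the previous release), silently reverting a tag an admin had moved forward, for instance to pick up a fixed image. The comment should state which side wins, e.g. `# NOTE: portal edits to the ConfigMap are not persisted here; a helm upgrade that changes defaultTag overwrites them.`, or the chart should stop owning the key once the portal manages it.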