Sync chart from pieced-operator 0.1.43

deploy/helm/pieced-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.14
+version: 0.1.43
-appVersion: "0.1.14"
+appVersion: "0.1.43"
 type: application

deploy/helm/pieced-operator/templates/crds/pieced.ch_piecedtenants.yaml

@@ -87,6 +87,18 @@ spec:
                 suspend:
                   type: boolean
                   description: Stops reconciliation without deleting resources.
+                openClawImage:
+                  type: object
+                  description: >
+                    Per-tenant override for the OpenClaw container image
+                    tag. When unset, the operator uses the platform
+                    default from the pieced-openclaw-config ConfigMap.
+                    Set by platform admins via the portal; customer-
+                    facing onboarding does not expose this field.
+                  properties:
+                    tag:
+                      type: string
+                      description: Image tag (e.g. "2026.4.22").
             status:
               type: object
               properties:
@@ -123,6 +135,25 @@ spec:
                   type: array
                   items:
                     type: string
+                suspendedAt:
+                  type: string
+                  format: date-time
+                warnings:
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - source
+                    properties:
+                      source:
+                        type: string
+                      reason:
+                        type: string
+                      message:
+                        type: string
+                      since:
+                        type: string
+                        format: date-time
                 observedGeneration:
                   type: integer
                   format: int64

deploy/helm/pieced-operator/templates/openclaw-config-cm.yaml

@@ -0,0 +1,25 @@
+{{/*
+Platform-wide default OpenClaw image tag. Used by the operator when a
+PiecedTenant has no explicit `spec.openClawImage.tag` override.
+
+Tag-only by design — see internal/openclawconfig/loader.go for
+rationale (single image-selector field avoids SSA field-ownership
+ambiguity). For reproducibility-critical deployments, pin by using
+an immutable release tag.
+
+If `defaultTag` is empty (or this ConfigMap doesn't exist), the
+operator falls back to a hardcoded built-in version.
+
+Tenants without an `openClawImage` override automatically follow
+changes to this ConfigMap on the next reconcile — the operator
+watches it and re-enqueues affected tenants.
+*/}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pieced-openclaw-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: pieced-operator
+data:
+  defaultTag: {{ .Values.openClaw.defaultTag | quote }}

deploy/helm/pieced-operator/templates/rbac.yaml

@@ -8,9 +8,17 @@ metadata:
     app.kubernetes.io/name: pieced-operator
 rules:
   # --- PiecedTenant CRD ---
+  # `delete` is required so the operator can self-initiate the post-
+  # 60-day cleanup of suspended tenants (Bug 37b). Without it, the
+  # `r.Delete(ctx, tenant)` call in the suspend block fails with a
+  # 403 every reconcile cycle while the tenant sits past its
+  # retention window. Until then this verb wasn't strictly needed —
+  # the customer/portal initiated CR deletes, and the operator's
+  # finalizer ran cleanup; only with operator-initiated deletion did
+  # the missing verb become a problem.
   - apiGroups: ["pieced.ch"]
     resources: ["piecedtenants"]
-    verbs: ["get", "list", "watch", "update", "patch"]
+    verbs: ["get", "list", "watch", "update", "patch", "delete"]
   - apiGroups: ["pieced.ch"]
     resources: ["piecedtenants/status"]
     verbs: ["get", "update", "patch"]
@@ -34,29 +42,34 @@ rules:
     verbs: ["create", "patch"]
 
   # --- Capsule Tenant ---
+  # `patch` is required for server-side apply (SSA) — controller-runtime's
+  # `client.Apply` uses HTTP PATCH with content-type application/apply-patch+yaml.
+  # We keep `update` for backwards-compat in case any code path still does
+  # replace-style writes (currently none). Same applies to all unstructured
+  # resources below.
   - apiGroups: ["capsule.clastix.io"]
     resources: ["tenants"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- ESO SecretStore ---
   - apiGroups: ["external-secrets.io"]
     resources: ["secretstores"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- ESO ExternalSecret ---
   - apiGroups: ["external-secrets.io"]
     resources: ["externalsecrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- Cilium CiliumNetworkPolicy ---
   - apiGroups: ["cilium.io"]
     resources: ["ciliumnetworkpolicies"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- OpenClaw OpenClawInstance ---
   - apiGroups: ["openclaw.rocks"]
     resources: ["openclawinstances"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- Leader election (coordination) ---
   - apiGroups: ["coordination.k8s.io"]

deploy/helm/pieced-operator/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: registry.c5ai.ch/pieced/pieced-operator
-  tag: "0.1.14"
+  tag: "0.1.43"
   pullPolicy: IfNotPresent
 
 imagePullSecrets:
@@ -56,3 +56,23 @@ serviceAccount:
 # Network policy — restrict operator egress to only what it needs
 networkPolicy:
   enabled: true
+
+# OpenClaw image default (Feature: per-tenant version overrides).
+#
+# Materialised as the `pieced-openclaw-config` ConfigMap, which the
+# operator reads on every reconcile. Per-tenant overrides set via the
+# portal (PiecedTenant.spec.openClawImage.tag) take precedence over
+# this default for the affected tenants.
+#
+# We support tag-only (not digest) by design — a single image-selector
+# field avoids SSA field-ownership ambiguity when switching values,
+# and the downstream OpenClaw operator handles a tag-only image spec
+# unambiguously. For reproducibility-critical deployments, pin by
+# using an immutable release tag.
+#
+# Empty defaultTag falls back to the operator's built-in version.
+# Admins can edit this value at runtime via the portal admin UI;
+# the resulting ConfigMap edits trigger reconciles for every tenant
+# that doesn't have its own override.
+openClaw:
+  defaultTag: "2026.4.22"