Sync chart from pieced-operator 0.1.39

deploy/helm/pieced-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.31
+version: 0.1.39
-appVersion: "0.1.31"
+appVersion: "0.1.39"
 type: application

deploy/helm/pieced-operator/templates/crds/pieced.ch_piecedtenants.yaml

@@ -123,6 +123,25 @@ spec:
                   type: array
                   items:
                     type: string
+                suspendedAt:
+                  type: string
+                  format: date-time
+                warnings:
+                  type: array
+                  items:
+                    type: object
+                    required:
+                      - source
+                    properties:
+                      source:
+                        type: string
+                      reason:
+                        type: string
+                      message:
+                        type: string
+                      since:
+                        type: string
+                        format: date-time
                 observedGeneration:
                   type: integer
                   format: int64

deploy/helm/pieced-operator/templates/rbac.yaml

@@ -8,9 +8,17 @@ metadata:
     app.kubernetes.io/name: pieced-operator
 rules:
   # --- PiecedTenant CRD ---
+  # `delete` is required so the operator can self-initiate the post-
+  # 60-day cleanup of suspended tenants (Bug 37b). Without it, the
+  # `r.Delete(ctx, tenant)` call in the suspend block fails with a
+  # 403 every reconcile cycle while the tenant sits past its
+  # retention window. Until then this verb wasn't strictly needed —
+  # the customer/portal initiated CR deletes, and the operator's
+  # finalizer ran cleanup; only with operator-initiated deletion did
+  # the missing verb become a problem.
   - apiGroups: ["pieced.ch"]
     resources: ["piecedtenants"]
-    verbs: ["get", "list", "watch", "update", "patch"]
+    verbs: ["get", "list", "watch", "update", "patch", "delete"]
   - apiGroups: ["pieced.ch"]
     resources: ["piecedtenants/status"]
     verbs: ["get", "update", "patch"]
@@ -34,29 +42,34 @@ rules:
     verbs: ["create", "patch"]
 
   # --- Capsule Tenant ---
+  # `patch` is required for server-side apply (SSA) — controller-runtime's
+  # `client.Apply` uses HTTP PATCH with content-type application/apply-patch+yaml.
+  # We keep `update` for backwards-compat in case any code path still does
+  # replace-style writes (currently none). Same applies to all unstructured
+  # resources below.
   - apiGroups: ["capsule.clastix.io"]
     resources: ["tenants"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- ESO SecretStore ---
   - apiGroups: ["external-secrets.io"]
     resources: ["secretstores"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- ESO ExternalSecret ---
   - apiGroups: ["external-secrets.io"]
     resources: ["externalsecrets"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- Cilium CiliumNetworkPolicy ---
   - apiGroups: ["cilium.io"]
     resources: ["ciliumnetworkpolicies"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- OpenClaw OpenClawInstance ---
   - apiGroups: ["openclaw.rocks"]
     resources: ["openclawinstances"]
-    verbs: ["get", "list", "watch", "create", "update", "delete"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 
   # --- Leader election (coordination) ---
   - apiGroups: ["coordination.k8s.io"]

deploy/helm/pieced-operator/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: registry.c5ai.ch/pieced/pieced-operator
-  tag: "0.1.31"
+  tag: "0.1.39"
   pullPolicy: IfNotPresent
 
 imagePullSecrets: