Compare commits
3 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| f182211601 | |||
| 5d46d3ada0 | |||
| e98dd8b0a2 |
@@ -1,6 +1,6 @@
|
||||
apiVersion: v2
|
||||
name: pieced-operator
|
||||
description: PieCed IT tenant lifecycle operator
|
||||
version: 0.1.37
|
||||
appVersion: "0.1.37"
|
||||
version: 0.1.40
|
||||
appVersion: "0.1.40"
|
||||
type: application
|
||||
|
||||
@@ -87,6 +87,18 @@ spec:
|
||||
suspend:
|
||||
type: boolean
|
||||
description: Stops reconciliation without deleting resources.
|
||||
openClawImage:
|
||||
type: object
|
||||
description: >
|
||||
Per-tenant override for the OpenClaw container image
|
||||
tag. When unset, the operator uses the platform
|
||||
default from the pieced-openclaw-config ConfigMap.
|
||||
Set by platform admins via the portal; customer-
|
||||
facing onboarding does not expose this field.
|
||||
properties:
|
||||
tag:
|
||||
type: string
|
||||
description: Image tag (e.g. "2026.4.22").
|
||||
status:
|
||||
type: object
|
||||
properties:
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
{{/*
|
||||
Platform-wide default OpenClaw image tag. Used by the operator when a
|
||||
PiecedTenant has no explicit `spec.openClawImage.tag` override.
|
||||
|
||||
Tag-only by design — see internal/openclawconfig/loader.go for
|
||||
rationale (single image-selector field avoids SSA field-ownership
|
||||
ambiguity). For reproducibility-critical deployments, pin by using
|
||||
an immutable release tag.
|
||||
|
||||
If `defaultTag` is empty (or this ConfigMap doesn't exist), the
|
||||
operator falls back to a hardcoded built-in version.
|
||||
|
||||
Tenants without an `openClawImage` override automatically follow
|
||||
changes to this ConfigMap on the next reconcile — the operator
|
||||
watches it and re-enqueues affected tenants.
|
||||
*/}}
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: pieced-openclaw-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app.kubernetes.io/name: pieced-operator
|
||||
data:
|
||||
defaultTag: {{ .Values.openClaw.defaultTag | quote }}
|
||||
@@ -8,9 +8,17 @@ metadata:
|
||||
app.kubernetes.io/name: pieced-operator
|
||||
rules:
|
||||
# --- PiecedTenant CRD ---
|
||||
# `delete` is required so the operator can self-initiate the post-
|
||||
# 60-day cleanup of suspended tenants (Bug 37b). Without it, the
|
||||
# `r.Delete(ctx, tenant)` call in the suspend block fails with a
|
||||
# 403 every reconcile cycle while the tenant sits past its
|
||||
# retention window. Until then this verb wasn't strictly needed —
|
||||
# the customer/portal initiated CR deletes, and the operator's
|
||||
# finalizer ran cleanup; only with operator-initiated deletion did
|
||||
# the missing verb become a problem.
|
||||
- apiGroups: ["pieced.ch"]
|
||||
resources: ["piecedtenants"]
|
||||
verbs: ["get", "list", "watch", "update", "patch"]
|
||||
verbs: ["get", "list", "watch", "update", "patch", "delete"]
|
||||
- apiGroups: ["pieced.ch"]
|
||||
resources: ["piecedtenants/status"]
|
||||
verbs: ["get", "update", "patch"]
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
image:
|
||||
repository: registry.c5ai.ch/pieced/pieced-operator
|
||||
tag: "0.1.37"
|
||||
tag: "0.1.40"
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
imagePullSecrets:
|
||||
@@ -56,3 +56,23 @@ serviceAccount:
|
||||
# Network policy — restrict operator egress to only what it needs
|
||||
networkPolicy:
|
||||
enabled: true
|
||||
|
||||
# OpenClaw image default (Feature: per-tenant version overrides).
|
||||
#
|
||||
# Materialised as the `pieced-openclaw-config` ConfigMap, which the
|
||||
# operator reads on every reconcile. Per-tenant overrides set via the
|
||||
# portal (PiecedTenant.spec.openClawImage.tag) take precedence over
|
||||
# this default for the affected tenants.
|
||||
#
|
||||
# We support tag-only (not digest) by design — a single image-selector
|
||||
# field avoids SSA field-ownership ambiguity when switching values,
|
||||
# and the downstream OpenClaw operator handles a tag-only image spec
|
||||
# unambiguously. For reproducibility-critical deployments, pin by
|
||||
# using an immutable release tag.
|
||||
#
|
||||
# Empty defaultTag falls back to the operator's built-in version.
|
||||
# Admins can edit this value at runtime via the portal admin UI;
|
||||
# the resulting ConfigMap edits trigger reconciles for every tenant
|
||||
# that doesn't have its own override.
|
||||
openClaw:
|
||||
defaultTag: "2026.4.22"
|
||||
|
||||
Reference in New Issue
Block a user