Sync chart from pieced-operator 0.1.42

deploy/helm/pieced-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: pieced-operator
 description: PieCed IT tenant lifecycle operator
-version: 0.1.39
-appVersion: "0.1.39"
+version: 0.1.42
+appVersion: "0.1.42"
 type: application

deploy/helm/pieced-operator/templates/crds/pieced.ch_piecedtenants.yaml

@@ -87,6 +87,18 @@ spec:
                 suspend:
                   type: boolean
                   description: Stops reconciliation without deleting resources.
+                openClawImage:
+                  type: object
+                  description: >
+                    Per-tenant override for the OpenClaw container image
+                    tag. When unset, the operator uses the platform
+                    default from the pieced-openclaw-config ConfigMap.
+                    Set by platform admins via the portal; customer-
+                    facing onboarding does not expose this field.
+                  properties:
+                    tag:
+                      type: string
+                      description: Image tag (e.g. "2026.4.22").
             status:
               type: object
               properties:

deploy/helm/pieced-operator/templates/openclaw-config-cm.yaml

@@ -0,0 +1,25 @@
+{{/*
+Platform-wide default OpenClaw image tag. Used by the operator when a
+PiecedTenant has no explicit `spec.openClawImage.tag` override.
+
+Tag-only by design — see internal/openclawconfig/loader.go for
+rationale (single image-selector field avoids SSA field-ownership
+ambiguity). For reproducibility-critical deployments, pin by using
+an immutable release tag.
+
+If `defaultTag` is empty (or this ConfigMap doesn't exist), the
+operator falls back to a hardcoded built-in version.
+
+Tenants without an `openClawImage` override automatically follow
+changes to this ConfigMap on the next reconcile — the operator
+watches it and re-enqueues affected tenants.
+*/}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pieced-openclaw-config
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: pieced-operator
+data:
+  defaultTag: {{ .Values.openClaw.defaultTag | quote }}

deploy/helm/pieced-operator/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: registry.c5ai.ch/pieced/pieced-operator
-  tag: "0.1.39"
+  tag: "0.1.42"
   pullPolicy: IfNotPresent
 
 imagePullSecrets:
@@ -56,3 +56,23 @@ serviceAccount:
 # Network policy — restrict operator egress to only what it needs
 networkPolicy:
   enabled: true
+
+# OpenClaw image default (Feature: per-tenant version overrides).
+#
+# Materialised as the `pieced-openclaw-config` ConfigMap, which the
+# operator reads on every reconcile. Per-tenant overrides set via the
+# portal (PiecedTenant.spec.openClawImage.tag) take precedence over
+# this default for the affected tenants.
+#
+# We support tag-only (not digest) by design — a single image-selector
+# field avoids SSA field-ownership ambiguity when switching values,
+# and the downstream OpenClaw operator handles a tag-only image spec
+# unambiguously. For reproducibility-critical deployments, pin by
+# using an immutable release tag.
+#
+# Empty defaultTag falls back to the operator's built-in version.
+# Admins can edit this value at runtime via the portal admin UI;
+# the resulting ConfigMap edits trigger reconciles for every tenant
+# that doesn't have its own override.
+openClaw:
+  defaultTag: "2026.4.22"