(manifests): populate pod security configs dynamically

This PR:
* introduces a chart value that decides if the --set-workload-user-id flag to true
or false for the catalog-operator container
* introduces chart values to fill in the psa enforce level/version for the namespaces
Closes #2827

Signed-off-by: Anik Bhattacharjee <[email protected]>

Author: anik120

deploy/chart/templates/0000_50_olm_00-namespace.yaml

@@ -3,14 +3,18 @@ kind: Namespace
 metadata:
   name: {{ .Values.namespace }}
   labels: 
-    pod-security.kubernetes.io/enforce: restricted
-    pod-security.kubernetes.io/enforce-version: latest
+    {{- if .Values.namespace_psa }}
+    pod-security.kubernetes.io/enforce: {{ .Values.namespace_psa.enforceLevel }}
+    pod-security.kubernetes.io/enforce-version: {{ .Values.namespace_psa.enforceVersion }}
+    {{- end }}
 
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: {{ .Values.operator_namespace }}
   labels:
-    pod-security.kubernetes.io/enforce: baseline
-    pod-security.kubernetes.io/enforce-version: latest
+    {{- if .Values.operator_namespace_psa }}
+    pod-security.kubernetes.io/enforce: {{ .Values.namespace_psa.enforceLevel }}
+    pod-security.kubernetes.io/enforce-version: {{ .Values.namespace_psa.enforceVersion }}
+    {{- end }}

deploy/chart/templates/0000_50_olm_08-catalog-operator.deployment.yaml

@@ -84,8 +84,11 @@ spec:
           - --client-ca
           - /profile-collector-cert/tls.crt
           {{- end }}
-          - --set-workload-user-id
-          - "true"
+          {{- if eq .Values.catalog.setWorkloadUserID true }}
+          - --set-workload-user-id=true
+          {{- else }}
+          - --set-workload-user-id=false
+          {{ end }}
           image: {{ .Values.catalog.image.ref }}
           imagePullPolicy: {{ .Values.catalog.image.pullPolicy }}
           ports:

deploy/chart/values.yaml

@@ -1,7 +1,15 @@
 rbacApiVersion: rbac.authorization.k8s.io
 namespace: operator-lifecycle-manager
+# see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
+namespace_psa: 
+  enforceLevel: restricted
+  enforceVersion: '"v1.24"'
 catalog_namespace: operator-lifecycle-manager
 operator_namespace: operators
+# see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
+operator_namespace_psa: 
+  enforceLevel: baseline
+  enforceVersion: '"v1.24"'
 minKubeVersion: 1.11.0
 writeStatusName: '""'
 imagestream: false
@@ -25,6 +33,7 @@ olm:
      memory: 160Mi
 
 catalog:
+  setWorkloadUserID: true
   replicaCount: 1
   commandArgs: --configmapServerImage=quay.io/operator-framework/configmap-operator-registry:latest
   image:

deploy/upstream/values.yaml

@@ -1,8 +1,16 @@
 installType: upstream
 rbacApiVersion: rbac.authorization.k8s.io
 namespace: olm
+# see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
+namespace_psa: 
+  enforceLevel: restricted
+  enforceVersion: '"v1.24"'
 catalog_namespace: olm
 operator_namespace: operators
+# see https://kubernetes.io/docs/concepts/security/pod-security-admission/ for more details
+operator_namespace_psa: 
+  enforceLevel: baseline
+  enforceVersion: '"v1.24"'
 imagestream: false
 writeStatusName: '""'
 writePackageServerStatusName: ""
@@ -14,6 +22,7 @@ olm:
   service:
     internalPort: 8080
 catalog:
+  setWorkloadUserID: true
   replicaCount: 1
   image:
     ref: quay.io/operator-framework/olm@sha256:e74b2ac57963c7f3ba19122a8c31c9f2a0deb3c0c5cac9e5323ccffd0ca198ed