make it openshift compatible

.github/workflows/build-test.yaml

@@ -26,7 +26,7 @@ jobs:
           filters: |
             codechange:
               - ".github/workflows/build-test.yaml"
-              - "Dockerfile"
+              - "Dockerfile.openshift"
               - "go.mod"
               - "go.sum"
               - "cmd/**"
@@ -66,7 +66,8 @@ jobs:
       - uses: "authzed/actions/docker-build@main"
         with:
           push: false
-          tags: "authzed/spicedb-operator:ci"
+          file: Dockerfile.openshift
+          tags: "spicedb-operator:ci"
           buildx: false
           qemu: false
 

Dockerfile.openshift

@@ -0,0 +1,21 @@
+FROM registry.access.redhat.com/ubi8/ubi-minimal:8.9-1161 AS builder
+ARG TARGETARCH
+USER root
+RUN microdnf install -y tar gzip make which
+# install platform specific go version
+RUN curl -O -J  https://dl.google.com/go/go1.22.0.linux-${TARGETARCH}.tar.gz
+RUN tar -C /usr/local -xzf go1.22.0.linux-${TARGETARCH}.tar.gz
+RUN ln -s /usr/local/go/bin/go /usr/local/bin/go
+
+WORKDIR /go/src/app
+ENV CGO_ENABLED=0
+
+COPY go.mod go.sum ./
+COPY . .
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod go build ./cmd/...
+
+FROM cgr.dev/chainguard/static:latest
+
+COPY --from=builder /go/src/app/validated-update-graph.yaml /opt/operator/config.yaml
+COPY --from=builder /go/src/app/spicedb-operator /usr/local/bin/spicedb-operator
+ENTRYPOINT ["spicedb-operator"]

build_deploy.sh

@@ -0,0 +1,22 @@
+set -exv
+
+IMAGE="quay.io/cloudservices/spicedb-operator"
+IMAGE_TAG=$(git rev-parse --short=7 HEAD)
+GIT_COMMIT=$(git rev-parse --short HEAD)
+
+if [[ -z "$QUAY_USER" || -z "$QUAY_TOKEN" ]]; then
+    echo "QUAY_USER and QUAY_TOKEN must be set"
+    exit 1
+fi
+
+if [[ -z "$RH_REGISTRY_USER" || -z "$RH_REGISTRY_TOKEN" ]]; then
+    echo "RH_REGISTRY_USER and RH_REGISTRY_TOKEN  must be set"
+    exit 1
+fi
+
+DOCKER_CONF="$PWD/.docker"
+mkdir -p "$DOCKER_CONF"
+docker --config="$DOCKER_CONF" login -u="$QUAY_USER" -p="$QUAY_TOKEN" quay.io
+docker --config="$DOCKER_CONF" login -u="$RH_REGISTRY_USER" -p="$RH_REGISTRY_TOKEN" registry.redhat.io
+docker --config="$DOCKER_CONF" build --build-arg GIT_COMMIT=$GIT_COMMIT --no-cache -t "${IMAGE}:${IMAGE_TAG}" .
+docker --config="$DOCKER_CONF" push "${IMAGE}:${IMAGE_TAG}"

config/operator_openshift.yaml

@@ -0,0 +1,106 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: spicedb-operator
+  name: spicedb-operator
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: spicedb-operator
+    app.kubernetes.io/instance: spicedb-operator
+  name: spicedb-operator
+  namespace: spicedb-operator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: spicedb-operator
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        app: spicedb-operator
+        app.kubernetes.io/instance: spicedb-operator
+    spec:
+      containers:
+        - args:
+          - run
+          - -v=4
+          - --crd=false
+          - --config
+          - /opt/operator/config.yaml
+          image: ghcr.io/authzed/spicedb-operator:latest
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 15
+          name: spicedb-operator
+          ports:
+            - containerPort: 8080
+              name: prometheus
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: 8080
+              scheme: HTTP
+            periodSeconds: 1
+            successThreshold: 1
+            timeoutSeconds: 15
+          resources:
+            limits:
+              cpu: "250m"
+              memory: "128Mi"
+            requests:
+              cpu: "20m"
+              memory: "32Mi"
+          securityContext:
+            runAsUser: 1001330000
+            runAsGroup: 1001330000
+            runAsNonRoot: true
+            readOnlyRootFilesystem: true
+            seccompProfile:
+              type: RuntimeDefault
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+          terminationMessagePolicy: FallbackToLogsOnError
+      securityContext:
+        runAsUser: 1001330000
+        runAsGroup: 1001330000
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: spicedb-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: spicedb-operator
+  namespace: spicedb-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: spicedb-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: spicedb-operator
+subjects:
+  - kind: ServiceAccount
+    name: spicedb-operator
+    namespace: spicedb-operator