add helm value for seccomp profile image

charts/radix-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: radix-operator
-version: 1.37.0
+version: 1.37.1
 appVersion: 1.57.0
 kubeVersion: ">=1.24.0"
 description: Radix Operator

charts/radix-operator/templates/seccomp-profile-cm.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ .Values.seccompProfile.configMapName }}
+  name: {{ .Values.seccompProfile.installer.configMapName }}
   namespace: kube-system
   annotations:
     description: "configmap with seccomp profile suitable for running buildah. It's a copy of the moby container runtime's default seccomp profile, but with the addition of two syscalls: clone3 and unshare. https://github.com/moby/moby/blob/b335e3d305be86bd28089a057d8be6a346445549/profiles/seccomp/default.json"

charts/radix-operator/templates/seccomp-profile-daemonset.yaml

@@ -1,16 +1,16 @@
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  name: {{ .Values.seccompProfile.daemonSetName }}
+  name: {{ .Values.seccompProfile.installer.daemonSetName }}
   namespace: kube-system
 spec:
   selector:
     matchLabels:
-      app: {{ .Values.seccompProfile.daemonSetName }}
+      app: {{ .Values.seccompProfile.installer.daemonSetName }}
   template:
     metadata:
       labels:
-        app: {{ .Values.seccompProfile.daemonSetName }}
+        app: {{ .Values.seccompProfile.installer.daemonSetName }}
     spec:
       affinity:
         nodeAffinity:
@@ -22,7 +22,7 @@ spec:
                 values: ["system"]
       containers:
         - name: file-copy-container
-          image: alpine
+          image: {{ .Values.seccompProfile.installer.image }}
           command: ["sh", "-c"]
           args: ["while true; do if ! diff -q /configmap-data/{{ .Values.seccompProfile.fileNameOnNode }} /hostpath/{{ .Values.seccompProfile.fileNameOnNode }} > /dev/null 2>&1; then echo \"$(date ''+%H:%M'') - Changes\" && cp /configmap-data/{{ .Values.seccompProfile.fileNameOnNode }} /hostpath/; else echo \"$(date ''+%H:%M'') - No changes\"; fi; sleep 60; done"]
           volumeMounts:
@@ -31,16 +31,16 @@ spec:
             - name: configmap-volume
               mountPath: /configmap-data
               readOnly: true
-          {{- if .Values.seccompProfile.resources }}
+          {{- if .Values.seccompProfile.installer.resources }}
           resources:
-            {{- toYaml .Values.seccompProfile.resources | nindent 12 }}
+            {{- toYaml .Values.seccompProfile.installer.resources | nindent 12 }}
           {{- end}}
       volumes:
         - name: hostpath-volume
           hostPath:
             path: /var/lib/kubelet/seccomp
         - name: configmap-volume
           configMap:
-            name: {{ .Values.seccompProfile.configMapName }}
+            name: {{ .Values.seccompProfile.installer.configMapName }}
       tolerations:
         - operator: Exists

charts/radix-operator/values.yaml

@@ -167,16 +167,18 @@ oauthProxyDefaultIssuerUrl: https://login.microsoftonline.com/3aa4a235-b6e2-48d5
 oauthProxyImage: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
 
 seccompProfile:
-  configMapName: "seccomp-allow-buildah"
-  daemonSetName: copy-seccomp-profile
   fileNameOnNode: allow-buildah.json
-  resources:
-    limits:
-      cpu: 10m
-      memory: 10Mi
-    requests:
-      cpu: 10m
-      memory: 10Mi
+  installer:
+    image: docker.io/alpine:3.20
+    configMapName: "seccomp-allow-buildah"
+    daemonSetName: copy-seccomp-profile
+    resources:
+      limits:
+        cpu: 10m
+        memory: 10Mi
+      requests:
+        cpu: 10m
+        memory: 10Mi
 
 # Ref https://kubernetes.io/docs/concepts/security/pod-security-standards/ for docs and valid values for level and version
 podSecurityStandard: