From 60020453bb104acd6cf3d6bbbf29657247795fdc Mon Sep 17 00:00:00 2001
From: Justin Kulikauskas <jkulikau@redhat.com>
Date: Tue, 10 Dec 2024 16:47:47 -0500
Subject: [PATCH] Configure Compliance Operator for ROSA HCP

As mentioned in the Compliance Operator documentation, when installed on
ROSA hosted control planes, a special node selector must be configured
for the operator to run. This update uses conditionals to only make this
configuration only on those clusters.

Refs:
 - https://issues.redhat.com/browse/ACM-14161

Signed-off-by: Justin Kulikauskas <jkulikau@redhat.com>
(cherry picked from commit b57156c0da872300e4e0680fd103f11130ced13c)
---
 .../policy-compliance-operator-install.yaml                 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml b/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
index 4f61312f..72a11716 100644
--- a/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
+++ b/stable/CA-Security-Assessment-and-Authorization/policy-compliance-operator-install.yaml
@@ -51,3 +51,9 @@ spec:
             namespace: openshift-compliance
             source: redhat-operators
             sourceNamespace: openshift-marketplace
+            # Conditionally configure a nodeSelector for installing on ROSA hosted control planes
+            config: '{{ if and (eq "ROSA" (fromClusterClaim
+              "product.open-cluster-management.io")) (eq "true"
+              (fromClusterClaim "hostedcluster.hypershift.openshift.io"))
+              }}{"nodeSelector":{"node-role.kubernetes.io/worker":""} }{{ else
+              }}{{ "{}" | toLiteral }}{{ end }}'