From b44a54eb6f23ef1ca694fe5de67d0cefc133fa98 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Fri, 8 Sep 2023 15:13:58 -0400
Subject: [PATCH 1/2] Relax pod admission controls when using a local catalog index See https://docs.openshift.com/container-platform/4.13/operators/admin/olm-managing-custom-catalogs.html#olm-catalog-sources-and-psa_olm-managing-custom-catalogs
---
 build/stf-run-ci/tasks/create_catalog.yml | 2 ++
 build/stf-run-ci/tasks/main.yml | 14 ++++++++++++++
 2 files changed, 16 insertions(+)
diff --git a/build/stf-run-ci/tasks/create_catalog.yml b/build/stf-run-ci/tasks/create_catalog.yml
index 3ad667c4e..9cba5505d 100644
--- a/build/stf-run-ci/tasks/create_catalog.yml
+++ b/build/stf-run-ci/tasks/create_catalog.yml
@@ -140,6 +140,8 @@
 image: "{{ stf_index_image_path }}"
 publisher: CloudOps
 sourceType: grpc
+ grpcPodConfig:
+ securityContextConfig: legacy
 updateStrategy:
 registryPoll:
 interval: 1m
diff --git a/build/stf-run-ci/tasks/main.yml b/build/stf-run-ci/tasks/main.yml
index f62739541..090f01759 100644
--- a/build/stf-run-ci/tasks/main.yml
+++ b/build/stf-run-ci/tasks/main.yml
@@ -107,6 +107,20 @@
 tags:
 - deploy

+- when: __deploy_from_index_enabled | bool or __deploy_from_bundles_enabled | bool
+ name: Relax the pod security admission controls to allow local catalog index registry pods
+ k8s:
+ definition:
+ apiVersion: v1
+ kind: Namespace
+ metadata:
+ name: "{{ namespace }}"
+ labels:
+ security.openshift.io/scc.podSecurityLabelSync: "false"
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/warn: restricted
+
 - when: __deploy_from_index_enabled | bool
 tags:
 - create_bundles
From 1e76691c82093cb3d54530447c037328eaf45e97 Mon Sep 17 00:00:00 2001
From: Chris Sibbitt
Date: Tue, 19 Sep 2023 10:06:06 -0400
Subject: [PATCH 2/2] Fix FQCN lint
---
 build/stf-run-ci/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
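Review bot: `securityContextConfig: legacy` is added to the CatalogSource in create_catalog.yml without a comment saying why the catalog pod cannot run under the restricted profile or when the setting can be dropped, so the relaxation is likely to outlive its reason. A comment above `grpcPodConfig:` such as `# legacy: the locally built index image does not yet run under the restricted pod security profile; revisit when it does` would record that. The CatalogSource definition starts and ends outside the hunk, so whether every cluster version this role targets accepts the field cannot be checked from here.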
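Review bot: The labels in the new main.yml task are set on the whole `{{ namespace }}`, so `pod-security.kubernetes.io/enforce: baseline` and the disabled `podSecurityLabelSync` apply to every pod deployed there, not only to the catalog index registry pods the task name mentions, and nothing in the hunk restores them afterwards. Keeping `audit` and `warn` at `restricted` does leave violations visible, which is worth stating in a comment, e.g. `# enforce is relaxed namespace-wide; audit/warn stay at restricted so non-compliant pods are still reported`. The new task also carries no `tags:` while the neighbouring tasks in the context lines do, so a tag-limited run may skip it before the catalog is created; if that is not intended, give it the tags used by the tasks that create the catalog.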
diff --git a/build/stf-run-ci/tasks/main.yml b/build/stf-run-ci/tasks/main.yml
index db1f9f7a4..44157f075 100644
--- a/build/stf-run-ci/tasks/main.yml
+++ b/build/stf-run-ci/tasks/main.yml
@@ -126,7 +126,7 @@

 - when: __deploy_from_index_enabled | bool or __deploy_from_bundles_enabled | bool
 name: Relax the pod security admission controls to allow local catalog index registry pods
- k8s:
+ kubernetes.core.k8s:
 definition:
 apiVersion: v1
 kind: Namespace