feat: add crossplane-system

[tim-stasse]

No description provided.

[strangiato]

What are your thoughts on moving this into an operator folder to follow the same pattern as the rest of our examples?

Obviously, this isn't installing from OperatorHub but I could see that being something we may have available in a future date and we could swap to that without needing to change the folder structure too much.

Also, can you add a readme for this?

[tim-stasse]

I considered adding it to an operator folder, but didn't simply because crossplane doesn't use an operator, it's a helm chart. Happy to follow the convention here if there's strong opinions about it (I don't have one).

[gferreir]

#A few technical observations to complement @strangiato's review:

Bug — Paths in README don't match the actual directory structure

The README was written with operator/overlays/stable paths, but the PR doesn't create an operator/ subdirectory. Every usage example points to a path that doesn't exist:

• operator/overlays/stable → should be overlays/stable
• oc apply -k crossplane-system/operator/overlays/<channel> → oc apply -k crossplane-system/overlays/<channel>
• Same for the remote URL and kustomization resource examples

This may be related to the still-open discussion with @strangiato about the operator/ folder — if the plan is to add that subfolder, the README would be correct, but the directories need to be created first. Otherwise, the README needs to be updated to match the current structure.

Helm chart version not pinned

overlays/stable/kustomization.yaml installs Crossplane without a fixed version:

helmCharts:
- name: crossplane
  repo: https://charts.crossplane.io/stable
  # missing: version: "x.y.z"

Without a pinned version, each kustomize build may pull a different chart version — this breaks the reproducibility guarantee that GitOps depends on.

--enable-helm not documented

helmCharts: in Kustomize requires kustomize build --enable-helm. The built-in oc apply -k does not support this flag, so users following the README commands verbatim will hit an unexplained error. Worth adding a note about this requirement, and how to handle it in ArgoCD (kustomize.buildOptions: --enable-helm in argocd-cm).

Minor: the RoleBinding in base/role-binding.yaml has no namespace: in its metadata. The stable overlay doesn't set a global namespace either, so the binding's namespace depends on the kubectl/oc context at apply time — could be made explicit with namespace: crossplane-system.

The SCC choice (nonroot-v2) and the cluster-monitoring label on the namespace look correct.

Happy to help test once the path issues are resolved.