feat: add OpenShift overlay with AuthBridge configs, SCC, and Istio shared trust#387
Open
Ygnas wants to merge 2 commits into
…hared trust

Add a kustomize overlay (config/openshift) that composes the base operator deployment with OpenShift-specific resources:

AuthBridge sidecar configuration:
- authbridge-runtime-config ConfigMap (JWT validation, token exchange)
- envoy-config ConfigMap (inbound/outbound listeners with ext_proc)
- spiffe-helper-config ConfigMap (SVID and JWT SVID file output)

Security:
- kagenti-authbridge SCC allowing CSI volumes (csi.spiffe.io)
- ClusterRole and ClusterRoleBinding for SCC delegation
- Runtime SCC RoleBinding creation per agent namespace

Istio shared trust (cert-manager):
- Self-signed root CA ClusterIssuer and Certificate
- Intermediate CA Certificates for istio-system and openshift-ingress

Operator wiring:
- Makefile targets: deploy-openshift, undeploy-openshift, manifests-openshift
- POD_NAMESPACE env injection via manager webhook patch
- Dynamic ClusterDefaultsNamespace resolved from operator pod namespace

Signed-off-by: Ignas Baranauskas <ibaranau@redhat.com>
ChristianZaccaria (Contributor) suggested changes, May 29, 2026:
Overall looks good, great work!!
- Move SetClusterDefaultsNamespace before buildConfigMapCacheNamespaces so the manager cache watches the correct operator namespace instead of the hardcoded default
- Add strategic merge patches for OpenShift overlay to replace local-dev keycloak.localtest.me URLs with in-cluster keycloak-service.keycloak.svc endpoints
- Patch authbridge-runtime-config issuer, keycloak_url, and keycloak_realm for both inbound and outbound pipelines
- Patch spiffe-helper-config jwt_audience to use in-cluster URL

Signed-off-by: Ignas Baranauskas <ibaranau@redhat.com>
Summary
Add a kustomize overlay (config/openshift) that composes the base operator deployment with OpenShift-specific resources:
AuthBridge sidecar configuration:
Security:
Istio shared trust (cert-manager):
Operator wiring:
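The operator-wiring item (POD_NAMESPACE injection, dynamic ClusterDefaultsNamespace) and the review's first point (call SetClusterDefaultsNamespace before buildConfigMapCacheNamespaces) as an added Go example; this is not the operator's own code. Only the two function names come from the page: the clusterDefaults struct, CacheNamespaces, ResolveOperatorNamespace and the placeholder default namespace are assumptions, and the example shows which namespaces the manager cache ends up watching under each call order.

```go
package main

import "sort"

// Assumed placeholder for the hard-coded fallback the review refers to.
const hardcodedDefault = "placeholder-default-ns"

// ResolveOperatorNamespace reads POD_NAMESPACE (injected by the manager patch via
// the Downward API) and falls back to the hard-coded default when it is unset.
func ResolveOperatorNamespace(getenv func(string) string) string {
	if ns := getenv("POD_NAMESPACE"); ns != "" {
		return ns
	}
	return hardcodedDefault
}

// clusterDefaults holds the namespace the operator reads its cluster-wide
// ConfigMaps from; it starts as the hard-coded default until resolved.
type clusterDefaults struct{ namespace string }

func (d *clusterDefaults) SetClusterDefaultsNamespace(ns string) { d.namespace = ns }

// BuildConfigMapCacheNamespaces returns the sorted, de-duplicated set of
// namespaces the manager cache must watch: cluster defaults plus agent namespaces.
func BuildConfigMapCacheNamespaces(d *clusterDefaults, agents []string) []string {
	seen := map[string]bool{d.namespace: true}
	for _, ns := range agents {
		seen[ns] = true
	}
	var out []string
	for ns := range seen {
		out = append(out, ns)
	}
	sort.Strings(out)
	return out
}

// CacheNamespaces shows why the call order matters: with setFirst=false the watch
// set is built before the namespace is known and silently keeps the fallback.
func CacheNamespaces(setFirst bool, operatorNS string, agents []string) []string {
	d := &clusterDefaults{namespace: hardcodedDefault}
	if setFirst {
		d.SetClusterDefaultsNamespace(operatorNS)
		return BuildConfigMapCacheNamespaces(d, agents)
	}
	nss := BuildConfigMapCacheNamespaces(d, agents)
	d.SetClusterDefaultsNamespace(operatorNS) // too late: the watch set is already built
	return nss
}
```

With the wrong order the operator's own namespace never enters the watch set, so ConfigMaps there are simply never observed by the cache.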