Skip to content

F159693: Layer7 Operator support for OTK Dual GW Ephemeral #92

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ab-sub wants to merge 5 commits into
base: main
Choose a base branch
from
Open

F159693: Layer7 Operator support for OTK Dual GW Ephemeral #92

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1be9213
adding changes to support dual gateway requirements in otk
ab-sub Dec 22, 2025
a53e107
reverting unintenteded changes
ab-sub Dec 22, 2025
6ef94c1
segregating certificate & key sync operations
ab-sub Dec 23, 2025
089de63
adding readme with in depth details
ab-sub Dec 23, 2025
1846943
some additional changes wrt customization repos
ab-sub Dec 23, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions api/v1/gateway_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -360,17 +360,32 @@ type Otk struct {
// This configures a relationship between DMZ and Internal Gateways.
InternalOtkGatewayReference string `json:"internalGatewayReference,omitempty"`
// InternalGatewayPort defaults to 9443 or graphmanDynamicSync port
// This port is used when the Internal gateway is external (not managed by operator)
InternalGatewayPort int `json:"internalGatewayPort,omitempty"`
// OTKPort is used in Single mode - sets the otk.port cluster-wide property and in Dual-Mode
// sets host_oauth2_auth_server port in #OTK Client Context Variables
// TODO: Make this an array for many dmz deployments to one internal
DmzOtkGatewayReference string `json:"dmzGatewayReference,omitempty"`
// DmzGatewayPort defaults to 9443 or graphmanDynamicSync port
// This port is used when the DMZ gateway is external (not managed by operator)
DmzGatewayPort int `json:"dmzGatewayPort,omitempty"`
// OTKPort defaults to 8443
OTKPort int `json:"port,omitempty"`
// MaintenanceTasks for the OTK database are disabled by default
MaintenanceTasks OtkMaintenanceTasks `json:"maintenanceTasks,omitempty"`
// RuntimeSyncIntervalSeconds how often OTK Gateways should be updated in internal/dmz mode
RuntimeSyncIntervalSeconds int `json:"runtimeSyncIntervalSeconds,omitempty"`
// SyncIntervalSeconds determines how often DMZ and Internal gateways should update certificates
// Defaults to RuntimeSyncIntervalSeconds if not specified, or 10 seconds if neither is set
SyncIntervalSeconds int `json:"syncIntervalSeconds,omitempty"`
// DmzKeySecret is a reference to a kubernetes.io/tls Secret containing the DMZ private key and certificate
DmzKeySecret string `json:"dmzKeySecret,omitempty"`
// InternalKeySecret is a reference to a kubernetes.io/tls Secret containing the Internal private key and certificate
InternalKeySecret string `json:"internalKeySecret,omitempty"`
// DmzAuthSecret is a reference to a Secret containing username and password for DMZ authentication
DmzAuthSecret string `json:"dmzAuthSecret,omitempty"`
// InternalAuthSecret is a reference to a Secret containing username and password for Internal authentication
InternalAuthSecret string `json:"internalAuthSecret,omitempty"`
}

// OtkMaintenanceTasks are included in the install bundle as disabled scheduled tasks
Expand Down Expand Up @@ -893,6 +908,8 @@ type ExternalKey struct {
// only one key usage type is allowed
// SSL | CA | AUDIT_SIGNING | AUDIT_VIEWER
KeyUsageType KeyUsageType `json:"keyUsageType,omitempty"`
// Otk indicates that this key usage was specific for OTK
Otk bool `json:"otk,omitempty"`
}

type KeyUsageType string
Expand Down
32 changes: 30 additions & 2 deletions config/crd/bases/security.brcmlabs.com_gateways.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1589,6 +1589,10 @@ spec:
description: Name of the kubernetes.io/tls Secret which
already exists in Kubernetes
type: string
otk:
description: Otk indicates that this key usage was specific
for OTK
type: boolean
type: object
type: array
externalSecrets:
Expand Down Expand Up @@ -4003,9 +4007,21 @@ spec:
description: Type of OTK Database
type: string
type: object
dmzAuthSecret:
description: DmzAuthSecret is a reference to a Secret containing
username and password...
type: string
dmzGatewayPort:
description: |-
DmzGatewayPort defaults to 9443 or graphmanDynamicSync port
This port is...
type: integer
dmzGatewayReference:
description: OTKPort is used in Single mode - sets the otk.
type: string
dmzKeySecret:
description: DmzKeySecret is a reference to a kubernetes.
type: string
enabled:
description: Enable or disable the OTK initContainer
type: boolean
Expand Down Expand Up @@ -4142,14 +4158,22 @@ spec:
type: string
type: object
type: object
internalAuthSecret:
description: InternalAuthSecret is a reference to a Secret
containing username and...
type: string
internalGatewayPort:
description: InternalGatewayPort defaults to 9443 or graphmanDynamicSync
port
description: |-
InternalGatewayPort defaults to 9443 or graphmanDynamicSync port
This port...
type: integer
internalGatewayReference:
description: InternalOtkGatewayReference to an Operator managed
Gateway deployment that...
type: string
internalKeySecret:
description: InternalKeySecret is a reference to a kubernetes.
type: string
maintenanceTasks:
description: MaintenanceTasks for the OTK database are disabled
by default
Expand Down Expand Up @@ -4202,6 +4226,10 @@ spec:
items:
type: string
type: array
syncIntervalSeconds:
description: SyncIntervalSeconds determines how often DMZ
and Internal gateways should...
type: integer
type:
description: Type of OTK installation single, internal or
dmz
Expand Down
Loading
Loading