3 changes: 3 additions & 0 deletions api/v1/gateway_types.go
Expand Up @@ -323,6 +323,7 @@ type Otk struct {
MaintenanceTasks OtkMaintenanceTasks `json:"maintenanceTasks,omitempty"`
// RuntimeSyncIntervalSeconds how often OTK Gateways should be updated in internal/dmz mode
RuntimeSyncIntervalSeconds int `json:"runtimeSyncIntervalSeconds,omitempty"`
ExternalKeys []ExternalKey `json:"externalKeys,omitempty"`
}

// OtkMaintenanceTasks are included in the install bundle as disabled scheduled tasks
Expand Down Expand Up @@ -845,6 +846,8 @@ type ExternalKey struct {
// only one key usage type is allowed
// SSL | CA | AUDIT_SIGNING | AUDIT_VIEWER
KeyUsageType KeyUsageType `json:"keyUsageType,omitempty"`
// Identifies if the key usage was specific for OTK
Otk bool `json:"otk,omitempty"`
}

type KeyUsageType string
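Review bot: The new `ExternalKeys` field on `Otk` has no doc comment, unlike its neighbour `RuntimeSyncIntervalSeconds`, and because the CRD descriptions are generated from these comments the `externalKeys` property in the YAML elsewhere in this PR ships with `items:` but no `description:`. Suggest `// ExternalKeys are kubernetes.io/tls Secrets made available to OTK Gateways in DMZ/internal mode`, adjusted if the intent differs. The new `Otk bool` on `ExternalKey` gives a second way to mark a key as OTK-specific, so a comment on one of the two saying when to use each (or which wins) would help CRD users. Both `Otk` and `ExternalKey` start outside the visible hunks.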
5 changes: 5 additions & 0 deletions api/v1/zz_generated.deepcopy.go


28 changes: 28 additions & 0 deletions bundle/manifests/security.brcmlabs.com_gateways.yaml
Expand Up @@ -3791,6 +3791,34 @@ spec:
type: object
otk:
properties:
externalKeys:
items:
description: |-
ExternalKey is a reference to an existing TLS Secret in Kubernetes
The Laye
properties:
otk:
description: Identifies if the key usage was specific for OTK
type: boolean
alias:
description: |-
Alias overrides the key name that is stored in the Gateway
This is useful f
type: string
enabled:
description: Enabled or disabled
type: boolean
keyUsageType:
description: |-
KeyUsageType allows keys to be marked as special purpose
only one key usage
type: string
name:
description: Name of the kubernetes.io/tls Secret which
already exists in Kubernetes
type: string
type: object
type: array
database:
description: Database configuration
properties:
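Review bot: This copy of the CRD schema disagrees with `config/crd/bases/security.brcmlabs.com_gateways.yaml` in the same PR: here the new `otk` property appears only under `spec.app.otk.externalKeys` and is listed before `alias` (out of alphabetical order), while the base CRD also adds `otk` to the items of `spec.app.externalKeys` and keeps properties sorted, which suggests this file was edited by hand rather than regenerated. The same applies to `charts/layer7-operator/crds/gateway-crd.yaml` and `deploy/cw-bundle.yaml`. With a structural schema, a user who sets `otk: true` on `spec.app.externalKeys[]` against a cluster carrying the chart or bundle CRD would have the field pruned silently, so these three copies should be regenerated from the Go types so they match the base CRD.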
28 changes: 28 additions & 0 deletions charts/layer7-operator/crds/gateway-crd.yaml
Expand Up @@ -3790,6 +3790,34 @@ spec:
type: object
otk:
properties:
externalKeys:
items:
description: |-
ExternalKey is a reference to an existing TLS Secret in Kubernetes
The Laye
properties:
otk:
description: Identifies if the key usage was specific for OTK
type: boolean
alias:
description: |-
Alias overrides the key name that is stored in the Gateway
This is useful f
type: string
enabled:
description: Enabled or disabled
type: boolean
keyUsageType:
description: |-
KeyUsageType allows keys to be marked as special purpose
only one key usage
type: string
name:
description: Name of the kubernetes.io/tls Secret which
already exists in Kubernetes
type: string
type: object
type: array
database:
description: Database configuration
properties:
33 changes: 33 additions & 0 deletions config/crd/bases/security.brcmlabs.com_gateways.yaml
Expand Up @@ -1588,6 +1588,10 @@ spec:
description: Name of the kubernetes.io/tls Secret which
already exists in Kubernetes
type: string
otk:
description: Identifies if the key usage was specific for
OTK
type: boolean
type: object
type: array
externalSecrets:
Expand Down Expand Up @@ -4002,6 +4006,35 @@ spec:
enabled:
description: Enable or disable the OTK initContainer
type: boolean
externalKeys:
items:
description: |-
ExternalKey is a reference to an existing TLS Secret in Kubernetes
The Laye
properties:
alias:
description: |-
Alias overrides the key name that is stored in the Gateway
This is useful f
type: string
enabled:
description: Enabled or disabled
type: boolean
keyUsageType:
description: |-
KeyUsageType allows keys to be marked as special purpose
only one key usage
type: string
name:
description: Name of the kubernetes.io/tls Secret which
already exists in Kubernetes
type: string
otk:
description: Identifies if the key usage was specific
for OTK
type: boolean
type: object
type: array
initContainerImage:
description: InitContainerImage for the initContainer
type: string
28 changes: 28 additions & 0 deletions deploy/cw-bundle.yaml
Expand Up @@ -3798,6 +3798,34 @@ spec:
type: object
otk:
properties:
externalKeys:
items:
description: |-
ExternalKey is a reference to an existing TLS Secret in Kubernetes
The Laye
properties:
otk:
description: Identifies if the key usage was specific for OTK
type: boolean
alias:
description: |-
Alias overrides the key name that is stored in the Gateway
This is useful f
type: string
enabled:
description: Enabled or disabled
type: boolean
keyUsageType:
description: |-
KeyUsageType allows keys to be marked as special purpose
only one key usage
type: string
name:
description: Name of the kubernetes.io/tls Secret which
already exists in Kubernetes
type: string
type: object
type: array
database:
description: Database configuration
properties:
16 changes: 16 additions & 0 deletions example/base/kustomization.yaml
Expand Up @@ -68,3 +68,19 @@ secretGenerator:
# - ./resources/secrets/tls/tls.key
# type: "kubernetes.io/tls"

# Create a secret for the OTK Dual Gateway Private Keys
# Uncomment this section to create your own key & certificate for the DMZ Gateway
# - name: otkdmztls
# files:
# - ./resources/secrets/tls/dmztls.crt
# - ./resources/secrets/tls/dmztls.key
# type: "kubernetes.io/tls"

# Uncomment this section to create your own key & certificate for the Internal Gateway
# - name: otkinternaltls
# files:
# - ./resources/secrets/tls/internaltls.crt
# - ./resources/secrets/tls/internaltls.key
# type: "kubernetes.io/tls"


14 changes: 14 additions & 0 deletions example/gateway/otk/otk-dmz.yaml
Expand Up @@ -102,6 +102,20 @@ spec:
enabled: true
type: dynamic
encryption: {}
externalKeys:
- name: otkdmztls
alias: test
keyUsageType: SSL
enabled: true
externalCerts:
- name: otkinternaltls
enabled: true
trustAnchor: true
revocationCheckPolicyType: USE_DEFAULT
trustedFor:
- "SSL"
- "SIGNING_SERVER_CERTS"
# verifyHostname: true
bootstrap:
script:
enabled: true
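Review bot: `verifyHostname: true` is left commented out under the new `externalCerts` entry while the peer certificate is added with `trustAnchor: true` and trusted for `SSL` and `SIGNING_SERVER_CERTS`; if this example is meant to show mutual TLS between the DMZ and Internal gateways, it should either enable hostname verification or carry a comment saying why it is off. `alias: test` reads as a leftover placeholder in a sample users will copy. Neither this file nor `example/gateway/otk/otk-internal.yaml` sets the new per-key `otk` flag or the new `otk.externalKeys` list introduced by this PR, so the feature has no worked example (the rendered page does not show whether `externalKeys` here sits under `spec.app` or `spec.app.otk`). The `spec` block starts outside the hunk.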
14 changes: 14 additions & 0 deletions example/gateway/otk/otk-internal.yaml
Expand Up @@ -138,6 +138,20 @@ spec:
enabled: true
type: dynamic
encryption: {}
externalKeys:
- name: otkinternaltls
alias: test
keyUsageType: SSL
enabled: true
externalCerts:
- name: otkdmztls
enabled: true
trustAnchor: true
revocationCheckPolicyType: USE_DEFAULT
trustedFor:
- "SSL"
- "SIGNING_SERVER_CERTS"
# verifyHostname: true
bootstrap:
script:
enabled: true
94 changes: 67 additions & 27 deletions pkg/gateway/deployment.go
Expand Up @@ -43,6 +43,7 @@ func NewDeployment(gw *securityv1.Gateway, platform string) *appsv1.Deployment {
var image string = gw.Spec.App.Image
defaultMode := int32(0755)
optional := false
optionalTrue := true
ports := []corev1.ContainerPort{}

defaultUser := int64(1001)
Expand Down Expand Up @@ -895,41 +896,80 @@ func NewDeployment(gw *securityv1.Gateway, platform string) *appsv1.Deployment {
}
}

if otkInstallInitContainer {
initContainers = append(initContainers, corev1.Container{
Name: "otk-install-init",
Image: otkInitContainerImage,
ImagePullPolicy: otkInitContainerImagePullPolicy,
SecurityContext: &otkInitContainerSecurityContext,
VolumeMounts: otkInitContainerVolumeMounts,
EnvFrom: []corev1.EnvFromSource{
{
ConfigMapRef: &corev1.ConfigMapEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: gw.Name + "-otk-shared-init-config",
if gw.Spec.App.Otk.Type == securityv1.OtkTypeDMZ {
if otkInstallInitContainer {
initContainers = append(initContainers, corev1.Container{
Name: "otk-install-init",
Image: otkInitContainerImage,
ImagePullPolicy: otkInitContainerImagePullPolicy,
SecurityContext: &otkInitContainerSecurityContext,
VolumeMounts: otkInitContainerVolumeMounts,
EnvFrom: []corev1.EnvFromSource{
{
ConfigMapRef: &corev1.ConfigMapEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: gw.Name + "-otk-shared-init-config",
},
},
},
},
{
ConfigMapRef: &corev1.ConfigMapEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: gw.Name + "-otk-install-init-config",
{
ConfigMapRef: &corev1.ConfigMapEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: gw.Name + "-otk-install-init-config",
},
Optional: &optional,
},
},
{
SecretRef: &corev1.SecretEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: otkInitContainerSecret,
},
Optional: &optionalTrue,
},
Optional: &optional,
},
},
{
SecretRef: &corev1.SecretEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: otkInitContainerSecret,
TerminationMessagePath: corev1.TerminationMessagePathDefault,
TerminationMessagePolicy: corev1.TerminationMessageReadFile,
})
}
} else {
if otkInstallInitContainer {
initContainers = append(initContainers, corev1.Container{
Name: "otk-install-init",
Image: otkInitContainerImage,
ImagePullPolicy: otkInitContainerImagePullPolicy,
SecurityContext: &otkInitContainerSecurityContext,
VolumeMounts: otkInitContainerVolumeMounts,
EnvFrom: []corev1.EnvFromSource{
{
ConfigMapRef: &corev1.ConfigMapEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: gw.Name + "-otk-shared-init-config",
},
},
},
{
ConfigMapRef: &corev1.ConfigMapEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: gw.Name + "-otk-install-init-config",
},
Optional: &optional,
},
},
{
SecretRef: &corev1.SecretEnvSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: otkInitContainerSecret,
},
Optional: &optional,
},
Optional: &optional,
},
},
},
TerminationMessagePath: corev1.TerminationMessagePathDefault,
TerminationMessagePolicy: corev1.TerminationMessageReadFile,
})
TerminationMessagePath: corev1.TerminationMessagePathDefault,
TerminationMessagePolicy: corev1.TerminationMessageReadFile,
})
}
}

if otkDbInitContainer && gw.Spec.App.Otk.Database.Type != securityv1.OtkDatabaseTypeCassandra && (gw.Spec.App.Otk.Type == securityv1.OtkTypeInternal || gw.Spec.App.Otk.Type == securityv1.OtkTypeSingle) {
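Review bot: The two branches of the new `if gw.Spec.App.Otk.Type == securityv1.OtkTypeDMZ` block build identical `corev1.Container` literals except for the `Optional` pointer on the `SecretRef` (`&optionalTrue` versus `&optional`), so roughly thirty-five lines are duplicated and will drift the next time one branch is edited. Pick the pointer up front and keep a single `append`, as sketched below. Because a missing `otkInitContainerSecret` is now tolerated for DMZ gateways, a short comment stating why that secret is not required in DMZ mode would help the next reader (the hunk does not show what the secret holds). The `optional`/`optionalTrue` pair added in the first hunk is confusing because `optional` is the false value; `optionalFalse` would read better. `NewDeployment` starts and ends outside the hunk.
```go
	// NOTE(review): DMZ gateways tolerate a missing install-init secret — confirm why before relying on it.
	otkInitSecretOptional := &optional
	if gw.Spec.App.Otk.Type == securityv1.OtkTypeDMZ {
		otkInitSecretOptional = &optionalTrue
	}
	if otkInstallInitContainer {
		initContainers = append(initContainers, corev1.Container{
			// … unchanged: Name, Image, ImagePullPolicy, SecurityContext, VolumeMounts …
			EnvFrom: []corev1.EnvFromSource{
				// … unchanged: the two ConfigMapRef sources …
				{
					SecretRef: &corev1.SecretEnvSource{
						LocalObjectReference: corev1.LocalObjectReference{
							Name: otkInitContainerSecret,
						},
						Optional: otkInitSecretOptional,
					},
				},
			},
			// … unchanged: TerminationMessagePath, TerminationMessagePolicy …
		})
	}
```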
10 changes: 0 additions & 10 deletions pkg/gateway/reconcile/cron.go
Expand Up @@ -72,16 +72,6 @@ func registerJobs(ctx context.Context, params Params) {
if err != nil {
params.Log.V(2).Info("otk policy sync job already registered", "name", params.Instance.Name, "namespace", params.Instance.Namespace)
}
if params.Instance.Spec.App.Otk.Type == securityv1.OtkTypeDMZ || params.Instance.Spec.App.Otk.Type == securityv1.OtkTypeInternal {
_, err = s.Every(otkSyncInterval).Seconds().Tag(params.Instance.Name+"-"+params.Instance.Namespace+"-sync-otk-certificates").Do(syncOtkCertificates, ctx, params)
if err != nil {
params.Log.V(2).Info("otk certificate sync job already registered", "name", params.Instance.Name, "namespace", params.Instance.Namespace)
}
_, err = s.Every(otkSyncInterval).Seconds().Tag(params.Instance.Name+"-"+params.Instance.Namespace+"-sync-otk-certificate-secret").Do(manageCertificateSecrets, ctx, params)
if err != nil {
params.Log.V(2).Info("otk certificate secret sync job already registered", "name", params.Instance.Name, "namespace", params.Instance.Namespace)
}
}
}
}

2 changes: 1 addition & 1 deletion pkg/gateway/reconcile/deployment.go
Expand Up @@ -141,7 +141,7 @@ func setLabels(ctx context.Context, params Params, dep *appsv1.Deployment) (*app

if params.Instance.Spec.App.Otk.Enabled && !params.Instance.Spec.App.Management.Database.Enabled {
configMaps = append(configMaps, params.Instance.Name+"-otk-shared-init-config", params.Instance.Name+"-otk-install-init-config")
if params.Instance.Spec.App.Otk.Database.Type != securityv1.OtkDatabaseTypeCassandra {
if params.Instance.Spec.App.Otk.Database.Type != securityv1.OtkDatabaseTypeCassandra && params.Instance.Spec.App.Otk.Type != securityv1.OtkTypeDMZ {
configMaps = append(configMaps, params.Instance.Name+"-otk-db-init-config")
}
}
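Review bot: The added `&& params.Instance.Spec.App.Otk.Type != securityv1.OtkTypeDMZ` expresses "needs the db-init config" differently from `pkg/gateway/deployment.go` in this PR, which gates the db init container on `Type == securityv1.OtkTypeInternal || Type == securityv1.OtkTypeSingle`; the two predicates agree only as long as those are the only other OTK types, and will silently diverge if one is added. Suggest a single shared predicate used from both sites, e.g. `needsOtkDbInit := otk.Database.Type != securityv1.OtkDatabaseTypeCassandra && (otk.Type == securityv1.OtkTypeInternal || otk.Type == securityv1.OtkTypeSingle)`. `setLabels` starts and ends outside the hunk.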
1 change: 1 addition & 0 deletions pkg/gateway/reconcile/externalkeys.go
Expand Up @@ -33,6 +33,7 @@ import (
func ExternalKeys(ctx context.Context, params Params) error {
gateway := params.Instance
if len(gateway.Spec.App.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {
//if (len(gateway.Spec.App.ExternalKeys) == 0 || len(gateway.Spec.App.Otk.ExternalKeys) == 0) && len(gateway.Status.LastAppliedExternalKeys) == 0 {
return nil
}

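Review bot: The added line is commented-out code, and it reads as the condition this PR meant to ship: the live guard only inspects `gateway.Spec.App.ExternalKeys`, so keys listed in the new `Otk.ExternalKeys` field appear not to reach `ExternalKeys` at all when the app-level list is empty (inferred from the visible early return; the rest of the function is outside the hunk). If both lists are meant to be honored, the combined guard should use `&&` rather than the `||` in the comment, since `||` would return early whenever either list is empty: `if len(gateway.Spec.App.ExternalKeys) == 0 && len(gateway.Spec.App.Otk.ExternalKeys) == 0 && len(gateway.Status.LastAppliedExternalKeys) == 0 {`. Either implement that or drop the comment instead of leaving dead code in the guard.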