From 0291194315e0c1dd50cc7c3684492ccda6e60ed3 Mon Sep 17 00:00:00 2001
From: Bryce Palmer
Date: Tue, 16 Jun 2026 15:34:06 -0400
Subject: [PATCH 1/3] poc: deploying upstream component
Signed-off-by: Bryce Palmer
---
 .../workload/sync_openshift_oauth_apiserver.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/pkg/operator/workload/sync_openshift_oauth_apiserver.go b/pkg/operator/workload/sync_openshift_oauth_apiserver.go
index ad22d5eca..212fbbc58 100644
--- a/pkg/operator/workload/sync_openshift_oauth_apiserver.go
+++ b/pkg/operator/workload/sync_openshift_oauth_apiserver.go
@@ -4,6 +4,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "os"
 "regexp"
 "strconv"
 "strings"
@@ -240,9 +241,17 @@ func (c *OAuthAPIServerWorkload) syncStandardDeployment(ctx context.Context, ope
 // log level verbosity is taken from the spec always
 args["v"] = []string{loglevelToKlog(operatorSpec.LogLevel)}
+ imageToUse := c.targetImagePullSpec
+ if upstreamImage := os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"); upstreamImage != "" {
+ imageToUse = upstreamImage
+
+ // configure the API endpoint on the upstream component
+ args["authenticate-path"] = []string{"/apis/oauth.openshift.io/v1/tokenreviews"}
+ }
+
 // use string replacer for simple things
 r := strings.NewReplacer(
- "${IMAGE}", c.targetImagePullSpec,
+ "${IMAGE}", imageToUse,
 "${REVISION}", strconv.Itoa(int(operatorStatus.LatestAvailableRevision)),
 )
From 2660b691c31efd302eb12ba400328af81ded9ac3 Mon Sep 17 00:00:00 2001
From: Bryce Palmer
Date: Wed, 17 Jun 2026 10:08:02 -0400
Subject: [PATCH 2/3] fixup! change the right deployment generation method...
Signed-off-by: Bryce Palmer
---
 .../sync_openshift_oauth_apiserver.go | 23 +++++++++++--------
 1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/pkg/operator/workload/sync_openshift_oauth_apiserver.go b/pkg/operator/workload/sync_openshift_oauth_apiserver.go
index 212fbbc58..ad0437f26 100644
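Review bot: The `UPSTREAM_OIDC_COMPONENT_IMAGE` override added to `syncStandardDeployment` substitutes the image of an authentication component with whatever string is in the operator's environment, with no validation and nothing marking it as PoC-only. Whoever can set that variable on the operator decides what ends up behind `${IMAGE}`, so the value should at least be required to be digest-pinned, for example by warning or refusing when `!strings.Contains(upstreamImage, "@sha256:")`. A comment above the block would also help: `// UPSTREAM_OIDC_COMPONENT_IMAGE replaces the payload image; PoC only, expects a digest-pinned pull spec`. The same block is moved to `syncExternalOIDCDeployment` in PATCH 2/3 and the point applies there unchanged. The function body starts and ends outside the hunk.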
--- a/pkg/operator/workload/sync_openshift_oauth_apiserver.go
+++ b/pkg/operator/workload/sync_openshift_oauth_apiserver.go
@@ -241,17 +241,9 @@ func (c *OAuthAPIServerWorkload) syncStandardDeployment(ctx context.Context, ope
 // log level verbosity is taken from the spec always
 args["v"] = []string{loglevelToKlog(operatorSpec.LogLevel)}
- imageToUse := c.targetImagePullSpec
- if upstreamImage := os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"); upstreamImage != "" {
- imageToUse = upstreamImage
-
- // configure the API endpoint on the upstream component
- args["authenticate-path"] = []string{"/apis/oauth.openshift.io/v1/tokenreviews"}
- }
-
 // use string replacer for simple things
 r := strings.NewReplacer(
- "${IMAGE}", imageToUse,
+ "${IMAGE}", c.targetImagePullSpec,
 "${REVISION}", strconv.Itoa(int(operatorStatus.LatestAvailableRevision)),
 )
@@ -358,9 +350,20 @@ func (c *OAuthAPIServerWorkload) syncExternalOIDCDeployment(ctx context.Context,
 // log level verbosity is taken from the spec always
 args["v"] = []string{loglevelToKlog(operatorSpec.LogLevel)}
+ imageToUse := c.targetImagePullSpec
+ klog.Info("UPSTREAM_OIDC_COMPONENT_IMAGE", os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"))
+ if upstreamImage := os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"); len(upstreamImage) > 0 {
+ imageToUse = upstreamImage
+
+ klog.Info("using UPSTREAM_OIDC_COMPONENT_IMAGE", os.Getenv("UPSTREAM_OIDC_COMPONENT_IMAGE"))
+
+ // configure the API endpoint on the upstream component
+ args["authenticate-path"] = []string{"/apis/oauth.openshift.io/v1/tokenreviews"}
+ }
+
 // use string replacer for simple things
 r := strings.NewReplacer(
- "${IMAGE}", c.targetImagePullSpec,
+ "${IMAGE}", imageToUse,
 "${REVISION}", strconv.Itoa(int(operatorStatus.LatestAvailableRevision)),
 )
From 66628380c3cfce09774143a09c46e2ea06f9625e Mon Sep 17 00:00:00 2001
From: Bryce Palmer
Date: Wed, 17 Jun 2026 11:41:24 -0400
Subject: [PATCH 3/3] wip: changes to get padlok image to work
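Review bot: The two `klog.Info` calls added to `syncExternalOIDCDeployment` each pass two string operands, and `klog.Info` formats like `fmt.Print`, which puts no space between adjacent strings, so the variable name and its value run together in the log. The first call also fires on every sync even when the variable is empty, and the environment is read three times in the block. Reading it once and logging only when the override is active would be cleaner: `klog.Infof("using UPSTREAM_OIDC_COMPONENT_IMAGE %q for the external OIDC deployment", upstreamImage)` inside the `if`. That single line is worth keeping as an audit trail of the image substitution. The function body continues outside the hunk.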
Signed-off-by: Bryce Palmer
---
 bindata/oauth-apiserver/externaloidc-deploy.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bindata/oauth-apiserver/externaloidc-deploy.yaml b/bindata/oauth-apiserver/externaloidc-deploy.yaml
index d81b31c76..27f480a13 100644
--- a/bindata/oauth-apiserver/externaloidc-deploy.yaml
+++ b/bindata/oauth-apiserver/externaloidc-deploy.yaml
@@ -38,7 +38,7 @@ spec:
 - name: oauth-apiserver
 terminationMessagePolicy: FallbackToLogsOnError
 image: ${IMAGE}
- imagePullPolicy: IfNotPresent
+ imagePullPolicy: Always
 command: ["/bin/bash", "-ec"]
 args:
 - |
@@ -46,7 +46,7 @@ spec:
 echo "Copying system trust bundle"
 cp -f /var/run/configmaps/trusted-ca-bundle/tls-ca-bundle.pem /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
 fi
- exec oauth-apiserver external-oidc \
+ exec padlok run \
 --secure-port=8443 \
 --tls-private-key-file=/var/run/secrets/serving-cert/tls.key \
 --tls-cert-file=/var/run/secrets/serving-cert/tls.crt \
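Review bot: `imagePullPolicy: Always` on the `oauth-apiserver` container makes every pod start depend on the registry, and if `${IMAGE}` resolves to a tag rather than a digest the content behind it can differ between restarts. The template does not show which form `${IMAGE}` takes, so that is worth confirming; with a digest-pinned pull spec `IfNotPresent` is sufficient. If `Always` is only needed while iterating on the PoC image, a comment above the line would keep it from being merged by accident, e.g. `# PoC only: revert to IfNotPresent once the image is digest-pinned`.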
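Review bot: The command becomes `exec padlok run` unconditionally, while PATCH 2/3 swaps `${IMAGE}` only when `UPSTREAM_OIDC_COMPONENT_IMAGE` is set. With the variable unset the template still receives `c.targetImagePullSpec`, which presumably does not ship a `padlok` binary, so the container would fail to start and the external OIDC deployment would be left without a working token-review backend. The binary and subcommand should be templated alongside the image, for instance through a placeholder filled by the same `strings.NewReplacer` (a constructed name such as `${SERVER_COMMAND}`), so image and entrypoint always change together. The `--secure-port` and `--tls-*` flags are passed to the new binary unchanged, and the argument list continues past the end of the hunk, so whether all of them are accepted is not visible here.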