[release-v1.38] CI-1933: enable OpenShift Ingress→Route for the manager#4791

Merged
rene-dekker merged 2 commits into
tigera:release-v1.38from
rene-dekker:auto-pick-of-#4763-release-v1.38
May 8, 2026

Conversation

@rene-dekker
Member

Backport of #4763 to release-v1.38.

Summary

  • Name the manager Service's 9443 port https. OpenShift's ingress-to-route conversion needs a named target port.
  • When the Authentication CR uses the OpenShift IDP, render an Opaque Secret tigera-ca-public in calico-system containing tls.crt from the operator CA (tigera-ca-private). Cleaned up automatically when the IDP changes or the Authentication CR is removed.

Conflict resolution

  • authentication_controller.go: kept install variable name (master used installationSpec); added new TigeraCAKeyPair field; reformatted alignment.
  • manager.go: kept v1.38's TigeraComponentPolicyPrefix and lowercase managerPort (master used CalicoComponentPolicyPrefix and exported ManagerPort); added the new ManagerPortName constant and Name on the Service port.
  • dex.go: kept TigeraComponentPolicyPrefix + "allow-tigera-dex" (master used CalicoComponentPolicyPrefix + "dex"); added new TigeraCAPublicSecretName constant. Rest of the patch (config field, Objects() branch, helper method) applied cleanly.

Commits

Add a named "https" port on the calico-manager Service and, when the OpenShift IDP is configured, publish a tigera-ca-public Secret in calico-system so OpenShift's Ingress→Route conversion can produce a reencrypt Route fronting the manager.

Two small render changes so customers can front the manager Service with a
networking.k8s.io/v1 Ingress and let OpenShift's ingress-to-route controller
auto-generate a reencrypt Route:

- manager Service: name the 9443 port "https". The conversion needs a named
  target port.
- when the Authentication CR uses the OpenShift IDP, render an Opaque Secret
  "tigera-ca-public" in calico-system holding tls.crt copied from the operator
  CA (tigera-ca-private). Customers reference it via
  route.openshift.io/destination-ca-certificate-secret on the Ingress.
  Cleaned up automatically when the IDP changes or the Authentication CR is
  removed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

The original PR rendered the secret in calico-system. On v1.38 the manager
Service is in tigera-manager, and OpenShift's ingress-to-route controller
does a same-namespace lookup against the Ingress, so the secret has to live
alongside the Service.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
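As an added illustration, not code from this PR or from the operator, the two objects the description refers to: the Opaque Secret the operator renders once the Authentication CR uses the OpenShift IDP, and a customer-side networking.k8s.io/v1 Ingress that tells OpenShift's ingress-to-route controller to build a reencrypt Route from it. Object names and the namespace follow the commit messages (tigera-ca-public, calico-manager, tigera-manager on v1.38); the hostname, the edge TLS secret manager-edge-tls and the base64 placeholder are assumptions, and the Secret is shown only so the shape is clear, since the operator manages it.

```yaml
# Rendered by the operator (shown for reference, do not create by hand).
# Key tls.crt is copied from the operator CA secret tigera-ca-private.
# It has to live in the same namespace as the Ingress and the Service,
# because the ingress-to-route controller resolves the referenced
# secret with a same-namespace lookup.
apiVersion: v1
kind: Secret
metadata:
  name: tigera-ca-public
  namespace: tigera-manager        # v1.38: alongside the manager Service
type: Opaque
data:
  tls.crt: "PLACEHOLDER_BASE64_PEM_OF_OPERATOR_CA"   # placeholder, not a real value
---
# Customer-side Ingress. OpenShift's ingress-to-route controller turns this
# into a reencrypt Route: TLS terminates at the router using the edge
# certificate, then the router re-encrypts to the manager on 9443 and
# verifies the manager's certificate against the CA in tigera-ca-public.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: calico-manager
  namespace: tigera-manager        # must match the Service and the CA Secret
  annotations:
    route.openshift.io/termination: reencrypt
    # Names the Secret above; the controller reads its tls.crt as the
    # destination CA used to validate the backend.
    route.openshift.io/destination-ca-certificate-secret: tigera-ca-public
spec:
  tls:
    - hosts:
        - manager.apps.example.com          # assumed hostname
      secretName: manager-edge-tls          # assumed kubernetes.io/tls secret for the router-facing cert
  rules:
    - host: manager.apps.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: calico-manager       # manager Service name per the commit message
                port:
                  name: https              # the named port this PR adds; a bare number (9443) is not converted
```

Two things to verify before expecting a Route to appear: `oc get svc -n tigera-manager -o yaml` should show the 9443 port with `name: https`, and `oc get secret tigera-ca-public -n tigera-manager` should return the Secret in the same namespace as the Ingress. If the IDP is changed away from OpenShift or the Authentication CR is deleted, the Secret is removed and the Route's backend verification will start failing, which is the expected cleanup described above rather than a fault in the Ingress.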
@rene-dekker rene-dekker merged commit c5f13fa into tigera:release-v1.38 May 8, 2026
2 checks passed
@rene-dekker rene-dekker deleted the auto-pick-of-#4763-release-v1.38 branch May 8, 2026 18:22