Expose Routes externally with front door (#1031)

Originating issue: [IBMPrivateCloud/roadmap#66643](https://github.ibm.com/IBMPrivateCloud/roadmap/issues/66643)

---------

Signed-off-by: Rob Hundley <[email protected]>

Author: rwhundley

api/operator/v1alpha1/authentication_types.go

@@ -115,43 +115,49 @@ type ClientRegistrationSpec struct {
 	Resources     *corev1.ResourceRequirements `json:"resources,omitempty"`
 }
 
+type IngressConfig struct {
+	Hostname *string `json:"hostname,omitempty"`
+	Secret   *string `json:"secret,omitempty"`
+}
+
 type ConfigSpec struct {
-	ClusterCADomain             string `json:"clusterCADomain"`
-	DefaultAdminUser            string `json:"defaultAdminUser"`
-	DefaultAdminPassword        string `json:"defaultAdminPassword"`
-	ScimAdminUser               string `json:"scimAdminUser"`
-	ScimAdminPassword           string `json:"scimAdminPassword"`
-	ClusterName                 string `json:"clusterName"`
-	ClusterInternalAddress      string `json:"clusterInternalAddress"`
-	ClusterExternalAddress      string `json:"clusterExternalAddress"`
-	WLPClientID                 string `json:"wlpClientID"`
-	WLPClientSecret             string `json:"wlpClientSecret"`
-	AuthUniqueHosts             string `json:"authUniqueHosts"`
-	WLPClientRegistrationSecret string `json:"wlpClientRegistrationSecret"`
-	InstallType                 string `json:"installType"`
-	IsOpenshiftEnv              bool   `json:"isOpenshiftEnv"`
-	OpenshiftPort               int32  `json:"openshiftPort"`
-	ICPPort                     int32  `json:"icpPort"`
-	FIPSEnabled                 bool   `json:"fipsEnabled"`
-	ROKSEnabled                 bool   `json:"roksEnabled"`
-	IBMCloudSaas                bool   `json:"ibmCloudSaas,omitempty"`
-	OnPremMultipleDeploy        bool   `json:"onPremMultipleDeploy,omitempty"`
-	SaasClientRedirectUrl       string `json:"saasClientRedirectUrl,omitempty"`
-	NONCEEnabled                bool   `json:"nonceEnabled"`
-	XFrameDomain                string `json:"xframeDomain,omitempty"`
-	PreferredLogin              string `json:"preferredLogin,omitempty"`
-	DefaultLogin                string `json:"defaultLogin,omitempty"`
-	ROKSURL                     string `json:"roksURL"`
-	ROKSUserPrefix              string `json:"roksUserPrefix"`
-	EnableImpersonation         bool   `json:"enableImpersonation"`
-	BootstrapUserId             string `json:"bootstrapUserId,omitempty"`
-	ProviderIssuerURL           string `json:"providerIssuerURL,omitempty"`
-	ClaimsSupported             string `json:"claimsSupported,omitempty"`
-	ClaimsMap                   string `json:"claimsMap,omitempty"`
-	ScopeClaim                  string `json:"scopeClaim,omitempty"`
-	OIDCIssuerURL               string `json:"oidcIssuerURL"`
-	AttrMappingFromConfig       bool   `json:"attrMappingFromConfig,omitempty"`
-	ZenFrontDoor                bool   `json:"zenFrontDoor,omitempty"`
+	ClusterCADomain             string         `json:"clusterCADomain"`
+	DefaultAdminUser            string         `json:"defaultAdminUser"`
+	DefaultAdminPassword        string         `json:"defaultAdminPassword"`
+	ScimAdminUser               string         `json:"scimAdminUser"`
+	ScimAdminPassword           string         `json:"scimAdminPassword"`
+	ClusterName                 string         `json:"clusterName"`
+	ClusterInternalAddress      string         `json:"clusterInternalAddress"`
+	ClusterExternalAddress      string         `json:"clusterExternalAddress"`
+	WLPClientID                 string         `json:"wlpClientID"`
+	WLPClientSecret             string         `json:"wlpClientSecret"`
+	AuthUniqueHosts             string         `json:"authUniqueHosts"`
+	WLPClientRegistrationSecret string         `json:"wlpClientRegistrationSecret"`
+	InstallType                 string         `json:"installType"`
+	IsOpenshiftEnv              bool           `json:"isOpenshiftEnv"`
+	OpenshiftPort               int32          `json:"openshiftPort"`
+	ICPPort                     int32          `json:"icpPort"`
+	FIPSEnabled                 bool           `json:"fipsEnabled"`
+	ROKSEnabled                 bool           `json:"roksEnabled"`
+	IBMCloudSaas                bool           `json:"ibmCloudSaas,omitempty"`
+	OnPremMultipleDeploy        bool           `json:"onPremMultipleDeploy,omitempty"`
+	SaasClientRedirectUrl       string         `json:"saasClientRedirectUrl,omitempty"`
+	NONCEEnabled                bool           `json:"nonceEnabled"`
+	XFrameDomain                string         `json:"xframeDomain,omitempty"`
+	PreferredLogin              string         `json:"preferredLogin,omitempty"`
+	DefaultLogin                string         `json:"defaultLogin,omitempty"`
+	ROKSURL                     string         `json:"roksURL"`
+	ROKSUserPrefix              string         `json:"roksUserPrefix"`
+	EnableImpersonation         bool           `json:"enableImpersonation"`
+	BootstrapUserId             string         `json:"bootstrapUserId,omitempty"`
+	ProviderIssuerURL           string         `json:"providerIssuerURL,omitempty"`
+	ClaimsSupported             string         `json:"claimsSupported,omitempty"`
+	ClaimsMap                   string         `json:"claimsMap,omitempty"`
+	ScopeClaim                  string         `json:"scopeClaim,omitempty"`
+	OIDCIssuerURL               string         `json:"oidcIssuerURL"`
+	AttrMappingFromConfig       bool           `json:"attrMappingFromConfig,omitempty"`
+	ZenFrontDoor                bool           `json:"zenFrontDoor,omitempty"`
+	Ingress                     *IngressConfig `json:"ingress,omitempty"`
 }
 
 type ManagedResourceStatus struct {
@@ -309,6 +315,18 @@ func (a *Authentication) HasNoDBSchemaVersion() bool {
 	return !a.HasDBSchemaVersion()
 }
 
+func (a *Authentication) HasCustomIngressHostname() bool {
+	return a.Spec.Config.Ingress != nil && a.Spec.Config.Ingress.Hostname != nil && *a.Spec.Config.Ingress.Hostname != ""
+}
+
+func (a *Authentication) HasCustomIngressCertificate() bool {
+	return a.Spec.Config.Ingress != nil && a.Spec.Config.Ingress.Secret != nil && *a.Spec.Config.Ingress.Secret != ""
+}
+
+func (a *Authentication) HasCustomIngress() bool {
+	return a.HasCustomIngressHostname() || a.HasCustomIngressCertificate()
+}
+
 func (a *Authentication) GetDBSchemaVersion() string {
 	annotations := a.GetAnnotations()
 	if version, ok := annotations[AnnotationAuthDBSchemaVersion]; ok {

api/operator/v1alpha1/zz_generated.deepcopy.go

@@ -152,7 +152,7 @@ metadata:
     categories: Security
     certified: "false"
     containerImage: icr.io/cpopen/ibm-iam-operator:4.13.0
-    createdAt: "2025-07-01T14:35:22Z"
+    createdAt: "2025-07-08T01:10:36Z"
     description: The IAM operator provides a simple Kubernetes CRD-Based API to manage the lifecycle of IAM services. With this operator, you can simply deploy and upgrade the IAM services
     features.operators.openshift.io/disconnected: "true"
     features.operators.openshift.io/fips-compliant: "true"

bundle/manifests/ibm-iam-operator.clusterserviceversion.yaml

@@ -203,6 +203,14 @@ spec:
                   icpPort:
                     format: int32
                     type: integer
+                  ingress:
+                    properties:
+                      hostname:
+                        type: string
+                      secret:
+                        type: string
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
                   installType:
                     type: string
                   isOpenshiftEnv:

bundle/manifests/operator.ibm.com_authentications.yaml

@@ -244,6 +244,14 @@ spec:
                     type: boolean
                   attrMappingFromConfig:
                     type: boolean
+                  ingress:
+                    properties:
+                      hostname:
+                        type: string
+                      secret:
+                        type: string
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
                 required:
                 - authUniqueHosts
                 - clusterCADomain

config/crd/bases/operator.ibm.com_authentications.yaml

@@ -202,6 +202,14 @@ spec:
                   icpPort:
                     format: int32
                     type: integer
+                  ingress:
+                    properties:
+                      hostname:
+                        type: string
+                      secret:
+                        type: string
+                    type: object
+                    x-kubernetes-preserve-unknown-fields: true
                   installType:
                     type: string
                   isOpenshiftEnv:

helm-cluster-scoped/templates/00_operator.ibm.com_authentications.yaml

@@ -403,3 +403,63 @@ func NewSecondaryReconcilerFn(req ctrl.Request, fn subreconciler.FnWithRequest)
 		return fn(ctx, req)
 	}
 }
+
+// Subreconcilers implements Subreconciler
+type Subreconcilers []Subreconciler
+
+var _ Subreconciler = Subreconcilers{}
+
+func (s Subreconcilers) Reconcile(ctx context.Context) (result *ctrl.Result, err error) {
+	results := []*ctrl.Result{}
+	errs := []error{}
+	for _, reconciler := range s {
+		result, err = reconciler.Reconcile(ctx)
+		results = append(results, result)
+		errs = append(errs, err)
+	}
+	return ReduceSubreconcilerResultsAndErrors(results, errs)
+}
+
+type subreconcilers struct {
+	Subreconcilers
+	strategy func(*subreconcilers, context.Context) (*ctrl.Result, error)
+}
+
+func (s *subreconcilers) Reconcile(ctx context.Context) (result *ctrl.Result, err error) {
+	return s.strategy(s, ctx)
+}
+
+func NewStrictSubreconcilers(fns ...Subreconciler) *subreconcilers {
+	return &subreconcilers{
+		Subreconcilers: fns,
+		strategy:       strictReconcile,
+	}
+}
+
+func NewLazySubreconcilers(fns ...Subreconciler) *subreconcilers {
+	return &subreconcilers{
+		Subreconcilers: fns,
+		strategy:       lazyReconcile,
+	}
+}
+
+func strictReconcile(s *subreconcilers, ctx context.Context) (result *ctrl.Result, err error) {
+	for _, reconciler := range s.Subreconcilers {
+		result, err = reconciler.Reconcile(ctx)
+		if err != nil {
+			return
+		}
+	}
+	return
+}
+
+func lazyReconcile(s *subreconcilers, ctx context.Context) (result *ctrl.Result, err error) {
+	results := []*ctrl.Result{}
+	errs := []error{}
+	for _, reconciler := range s.Subreconcilers {
+		result, err = reconciler.Reconcile(ctx)
+		results = append(results, result)
+		errs = append(errs, err)
+	}
+	return ReduceSubreconcilerResultsAndErrors(results, errs)
+}

internal/controller/common/secondary.go

@@ -50,7 +50,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
 	operatorv1alpha1 "github.com/IBM/ibm-iam-operator/api/operator/v1alpha1"
-	zenv1 "github.com/IBM/ibm-iam-operator/internal/api/zen.cpd.ibm.com/v1"
 	"github.com/opdev/subreconciler"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
@@ -365,6 +364,10 @@ func (r *AuthenticationReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		return subreconciler.Evaluate(subResult, err)
 	}
 
+	if subResult, err := r.syncClientHostnames(ctx, req); subreconciler.ShouldHaltOrRequeue(subResult, err) {
+		return subreconciler.Evaluate(subResult, err)
+	}
+
 	return subreconciler.Evaluate(subreconciler.DoNotRequeue())
 }
 
@@ -385,9 +388,6 @@ func (r *AuthenticationReconciler) SetupWithManager(mgr ctrl.Manager) error {
 	if ctrlcommon.ClusterHasOpenShiftConfigGroupVerison(&r.DiscoveryClient) {
 		authCtrl.Watches(&routev1.Route{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
 	}
-	if ctrlcommon.ClusterHasZenExtensionGroupVersion(&r.DiscoveryClient) {
-		authCtrl.Watches(&zenv1.ZenExtension{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
-	}
 	if ctrlcommon.ClusterHasOperandRequestAPIResource(&r.DiscoveryClient) {
 		authCtrl.Watches(&operatorv1alpha1.OperandRequest{}, handler.EnqueueRequestForOwner(mgr.GetScheme(), mgr.GetRESTMapper(), &operatorv1alpha1.Authentication{}, handler.OnlyControllerOwner()))
 	}