APS-4053 Edge Server infrastructure tooling (helm/oci) #4

Merged
ikethecoder merged 60 commits into dev from images/sdx
Feb 12, 2026


@ikethecoder ikethecoder commented Dec 18, 2025

Summary

This PR introduces a complete SDX (Secure Data Exchange) Edge infrastructure, including a custom Kong Gateway data plane image, Helm chart for deployment, and CI/CD automation.

45 commits | 16 files changed | +1,696 additions


Key Components Added

1. SDX Kong Gateway Image (sdx/image/Dockerfile)

  • Custom Kong Gateway 3.9.1 data plane image
  • Integrates 15+ custom plugins including:
    • Trust and verification plugins: trust-jwks, trust-ledger, trust-registry, trust-sign, trust-timestamp, trust-verify-digest, trust-verify-signature
    • Authentication plugins: mtls-auth, mtls-acl, jwt-keycloak, oidc, oidc-consumer, openid-authzen
    • Additional plugins: dpop, response-signer, token-exchange, kong-spec-expose, kong-upstream-jwt
  • Multi-arch support (linux/arm64, linux/amd64)
  • Configured for hybrid deployment mode with PKI-based mTLS
  • Custom plugin priority updates for proper request flow

2. Helm Chart (sdx/chart/sdx-edge/)

Complete deployment package including:

  • Kong Data Plane: HTTP/2.0 proxy with certificate management
  • Fluentbit: Log aggregation and forwarding
  • Prometheus: Monitoring and metrics collection
  • Certificate Bootstrap Job: Initial certificate provisioning from approved CA
  • Certificate Renewal Job: Automated certificate renewal
  • OpenShift Integration: Network policies and passthrough routes
  • Secrets Management: TLS certificates and signing keys

3. CI/CD Pipeline (.github/workflows/sdx-image.yaml)

  • Automated Docker image builds on images/* branches
  • Multi-platform support (ARM64, AMD64)
  • Publishes to GitHub Container Registry (ghcr.io)
  • Tagged with commit SHA for version tracking

4. Configuration & Documentation

  • Deployment guide with Helm installation instructions
  • Environment variable configuration for certificates and networking
  • OpenShift-specific networking policies
  • Git ignore rules for sensitive certificate files

Recent Refactoring (Last 5 commits)

  • Network policy adjustments
  • Secrets template updates
  • Template organization and structure improvements
  • Documentation updates

Deployment Model

The SDX Edge operates as:

  • Kong data plane connecting to a remote control plane
  • mTLS-secured cluster communication using PKI certificates
  • OpenShift HAProxy passthrough for ingress
  • Automated certificate lifecycle management via Jobs

Test Plan

  • Verify Docker image builds successfully for both architectures
  • Deploy Helm chart to test environment
  • Confirm certificate bootstrap job completes successfully
  • Test Kong data plane connectivity to control plane
  • Validate mTLS authentication between components
  • Verify Fluentbit log forwarding
  • Check Prometheus metrics collection
  • Test certificate renewal job execution
  • Validate OpenShift route and network policies

🤖 Generated with Claude Code
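
A preflight check for the "hybrid deployment mode with PKI-based mTLS" item in the description above, as an added example that is not code from this PR or from the project: a shell lint of a data plane's `KONG_*` environment. The variable names are Kong's standard hybrid-mode settings; which of them the chart sets is an assumption, and `_finding` / `check_kong_dp_env` are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the PR: lint the KONG_* environment of a
# data plane that is meant to run in hybrid mode with cluster_mtls=pki.

_finding() { echo "FAIL: $1"; KONG_LINT_FINDINGS=$((KONG_LINT_FINDINGS + 1)); }

check_kong_dp_env() {
  KONG_LINT_FINDINGS=0

  [ "${KONG_ROLE:-}" = "data_plane" ] || _finding "KONG_ROLE must be data_plane"
  [ "${KONG_DATABASE:-}" = "off" ] || _finding "KONG_DATABASE must be off on a data plane"

  # Kong defaults cluster_mtls to "shared"; an unset value is not PKI mode.
  [ "${KONG_CLUSTER_MTLS:-shared}" = "pki" ] ||
    _finding "KONG_CLUSTER_MTLS is '${KONG_CLUSTER_MTLS:-shared}', expected pki"

  case "${KONG_CLUSTER_CONTROL_PLANE:-}" in
    *:*) ;;
    *) _finding "KONG_CLUSTER_CONTROL_PLANE must be host:port" ;;
  esac

  # In pki mode this name is sent as SNI and must match the control plane cert.
  [ -n "${KONG_CLUSTER_SERVER_NAME:-}" ] ||
    _finding "KONG_CLUSTER_SERVER_NAME is unset (needed to verify the control plane in pki mode)"

  # Client cert, its key, and the CA that signed the control plane cert.
  for var in KONG_CLUSTER_CERT KONG_CLUSTER_CERT_KEY KONG_CLUSTER_CA_CERT; do
    eval "path=\${$var:-}"
    if [ -z "$path" ]; then
      _finding "$var is unset"
    elif [ ! -r "$path" ]; then
      _finding "$var points to an unreadable file: $path"
    fi
  done

  # The private key should not be world-readable (-L follows secret-mount symlinks).
  key=${KONG_CLUSTER_CERT_KEY:-}
  if [ -r "$key" ] && [ -n "$(find -L "$key" -perm -004 2>/dev/null)" ]; then
    _finding "private key $key is world-readable"
  fi

  # Return 0 only when nothing was flagged.
  [ "$KONG_LINT_FINDINGS" -eq 0 ]
}
```

Call `check_kong_dp_env` before starting Kong and stop on a non-zero return; the number of findings is left in `KONG_LINT_FINDINGS`.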

Added core and cluster configuration for Kong data plane, including TLS/SSL settings and network listeners.
Added commands to clone and build Kong OSS plugins.
Updated the Dockerfile to include content-digest in the plugin update message.
@ikethecoder ikethecoder marked this pull request as ready for review February 7, 2026 01:07
@ikethecoder ikethecoder changed the title Images/sdx APS-4053 Edge Server infrastructure tooling (helm/oci) Feb 7, 2026
@ikethecoder ikethecoder merged commit 065b4a8 into dev Feb 12, 2026
1 check passed
@ikethecoder ikethecoder deleted the images/sdx branch February 16, 2026 21:00