feat: add auto-detect for OpenShift platform

Signed-off-by: Kevin Conner <[email protected]>

Author: knrc

.github/workflows/main.yml

@@ -237,8 +237,6 @@ jobs:
         run: make dev-images && cat config/default/images.env
 
       - name: Deploy operator container
-        env:
-          OPENSHIFT: false
         run: make deploy
 
       - name: Wait for operator to be ready
@@ -338,7 +336,6 @@ jobs:
         env:
           TEST_BASE_CATALOG: registry.redhat.io/redhat/redhat-operator-index:${{ vars.OLM_INDEX_VERSION }}
           TEST_TARGET_CATALOG: ${{ env.CATALOG_IMG }}
-          OPENSHIFT: false
         run: go test -p 1 ./test/e2e/... -tags=upgrade -timeout 20m
 
       - name: Archive test artifacts
@@ -403,8 +400,6 @@ jobs:
         run: make dev-images && cat config/default/images.env
 
       - name: Deploy operator container
-        env:
-          OPENSHIFT: false
         run: make deploy
 
       - name: Wait for operator to be ready
@@ -499,7 +494,6 @@ jobs:
       - name: Run tests
         env:
           TEST_MANAGER_IMAGE: ${{ env.IMG }}
-          OPENSHIFT: false
         run: make install && go test ./test/e2e/... -tags=custom_install -p 1 -timeout 20m
 
       - name: Archive test artifacts
@@ -582,8 +576,6 @@ jobs:
         run: make dev-images generate && cat config/default/images.env
 
       - name: Deploy operator container
-        env:
-          OPENSHIFT: false
         run: make deploy
 
       - name: Wait for operator to be ready

Makefile

@@ -83,12 +83,7 @@ CONTAINER_TOOL ?= docker
 SHELL = /usr/bin/env bash -o pipefail
 .SHELLFLAGS = -ec
 
-OPENSHIFT ?= true
-
-CONFIG_DEFAULT=config/env/kubernetes
-ifeq ($(OPENSHIFT), true)
-CONFIG_DEFAULT=config/env/openshift
-endif
+CONFIG_DEFAULT=config/default
 
 .PHONY: all
 all: build

cmd/main.go

@@ -20,7 +20,6 @@ import (
 	"crypto/tls"
 	"flag"
 	"os"
-	"strconv"
 
 	appconfig "github.com/securesign/operator/internal/config"
 	"github.com/securesign/operator/internal/controller"
@@ -102,6 +101,7 @@ func main() {
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	flag.Int64Var(&appconfig.CreateTreeDeadline, "create-tree-deadline", appconfig.CreateTreeDeadline, "The time allowance (in seconds) for the create tree job to run before failing.")
 	utils.BoolFlagOrEnv(&appconfig.Openshift, "openshift", "OPENSHIFT", false, "Enable to ensures the operator applies OpenShift specific configurations.")
+	utils.StringFlagOrEnv(&appconfig.OpenshiftAPIServerName, "openshift-apiserver-name", "OPENSHIFT_APISERVER_NAME", "openshift-apiserver", "The OpenShift API Server name.")
 	utils.RelatedImageFlag("trillian-log-signer-image", images.TrillianLogSigner, "The image used for trillian log signer.")
 	utils.RelatedImageFlag("trillian-log-server-image", images.TrillianServer, "The image used for trillian log server.")
 	utils.RelatedImageFlag("trillian-db-image", images.TrillianDb, "The image used for trillian's database.")
@@ -126,6 +126,18 @@ func main() {
 
 	ctrl.SetLogger(klog.NewKlogr())
 
+	if !utils.IsFlagProvided("openshift", "OPENSHIFT") {
+		openshift, err := kubernetes.DetectOpenShiftPlatform(setupLog, appconfig.OpenshiftAPIServerName)
+		if err != nil {
+			setupLog.Info("Platform auto-detection failed, falling back to kubernetes", "error", err)
+			openshift = false
+		}
+		appconfig.Openshift = openshift
+		setupLog.Info("Platform auto-detected", "openshift", appconfig.Openshift)
+	} else {
+		setupLog.Info("Platform explicitly configured via flag/env", "openshift", appconfig.Openshift)
+	}
+
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
 	// due to its vulnerabilities. More specifically, disabling http/2 will
 	// prevent from being vulnerable to the HTTP/2 Stream Cancelation and
@@ -222,8 +234,6 @@ func main() {
 		os.Exit(1)
 	}
 
-	setupLog.WithName("IsOpenshift").Info(strconv.FormatBool(appconfig.Openshift))
-
 	setupLog.Info("starting manager")
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")

config/env/kubernetes/kustomization.yaml

@@ -68,6 +68,14 @@ rules:
   - persistentvolumeclaims/finalizers
   verbs:
   - update
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - apps
   resources:

config/env/openshift/kustomization.yaml

@@ -23,6 +23,7 @@ require (
 	k8s.io/apimachinery v0.34.1
 	k8s.io/client-go v0.34.1
 	k8s.io/klog/v2 v2.130.1
+	k8s.io/kube-aggregator v0.34.1
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 	sigs.k8s.io/controller-runtime v0.22.3
 	sigs.k8s.io/yaml v1.6.0

config/env/openshift/manager_openshift_patch.yaml

@@ -243,6 +243,8 @@ k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
 k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-aggregator v0.34.1 h1:WNLV0dVNoFKmuyvdWLd92iDSyD/TSTjqwaPj0U9XAEU=
+k8s.io/kube-aggregator v0.34.1/go.mod h1:RU8j+5ERfp0h+gIvWtxRPfsa5nK7rboDm8RST8BJfYQ=
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=

config/rbac/role.yaml

@@ -1,6 +1,7 @@
 package config
 
 var (
-	CreateTreeDeadline int64 = 1200
-	Openshift          bool
+	CreateTreeDeadline     int64 = 1200
+	Openshift              bool
+	OpenshiftAPIServerName string
 )