feat: Add configurable Ingress hostname template for non-OpenShift clusters

Introduces --ingress-host-template flag (INGRESS_HOST_TEMPLATE env var) to control
default Ingress hostnames on non-OpenShift clusters. The default "%[1]s.local" preserves
existing behavior. CI is configured with "%[1]s.%[2]s.traefik.me" to produce
namespace-unique hostnames, eliminating Ingress hostname collisions between e2e test
namespaces that caused Konflux pipeline timeouts.

Refs: SECURESIGN-3862
Signed-off-by: Tomas Turek <tturek@redhat.com>

Author: osmman

.github/workflows/main.yml

@@ -15,6 +15,7 @@ env:
   CATALOG_IMG: ghcr.io/securesign/secure-sign-operator-fbc:dev-${{ github.sha }}
   NEW_OLM_CHANNEL: rhtas-operator.v1.5.0
   OCP_VERSION: ${{ vars.OLM_INDEX_VERSION }}
+  INGRESS_HOST_TEMPLATE: '%[1]s.%[2]s.traefik.me'
 
 jobs:
   build-operator:
@@ -244,9 +245,14 @@ jobs:
         run: |
           kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
 
+      - name: Configure Ingress hostname template
+        run: |
+          kubectl set env deployment/rhtas-operator-controller-manager -n openshift-rhtas-operator INGRESS_HOST_TEMPLATE="${INGRESS_HOST_TEMPLATE}"
+          kubectl rollout status deployment/rhtas-operator-controller-manager -n openshift-rhtas-operator --timeout=120s
+
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
+          sudo echo "127.0.0.1 keycloak-internal.keycloak-system.svc" | sudo tee -a /etc/hosts
       - name: Install cosign
         run: go install github.com/sigstore/cosign/v3/cmd/cosign@v3.0.5
 
@@ -327,7 +333,7 @@ jobs:
 
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
+          sudo echo "127.0.0.1 keycloak-internal.keycloak-system.svc" | sudo tee -a /etc/hosts
       - name: Install cosign
         #keep upgrade scenario on cosign v2 (latest released version does not support cosign v3)
         run: go install github.com/sigstore/cosign/v2/cmd/cosign@v2.4.0
@@ -409,9 +415,14 @@ jobs:
         run: |
           kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
 
+      - name: Configure Ingress hostname template
+        run: |
+          kubectl set env deployment/rhtas-operator-controller-manager -n openshift-rhtas-operator INGRESS_HOST_TEMPLATE="${INGRESS_HOST_TEMPLATE}"
+          kubectl rollout status deployment/rhtas-operator-controller-manager -n openshift-rhtas-operator --timeout=120s
+
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local keycloak-internal.keycloak-system.svc rekor-search-ui.local cli-server.local tsa-server.local" | sudo tee -a /etc/hosts
+          sudo echo "127.0.0.1 keycloak-internal.keycloak-system.svc" | sudo tee -a /etc/hosts
 
       - name: Install cosign
         run: go install github.com/sigstore/cosign/v3/cmd/cosign@v3.0.5
@@ -489,7 +500,7 @@ jobs:
 
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
+          echo "# service hosts added here if needed"
 
       - name: Replace images
         run: make dev-images generate && cat config/default/images.env
@@ -573,7 +584,7 @@ jobs:
 
       - name: Add service hosts to /etc/hosts
         run: |
-          sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local tsa-server.local cli-server.local ${{ steps.kind.outputs.oidc_host }}" | sudo tee -a /etc/hosts
+          sudo echo "127.0.0.1 ${{ steps.kind.outputs.oidc_host }}" | sudo tee -a /etc/hosts
 
       - name: Replace images
         run: make dev-images generate && cat config/default/images.env
@@ -585,6 +596,11 @@ jobs:
         run: |
           kubectl wait --for=condition=available deployment/rhtas-operator-controller-manager --timeout=120s -n openshift-rhtas-operator
 
+      - name: Configure Ingress hostname template
+        run: |
+          kubectl set env deployment/rhtas-operator-controller-manager -n openshift-rhtas-operator INGRESS_HOST_TEMPLATE="${INGRESS_HOST_TEMPLATE}"
+          kubectl rollout status deployment/rhtas-operator-controller-manager -n openshift-rhtas-operator --timeout=120s
+
       - name: Install securesign
         run: |
           sed -i 's#https://your-oidc-issuer-url#http://${{ steps.kind.outputs.oidc_host }}/realms/trusted-artifact-signer#' config/samples/rhtas_v1alpha1_securesign.yaml
@@ -602,7 +618,7 @@ jobs:
           export FULCIO_URL=$(kubectl get fulcio -o jsonpath='{.items[0].status.url}' -n ${{ env.TEST_NAMESPACE }})
           
           export CLI_STRATEGY=cli_server
-          export CLI_SERVER_URL="http://cli-server.local"
+          export CLI_SERVER_URL="http://cli-server.openshift-rhtas-operator.traefik.me"
           
           cd e2e
           source ./tas-env-variables.sh

cmd/main.go

@@ -102,6 +102,9 @@ func main() {
 	flag.Int64Var(&appconfig.CreateTreeDeadline, "create-tree-deadline", appconfig.CreateTreeDeadline, "The time allowance (in seconds) for the create tree job to run before failing.")
 	utils.BoolFlagOrEnv(&appconfig.Openshift, "openshift", "OPENSHIFT", false, "Enable to ensures the operator applies OpenShift specific configurations.")
 	utils.StringFlagOrEnv(&appconfig.OpenshiftAPIServerName, "openshift-apiserver-name", "OPENSHIFT_APISERVER_NAME", "openshift-apiserver", "The OpenShift API Server name.")
+	utils.StringFlagOrEnv(&appconfig.IngressHostTemplate, "ingress-host-template", "INGRESS_HOST_TEMPLATE", appconfig.IngressHostTemplate,
+		"Default hostname template for non-OpenShift Ingress resources when ExternalAccess.Host is not set. "+
+			"Uses Go fmt.Sprintf with %[1]s=service name, %[2]s=namespace. Ignored on OpenShift.")
 	utils.RelatedImageFlag("trillian-log-signer-image", images.TrillianLogSigner, "The image used for trillian log signer.")
 	utils.RelatedImageFlag("trillian-log-server-image", images.TrillianServer, "The image used for trillian log server.")
 	utils.RelatedImageFlag("trillian-db-image", images.TrillianDb, "The image used for trillian's database.")

internal/config/config.go

@@ -4,4 +4,5 @@ var (
 	CreateTreeDeadline     int64 = 1200
 	Openshift              bool
 	OpenshiftAPIServerName string
+	IngressHostTemplate    = "%[1]s.local"
 )

internal/utils/kubernetes/common.go

@@ -86,7 +86,7 @@ func CalculateHostname(ctx context.Context, client client.Client, svcName, ns st
 		}
 		return fmt.Sprintf("%s-%s.%s", svcName, ns, ingress.Spec.Domain), nil
 	}
-	return svcName + ".local", nil
+	return fmt.Sprintf(config.IngressHostTemplate, svcName, ns), nil
 }
 
 func FindByLabelSelector(ctx context.Context, c client.Client, list client.ObjectList, namespace, labelSelector string) error {

internal/utils/kubernetes/common_test.go

@@ -0,0 +1,135 @@
+package kubernetes
+
+import (
+	"context"
+	"testing"
+
+	configv1 "github.com/openshift/api/config/v1"
+	"github.com/securesign/operator/internal/config"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestCalculateHostname(t *testing.T) {
+	tests := []struct {
+		name     string
+		template string
+		svcName  string
+		ns       string
+		expected string
+	}{
+		{
+			name:     "default template produces static .local hostname",
+			template: "%[1]s.local",
+			svcName:  "rekor-server",
+			ns:       "test-ns",
+			expected: "rekor-server.local",
+		},
+		{
+			name:     "namespace-scoped template includes namespace",
+			template: "%[1]s.%[2]s.traefik.me",
+			svcName:  "rekor-server",
+			ns:       "test-ns",
+			expected: "rekor-server.test-ns.traefik.me",
+		},
+		{
+			name:     "custom template with different format",
+			template: "%[1]s-%[2]s.example.com",
+			svcName:  "fulcio-server",
+			ns:       "my-namespace",
+			expected: "fulcio-server-my-namespace.example.com",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			original := config.IngressHostTemplate
+			origOpenshift := config.Openshift
+			t.Cleanup(func() {
+				config.IngressHostTemplate = original
+				config.Openshift = origOpenshift
+			})
+
+			config.IngressHostTemplate = tt.template
+			config.Openshift = false
+
+			result, err := CalculateHostname(context.Background(), nil, tt.svcName, tt.ns)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if result != tt.expected {
+				t.Errorf("got %q, want %q", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestCalculateHostname_OpenShift(t *testing.T) {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(configv1.AddToScheme(scheme))
+
+	tests := []struct {
+		name     string
+		domain   string
+		svcName  string
+		ns       string
+		expected string
+	}{
+		{
+			name:     "OpenShift hostname includes namespace and cluster domain",
+			domain:   "apps.cluster.example.com",
+			svcName:  "rekor-server",
+			ns:       "test-ns",
+			expected: "rekor-server-test-ns.apps.cluster.example.com",
+		},
+		{
+			name:     "OpenShift hostname with different service and namespace",
+			domain:   "apps.ocp.internal",
+			svcName:  "fulcio-server",
+			ns:       "secure-sign",
+			expected: "fulcio-server-secure-sign.apps.ocp.internal",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			origOpenshift := config.Openshift
+			t.Cleanup(func() { config.Openshift = origOpenshift })
+			config.Openshift = true
+
+			cli := fake.NewClientBuilder().
+				WithScheme(scheme).
+				WithObjects(&configv1.Ingress{
+					ObjectMeta: metav1.ObjectMeta{Name: "cluster"},
+					Spec:       configv1.IngressSpec{Domain: tt.domain},
+				}).
+				Build()
+
+			result, err := CalculateHostname(context.Background(), cli, tt.svcName, tt.ns)
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if result != tt.expected {
+				t.Errorf("got %q, want %q", result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestCalculateHostname_OpenShift_MissingIngress(t *testing.T) {
+	scheme := runtime.NewScheme()
+	utilruntime.Must(configv1.AddToScheme(scheme))
+
+	origOpenshift := config.Openshift
+	t.Cleanup(func() { config.Openshift = origOpenshift })
+	config.Openshift = true
+
+	cli := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+	_, err := CalculateHostname(context.Background(), cli, "rekor-server", "test-ns")
+	if err == nil {
+		t.Fatal("expected error when cluster Ingress is missing, got nil")
+	}
+}

test/e2e/custom_install/suite_test.go

@@ -99,6 +99,10 @@ func managerPod(ns string, opts ...optManagerPod) *v1.Pod {
 							Name:  "OPENSHIFT",
 							Value: support.EnvOrDefault("OPENSHIFT", "false"),
 						},
+						{
+							Name:  "INGRESS_HOST_TEMPLATE",
+							Value: support.EnvOrDefault("INGRESS_HOST_TEMPLATE", "%[1]s.local"),
+						},
 					},
 					LivenessProbe: &v1.Probe{
 						ProbeHandler: v1.ProbeHandler{

test/e2e/support/kubernetes/olm/olm.go

@@ -3,6 +3,7 @@ package olm
 import (
 	"context"
 	"fmt"
+	"os"
 	"strconv"
 	"strings"
 
@@ -113,12 +114,7 @@ func OlmInstaller(ctx context.Context, cli client.Client, catalogImage, ns, pack
 				Package:                packageName,
 				Channel:                channel,
 				Config: &v1alpha1.SubscriptionConfig{
-					Env: []coreV1.EnvVar{
-						{
-							Name:  "OPENSHIFT",
-							Value: strconv.FormatBool(ocp),
-						},
-					},
+					Env: subscriptionEnv(ocp),
 				},
 			},
 		},
@@ -132,3 +128,19 @@ func OlmInstaller(ctx context.Context, cli client.Client, catalogImage, ns, pack
 
 	return subscription, catalog, nil
 }
+
+func subscriptionEnv(ocp bool) []coreV1.EnvVar {
+	env := []coreV1.EnvVar{
+		{
+			Name:  "OPENSHIFT",
+			Value: strconv.FormatBool(ocp),
+		},
+	}
+	if v, ok := os.LookupEnv("INGRESS_HOST_TEMPLATE"); ok {
+		env = append(env, coreV1.EnvVar{
+			Name:  "INGRESS_HOST_TEMPLATE",
+			Value: v,
+		})
+	}
+	return env
+}