CAAPIM · Gazza7205 · Mar 27, 2026 · Dec 22, 2025 · Dec 22, 2025 · Dec 23, 2025
diff --git a/.github/check_image_tags.sh b/.github/check_image_tags.sh
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
diff --git a/Makefile b/Makefile
@@ -222,7 +222,7 @@ run: manifests generate fmt vet ## Run a controller from your host.
 
 .PHONY: docker-build
 docker-build: dockerfile #test ## Build docker image with the manager.
-	$(CONTAINER_TOOL) build -f operator.Dockerfile -t ${IMG} .
+	$(CONTAINER_TOOL) build -t ${IMG} -f operator.Dockerfile --build-arg COPYRIGHT="${COPYRIGHT}" --build-arg AUTHOR="layer7" --build-arg TITLE="layer7-operator" --build-arg VERSION="${IMAGE_TAG}" --build-arg CREATED="${CREATED}"  .
 
 .PHONY: docker-push
 docker-push: ## Push docker image with the manager.

diff --git a/api/v1/gateway_types.go b/api/v1/gateway_types.go
@@ -117,6 +117,8 @@ type GatewayStatus struct {
 	LastAppliedExternalSecrets map[string][]string `json:"lastAppliedExternalSecrets,omitempty"`
 	// LastAppliedExternalCerts
 	LastAppliedExternalCerts map[string][]string `json:"lastAppliedExternalCerts,omitempty"`
+	// LastAppliedOtkFipsCerts tracks which OTK FIPS user certificates have been applied
+	LastAppliedOtkFipsCerts map[string][]string `json:"lastAppliedOtkFipsCerts,omitempty"`
 }
 
 // GatewayState tracks the status of Gateway Resources
@@ -342,6 +344,9 @@ type PortalReference struct {
 type Otk struct {
 	// Enable or disable the OTK initContainer
 	Enabled bool `json:"enabled,omitempty"`
+	// ManageCrossNamespace allows a cluster-wide layer7 operator to manage internal/dmz gateways across namespaces
+	// this is limited to a single kubernetes cluster.
+	ManageCrossNamespace bool `json:"manageCrossNamespace,omitempty"`
 	// InitContainerImage for the initContainer
 	InitContainerImage string `json:"initContainerImage,omitempty"`
 	// InitContainerImagePullPolicy
@@ -356,21 +361,27 @@ type Otk struct {
 	Overrides OtkOverrides `json:"overrides,omitempty"`
 	// A list of subSolutionKitNames - all,internal or dmz cover the primary use cases for the OTK. Only use if directed by support
 	SubSolutionKitNames []string `json:"subSolutionKitNames,omitempty"`
-	// InternalOtkGatewayReference to an Operator managed Gateway deployment that is configured with otk.type: internal
-	// This configures a relationship between DMZ and Internal Gateways.
-	InternalOtkGatewayReference string `json:"internalGatewayReference,omitempty"`
-	// InternalGatewayPort defaults to 9443 or graphmanDynamicSync port
-	InternalGatewayPort int `json:"internalGatewayPort,omitempty"`
-	// OTKPort is used in Single mode - sets the otk.port cluster-wide property and in Dual-Mode
-	// sets host_oauth2_auth_server port in #OTK Client Context Variables
-	// TODO: Make this an array for many dmz deployments to one internal
-	DmzOtkGatewayReference string `json:"dmzGatewayReference,omitempty"`
 	// OTKPort defaults to 8443
 	OTKPort int `json:"port,omitempty"`
 	// MaintenanceTasks for the OTK database are disabled by default
 	MaintenanceTasks OtkMaintenanceTasks `json:"maintenanceTasks,omitempty"`
-	// RuntimeSyncIntervalSeconds how often OTK Gateways should be updated in internal/dmz mode
-	RuntimeSyncIntervalSeconds int `json:"runtimeSyncIntervalSeconds,omitempty"`
+	//InternalOTKGateway reference if type is dmz
+	InternalOTKGateway GatewayReference `json:"internalGateway,omitempty"`
+	//DmzOTKGateway reference if type is internal
+	DmzOTKGateway GatewayReference `json:"dmzGateway,omitempty"`
+	// FipsCertificates is a list of certificate references for FIPS user management
+	// on Internal gateways. Each entry references a Secret or ConfigMap containing
+	// leaf certificates for DMZ gateway mTLS client authentication.
+	FipsCertificates []OtkFipsCertificate `json:"fipsCertificates,omitempty"`
+}
+
+type OtkFipsCertificate struct {
+	// Enabled or disabled
+	Enabled bool `json:"enabled,omitempty"`
+	// Name of the Secret or ConfigMap
+	Name string `json:"name,omitempty"`
+	// Type of the referenced resource: "secret" or "configmap"
+	Type string `json:"type,omitempty"`
 }
 
 // OtkMaintenanceTasks are included in the install bundle as disabled scheduled tasks
@@ -380,6 +391,19 @@ type OtkMaintenanceTasks struct {
 	Enabled bool `json:"enabled,omitempty"`
 }
 
+type GatewayReference struct {
+	// Name of the gateway
+	// if managing otk gateways across namespaces this must match the referenced gateway CR
+	Name string `json:"name,omitempty"`
+	// Namespace of the referenced gateway if managing gateways cross namespace (optional)
+	Namespace string `json:"namespace,omitempty"`
+	// Url of the target gateway
+	// used for post-installation gateway policy configuration
+	Url string `json:"url,omitempty"`
+	// Port of the target gateway
+	Port int `json:"port,omitempty"`
+}
+
 type OtkOverrides struct {
 	// Enable or disable otk overrides
 	Enabled bool `json:"enabled,omitempty"`
@@ -893,6 +917,8 @@ type ExternalKey struct {
 	// only one key usage type is allowed
 	// SSL | CA | AUDIT_SIGNING | AUDIT_VIEWER
 	KeyUsageType KeyUsageType `json:"keyUsageType,omitempty"`
+	// Otk indicates that this key usage was specific for OTK
+	//Otk bool `json:"otk,omitempty"`
 }
 
 type KeyUsageType string

diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/security.brcmlabs.com_gateways.yaml b/config/crd/bases/security.brcmlabs.com_gateways.yaml
@@ -4003,12 +4003,47 @@ spec:
                             description: Type of OTK Database
                             type: string
                         type: object
-                      dmzGatewayReference:
-                        description: OTKPort is used in Single mode - sets the otk.
-                        type: string
+                      dmzGateway:
+                        description: DmzOTKGateway reference if type is internal
+                        properties:
+                          name:
+                            description: |-
+                              Name of the gateway
+                              if managing otk gateways across namespaces this must...
+                            type: string
+                          namespace:
+                            description: Namespace of the referenced gateway if managing
+                              gateways cross namespace...
+                            type: string
+                          port:
+                            description: Port of the target gateway
+                            type: integer
+                          url:
+                            description: |-
+                              Url of the target gateway
+                              used for post-installation gateway policy...
+                            type: string
+                        type: object
                       enabled:
                         description: Enable or disable the OTK initContainer
                         type: boolean
+                      fipsCertificates:
+                        description: FipsCertificates is a list of certificate references
+                          for FIPS user...
+                        items:
+                          properties:
+                            enabled:
+                              description: Enabled or disabled
+                              type: boolean
+                            name:
+                              description: Name of the Secret or ConfigMap
+                              type: string
+                            type:
+                              description: 'Type of the referenced resource: "secret"
+                                or "configmap"'
+                              type: string
+                          type: object
+                        type: array
                       initContainerImage:
                         description: InitContainerImage for the initContainer
                         type: string
@@ -4142,14 +4177,27 @@ spec:
                                 type: string
                             type: object
                         type: object
-                      internalGatewayPort:
-                        description: InternalGatewayPort defaults to 9443 or graphmanDynamicSync
-                          port
-                        type: integer
-                      internalGatewayReference:
-                        description: InternalOtkGatewayReference to an Operator managed
-                          Gateway deployment that...
-                        type: string
+                      internalGateway:
+                        description: InternalOTKGateway reference if type is dmz
+                        properties:
+                          name:
+                            description: |-
+                              Name of the gateway
+                              if managing otk gateways across namespaces this must...
+                            type: string
+                          namespace:
+                            description: Namespace of the referenced gateway if managing
+                              gateways cross namespace...
+                            type: string
+                          port:
+                            description: Port of the target gateway
+                            type: integer
+                          url:
+                            description: |-
+                              Url of the target gateway
+                              used for post-installation gateway policy...
+                            type: string
+                        type: object
                       maintenanceTasks:
                         description: MaintenanceTasks for the OTK database are disabled
                           by default
@@ -4158,6 +4206,10 @@ spec:
                             description: Enable or disable database maintenance tasks
                             type: boolean
                         type: object
+                      manageCrossNamespace:
+                        description: ManageCrossNamespace allows a cluster-wide layer7
+                          operator to manage...
+                        type: boolean
                       overrides:
                         description: Overrides default OTK install functionality
                         properties:
@@ -4192,10 +4244,6 @@ spec:
                       port:
                         description: OTKPort defaults to 8443
                         type: integer
-                      runtimeSyncIntervalSeconds:
-                        description: RuntimeSyncIntervalSeconds how often OTK Gateways
-                          should be updated in...
-                        type: integer
                       subSolutionKitNames:
                         description: A list of subSolutionKitNames - all,internal
                           or dmz cover the primary use...
@@ -6479,6 +6527,14 @@ spec:
                 items:
                   type: string
                 type: array
+              lastAppliedOtkFipsCerts:
+                additionalProperties:
+                  items:
+                    type: string
+                  type: array
+                description: LastAppliedOtkFipsCerts tracks which OTK FIPS user certificates
+                  have been...
+                type: object
               managementPod:
                 description: Management Pod is a Gateway with a special annotation
                   is used as a...