Bankdata · stiidk · Apr 14, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026
@@ -222,9 +222,6 @@ type OPAControlPlaneConfig struct {
 	SystemDatasourceChanged string `json:"systemDatasourceChanged,omitempty"`
 	// LibraryDatasourceChanged is the URL to be called when a library datasource has changed.
 	LibraryDatasourceChanged string `json:"libraryDatasourceChanged,omitempty"`
-
-	// DecisionAPIConfig contains configuration for which api OPAs should use to and how
-	DecisionAPIConfig *DecisionAPIConfig `json:"decisionAPIConfig,omitempty"`
 }
 
 // UserCredentialHandler defines the structure of possible user credential handlers
@@ -266,17 +263,20 @@ type GitCredentials struct {
 
 // OPAConfig contains default configuration for the opa config generated by the styra-controller
 type OPAConfig struct {
-	DecisionLogs           DecisionLog      `json:"decisionLogs,omitempty" yaml:"decisionLogs,omitempty"`
-	Metrics                MetricsConfig    `json:"metrics,omitempty" yaml:"metrics,omitempty"`
-	PersistBundle          bool             `json:"persist_bundle,omitempty" yaml:"persist_bundle,omitempty"`
-	PersistBundleDirectory string           `json:"persist_bundle_directory,omitempty" yaml:"persist_bundle_directory,omitempty"` //nolint:lll
-	BundleServer           *OPABundleServer `json:"bundleServer,omitempty" yaml:"bundleServer,omitempty"`
+	DecisionLogs           DecisionLog        `json:"decisionLogs,omitempty" yaml:"decisionLogs,omitempty"`
+	Metrics                MetricsConfig      `json:"metrics,omitempty" yaml:"metrics,omitempty"`
+	PersistBundle          bool               `json:"persist_bundle,omitempty" yaml:"persist_bundle,omitempty"`
+	PersistBundleDirectory string             `json:"persist_bundle_directory,omitempty" yaml:"persist_bundle_directory,omitempty"` //nolint:lll
+	BundleServer           *OPABundleServer   `json:"bundleServer,omitempty" yaml:"bundleServer,omitempty"`
+	DecisionAPIConfig      *DecisionAPIConfig `json:"decisionAPIConfig,omitempty" yaml:"decisionAPIConfig,omitempty"`
 }
 
 // OPABundleServer contains configuration for the OPA bundle server
 type OPABundleServer struct {
-	URL  string `json:"url,omitempty" yaml:"url,omitempty"`
-	Path string `json:"path,omitempty" yaml:"path,omitempty"`
+	Name      string `json:"name,omitempty" yaml:"name,omitempty"`
+	URL       string `json:"url,omitempty" yaml:"url,omitempty"`
+	Path      string `json:"path,omitempty" yaml:"path,omitempty"`
+	TokenPath string `json:"tokenPath,omitempty" yaml:"tokenPath,omitempty"`
 }
 
 // MetricsConfig contains configuration for OPA metrics
@@ -301,7 +301,9 @@ type DecisionLog struct {
 
 // DecisionAPIConfig contains configuration for decision log dispatch
 type DecisionAPIConfig struct {
+	Name       string               `json:"name,omitempty"`
 	ServiceURL string               `json:"serviceUrl,omitempty"`
+	TokenPath  string               `json:"tokenPath,omitempty"`
 	Reporting  DecisionLogReporting `json:"reporting,omitempty"`
 }
 

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: libraries.styra.bankdata.dk
 spec:
   group: styra.bankdata.dk

@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.20.0
+    controller-gen.kubebuilder.io/version: v0.20.1
   name: systems.styra.bankdata.dk
 spec:
   group: styra.bankdata.dk

@@ -531,26 +531,34 @@ func (r *SystemReconciler) reconcileOPAConfigMapForOCP(
 			WithSystemCondition(v1beta1.ConditionTypeOPAConfigMapUpdated)
 	}
 
+	bundleServiceCredentials := &ocp.ServiceCredentials{
+		S3: &ocp.S3Signing{
+			S3EnvironmentCredentials: map[string]ocp.EmptyStruct{},
+		}}
+	if r.Config.OPA.BundleServer.TokenPath != "" {
+		bundleServiceCredentials = &ocp.ServiceCredentials{
+			Bearer: &ocp.Bearer{
+				TokenPath: r.Config.OPA.BundleServer.TokenPath,
+			},
+		}
+	}
+
 	opaconf := ocp.OPAConfig{
 		BundleService: &ocp.OPAServiceConfig{
-			Name: "s3",
-			URL:  bundleURL,
-			Credentials: &ocp.ServiceCredentials{
-				S3: &ocp.S3Signing{
-					S3EnvironmentCredentials: map[string]ocp.EmptyStruct{},
-				},
-			},
+			Name:        r.Config.OPA.BundleServer.Name,
+			URL:         bundleURL,
+			Credentials: bundleServiceCredentials,
 		},
 		LogService: &ocp.OPAServiceConfig{
-			Name: "logs",
-			URL:  r.Config.OPAControlPlaneConfig.DecisionAPIConfig.ServiceURL,
+			Name: r.Config.OPA.DecisionAPIConfig.Name,
+			URL:  r.Config.OPA.DecisionAPIConfig.ServiceURL,
 			Credentials: &ocp.ServiceCredentials{
 				Bearer: &ocp.Bearer{
-					TokenPath: "/run/secrets/kubernetes.io/serviceaccount/token",
+					TokenPath: r.Config.OPA.DecisionAPIConfig.TokenPath,
 				},
 			},
 		},
-		DecisionLogReporting: r.Config.OPAControlPlaneConfig.DecisionAPIConfig.Reporting,
+		DecisionLogReporting: r.Config.OPA.DecisionAPIConfig.Reporting,
 		BundleResource:       fmt.Sprintf("bundles/%s/bundle.tar.gz", uniqueName),
 		UniqueName:           uniqueName,
 		Namespace:            system.Namespace,

@@ -155,14 +155,6 @@ var _ = ginkgo.BeforeSuite(func() {
 						OCPConfigSecretName: "s3-credentials",
 					},
 				},
-				DecisionAPIConfig: &configv2alpha2.DecisionAPIConfig{
-					ServiceURL: "log-api-url",
-					Reporting: configv2alpha2.DecisionLogReporting{
-						MaxDelaySeconds:      60,
-						MinDelaySeconds:      5,
-						UploadSizeLimitBytes: 1024,
-					},
-				},
 			},
 			UserCredentialHandler: &configv2alpha2.UserCredentialHandler{
 				S3: &configv2alpha2.S3Handler{
@@ -175,8 +167,20 @@ var _ = ginkgo.BeforeSuite(func() {
 			},
 			OPA: configv2alpha2.OPAConfig{
 				BundleServer: &configv2alpha2.OPABundleServer{
-					URL:  "https://s3-url2",
-					Path: "/test-bucket",
+					Name:      "bundle-server",
+					URL:       "https://bundle-server-url",
+					Path:      "/test-bucket",
+					TokenPath: "token-path-bundle-server",
+				},
+				DecisionAPIConfig: &configv2alpha2.DecisionAPIConfig{
+					Name:       "decision-api",
+					ServiceURL: "decision-api-url",
+					TokenPath:  "token-path-decision-api",
+					Reporting: configv2alpha2.DecisionLogReporting{
+						MaxDelaySeconds:      60,
+						MinDelaySeconds:      5,
+						UploadSizeLimitBytes: 1024,
+					},
 				},
 			},
 		},

@@ -2817,28 +2817,28 @@ var _ = ginkgo.Describe("SystemReconciler.ReconcileOCPSystem", ginkgo.Label("int
 			expectedYAML := `bundles:
   authz:
     resource: bundles/default-ocp-system/bundle.tar.gz
-    service: s3
+    service: bundle-server
 decision_logs:
   reporting:
     max_delay_seconds: 60
     min_delay_seconds: 5
     upload_size_limit_bytes: 1024
   resource_path: /logs
-  service: logs
+  service: decision-api
 labels:
   namespace: default
   unique-name: default-ocp-system
 services:
 - credentials:
-    s3_signing:
-      environment_credentials: {}
-  name: s3
-  url: https://s3-url2/test-bucket
+    bearer:
+      token_path: token-path-bundle-server
+  name: bundle-server
+  url: https://bundle-server-url/test-bucket
 - credentials:
     bearer:
-      token_path: /run/secrets/kubernetes.io/serviceaccount/token
-  name: logs
-  url: log-api-url
+      token_path: token-path-decision-api
+  name: decision-api
+  url: decision-api-url
 `
 
 			if err := yaml.Unmarshal([]byte(actualYAML), &actualMap); err != nil {