Enable OKP support

This commit adds the first step in supporting OKP for OpenStack
Lightspeed.

Two new configuration sections were added: "okp" and "dev". The "okp"
section holds configurations that are more final to the deployment where
the "dev" is an easy to way for developers to test the feature while
tests/developing it.

The options available in "okp" section are:

- offline: Whether OKP should be in "offline" mode or not.
- accessKey: The OKP access key to decrypt the paid content in the image

The options available in the "dev" section are:

- feature_flags: This is a list of features that operator wants to expose
  to be enabled. The value "okp" in the list will deploy OKP.
- okp_chunk_filter_query: This is where we can tweak the OKP filter to
  filter by product, version etc...

Signed-off-by: Lucas Alvares Gomes <lucasagomes@gmail.com>

Author: umago

api/v1beta1/openstacklightspeed_types.go

@@ -21,6 +21,7 @@ import (
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 )
 
 const (
@@ -45,10 +46,36 @@ const (
 	// ConsoleContainerImagePF5 is the fall-back console image for PatternFly 5 (OCP < 4.19)
 	ConsoleContainerImagePF5 = "registry.redhat.io/openshift-lightspeed/lightspeed-console-plugin-pf5-rhel9:1.0.12"
 
+	// OKPContainerImage is the fall-back container image for OKP (Offline Knowledge Portal)
+	OKPContainerImage = "registry.redhat.io/offline-knowledge-portal/rhokp-rhel9:latest"
+
 	// MaxTokensForResponseDefault is the default maximum number of tokens that should be used for response
 	MaxTokensForResponseDefault = 2048
 )
 
+// DevSpec is the internal structure for the Dev field. Not exposed in the CRD.
+// May change at any time without backward compatibility.
+type DevSpec struct {
+	FeatureFlags        []string `json:"featureFlags,omitempty"`
+	OKPChunkFilterQuery string   `json:"okpChunkFilterQuery,omitempty"`
+}
+
+// OKPSpec defines configuration for the Offline Knowledge Portal (OKP).
+type OKPSpec struct {
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=true
+	// Offline controls how source URLs are resolved.
+	// When true, uses parent_id (offline/Mimir-style).
+	// When false, uses reference_url (online).
+	Offline *bool `json:"offline,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// AccessKey is the name of the Secret containing the access key for the OKP server.
+	// The secret must contain a key named "access_key".
+	// An access key can be obtained from https://access.redhat.com/offline/access
+	AccessKey string `json:"accessKey,omitempty"`
+}
+
 // DatabaseSpec defines configuration for persistent PostgreSQL storage.
 type DatabaseSpec struct {
 	// +kubebuilder:validation:Optional
@@ -84,6 +111,16 @@ type OpenStackLightspeedSpec struct {
 	// When omitted, an emptyDir volume is used (data is lost on pod reschedule).
 	// When set, a PersistentVolumeClaim is created and mounted.
 	Database *DatabaseSpec `json:"database,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// OKP configures the Offline Knowledge Portal (OKP) RAG source.
+	OKP *OKPSpec `json:"okp,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// Dev contains developer/experimental configuration.
+	// This section is not part of the stable API and may change at any time without backward compatibility.
+	Dev runtime.RawExtension `json:"dev,omitempty"`
 }
 
 // LoggingConfig defines logging configuration for OpenStackLightspeed components
@@ -242,6 +279,7 @@ type OpenStackLightspeedDefaults struct {
 	PostgresImageURL     string
 	ConsoleImageURL      string
 	ConsoleImagePF5URL   string
+	OKPImageURL          string
 	MaxTokensForResponse int
 }
 
@@ -263,6 +301,8 @@ func SetupDefaults() {
 			"RELATED_IMAGE_CONSOLE_IMAGE_URL_DEFAULT", ConsoleContainerImage),
 		ConsoleImagePF5URL: util.GetEnvVar(
 			"RELATED_IMAGE_CONSOLE_PF5_IMAGE_URL_DEFAULT", ConsoleContainerImagePF5),
+		OKPImageURL: util.GetEnvVar(
+			"RELATED_IMAGE_OKP_IMAGE_URL_DEFAULT", OKPContainerImage),
 		MaxTokensForResponse: MaxTokensForResponseDefault,
 	}
 

api/v1beta1/zz_generated.deepcopy.go

@@ -69,6 +69,12 @@ spec:
                     pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                     x-kubernetes-int-or-string: true
                 type: object
+              dev:
+                description: |-
+                  Dev contains developer/experimental configuration.
+                  This section is not part of the stable API and may change at any time without backward compatibility.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
               enableOCPRAG:
                 default: false
                 description: Enables automatic OCP documentation based on cluster
@@ -155,6 +161,24 @@ spec:
                   Allows forcing a specific OCP version instead of auto-detection.
                   Format should be like "4.15", "4.16", etc.
                 type: string
+              okp:
+                description: OKP configures the Offline Knowledge Portal (OKP) RAG
+                  source.
+                properties:
+                  accessKey:
+                    description: |-
+                      AccessKey is the name of the Secret containing the access key for the OKP server.
+                      The secret must contain a key named "access_key".
+                      An access key can be obtained from https://access.redhat.com/offline/access
+                    type: string
+                  offline:
+                    default: true
+                    description: |-
+                      Offline controls how source URLs are resolved.
+                      When true, uses parent_id (offline/Mimir-style).
+                      When false, uses reference_url (online).
+                    type: boolean
+                type: object
               ragImage:
                 description: ContainerImage for the OpenStack Lightspeed RAG container
                   (will be set to environmental default if empty)

bundle/manifests/lightspeed.openstack.org_openstacklightspeeds.yaml

@@ -25,7 +25,7 @@ metadata:
       ]
     capabilities: Basic Install
     categories: AI/Machine Learning
-    createdAt: "2026-05-28T16:28:23Z"
+    createdAt: "2026-06-11T09:06:59Z"
     description: AI-powered virtual assistant for Red Hat OpenStack Services on OpenShift
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
@@ -299,6 +299,8 @@ spec:
                   value: quay.io/lightspeed-core/lightspeed-to-dataverse-exporter:latest
                 - name: RELATED_IMAGE_POSTGRES_IMAGE_URL_DEFAULT
                   value: registry.redhat.io/rhel9/postgresql-16:latest
+                - name: RELATED_IMAGE_OKP_IMAGE_URL_DEFAULT
+                  value: registry.redhat.io/offline-knowledge-portal/rhokp-rhel9:latest
                 image: quay.io/openstack-lightspeed/operator:latest
                 livenessProbe:
                   httpGet:
@@ -366,6 +368,7 @@ spec:
           - ""
           resources:
           - configmaps
+          - services
           verbs:
           - create
           - delete
@@ -378,7 +381,6 @@ spec:
           - ""
           resources:
           - persistentvolumeclaims
-          - services
           verbs:
           - create
           - get
@@ -415,6 +417,7 @@ spec:
           - deployments
           verbs:
           - create
+          - delete
           - get
           - list
           - patch
@@ -479,4 +482,6 @@ spec:
     name: exporter-image-url-default
   - image: registry.redhat.io/rhel9/postgresql-16:latest
     name: postgres-image-url-default
+  - image: registry.redhat.io/offline-knowledge-portal/rhokp-rhel9:latest
+    name: okp-image-url-default
   version: 0.0.1

bundle/manifests/openstack-lightspeed-operator.clusterserviceversion.yaml

@@ -69,6 +69,12 @@ spec:
                     pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
                     x-kubernetes-int-or-string: true
                 type: object
+              dev:
+                description: |-
+                  Dev contains developer/experimental configuration.
+                  This section is not part of the stable API and may change at any time without backward compatibility.
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
               enableOCPRAG:
                 default: false
                 description: Enables automatic OCP documentation based on cluster
@@ -155,6 +161,24 @@ spec:
                   Allows forcing a specific OCP version instead of auto-detection.
                   Format should be like "4.15", "4.16", etc.
                 type: string
+              okp:
+                description: OKP configures the Offline Knowledge Portal (OKP) RAG
+                  source.
+                properties:
+                  accessKey:
+                    description: |-
+                      AccessKey is the name of the Secret containing the access key for the OKP server.
+                      The secret must contain a key named "access_key".
+                      An access key can be obtained from https://access.redhat.com/offline/access
+                    type: string
+                  offline:
+                    default: true
+                    description: |-
+                      Offline controls how source URLs are resolved.
+                      When true, uses parent_id (offline/Mimir-style).
+                      When false, uses reference_url (online).
+                    type: boolean
+                type: object
               ragImage:
                 description: ContainerImage for the OpenStack Lightspeed RAG container
                   (will be set to environmental default if empty)

config/crd/bases/lightspeed.openstack.org_openstacklightspeeds.yaml

@@ -81,6 +81,8 @@ spec:
             value: quay.io/lightspeed-core/lightspeed-to-dataverse-exporter:latest
           - name: RELATED_IMAGE_POSTGRES_IMAGE_URL_DEFAULT
             value: registry.redhat.io/rhel9/postgresql-16:latest
+          - name: RELATED_IMAGE_OKP_IMAGE_URL_DEFAULT
+            value: registry.redhat.io/offline-knowledge-portal/rhokp-rhel9:latest
         securityContext:
           allowPrivilegeEscalation: false
           capabilities:

config/manager/manager.yaml

@@ -100,6 +100,7 @@ rules:
   - ""
   resources:
   - configmaps
+  - services
   verbs:
   - create
   - delete
@@ -112,7 +113,6 @@ rules:
   - ""
   resources:
   - persistentvolumeclaims
-  - services
   verbs:
   - create
   - get
@@ -149,6 +149,7 @@ rules:
   - deployments
   verbs:
   - create
+  - delete
   - get
   - list
   - patch

config/rbac/role.yaml

@@ -15,3 +15,10 @@ spec:
   # database:
   #   size: "5Gi"
   #   class: "my-storage-class"
+  # Uncomment to enable OKP (Offline Knowledge Portal) as an Inline RAG source:
+  # okp:
+  #   accessKey: okp-access-key-secret
+  # dev:
+  #   featureFlags:
+  #     - okp
+  #   okpChunkFilterQuery: "product:(*openstack* OR *openshift*)"

config/samples/api_v1beta1_openstacklightspeed.yaml

@@ -6,4 +6,5 @@ export RELATED_IMAGE_POSTGRES_IMAGE_URL_DEFAULT="registry.redhat.io/rhel9/postgr
 # the automated pipeline for building OGX-compatible vector database images
 # is ready.
 export RELATED_IMAGE_OPENSTACK_LIGHTSPEED_IMAGE_URL_DEFAULT="quay.io/openstack-lightspeed/rag-content:alpha-ogx-os-docs-2025.2"
+export RELATED_IMAGE_OKP_IMAGE_URL_DEFAULT="registry.redhat.io/offline-knowledge-portal/rhokp-rhel9:latest"
 export WATCH_NAMESPACE="openstack-lightspeed"

hack/env.sh

@@ -19,11 +19,14 @@ package controller
 import (
 	"context"
 	_ "embed"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"slices"
 	"strings"
 
 	common_helper "github.com/openstack-k8s-operators/lib-common/modules/common/helper"
+	apiv1beta1 "github.com/openstack-lightspeed/operator/api/v1beta1"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
@@ -126,6 +129,43 @@ func isDeploymentReady(deploy *appsv1.Deployment) bool {
 		deploy.Status.Replicas == replicas
 }
 
+// generateOKPSelectorLabels returns selector labels for OKP components.
+func generateOKPSelectorLabels() map[string]string {
+	return map[string]string{
+		"app.kubernetes.io/component":  "okp-server",
+		"app.kubernetes.io/managed-by": "openstack-lightspeed-operator",
+		"app.kubernetes.io/name":       "openstack-lightspeed-okp-server",
+		"app.kubernetes.io/part-of":    "openstack-lightspeed",
+	}
+}
+
+// parseDevConfig unmarshals the Dev RawExtension into a DevSpec.
+// Returns a zero-value DevSpec and an error on malformed input.
+func parseDevConfig(instance *apiv1beta1.OpenStackLightspeed) (apiv1beta1.DevSpec, error) {
+	var config apiv1beta1.DevSpec
+	if len(instance.Spec.Dev.Raw) > 0 {
+		if err := json.Unmarshal(instance.Spec.Dev.Raw, &config); err != nil {
+			return config, err
+		}
+	}
+	return config, nil
+}
+
+// isOKPEnabled returns true if the "okp" feature flag is present in the dev config.
+func isOKPEnabled(instance *apiv1beta1.OpenStackLightspeed) bool {
+	config, _ := parseDevConfig(instance)
+	return slices.Contains(config.FeatureFlags, "okp")
+}
+
+// getOKPChunkFilterQuery returns the chunk filter query from the dev config, or the default.
+func getOKPChunkFilterQuery(instance *apiv1beta1.OpenStackLightspeed) string {
+	config, _ := parseDevConfig(instance)
+	if config.OKPChunkFilterQuery != "" {
+		return config.OKPChunkFilterQuery
+	}
+	return OKPDefaultChunkFilterQuery
+}
+
 // getDeployment retrieves deployment from the cluster
 func getDeployment(ctx context.Context, h *common_helper.Helper, name string, namespace string) (*appsv1.Deployment, error) {
 	deployment := &appsv1.Deployment{}