| The unifiedpush-operator runs in the same cluster as the UPS instances that it creates, so there's no need for its communication with UPS to leave the cluster and then come back in through the router and have to authenticate. We just need to create an additional Service (internal only, not exposed through a Route) that targets the UPS port (8080) in the pod rather than the oauth-proxy port. Then the operator interacts with UPS through that Service. |
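
The internal Service described above, as an added example that is not taken from the original page or from the unifiedpush-operator project. Port 8080 has no oauth-proxy in front of it, so the Service is paired with a NetworkPolicy that admits only the operator's pods on that port. The resource names, the labels, the `oauth-proxy` port name and the operator sharing the UPS namespace are all assumptions.

```yaml
# Added example; names, labels and the "oauth-proxy" port name are assumptions.
apiVersion: v1
kind: Service
metadata:
  name: example-unifiedpush-internal     # hypothetical name
spec:
  type: ClusterIP                        # internal only; no Route points at it
  selector:
    app: example-unifiedpush             # assumed label on the UPS pod
  ports:
    - name: ups-direct
      port: 8080
      targetPort: 8080                   # UPS container port, not the oauth-proxy port
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-unifiedpush-ingress      # hypothetical name
spec:
  podSelector:
    matchLabels:
      app: example-unifiedpush           # same assumed UPS pod label
  policyTypes:
    - Ingress
  ingress:
    # Direct UPS port: only the operator's pods (same namespace) may connect.
    - from:
        - podSelector:
            matchLabels:
              name: unifiedpush-operator # assumed operator pod label
      ports:
        - protocol: TCP
          port: 8080
    # Authenticated path behind the Route stays open to all sources.
    - ports:
        - protocol: TCP
          port: oauth-proxy              # assumed named container port
```

If the operator runs in a different namespace, the first `from` entry needs a `namespaceSelector` alongside the `podSelector`.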