Guessing here... but might this be due to the Docker image having an internal NAT layer? In other words, is the IP address that the UNA is actually using within the Docker container the same as the Docker address on the outside-facing OpenWrt?
If the docker container is routing, you'll have to use L3 adoption methods to get your devices connected to UNA.
Docker with the option -p/ports binds to all IPs (0.0.0.0/0) by default. With an IP (as we did) we can tell Docker to only bind to a specific IP. I guess AP/network discovery of the UniFi controller only works when listening on all IPs…
In my example I only bound the web interface to my IP. If you use UniFi guest portal HTTPS and HTTP you probably also have to bind them to your IP.
@Hudra thank you, your suggestion worked for UAPs, however the dumb USW-Flex-Mini could still not be adopted with the settings you recommended (while working fine in an LXC container). When I tried to enable the host network_mode like @trendy suggested, the USW-Flex-Mini was adopted, but I have to enter 2FA every time I log in now and I can't SSH into the controller. Any ideas?
I don't know about the 2FA, I am using local login only with user/pass. Regarding SSH, I'd say it is conflicting with 22 on OpenWrt. Since you are in host mode, all ports are directly bound on OpenWrt. So maybe you could change the port to 2222.
You're mixing IP binding and all-binding things, which in my experience will confuse UniFi devices.
I suggest using IP:port:port syntax for all ports. Obviously the IP should be set within the UniFi controller too, as the inform IP, to override the internal IP (i.e. the Docker container's IP) that the UniFi controller advertises by default.
Looks like @grrr2 is correct that all port bindings should have an explicit IP. I've removed the host network mode and added the IP to all the bindings and everything works! Thanks to @Hudra, @psherman, @trendy and @grrr2 for guiding this thread to a successful conclusion!
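
The outcome of the thread (every port binding carries an explicit host IP instead of a mix of pinned and all-interface bindings) can be checked mechanically. The Python below is an added example, not code from any poster in the thread: it parses the IP:port:port short syntax and reports which mappings still bind to all interfaces. The address 192.168.1.1, the port lists and the function names are constructed for illustration.

```python
import ipaddress
import re

# Short syntax shared by `docker run -p` and compose `ports:` entries:
#   [IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
_SPEC = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+(?:-\d+)?)?:)?"
    r"(?P<container>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)
# Writing the wildcard address explicitly is the same as giving no IP at all.
WILDCARDS = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("::")}


def bind_address(spec):
    """Return the host IP a mapping is pinned to, or None if it binds to all interfaces."""
    m = _SPEC.match(spec.strip())
    if m is None:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    if m["ip"] is None:
        return None
    ip = ipaddress.ip_address(m["ip"].strip("[]"))  # raises on a malformed address
    return None if ip in WILDCARDS else str(ip)


def audit(ports):
    """Group mappings by bind address; 'mixed' is the state the thread had to fix."""
    pinned, wildcard = {}, []
    for spec in ports:
        ip = bind_address(spec)
        if ip is None:
            wildcard.append(spec)
        else:
            pinned.setdefault(ip, []).append(spec)
    return {"pinned": pinned, "wildcard": wildcard,
            "mixed": bool(pinned) and bool(wildcard)}


# Constructed samples: only the web UI pinned, then every binding pinned.
BEFORE = ["192.168.1.1:8443:8443", "8080:8080", "3478:3478/udp", "10001:10001/udp"]
AFTER = ["192.168.1.1:8443:8443", "192.168.1.1:8080:8080",
         "192.168.1.1:3478:3478/udp", "192.168.1.1:10001:10001/udp"]

if __name__ == "__main__":
    for name, ports in (("before", BEFORE), ("after", AFTER)):
        result = audit(ports)
        print(name, "mixed:", result["mixed"], "all-interface:", result["wildcard"])
```

Any mapping listed under "all-interface" is also reachable on every other interface of the OpenWrt host, so the same check shows which controller ports are exposed beyond the intended LAN address.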