Merge pull request #149 from bharath-b-rh/eso-396

ESO-396: Mount user configured trustedCABundle on external-secrets core controller

Author: openshift-merge-bot[bot]

api/v1alpha1/external_secrets_config_types.go

@@ -162,8 +162,9 @@ type ControllerConfig struct {
 
 	// trustedCABundle references a ConfigMap containing PEM-encoded CA certificates for the external-secrets core controller to trust when making outbound TLS connections.
 	// If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.
-	// The ConfigMap must exist in the external-secrets operand namespace.
-	// When omitted, external providers fall back to standard system certificates, while proxy connections use the OpenShift trusted CA bundle by default.
+	// The ConfigMap must exist in the external-secrets operand namespace and must not carry the CNO inject-trusted-cabundle label when proxy is configured.
+	// When omitted, external providers use standard system certificates. When proxy is configured, proxy TLS connections use the operator-managed
+	// OpenShift trusted CA bundle injected by the Cluster Network Operator.
 	// +optional
 	TrustedCABundle *ConfigMapKeyReference `json:"trustedCABundle,omitempty"`
 }

api/v1alpha1/groupversion_info.go

@@ -28,6 +28,9 @@ var (
 	// GroupVersion is group version used to register these objects.
 	GroupVersion = schema.GroupVersion{Group: "operator.openshift.io", Version: "v1alpha1"}
 
+	// ExternalSecretsConfigGVR is the GroupVersionResource for ExternalSecretsConfig.
+	ExternalSecretsConfigGVR = GroupVersion.WithResource("externalsecretsconfigs")
+
 	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
 	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
 

api/v1alpha1/meta.go

@@ -112,11 +112,9 @@ type ProxyConfig struct {
 	// +optional
 	NoProxy string `json:"noProxy,omitempty"`
 
-	// NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
-	// When set to Managed, the operator automatically provisions and maintains
-	// a NetworkPolicy allowing traffic to the configured proxy.
-	// If no proxy is configured, no NetworkPolicy will be created
-	// regardless of this setting.
+	// networkPolicyProvisioning defines the management strategy for the proxy egress rule.
+	// When set to Managed, the operator automatically provisions and maintains a NetworkPolicy allowing traffic to the configured proxy.
+	// If no proxy is configured, no NetworkPolicy will be created regardless of this setting.
 	// +kubebuilder:validation:Enum=Managed;Unmanaged
 	// +kubebuilder:default=Managed
 	// +optional

bindata/external-secrets/networkpolicy_allow-dns.yaml

@@ -33,4 +33,4 @@ spec:
         - protocol: UDP
           port: 53
   policyTypes:
-      - Egress
+      - Egress

bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml

@@ -1037,11 +1037,9 @@ spec:
                       networkPolicyProvisioning:
                         default: Managed
                         description: |-
-                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
-                          When set to Managed, the operator automatically provisions and maintains
-                          a NetworkPolicy allowing traffic to the configured proxy.
-                          If no proxy is configured, no NetworkPolicy will be created
-                          regardless of this setting.
+                          networkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created regardless of this setting.
                         enum:
                         - Managed
                         - Unmanaged
@@ -1774,8 +1772,9 @@ spec:
                     description: |-
                       trustedCABundle references a ConfigMap containing PEM-encoded CA certificates for the external-secrets core controller to trust when making outbound TLS connections.
                       If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.
-                      The ConfigMap must exist in the external-secrets operand namespace.
-                      When omitted, external providers fall back to standard system certificates, while proxy connections use the OpenShift trusted CA bundle by default.
+                      The ConfigMap must exist in the external-secrets operand namespace and must not carry the CNO inject-trusted-cabundle label when proxy is configured.
+                      When omitted, external providers use standard system certificates. When proxy is configured, proxy TLS connections use the operator-managed
+                      OpenShift trusted CA bundle injected by the Cluster Network Operator.
                     properties:
                       key:
                         default: ca-bundle.crt

bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml

@@ -1072,11 +1072,9 @@ spec:
                       networkPolicyProvisioning:
                         default: Managed
                         description: |-
-                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
-                          When set to Managed, the operator automatically provisions and maintains
-                          a NetworkPolicy allowing traffic to the configured proxy.
-                          If no proxy is configured, no NetworkPolicy will be created
-                          regardless of this setting.
+                          networkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created regardless of this setting.
                         enum:
                         - Managed
                         - Unmanaged

config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml

@@ -1037,11 +1037,9 @@ spec:
                       networkPolicyProvisioning:
                         default: Managed
                         description: |-
-                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
-                          When set to Managed, the operator automatically provisions and maintains
-                          a NetworkPolicy allowing traffic to the configured proxy.
-                          If no proxy is configured, no NetworkPolicy will be created
-                          regardless of this setting.
+                          networkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created regardless of this setting.
                         enum:
                         - Managed
                         - Unmanaged
@@ -1774,8 +1772,9 @@ spec:
                     description: |-
                       trustedCABundle references a ConfigMap containing PEM-encoded CA certificates for the external-secrets core controller to trust when making outbound TLS connections.
                       If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.
-                      The ConfigMap must exist in the external-secrets operand namespace.
-                      When omitted, external providers fall back to standard system certificates, while proxy connections use the OpenShift trusted CA bundle by default.
+                      The ConfigMap must exist in the external-secrets operand namespace and must not carry the CNO inject-trusted-cabundle label when proxy is configured.
+                      When omitted, external providers use standard system certificates. When proxy is configured, proxy TLS connections use the operator-managed
+                      OpenShift trusted CA bundle injected by the Cluster Network Operator.
                     properties:
                       key:
                         default: ca-bundle.crt

config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml

@@ -1072,11 +1072,9 @@ spec:
                       networkPolicyProvisioning:
                         default: Managed
                         description: |-
-                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
-                          When set to Managed, the operator automatically provisions and maintains
-                          a NetworkPolicy allowing traffic to the configured proxy.
-                          If no proxy is configured, no NetworkPolicy will be created
-                          regardless of this setting.
+                          networkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created regardless of this setting.
                         enum:
                         - Managed
                         - Unmanaged

docs/api_reference.md

@@ -221,7 +221,7 @@ _Appears in:_
 | `annotations` _object (keys:string, values:string)_ | annotations are for adding custom annotations to all the resources created for external-secrets deployment.<br />The annotations are merged with any default annotations set by the operator. User-specified annotations take precedence over defaults in case of conflicts.<br />Annotation keys containing domains `kubernetes.io/`, `openshift.io/`, `cert-manager.io/` or `k8s.io/` (including subdomains like `*.kubernetes.io/`) are not allowed. |  | MaxProperties: 20 <br />MinProperties: 0 <br /> |
 | `networkPolicies` _[NetworkPolicy](#networkpolicy) array_ | networkPolicies specifies the list of network policy configurations<br />to be applied to external-secrets pods.<br />Each entry allows specifying a name for the generated NetworkPolicy object,<br />along with its full Kubernetes NetworkPolicy definition.<br />The operator prepends "eso-user-" to the provided name when creating the Kubernetes object.<br />If this field is not provided, external-secrets components will be isolated<br />with deny-all network policies, which will prevent proper operation. |  | MaxItems: 50 <br />MinItems: 0 <br /> |
 | `componentConfigs` _[ComponentConfig](#componentconfig) array_ | componentConfigs allows specifying deployment-level configuration overrides for individual external-secrets components. This field enables fine-grained control over deployment settings for each component independently.<br />Each component can only have one configuration entry. |  | MaxItems: 4 <br />MinItems: 0 <br /> |
-| `trustedCABundle` _[ConfigMapKeyReference](#configmapkeyreference)_ | trustedCABundle references a ConfigMap containing PEM-encoded CA certificates for the external-secrets core controller to trust when making outbound TLS connections.<br />If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.<br />The ConfigMap must exist in the external-secrets operand namespace.<br />When omitted, external providers fall back to standard system certificates, while proxy connections use the OpenShift trusted CA bundle by default. |  |  |
+| `trustedCABundle` _[ConfigMapKeyReference](#configmapkeyreference)_ | trustedCABundle references a ConfigMap containing PEM-encoded CA certificates for the external-secrets core controller to trust when making outbound TLS connections.<br />If specified, this bundle is used for all outbound TLS traffic, including connections to external secret management systems and configured proxies.<br />The ConfigMap must exist in the external-secrets operand namespace and must not carry the CNO inject-trusted-cabundle label when proxy is configured.<br />When omitted, external providers use standard system certificates. When proxy is configured, proxy TLS connections use the operator-managed<br />OpenShift trusted CA bundle injected by the Cluster Network Operator. |  |  |
 
 
 #### ControllerStatus
@@ -568,7 +568,7 @@ _Appears in:_
 | `httpProxy` _string_ | httpProxy is the URL of the proxy for HTTP requests.<br />This field can have a maximum of 2048 characters. |  | MaxLength: 2048 <br />MinLength: 0 <br /> |
 | `httpsProxy` _string_ | httpsProxy is the URL of the proxy for HTTPS requests.<br />This field can have a maximum of 2048 characters. |  | MaxLength: 2048 <br />MinLength: 0 <br /> |
 | `noProxy` _string_ | noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.<br />This field can have a maximum of 4096 characters. |  | MaxLength: 4096 <br />MinLength: 0 <br /> |
-| `networkPolicyProvisioning` _[ManagementState](#managementstate)_ | NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.<br />When set to Managed, the operator automatically provisions and maintains<br />a NetworkPolicy allowing traffic to the configured proxy.<br />If no proxy is configured, no NetworkPolicy will be created<br />regardless of this setting. | Managed | Enum: [Managed Unmanaged] <br /> |
+| `networkPolicyProvisioning` _[ManagementState](#managementstate)_ | networkPolicyProvisioning defines the management strategy for the proxy egress rule.<br />When set to Managed, the operator automatically provisions and maintains a NetworkPolicy allowing traffic to the configured proxy.<br />If no proxy is configured, no NetworkPolicy will be created regardless of this setting. | Managed | Enum: [Managed Unmanaged] <br /> |
 
 
 #### SecretReference

pkg/controller/commontest/utils.go

@@ -6,19 +6,20 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
+	"github.com/openshift/external-secrets-operator/pkg/controller/common"
 )
 
 const (
 	// TestExternalSecretsConfigResourceName is the name for ExternalSecretsConfig test CR.
-	TestExternalSecretsConfigResourceName = "cluster"
+	TestExternalSecretsConfigResourceName = common.ExternalSecretsConfigObjectName
 
 	// TestExternalSecretsImageName is the sample image name for external-secrets operand.
 	TestExternalSecretsImageName = "registry.redhat.io/external-secrets-operator/external-secrets-operator-rhel9"
 
 	// TestBitwardenImageName is the sample image name for bitwarden-sdk-server.
 	TestBitwardenImageName = "registry.stage.redhat.io/external-secrets-operator/bitwarden-sdk-server-rhel9"
 
-	// TestExternalSecretsNamespace is the sample namespace name for external-secrets deployment.
+	// TestExternalSecretsNamespace is the namespace name for external-secrets deployment.
 	TestExternalSecretsNamespace = "external-secrets"
 
 	// TestCRDName can be used for sample CRD resources.