openshift
diff --git a/‎pkg/controller/external_secrets/certificate.go‎
Lines changed: 14 additions & 13 deletions b/‎pkg/controller/external_secrets/certificate.go‎
Lines changed: 14 additions & 13 deletions
diff --git a/‎pkg/controller/external_secrets/certificate_test.go‎
Lines changed: 2 additions & 2 deletions b/‎pkg/controller/external_secrets/certificate_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/controller/external_secrets/deployments.go‎
Lines changed: 3 additions & 8 deletions b/‎pkg/controller/external_secrets/deployments.go‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎pkg/controller/external_secrets/networkpolicy.go‎
Lines changed: 4 additions & 15 deletions b/‎pkg/controller/external_secrets/networkpolicy.go‎
Lines changed: 4 additions & 15 deletions
diff --git a/‎pkg/controller/external_secrets/networkpolicy_test.go‎
Lines changed: 2 additions & 2 deletions b/‎pkg/controller/external_secrets/networkpolicy_test.go‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎pkg/controller/external_secrets/rbacs.go‎
Lines changed: 56 additions & 52 deletions b/‎pkg/controller/external_secrets/rbacs.go‎
Lines changed: 56 additions & 52 deletions
diff --git a/‎pkg/controller/external_secrets/secret.go‎
Lines changed: 16 additions & 26 deletions b/‎pkg/controller/external_secrets/secret.go‎
Lines changed: 16 additions & 26 deletions
diff --git a/‎pkg/controller/external_secrets/secret_test.go‎
Lines changed: 3 additions & 3 deletions b/‎pkg/controller/external_secrets/secret_test.go‎
Lines changed: 3 additions & 3 deletions
@@ -64,24 +64,25 @@ func (r *Reconciler) createOrApplyCertificate(esc *operatorv1alpha1.ExternalSecr
 		return common.FromClientError(err, "failed to check %s certificate resource already exists", certificateName)
 	}
 
-	if exist && recon {
+	if !exist {
+		return r.createWithFallback(desired, resourceMetadata, certificateName, esc)
+	}
+
+	if recon {
 		r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "%s certificate resource already exists, maybe from previous installation", certificateName)
 	}
-	if exist && common.HasObjectChanged(desired, fetched, &resourceMetadata) {
-		r.log.V(1).Info("certificate has been modified, updating to desired state", "name", certificateName)
-		common.RemoveObsoleteAnnotations(desired, resourceMetadata)
-		if err := r.UpdateWithRetry(r.ctx, desired); err != nil {
-			return common.FromClientError(err, "failed to update %s certificate resource", certificateName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "certificate resource %s reconciled back to desired state", certificateName)
-	} else {
+
+	if !common.HasObjectChanged(desired, fetched, &resourceMetadata) {
 		r.log.V(4).Info("certificate resource already exists and is in expected state", "name", certificateName)
+		return nil
 	}
-	if !exist {
-		if err := r.createWithFallback(desired, resourceMetadata, certificateName, esc); err != nil {
-			return err
-		}
+
+	r.log.V(1).Info("certificate has been modified, updating to desired state", "name", certificateName)
+	common.RemoveObsoleteAnnotations(desired, resourceMetadata)
+	if err := r.UpdateWithRetry(r.ctx, desired); err != nil {
+		return common.FromClientError(err, "failed to update %s certificate resource", certificateName)
 	}
+	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "certificate resource %s reconciled back to desired state", certificateName)
 
 	return nil
 }
 
@@ -124,8 +124,8 @@ func TestCreateOrApplyCertificates(t *testing.T) {
 				esc.Spec.ControllerConfig.CertProvider.CertManager.IssuerRef.Name = testIssuerName
 				esc.Spec.ControllerConfig.CertProvider.CertManager.IssuerRef.Kind = issuerKind
 			},
-			recon:                 false,
-			wantUserConfigErr:     true,
+			recon:                  false,
+			wantUserConfigErr:      true,
 			wantUserConfigNotFound: true,
 		},
 		{
 
@@ -85,10 +85,9 @@ func (r *Reconciler) createOrApplyDeploymentFromAsset(esc *operatorv1alpha1.Exte
 	}
 
 	if !exist {
-		if err := r.Create(r.ctx, deployment); err != nil {
-			return common.FromClientError(err, "failed to create %s deployment resource", deploymentName)
+		if err := r.createWithFallback(deployment, resourceMetadata, deploymentName, esc); err != nil {
+			return err
 		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s created", deploymentName)
 		return trustedCAErr
 	}
 
@@ -108,11 +107,7 @@ func (r *Reconciler) createOrApplyDeploymentFromAsset(esc *operatorv1alpha1.Exte
 	}
 	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s updated", deploymentName)
 
-	if trustedCAErr != nil {
-		return trustedCAErr
-	}
-
-	return nil
+	return trustedCAErr
 }
 
 func (r *Reconciler) getDeploymentObject(assetName string, esc *operatorv1alpha1.ExternalSecretsConfig, resourceMetadata common.ResourceMetadata) (*appsv1.Deployment, error) {
 
@@ -132,11 +132,7 @@ func (r *Reconciler) createOrApplyCustomNetworkPolicy(esc *operatorv1alpha1.Exte
 	}
 
 	if !exists {
-		if err := r.Create(r.ctx, networkPolicy); err != nil {
-			return common.FromClientError(err, "failed to create network policy %s", networkPolicyName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)
-		return nil
+		return r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc)
 	}
 
 	if externalSecretsConfigCreateRecon {
@@ -174,11 +170,7 @@ func (r *Reconciler) createOrApplyNetworkPolicyFromAsset(esc *operatorv1alpha1.E
 	}
 
 	if !exists {
-		if err := r.Create(r.ctx, networkPolicy); err != nil {
-			return common.FromClientError(err, "failed to create network policy %s", networkPolicyName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)
-		return nil
+		return r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc)
 	}
 
 	if externalSecretsConfigCreateRecon {
@@ -278,12 +270,9 @@ func (r *Reconciler) reconcileProxyEgressPolicy(esc *operatorv1alpha1.ExternalSe
 	}
 
 	np := buildProxyEgressNetworkPolicy(r.proxyConfig, namespace, resourceMetadata)
+
 	if !exists {
-		if err := r.Create(r.ctx, np); err != nil {
-			return common.FromClientError(err, "failed to create proxy egress network policy %s", npName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "proxy egress NetworkPolicy %s created", npName)
-		return nil
+		return r.createWithFallback(np, resourceMetadata, npName, esc)
 	}
 
 	if recon {
 
@@ -145,7 +145,7 @@ func TestCreateOrApplyStaticNetworkPolicies(t *testing.T) {
 					return nil
 				})
 			},
-			wantErr: "failed to create network policy external-secrets/eso-sys-deny-all-traffic: test client error",
+			wantErr: "failed to create NetworkPolicy external-secrets/eso-sys-deny-all-traffic: test client error",
 		},
 		{
 			name: "network policy exists check fails",
@@ -343,7 +343,7 @@ func TestCreateOrApplyCustomNetworkPolicies(t *testing.T) {
 					},
 				}
 			},
-			wantErr: "failed to create network policy external-secrets/eso-user-test-fail-policy: test client error",
+			wantErr: "failed to create NetworkPolicy external-secrets/eso-user-test-fail-policy: test client error",
 		},
 		{
 			name: "custom network policy updated successfully",
 
@@ -111,24 +111,25 @@ func (r *Reconciler) createOrApplyClusterRole(esc *operatorv1alpha1.ExternalSecr
 		return common.FromClientError(err, "failed to check %s clusterrole resource already exists", clusterRoleName)
 	}
 
-	if exist && recon {
+	if !exist {
+		return r.createWithFallback(obj, resourceMetadata, clusterRoleName, esc)
+	}
+
+	if recon {
 		r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "%s clusterrole resource already exists, maybe from previous installation", clusterRoleName)
 	}
-	if exist && common.HasObjectChanged(obj, fetched, &resourceMetadata) {
-		r.log.V(1).Info("clusterrole has been modified, updating to desired state", "name", clusterRoleName)
-		common.RemoveObsoleteAnnotations(obj, resourceMetadata)
-		if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
-			return common.FromClientError(err, "failed to update %s clusterrole resource", clusterRoleName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrole resource %s reconciled back to desired state", clusterRoleName)
-	} else {
+
+	if !common.HasObjectChanged(obj, fetched, &resourceMetadata) {
 		r.log.V(4).Info("clusterrole resource already exists and is in expected state", "name", clusterRoleName)
+		return nil
 	}
-	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, clusterRoleName, esc); err != nil {
-			return err
-		}
+
+	r.log.V(1).Info("clusterrole has been modified, updating to desired state", "name", clusterRoleName)
+	common.RemoveObsoleteAnnotations(obj, resourceMetadata)
+	if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
+		return common.FromClientError(err, "failed to update %s clusterrole resource", clusterRoleName)
 	}
+	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrole resource %s reconciled back to desired state", clusterRoleName)
 
 	return nil
 }
@@ -156,24 +157,25 @@ func (r *Reconciler) createOrApplyClusterRoleBinding(esc *operatorv1alpha1.Exter
 		return common.FromClientError(err, "failed to check %s clusterrolebinding resource already exists", clusterRoleBindingName)
 	}
 
-	if exist && recon {
+	if !exist {
+		return r.createWithFallback(obj, resourceMetadata, clusterRoleBindingName, esc)
+	}
+
+	if recon {
 		r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "%s clusterrolebinding resource already exists, maybe from previous installation", clusterRoleBindingName)
 	}
-	if exist && common.HasObjectChanged(obj, fetched, &resourceMetadata) {
-		r.log.V(1).Info("clusterrolebinding has been modified, updating to desired state", "name", clusterRoleBindingName)
-		common.RemoveObsoleteAnnotations(obj, resourceMetadata)
-		if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
-			return common.FromClientError(err, "failed to update %s clusterrolebinding resource", clusterRoleBindingName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrolebinding resource %s reconciled back to desired state", clusterRoleBindingName)
-	} else {
+
+	if !common.HasObjectChanged(obj, fetched, &resourceMetadata) {
 		r.log.V(4).Info("clusterrolebinding resource already exists and is in expected state", "name", clusterRoleBindingName)
+		return nil
 	}
-	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, clusterRoleBindingName, esc); err != nil {
-			return err
-		}
+
+	r.log.V(1).Info("clusterrolebinding has been modified, updating to desired state", "name", clusterRoleBindingName)
+	common.RemoveObsoleteAnnotations(obj, resourceMetadata)
+	if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
+		return common.FromClientError(err, "failed to update %s clusterrolebinding resource", clusterRoleBindingName)
 	}
+	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "clusterrolebinding resource %s reconciled back to desired state", clusterRoleBindingName)
 
 	return nil
 }
@@ -199,24 +201,25 @@ func (r *Reconciler) createOrApplyRole(esc *operatorv1alpha1.ExternalSecretsConf
 		return common.FromClientError(err, "failed to check %s role resource already exists", roleName)
 	}
 
-	if exist && recon {
+	if !exist {
+		return r.createWithFallback(obj, resourceMetadata, roleName, esc)
+	}
+
+	if recon {
 		r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "%s role resource already exists, maybe from previous installation", roleName)
 	}
-	if exist && common.HasObjectChanged(obj, fetched, &resourceMetadata) {
-		r.log.V(1).Info("role has been modified, updating to desired state", "name", roleName)
-		common.RemoveObsoleteAnnotations(obj, resourceMetadata)
-		if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
-			return common.FromClientError(err, "failed to update %s role resource", roleName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "role resource %s reconciled back to desired state", roleName)
-	} else {
+
+	if !common.HasObjectChanged(obj, fetched, &resourceMetadata) {
 		r.log.V(4).Info("role resource already exists and is in expected state", "name", roleName)
+		return nil
 	}
-	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, roleName, esc); err != nil {
-			return err
-		}
+
+	r.log.V(1).Info("role has been modified, updating to desired state", "name", roleName)
+	common.RemoveObsoleteAnnotations(obj, resourceMetadata)
+	if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
+		return common.FromClientError(err, "failed to update %s role resource", roleName)
 	}
+	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "role resource %s reconciled back to desired state", roleName)
 
 	return nil
 }
@@ -241,24 +244,25 @@ func (r *Reconciler) createOrApplyRoleBinding(esc *operatorv1alpha1.ExternalSecr
 		return common.FromClientError(err, "failed to check %s rolebinding resource already exists", roleBindingName)
 	}
 
-	if exist && recon {
+	if !exist {
+		return r.createWithFallback(obj, resourceMetadata, roleBindingName, esc)
+	}
+
+	if recon {
 		r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "%s rolebinding resource already exists, maybe from previous installation", roleBindingName)
 	}
-	if exist && common.HasObjectChanged(obj, fetched, &resourceMetadata) {
-		r.log.V(1).Info("rolebinding has been modified, updating to desired state", "name", roleBindingName)
-		common.RemoveObsoleteAnnotations(obj, resourceMetadata)
-		if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
-			return common.FromClientError(err, "failed to update %s rolebinding resource", roleBindingName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "rolebinding resource %s reconciled back to desired state", roleBindingName)
-	} else {
+
+	if !common.HasObjectChanged(obj, fetched, &resourceMetadata) {
 		r.log.V(4).Info("rolebinding resource already exists and is in expected state", "name", roleBindingName)
+		return nil
 	}
-	if !exist {
-		if err := r.createWithFallback(obj, resourceMetadata, roleBindingName, esc); err != nil {
-			return err
-		}
+
+	r.log.V(1).Info("rolebinding has been modified, updating to desired state", "name", roleBindingName)
+	common.RemoveObsoleteAnnotations(obj, resourceMetadata)
+	if err := r.UpdateWithRetry(r.ctx, obj); err != nil {
+		return common.FromClientError(err, "failed to update %s rolebinding resource", roleBindingName)
 	}
+	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "rolebinding resource %s reconciled back to desired state", roleBindingName)
 
 	return nil
 }
 
@@ -4,7 +4,6 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
@@ -29,38 +28,29 @@ func (r *Reconciler) createOrApplySecret(esc *operatorv1alpha1.ExternalSecretsCo
 		return common.FromClientError(err, "failed to check %s secret resource already exists", secretName)
 	}
 
-	if exist && recon {
+	if !exist {
+		// NOTE: This Secret cannot use the generic createWithFallback helper because
+		// its Data field is managed by the external-secrets cert-controller, which injects
+		// TLS content at runtime. On AlreadyExists we use a JSON patch that touches only
+		// metadata, leaving cert-controller-managed TLS certificates untouched.
+		return r.createWithMetadataFallback(desired, resourceMetadata, secretName, esc)
+	}
+
+	if recon {
 		r.eventRecorder.Eventf(esc, corev1.EventTypeWarning, "ResourceAlreadyExists", "%s secret resource already exists, maybe from previous installation", secretName)
 	}
 
-	if exist && common.ObjectMetadataModified(desired, fetched, &resourceMetadata) {
-		r.log.V(1).Info("secret has been modified, patching metadata to desired state", "name", secretName)
-		if err := r.patchResourceMetadata(desired, resourceMetadata); err != nil {
-			return common.FromClientError(err, "failed to patch %s secret resource metadata", secretName)
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "secret resource %s reconciled back to desired state", secretName)
-	} else {
+	if !common.ObjectMetadataModified(desired, fetched, &resourceMetadata) {
 		r.log.V(4).Info("secret resource already exists and is in expected state", "name", secretName)
+		return nil
 	}
 
-	if !exist {
-		// NOTE: This Secret cannot use the generic createWithFallback helper because
-		// its Data field is managed by the external-secrets cert-controller, which injects
-		// TLS content at runtime. On AlreadyExists we use a MergePatch that touches only
-		// metadata, leaving cert-controller-managed TLS certificates untouched.
-		if err := r.Create(r.ctx, desired); err != nil {
-			if !apierrors.IsAlreadyExists(err) {
-				return common.FromClientError(err, "failed to create %s secret resource", secretName)
-			}
-			r.log.V(1).Info("secret exists on API server but absent from label-filtered cache, patching metadata", "name", secretName)
-			if patchErr := r.patchResourceMetadata(desired, resourceMetadata); patchErr != nil {
-				return common.FromClientError(patchErr, "failed to patch %s secret resource metadata", secretName)
-			}
-			r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "secret resource %s restored to desired state", secretName)
-			return nil
-		}
-		r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "secret resource %s created", secretName)
+	r.log.V(1).Info("secret has been modified, patching metadata to desired state", "name", secretName)
+	if err := r.patchResourceMetadata(desired, resourceMetadata); err != nil {
+		return common.FromClientError(err, "failed to patch Secret %s metadata", secretName)
 	}
+	r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "secret resource %s reconciled back to desired state", secretName)
+
 	return nil
 }
 
 
@@ -113,7 +113,7 @@ func TestCreateOrApplySecret(t *testing.T) {
 					return nil
 				})
 			},
-			wantErr: fmt.Sprintf("failed to patch %s/%s secret resource metadata: %s", commontest.TestExternalSecretsNamespace, testValidateSecretResourceName, commontest.ErrTestClient),
+			wantErr: fmt.Sprintf("failed to patch Secret %s/%s metadata: %s", commontest.TestExternalSecretsNamespace, testValidateSecretResourceName, commontest.ErrTestClient),
 		},
 		{
 			// Regression test: when the managed label is removed from the Secret, the object
@@ -151,7 +151,7 @@ func TestCreateOrApplySecret(t *testing.T) {
 					return commontest.ErrTestClient
 				})
 			},
-			wantErr: fmt.Sprintf("failed to patch %s/%s secret resource metadata: %s", commontest.TestExternalSecretsNamespace, testValidateSecretResourceName, commontest.ErrTestClient),
+			wantErr: fmt.Sprintf("failed to patch Secret %s/%s metadata: %s", commontest.TestExternalSecretsNamespace, testValidateSecretResourceName, commontest.ErrTestClient),
 		},
 		{
 			name: "reconciliation of secret which already exists in expected state",
@@ -195,7 +195,7 @@ func TestCreateOrApplySecret(t *testing.T) {
 					return nil
 				})
 			},
-			wantErr: fmt.Sprintf("failed to create %s/%s secret resource: %s", commontest.TestExternalSecretsNamespace, testValidateSecretResourceName, commontest.ErrTestClient),
+			wantErr: fmt.Sprintf("failed to create Secret %s/%s: %s", commontest.TestExternalSecretsNamespace, testValidateSecretResourceName, commontest.ErrTestClient),
 		},
 		{
 			name: "successful secret creation",
Original file line number	Diff line number	Diff line change
`@@ -85,10 +85,9 @@ func (r Reconciler) createOrApplyDeploymentFromAsset(esc operatorv1alpha1.Exte`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`if !exist {`
`88`		`- if err := r.Create(r.ctx, deployment); err != nil {`
`89`		`- return common.FromClientError(err, "failed to create %s deployment resource", deploymentName)`
	`88`	`+ if err := r.createWithFallback(deployment, resourceMetadata, deploymentName, esc); err != nil {`
	`89`	`+ return err`
`90`	`90`	`}`
`91`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s created", deploymentName)`
`92`	`91`	`return trustedCAErr`
`93`	`92`	`}`
`94`	`93`
`@@ -108,11 +107,7 @@ func (r Reconciler) createOrApplyDeploymentFromAsset(esc operatorv1alpha1.Exte`
`108`	`107`	`}`
`109`	`108`	`r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "deployment resource %s updated", deploymentName)`
`110`	`109`
`111`		`- if trustedCAErr != nil {`
`112`		`- return trustedCAErr`
`113`		`- }`
`114`		`-`
`115`		`- return nil`
	`110`	`+ return trustedCAErr`
`116`	`111`	`}`
`117`	`112`
`118`	`113`	`func (r Reconciler) getDeploymentObject(assetName string, esc operatorv1alpha1.ExternalSecretsConfig, resourceMetadata common.ResourceMetadata) (*appsv1.Deployment, error) {`
Original file line number	Diff line number	Diff line change
`@@ -132,11 +132,7 @@ func (r Reconciler) createOrApplyCustomNetworkPolicy(esc operatorv1alpha1.Exte`
`132`	`132`	`}`
`133`	`133`
`134`	`134`	`if !exists {`
`135`		`- if err := r.Create(r.ctx, networkPolicy); err != nil {`
`136`		`- return common.FromClientError(err, "failed to create network policy %s", networkPolicyName)`
`137`		`- }`
`138`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)`
`139`		`- return nil`
	`135`	`+ return r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc)`
`140`	`136`	`}`
`141`	`137`
`142`	`138`	`if externalSecretsConfigCreateRecon {`
`@@ -174,11 +170,7 @@ func (r Reconciler) createOrApplyNetworkPolicyFromAsset(esc operatorv1alpha1.E`
`174`	`170`	`}`
`175`	`171`
`176`	`172`	`if !exists {`
`177`		`- if err := r.Create(r.ctx, networkPolicy); err != nil {`
`178`		`- return common.FromClientError(err, "failed to create network policy %s", networkPolicyName)`
`179`		`- }`
`180`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s created", networkPolicyName)`
`181`		`- return nil`
	`173`	`+ return r.createWithFallback(networkPolicy, resourceMetadata, networkPolicyName, esc)`
`182`	`174`	`}`
`183`	`175`
`184`	`176`	`if externalSecretsConfigCreateRecon {`
`@@ -278,12 +270,9 @@ func (r Reconciler) reconcileProxyEgressPolicy(esc operatorv1alpha1.ExternalSe`
`278`	`270`	`}`
`279`	`271`
`280`	`272`	`np := buildProxyEgressNetworkPolicy(r.proxyConfig, namespace, resourceMetadata)`
	`273`	`+`
`281`	`274`	`if !exists {`
`282`		`- if err := r.Create(r.ctx, np); err != nil {`
`283`		`- return common.FromClientError(err, "failed to create proxy egress network policy %s", npName)`
`284`		`- }`
`285`		`- r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "proxy egress NetworkPolicy %s created", npName)`
`286`		`- return nil`
	`275`	`+ return r.createWithFallback(np, resourceMetadata, npName, esc)`
`287`	`276`	`}`
`288`	`277`
`289`	`278`	`if recon {`
Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ func TestCreateOrApplyStaticNetworkPolicies(t *testing.T) {`
`145`	`145`	`return nil`
`146`	`146`	`})`
`147`	`147`	`},`
`148`		`- wantErr: "failed to create network policy external-secrets/eso-sys-deny-all-traffic: test client error",`
	`148`	`+ wantErr: "failed to create NetworkPolicy external-secrets/eso-sys-deny-all-traffic: test client error",`
`149`	`149`	`},`
`150`	`150`	`{`
`151`	`151`	`name: "network policy exists check fails",`
`@@ -343,7 +343,7 @@ func TestCreateOrApplyCustomNetworkPolicies(t *testing.T) {`
`343`	`343`	`},`
`344`	`344`	`}`
`345`	`345`	`},`
`346`		`- wantErr: "failed to create network policy external-secrets/eso-user-test-fail-policy: test client error",`
	`346`	`+ wantErr: "failed to create NetworkPolicy external-secrets/eso-user-test-fail-policy: test client error",`
`347`	`347`	`},`
`348`	`348`	`{`
`349`	`349`	`name: "custom network policy updated successfully",`