Merge pull request #146 from siddhibhor-56/feature/ep-1834-controller-networkpolicy

openshift-merge-bot[bot] · web-flow · commit 86b890f136be · 2026-06-12T11:58:23.000Z
ESO-437: Implement NetworkPolicy auto-creation for configured proxy
diff --git a/api/v1alpha1/external_secrets_config_types.go b/api/v1alpha1/external_secrets_config_types.go
@@ -311,8 +311,9 @@ type NetworkPolicy struct {
 	// Name is the logical identifier for this network policy entry.
 	// The operator prepends "eso-user-" to this value when creating the Kubernetes
 	// NetworkPolicy object (e.g. "allow-egress" becomes "eso-user-allow-egress").
+	// Maximum length is 243 to accommodate the prefix within the 253-character Kubernetes name limit.
 	// +kubebuilder:validation:MinLength:=1
-	// +kubebuilder:validation:MaxLength:=253
+	// +kubebuilder:validation:MaxLength:=243
 	// +required
 	//nolint:kubeapilinter // Name is a listMapKey and must not have omitempty for proper patch identification
 	Name string `json:"name"`
diff --git a/api/v1alpha1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml b/api/v1alpha1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml
@@ -1481,7 +1481,7 @@ tests:
                   - to:
                       - ipBlock:
                           cidr: 10.0.0.0/8
-      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: [spec.controllerConfig.networkPolicies[0].name: Too long: may not be more than 253 bytes, <nil>: Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation]"
+      expectedError: "ExternalSecretsConfig.operator.openshift.io \"cluster\" is invalid: [spec.controllerConfig.networkPolicies[0].name: Too long: may not be more than 243 bytes, <nil>: Invalid value: \"null\": some validation rules were not checked because the object was invalid; correct the existing errors to complete validation]"
     - name: Should fail with duplicate name and componentName in networkPolicies
       resourceName: cluster
       initial: |
diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-api-server-egress-for-webhook
+  name: eso-sys-allow-api-server-egress-for-webhook
   namespace: external-secrets
   labels:
     app.kubernetes.io/name: external-secrets-webhook
diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-api-server-egress-for-bitwarden-server
+  name: eso-sys-allow-api-server-egress-for-bitwarden-server
   namespace: external-secrets
   labels:
     app.kubernetes.io/name: bitwarden-sdk-server
diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-api-server-egress-for-cert-controller
+  name: eso-sys-allow-api-server-egress-for-cert-controller
   namespace: external-secrets
   labels:
     app.kubernetes.io/name: external-secrets-cert-controller
diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-api-server-egress-for-main-controller
+  name: eso-sys-allow-api-server-egress-for-main-controller
   namespace: external-secrets
   labels:
     app.kubernetes.io/name: external-secrets
diff --git a/bindata/external-secrets/networkpolicy_allow-dns.yaml b/bindata/external-secrets/networkpolicy_allow-dns.yaml
@@ -6,7 +6,7 @@ metadata:
     app.kubernetes.io/instance: external-secrets
     app.kubernetes.io/version: "v1.1.0"
     app.kubernetes.io/managed-by: external-secrets-operator
-  name: allow-to-dns
+  name: eso-sys-allow-to-dns
 spec:
   podSelector:
     matchExpressions:
diff --git a/bindata/external-secrets/networkpolicy_deny-all.yaml b/bindata/external-secrets/networkpolicy_deny-all.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: deny-all-traffic
+  name: eso-sys-deny-all-traffic
   namespace: external-secrets
   labels:
     app.kubernetes.io/name: external-secrets
diff --git a/bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
@@ -605,6 +605,7 @@ spec:
           - networkpolicies
           verbs:
           - create
+          - delete
           - get
           - list
           - update
diff --git a/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml b/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1748,7 +1748,8 @@ spec:
                             Name is the logical identifier for this network policy entry.
                             The operator prepends "eso-user-" to this value when creating the Kubernetes
                             NetworkPolicy object (e.g. "allow-egress" becomes "eso-user-allow-egress").
-                          maxLength: 253
+                            Maximum length is 243 to accommodate the prefix within the 253-character Kubernetes name limit.
+                          maxLength: 243
                           minLength: 1
                           type: string
                       required:
diff --git a/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml b/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1748,7 +1748,8 @@ spec:
                             Name is the logical identifier for this network policy entry.
                             The operator prepends "eso-user-" to this value when creating the Kubernetes
                             NetworkPolicy object (e.g. "allow-egress" becomes "eso-user-allow-egress").
-                          maxLength: 253
+                            Maximum length is 243 to accommodate the prefix within the 253-character Kubernetes name limit.
+                          maxLength: 243
                           minLength: 1
                           type: string
                       required:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -181,6 +181,7 @@ rules:
   - networkpolicies
   verbs:
   - create
+  - delete
   - get
   - list
   - update
diff --git a/docs/api_reference.md b/docs/api_reference.md
@@ -481,7 +481,7 @@ _Appears in:_
 
 | Field | Description | Default | Validation |
 | --- | --- | --- | --- |
-| `name` _string_ | Name is the logical identifier for this network policy entry.<br />The operator prepends "eso-user-" to this value when creating the Kubernetes<br />NetworkPolicy object (e.g. "allow-egress" becomes "eso-user-allow-egress"). |  | MaxLength: 253 <br />MinLength: 1 <br /> |
+| `name` _string_ | Name is the logical identifier for this network policy entry.<br />The operator prepends "eso-user-" to this value when creating the Kubernetes<br />NetworkPolicy object (e.g. "allow-egress" becomes "eso-user-allow-egress").<br />Maximum length is 243 to accommodate the prefix within the 253-character Kubernetes name limit. |  | MaxLength: 243 <br />MinLength: 1 <br /> |
 | `componentName` _[ComponentName](#componentname)_ | componentName specifies which external-secrets component this network policy applies to. |  | Enum: [ExternalSecretsCoreController BitwardenSDKServer] <br /> |
 | `egress` _[NetworkPolicyEgressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#networkpolicyegressrule-v1-networking) array_ | egress is a list of egress rules to be applied to the selected pods. Outgoing traffic<br />is allowed if there are no NetworkPolicies selecting the pod (and cluster policy<br />otherwise allows the traffic), OR if the traffic matches at least one egress rule<br />across all the NetworkPolicy objects whose podSelector matches the pod. If<br />this field is empty then this NetworkPolicy limits all outgoing traffic (and serves<br />solely to ensure that the pods it selects are isolated by default).<br />The operator will automatically handle ingress rules based on the current running ports. |  |  |
 
diff --git a/pkg/controller/external_secrets/configmap.go b/pkg/controller/external_secrets/configmap.go
@@ -19,7 +19,10 @@ import (
 // This function ensures the correct labels are present so that CNO can manage the CA bundle
 // content as expected.
 func (r *Reconciler) ensureTrustedCABundleConfigMap(esc *operatorv1alpha1.ExternalSecretsConfig, resourceMetadata common.ResourceMetadata) error {
-	proxyConfig := r.getProxyConfiguration(esc)
+	proxyConfig, err := r.getProxyConfiguration(esc)
+	if err != nil {
+		return fmt.Errorf("failed to get proxy configuration: %w", err)
+	}
 
 	// Only create ConfigMap if proxy is configured
 	if proxyConfig == nil {
diff --git a/pkg/controller/external_secrets/constants.go b/pkg/controller/external_secrets/constants.go
@@ -81,6 +81,22 @@ const (
 	webhookContainerName        = "webhook"
 	certControllerContainerName = "cert-controller"
 	bitwardenContainerName      = "bitwarden-sdk-server"
+
+	// systemNetworkPolicyPrefix is prepended to all operator-managed static network policy names.
+	systemNetworkPolicyPrefix = "eso-sys-"
+
+	// userNetworkPolicyPrefix is prepended to user-defined network policy names from the CR spec.
+	userNetworkPolicyPrefix = "eso-user-"
+
+	// TODO Remove after 3 releases(in v1.5.0) once the migration from
+	// unprefixed to eso-sys-/eso-user- network policy names is no longer needed.
+	//
+	// skipNPCleanupAnnotation marks that the one-time migration cleanup of unprefixed
+	// network policies has already run, so subsequent reconciles can skip it.
+	skipNPCleanupAnnotation = "externalsecretsconfig.operator.openshift.io/skip-np-cleanup-check"
+
+	// proxyEgressPolicyName is the Kubernetes object name for the automatic proxy egress policy.
+	proxyEgressPolicyName = systemNetworkPolicyPrefix + "allow-proxy-egress"
 )
 
 var (
@@ -134,7 +150,7 @@ const (
 	allowWebhookTrafficAssetName                  = "external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml"
 	allowCertControllerTrafficAssetName           = "external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml"
 	allowBitwardenServerTrafficAssetName          = "external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml"
-	allowDnsTrafficAsserName                      = "external-secrets/networkpolicy_allow-dns.yaml"
+	allowDNSTrafficAssetName                      = "external-secrets/networkpolicy_allow-dns.yaml"
 )
 
 var (
diff --git a/pkg/controller/external_secrets/controller.go b/pkg/controller/external_secrets/controller.go
@@ -104,7 +104,7 @@ type Reconciler struct {
 // +kubebuilder:rbac:groups="",resources=events;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;delete;patch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups=cert-manager.io,resources=certificates;clusterissuers;issuers,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch
 
 // +kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
diff --git a/pkg/controller/external_secrets/deployments.go b/pkg/controller/external_secrets/deployments.go
@@ -470,7 +470,10 @@ func updateSecretVolumeConfig(deployment *appsv1.Deployment, volumeName, secretN
 
 // updateProxyConfiguration applies all proxy-related configuration to the deployment.
 func (r *Reconciler) updateProxyConfiguration(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) error {
-	proxyConfig := r.getProxyConfiguration(esc)
+	proxyConfig, err := r.getProxyConfiguration(esc)
+	if err != nil {
+		return fmt.Errorf("failed to get proxy configuration: %w", err)
+	}
 
 	r.updateProxyEnvironmentVariables(deployment, proxyConfig)
 	if err := r.updateTrustedCABundleVolumes(deployment, proxyConfig); err != nil {
@@ -508,15 +511,16 @@ func (r *Reconciler) setProxyEnvVars(container *corev1.Container, proxyConfig *o
 	if proxyConfig == nil {
 		return
 	}
-	if container.Env == nil {
-		container.Env = []corev1.EnvVar{}
-	}
 
 	setEnvVar := func(name, value string) {
 		if value == "" {
 			return
 		}
 
+		if container.Env == nil {
+			container.Env = []corev1.EnvVar{}
+		}
+
 		// Check if the environment variable already exists
 		for i, env := range container.Env {
 			if env.Name == name {
diff --git a/pkg/controller/external_secrets/networkpolicy.go b/pkg/controller/external_secrets/networkpolicy.go
diff --git a/pkg/controller/external_secrets/networkpolicy_test.go b/pkg/controller/external_secrets/networkpolicy_test.go
diff --git a/pkg/controller/external_secrets/utils.go b/pkg/controller/external_secrets/utils.go
diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go
diff --git a/test/e2e/e2e_test.go b/test/e2e/e2e_test.go

-Original file line number
+Diff line change
           - networkpolicies
           verbs:
           - create
 +          - delete
           - get
           - list
           - update