Merge pull request #156 from bharath-b-rh/eso-452

ESO-452: Add ExternalSecretsManager features and refine reconcile error handling

Author: openshift-merge-bot[bot]

api/v1alpha1/external_secrets_manager_types.go

@@ -61,6 +61,17 @@ type ExternalSecretsManagerSpec struct {
 	// globalConfig is for configuring the behavior of deployments that are managed by external secrets-operator.
 	// +optional
 	GlobalConfig *GlobalConfig `json:"globalConfig,omitempty"`
+
+	// features configures optional capabilities across deployments managed by the external-secrets-operator,
+	// including the operator itself and any current or future operands.
+	// Each entry is uniquely identified by name and can be individually enabled or disabled.
+	// This field can have a maximum of 1 entry.
+	// +kubebuilder:validation:MinItems:=0
+	// +kubebuilder:validation:MaxItems:=1
+	// +optional
+	// +listType=map
+	// +listMapKey=name
+	Features []Feature `json:"features,omitempty"`
 }
 
 // GlobalConfig is for configuring the external-secrets-operator behavior.
@@ -76,6 +87,26 @@ type GlobalConfig struct {
 	Labels map[string]string `json:"labels,omitempty"`
 }
 
+// Feature configures an optional capability that is applied by the external-secrets-operator across its managed deployments.
+type Feature struct {
+	// name identifies the optional feature to configure.
+	// Currently, the only supported value is UnsafeAllowGenericTargets.
+	// +kubebuilder:validation:Enum:=UnsafeAllowGenericTargets
+	// +required
+	//nolint:kubeapilinter // Name is a listMapKey and must not have omitempty for proper patch identification
+	Name FeatureName `json:"name"`
+
+	// mode controls whether the feature is active.
+	// When set to Enabled, the operator applies the configuration associated with the named feature to the relevant managed deployments.
+	// For UnsafeAllowGenericTargets, this passes the `--unsafe-allow-generic-targets` flag to the external-secrets core controller,
+	// allowing ExternalSecret resources to target Kubernetes resources other than Secrets (for example, ConfigMaps or custom resources).
+	// Warning: Generic targets require additional RBAC permissions on the affected operand; enabling this feature without the appropriate permissions will cause reconciliation failures.
+	// +kubebuilder:validation:Enum:=Enabled;Disabled
+	// +kubebuilder:default:=Disabled
+	// +optional
+	Mode Mode `json:"mode,omitempty"`
+}
+
 // ExternalSecretsManagerStatus is the most recently observed status of the ExternalSecretsManager.
 type ExternalSecretsManagerStatus struct {
 	// controllerStatuses holds the observed conditions of the controllers part of the operator.

api/v1alpha1/meta.go

@@ -162,3 +162,12 @@ const (
 	// Disabled indicates the optional configuration is disabled.
 	Disabled Mode = "Disabled"
 )
+
+// FeatureName identifies an optional feature that can be configured on the ExternalSecretsManager and applied by the external-secrets-operator.
+type FeatureName string
+
+const (
+	// UnsafeAllowGenericTargets configures the external-secrets core controller to run with the `--unsafe-allow-generic-targets` startup flag,
+	// which allows ExternalSecret resources to sync data into Kubernetes resources other than Secrets.
+	UnsafeAllowGenericTargets FeatureName = "UnsafeAllowGenericTargets"
+)

api/v1alpha1/tests/externalsecretsmanager.operator.openshift.io/externalsecretsmanager.testsuite.yaml

@@ -225,6 +225,85 @@ tests:
               httpsProxy: ""
               networkPolicyProvisioning: Managed
               noProxy: ""
+    - name: Should be able to create ExternalSecretsManager with UnsafeAllowGenericTargets feature enabled
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Enabled
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Enabled
+    - name: Should default feature mode to Disabled when omitted
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Disabled
+    - name: Should be able to create ExternalSecretsManager with UnsafeAllowGenericTargets feature disabled
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Disabled
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Disabled
+    - name: Should fail with invalid feature name
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: InvalidFeature
+              mode: Enabled
+      expectedError: 'spec.features[0].name: Unsupported value: "InvalidFeature": supported values: "UnsafeAllowGenericTargets"'
+    - name: Should fail with invalid feature mode
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: InvalidMode
+      expectedError: 'spec.features[0].mode: Unsupported value: "InvalidMode": supported values: "Enabled", "Disabled"'
+    - name: Should fail with too many features
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Enabled
+            - name: UnsafeAllowGenericTargets
+              mode: Disabled
+      expectedError: 'spec.features: Too many: 2: must have at most 1'
   onUpdate:
     - name: Should be able to add global config after creation
       resourceName: cluster
@@ -378,4 +457,64 @@ tests:
             tolerations:
               - key: "node-role.kubernetes.io/master"
                 operator: "Exists"
-                effect: "NoSchedule"
+                effect: "NoSchedule"
+    - name: Should be able to add UnsafeAllowGenericTargets feature after creation
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec: {}
+      updated: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Enabled
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Enabled
+    - name: Should be able to disable UnsafeAllowGenericTargets feature
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Enabled
+      updated: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Disabled
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Disabled
+    - name: Should fail to update with invalid feature mode
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: Disabled
+      updated: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsManager
+        spec:
+          features:
+            - name: UnsafeAllowGenericTargets
+              mode: InvalidMode
+      expectedError: 'spec.features[0].mode: Unsupported value: "InvalidMode": supported values: "Enabled", "Disabled"'

api/v1alpha1/zz_generated.deepcopy.go

@@ -220,7 +220,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
-    createdAt: "2026-06-15T10:39:51Z"
+    createdAt: "2026-06-18T12:03:02Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml

@@ -58,6 +58,44 @@ spec:
           spec:
             description: spec is the specification of the desired behavior
             properties:
+              features:
+                description: |-
+                  features configures optional capabilities across deployments managed by the external-secrets-operator,
+                  including the operator itself and any current or future operands.
+                  Each entry is uniquely identified by name and can be individually enabled or disabled.
+                  This field can have a maximum of 1 entry.
+                items:
+                  description: Feature configures an optional capability that is applied
+                    by the external-secrets-operator across its managed deployments.
+                  properties:
+                    mode:
+                      default: Disabled
+                      description: |-
+                        mode controls whether the feature is active.
+                        When set to Enabled, the operator applies the configuration associated with the named feature to the relevant managed deployments.
+                        For UnsafeAllowGenericTargets, this passes the `--unsafe-allow-generic-targets` flag to the external-secrets core controller,
+                        allowing ExternalSecret resources to target Kubernetes resources other than Secrets (for example, ConfigMaps or custom resources).
+                        Warning: Generic targets require additional RBAC permissions on the affected operand; enabling this feature without the appropriate permissions will cause reconciliation failures.
+                      enum:
+                      - Enabled
+                      - Disabled
+                      type: string
+                    name:
+                      description: |-
+                        name identifies the optional feature to configure.
+                        Currently, the only supported value is UnsafeAllowGenericTargets.
+                      enum:
+                      - UnsafeAllowGenericTargets
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 1
+                minItems: 0
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
               globalConfig:
                 description: globalConfig is for configuring the behavior of deployments
                   that are managed by external secrets-operator.

bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml

@@ -99,10 +99,10 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiserver v0.35.6 // indirect
 	k8s.io/component-base v0.35.6 // indirect
-	k8s.io/component-helpers v0.35.0 // indirect
+	k8s.io/component-helpers v0.35.6 // indirect
 	k8s.io/controller-manager v0.35.6 // indirect
 	k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a // indirect
-	k8s.io/kubelet v0.32.1 // indirect
+	k8s.io/kubelet v0.32.2 // indirect
 	k8s.io/kubernetes v1.35.6 // indirect
 	k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect

cmd/external-secrets-operator/go.mod

@@ -241,16 +241,16 @@ k8s.io/client-go v0.35.6 h1:qZQv9a5B4YlIpXhFBwsI9qPOOJC6Z8lk9lkEWmrmus8=
 k8s.io/client-go v0.35.6/go.mod h1:LOO6N1EhxdQAzYIZ/73cJVyb3gixrMY6ZDJcJ/ANfsY=
 k8s.io/component-base v0.35.6 h1:dTkck9uefkIrKn7wRCEYiDWNUvHd8UdwZCcVafmHgL4=
 k8s.io/component-base v0.35.6/go.mod h1:qcNKrspACsqR+vgUJXkWzwtgUGkURcnrus41o92jjpk=
-k8s.io/component-helpers v0.35.0 h1:wcXv7HJRksgVjM4VlXJ1CNFBpyDHruRI99RrBtrJceA=
-k8s.io/component-helpers v0.35.0/go.mod h1:ahX0m/LTYmu7fL3W8zYiIwnQ/5gT28Ex4o2pymF63Co=
+k8s.io/component-helpers v0.35.6 h1:AEGfqbEWjSM6Tkjtwslv2vQIGIiehvnAVoTDg74QQ0s=
+k8s.io/component-helpers v0.35.6/go.mod h1:zog+ILMcmModWjoT1Vsom8sg8IW81mkzom2C/U1lgcs=
 k8s.io/controller-manager v0.35.6 h1:NjgU2q6hrrHdT5/mn0tMOHYK5IB5QIVq9QnxUb4iDvU=
 k8s.io/controller-manager v0.35.6/go.mod h1:Jq+7QZNSzGoiFaKnobvc0VszFHea6nJyI4U/wgiYOyo=
 k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc=
 k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a h1:xCeOEAOoGYl2jnJoHkC3hkbPJgdATINPMAxaynU2Ovg=
 k8s.io/kube-openapi v0.0.0-20260317180543-43fb72c5454a/go.mod h1:uGBT7iTA6c6MvqUvSXIaYZo9ukscABYi2btjhvgKGZ0=
-k8s.io/kubelet v0.32.1 h1:bB91GvMsZb+LfzBxnjPEr1Fal/sdxZtYphlfwAaRJGw=
-k8s.io/kubelet v0.32.1/go.mod h1:4sAEZ6PlewD0GroV3zscY7llym6kmNNTVmUI/Qshm6w=
+k8s.io/kubelet v0.32.2 h1:WFTSYdt3BB1aTApDuKNI16x/4MYqqX8WBBBBh3KupDg=
+k8s.io/kubelet v0.32.2/go.mod h1:cC1ms5RS+lu0ckVr6AviCQXHLSPKEBC3D5oaCBdTGkI=
 k8s.io/kubernetes v1.35.6 h1:Kh9V2tfdF+yNVZ1UX5lVfd1zNpa94vdIkfhyAmWXzQI=
 k8s.io/kubernetes v1.35.6/go.mod h1:fPfnQs8GtfrLQ+KuOcpvwQ+mV17jVcgdvPL6ZHxKp10=
 k8s.io/utils v0.0.0-20260210185600-b8788abfbbc2 h1:AZYQSJemyQB5eRxqcPky+/7EdBj0xi3g0ZcxxJ7vbWU=

cmd/external-secrets-operator/go.sum

@@ -58,6 +58,44 @@ spec:
           spec:
             description: spec is the specification of the desired behavior
             properties:
+              features:
+                description: |-
+                  features configures optional capabilities across deployments managed by the external-secrets-operator,
+                  including the operator itself and any current or future operands.
+                  Each entry is uniquely identified by name and can be individually enabled or disabled.
+                  This field can have a maximum of 1 entry.
+                items:
+                  description: Feature configures an optional capability that is applied
+                    by the external-secrets-operator across its managed deployments.
+                  properties:
+                    mode:
+                      default: Disabled
+                      description: |-
+                        mode controls whether the feature is active.
+                        When set to Enabled, the operator applies the configuration associated with the named feature to the relevant managed deployments.
+                        For UnsafeAllowGenericTargets, this passes the `--unsafe-allow-generic-targets` flag to the external-secrets core controller,
+                        allowing ExternalSecret resources to target Kubernetes resources other than Secrets (for example, ConfigMaps or custom resources).
+                        Warning: Generic targets require additional RBAC permissions on the affected operand; enabling this feature without the appropriate permissions will cause reconciliation failures.
+                      enum:
+                      - Enabled
+                      - Disabled
+                      type: string
+                    name:
+                      description: |-
+                        name identifies the optional feature to configure.
+                        Currently, the only supported value is UnsafeAllowGenericTargets.
+                      enum:
+                      - UnsafeAllowGenericTargets
+                      type: string
+                  required:
+                  - name
+                  type: object
+                maxItems: 1
+                minItems: 0
+                type: array
+                x-kubernetes-list-map-keys:
+                - name
+                x-kubernetes-list-type: map
               globalConfig:
                 description: globalConfig is for configuring the behavior of deployments
                   that are managed by external secrets-operator.