OSDOCS-20263 created RNs for ESO 1-2

wgabor0427 · wgabor0427 · commit f7dd31637a11 · 2026-06-18T16:18:06.000-04:00
diff --git a/modules/external-secrets-operator-rn-1-2.adoc b/modules/external-secrets-operator-rn-1-2.adoc
@@ -0,0 +1,50 @@
+:_mod-docs-content-type: REFERENCE
+[id="external-secrets-operator-rn-1-2_{context}"]
+= Release notes for {external-secrets-operator} 1.2.0 (General Availability)
+
+[role="_abstract"]
+{external-secrets-operator} version 1.2.0 is based on the upstream external-secrets project, version v0.20.4. For more information, see the link:https://https://github.com/external-secrets/external-secrets/tree/v0.20.4[external-secrets project release notes for v0.20.4].
+
+Issued: 2026-06-22
+
+The following advisories are available for the {external-secrets-operator} 1.2.0:
+
+* link:https://access.redhat.com/errata/RHBA-2026:5554[RHBA-2026:5554]
+* link:https://access.redhat.com/errata/RHBA-2026:5555[RHBA-2026:5555]
+* link:https://access.redhat.com/errata/RHBA-2026:5557[RHBA-2026:5558] 
+* link:https://access.redhat.com/errata/RHBA-2026:5589[RHBA-2026:5589]
+
+[id="external-secrets-operator-1-2-0-features-enhancements_{context}"]
+== New features and enhancements
+
+*Automatic cleanup of legacy operator-managed network policies is now available for {external-secrets-operator-short}*
+
+With this release, the {external-secrets-operator-short} removes stale operator-managed `NetworkPolicy` resources during upgrades. The cleanup deletes legacy unprefixed policies and `eso-user-*` policies that are no longer in the desired configuration, unless you use the skip annotation to prevent migration cleanup.
+
+*Automatic proxy egress network policy management is now available for {external-secrets-operator-short}*
+
+With this release, when a cluster HTTP or HTTPS proxy is configured and the `spec.applicationConfig.proxy.networkPolicyProvisioning` is `Managed` which is the default, the Operator automatically creates and reconciles the `eso-sys-proxy-egress-core` `NetworkPolicy` using the port from the configured proxy URL.
+
+*Standardized network policy naming is now available for {external-secrets-operator-short}*
+
+With this release, operator-managed static network policies use the `eso-sys-` prefix and user-configured policies in `spec.controllerConfig.networkPolicies` use the `eso-user-` prefix, making operator-owned policies easier to identify and manage.
+
+*Support for user-provided trusted CA bundles on the {external-secrets-operator-short} core controller*
+
+With this release, you can configure the {external-secrets-operator} to trust custom Certificate Authority (CA) certificates when the `external-secrets` core controller makes outbound transport layer socket (TLS) connections to external secret management systems, such as HashiCorp Vault or AWS Secrets Manager.
+
+To use this feature, create a ConfigMap in the operand namespace containing one or more PEM-encoded CA certificates, and reference it in the `ExternalSecretsConfig` custom resource under `spec.controllerConfig.trustedCABundle`. The Operator validates the bundle on every reconcile and mounts it as a volume only on the core controller deployment. The webhook and cert-controller deployments are not affected.
+
+If the referenced ConfigMap is missing or contains invalid data, the Operator sets the `ExternalSecretsConfig` status to `Degraded` and emits a warning event describing the problem. The Operator recovers automatically when the ConfigMap is created or corrected, without requiring a spec change.
+
+If proxy is configured and the ConfigMap carries the Cluster Network Operator inject-trusted-cabundle label, the user bundle mount is skipped because the proxy TLS connections already use the {product-title} trusted CA bundle injected by the Cluster Network Operator.
+
+For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#external-secrets-operator-config-trusted-ca[Configuring a trusted CA bundle for the External Secrets Operator for Red Hat OpenShift].
+
+
+[id="external-secrets-operator-1-2-0-bug-fixes_{context}"]
+== Fixed issues
+
+* Before this update, if the `app=external-secrets` managed label was externally removed from a resource that the {external-secrets-operator} owns, the resource fell out of the label-filtered informer cache. Subsequent reconciliation attempts to create the resource received an `AlreadyExists` error, causing the controller to enter a permanent error loop. With this release, the controller detects this cache-miss condition and restores the managed labels and annotations directly on the API server using an uncached client, without interrupting the operand. (link:https://issues.redhat.com/browse/ESO-237[ESO-237])
+
+
diff --git a/security/external_secrets_operator/external-secrets-operator-release-notes.adoc b/security/external_secrets_operator/external-secrets-operator-release-notes.adoc
@@ -13,6 +13,9 @@ These release notes track the development of {external-secrets-operator-short}.
 
 For more information, see xref:../../security/external_secrets_operator/index.adoc#external-secrets-operator-about[{external-secrets-operator-short} overview].
 
+// ESO RN 1.2
+include::modules/external-secrets-operator-rn-1-2.adoc[leveloffset=+1]
+
 // ESO RN 1.1
 include::modules/external-secrets-operator-rn-1-1.adoc[leveloffset=+1]
 
