ESO:418 updated the enhancement proposal to include the network policy for proxy#1998
Open
siddhibhor-56 wants to merge 2 commits intoopenshift:masterfrom
Open
ESO:418 updated the enhancement proposal to include the network policy for proxy#1998siddhibhor-56 wants to merge 2 commits intoopenshift:masterfrom
siddhibhor-56 wants to merge 2 commits intoopenshift:masterfrom
Conversation
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
bharath-b-rh
reviewed
May 7, 2026
Contributor
bharath-b-rh
left a comment
bharath-b-rh
left a comment
There was a problem hiding this comment.
Also, please bring in the changes suggested in analysis doc to here.
| tracking-link: | ||
| - https://issues.redhat.com/browse/ESO-165 | ||
| - https://issues.redhat.com/browse/ESO-70 | ||
| - https://redhat.atlassian.net/browse/RFE-8516 |
Contributor
There was a problem hiding this comment.
nit: Why not https://issues.redhat.com/browse/ESO-418?
| - As an administrator, I want to configure and manage egress rules for `external-secrets` operands via the operator API or CRDs, so I can control which external services they are allowed to access. | ||
| - As an administrator on a proxy-configured cluster, I want the operator to automatically allow ESO pods to reach the proxy server, so I do not have to manually create egress NetworkPolicies after every install or upgrade. | ||
| - As an administrator who manages proxy egress manually, I want to set `spec.appConfig.proxy.networkPolicyAllowProxyEgressAll: Unmanaged` to disable the operator's automatic proxy egress policy, so I retain full control over proxy traffic rules. | ||
| - As a cluster administrator upgrading from an older release, I want the operator to clean up legacy unprefixed NetworkPolicy objects after it has applied the new prefixed ones, so there are no stale or duplicate policies left behind. |
Contributor
There was a problem hiding this comment.
Suggested change
| - As a cluster administrator upgrading from an older release, I want the operator to clean up legacy unprefixed NetworkPolicy objects after it has applied the new prefixed ones, so there are no stale or duplicate policies left behind. | |
| - As a developer after upgrading from an older release, I want the operator to clean up legacy unprefixed NetworkPolicy objects after it has applied the new prefixed ones, so there are no stale or redundant policies left behind. |
| - Ensure that metrics collection for all components remains functional. | ||
| - Ensure the API server can communicate with the `webhook` for admission control. | ||
| - Automatically create a proxy-egress allow policy when an effective proxy is configured, controlled by `spec.appConfig.proxy.networkPolicyAllowProxyEgressAll` (default `Managed`). | ||
| - Introduce a stable `eso-sys-` / `eso-user-` naming scheme for all operator-managed NetworkPolicy objects to enable unambiguous ownership and safe pruning. |
Contributor
There was a problem hiding this comment.
Suggested change
| - Introduce a stable `eso-sys-` / `eso-user-` naming scheme for all operator-managed NetworkPolicy objects to enable unambiguous ownership and safe pruning. | |
| - Introduce a stable naming scheme (eso-sys- / eso-user-) for all operator-managed NetworkPolicy objects. This ensures unambiguous ownership and prevents naming overlaps with default policies, which currently lead to reconciliation conflicts |
| - Ensure the API server can communicate with the `webhook` for admission control. | ||
| - Automatically create a proxy-egress allow policy when an effective proxy is configured, controlled by `spec.appConfig.proxy.networkPolicyAllowProxyEgressAll` (default `Managed`). | ||
| - Introduce a stable `eso-sys-` / `eso-user-` naming scheme for all operator-managed NetworkPolicy objects to enable unambiguous ownership and safe pruning. | ||
| - Migrate legacy unprefixed NetworkPolicy names to the new scheme on upgrade and clean up stale objects without leaving gaps in coverage. |
Contributor
There was a problem hiding this comment.
Suggested change
| - Migrate legacy unprefixed NetworkPolicy names to the new scheme on upgrade and clean up stale objects without leaving gaps in coverage. | |
| - Handle the migration of legacy, unprefixed NetworkPolicies to the new naming scheme during upgrades. This includes cleaning up stale objects while ensuring no gaps in traffic coverage during the transition. |
|
|
||
| - This enhancement does not propose creating a generic, cluster-wide policy management solution. The policies are specific to `external-secrets`. | ||
| - We are not introducing AdminNetworkPolicy at this stage, as standard NetworkPolicy objects are sufficient for this scope and can be managed directly by the operator. | ||
| - Creating a user-facing option to disable these policies is not in scope, as they represent a baseline security posture. |
Contributor
There was a problem hiding this comment.
Any reason why this was removed?
Contributor
Author
There was a problem hiding this comment.
because we can disable the proxy Np through the CR , hence removed it.
| - This enhancement does not propose creating a generic, cluster-wide policy management solution. The policies are specific to `external-secrets`. | ||
| - We are not introducing AdminNetworkPolicy at this stage, as standard NetworkPolicy objects are sufficient for this scope and can be managed directly by the operator. | ||
| - Creating a user-facing option to disable these policies is not in scope, as they represent a baseline security posture. | ||
| - `spec.appConfig.proxy.networkPolicyAllowProxyEgressAll` does not affect non-proxy clusters — `getProxyConfiguration()` returns nil there and no proxy policy is ever created regardless of the field value. |
Contributor
There was a problem hiding this comment.
Why is this a non-goal?
Contributor
Author
There was a problem hiding this comment.
This can be removed from non-goals
| 4. **Proxy Egress Policy (conditional):** After applying the static operand policies, the reconciler evaluates whether an automatic proxy egress allow policy should be created in the `external-secrets` namespace. The policy is created only when **both** conditions hold: | ||
|
|
||
| * `spec.appConfig.proxy.networkPolicyAllowProxyEgressAll` is `Managed` (the default). | ||
| * `getProxyConfiguration()` returns a non-nil result - i.e., an effective proxy is actually configured on the cluster. |
Contributor
There was a problem hiding this comment.
Please rephrase accordingly
Suggested change
| * `getProxyConfiguration()` returns a non-nil result - i.e., an effective proxy is actually configured on the cluster. | |
| * Proxy is configured in ExternalSecretsManager or ExternalSecretsConfig or in the OpenShift cluster. |
| egress: | ||
| - ports: | ||
| - protocol: TCP | ||
| port: <proxy-port> # set at reconcile time from getProxyConfiguration() |
Contributor
There was a problem hiding this comment.
The EP should also talk about, how the port will be arrived at like when an URL is provided without port, and arriving at 443 as default for https and 80 as default for http.
Contributor
Author
There was a problem hiding this comment.
Add a section for this
ambient-code Bot
pushed a commit
to siddhibhor-56/external-secrets-operator
that referenced
this pull request
May 7, 2026
Adds a new 'Proxy Egress NetworkPolicy' context to the E2E suite covering EP #1998 controller behavior: - No proxy configured → eso-sys-proxy-egress-core absent - Proxy + Managed → eso-sys-proxy-egress-core created with correct port - Managed → Unmanaged transition → NP deleted - User-defined NP names get eso-user- prefix in K8s object name - Migration complete annotation set after first reconcile Ref: openshift/enhancements#1998 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ambient-code Bot
pushed a commit
to siddhibhor-56/external-secrets-operator
that referenced
this pull request
May 8, 2026
…etworkPolicyAllowProxyEgressAll - Move 5 ESC proxy egress tests from onUpdate to onCreate (they lacked required 'updated' field, causing 'Object Kind is missing' errors) - Add logLevel: 1 to expected in ESC onUpdate proxy egress test (API server defaults logLevel when appConfig is present) - Add networkPolicyAllowProxyEgressAll: Managed to 5 ESM test expected blocks where proxy is configured (field defaulted by kubebuilder marker) Fixes 11 CI unit test failures in PR openshift#144. Ref: openshift/enhancements#1998 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
ambient-code Bot
pushed a commit
to siddhibhor-56/external-secrets-operator
that referenced
this pull request
May 8, 2026
… response The networkPolicyAllowProxyEgressAll invalid-value test triggers two simultaneous validation errors (enum rejection + CEL null check), causing the API server to wrap them in brackets: `is invalid: [err1, err2]`. The previous expectedError included the `is invalid: ` prefix which no longer matches the bracketed form `is invalid: [`. Drop the object-level prefix and match only the field-level error substring, which is present in both single and multi-error responses. Ref: openshift/enhancements#1998 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor
|
@siddhibhor-56: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
ambient-code Bot
pushed a commit
to siddhibhor-56/external-secrets-operator
that referenced
this pull request
May 8, 2026
…ale and proxy egress NPs The EP-1998 controller implementation calls r.Delete on NetworkPolicies in two places: cleanupMigratedNetworkPolicies (pruning stale entries) and createOrApplyProxyEgressNetworkPolicy (removing the policy when proxy is not configured). Without delete permission, these calls fail with 403, causing reconcile to abort before reaching createOrApplyDeployments. This blocked the env var test from seeing LOG_LEVEL applied to the deployment. Ref: openshift/enhancements#1998 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
external-secrets-network-policyenhancement to add proxy egressNetworkPolicysupport;spec.appConfig.proxy.networkPolicyAllowProxyEgressAllcontrols automatic creation ofeso-sys-proxy-egress-core, built at runtime using the port fromgetProxyConfiguration().spec.appConfig.proxy.networkPolicyAllowProxyEgressAllfield to control whether the operator auto-creates the proxy egress policy withmanagedandunmanagedoptions default tomanaged.cleanupMigratedNetworkPolicies()to prune legacy unprefixedNetworkPolicynames on upgrade, driven by label and name-based listing and a one-time migration-complete annotation on the CR.