[WIP]: Feature Implementation of Egress proxy network policy.

[siddhibhor-56]

Ep Link

Tested using custom workflow workflow link on ambient code platform.

Summary by CodeRabbit

• New Features

  • Configurable network policy management for proxy egress with modes "Managed" (default) or "Unmanaged".
  • When Managed, the operator creates/deletes a proxy-egress NetworkPolicy; user-defined policies are auto-prefixed for clear identification.
  • Migration: on first reconcile after upgrade, legacy/stale network policies are cleaned up.

• Tests

  • Added unit and e2e tests for proxy egress behavior, proxy port extraction, create/update/delete flows, and migration cleanup.

• Chores

  • RBAC updated to allow deleting NetworkPolicies.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: siddhibhor-56
Once this PR has been reviewed and has the lgtm label, please assign swghosh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b4d5e72a-0247-4c7c-9691-0e77d1d9accb

📥 Commits

Reviewing files that changed from the base of the PR and between 52bad5d and 720831b.

📒 Files selected for processing (3)

• bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
• config/rbac/role.yaml
• pkg/controller/external_secrets/controller.go

✅ Files skipped from review due to trivial changes (1)

• config/rbac/role.yaml

---

Walkthrough

Adds a new NetworkPolicyManagementMode type and a networkPolicyAllowProxyEgressAll field to proxy config (default Managed), implements controller reconciliation for an operator-managed proxy-egress NetworkPolicy plus migration/pruning and user-policy name prefixing, and updates CRDs, unit tests, and e2e tests accordingly.

Changes

Network Policy Management System

Layer / File(s)	Summary
Data Shape & API Types api/v1alpha1/meta.go	Adds type NetworkPolicyManagementMode string, constants Managed/Unmanaged, and ProxyConfig.NetworkPolicyAllowProxyEgressAll field (enum, default Managed).
CRD Schema Definition config/crd/bases/...externalsecretsconfigs.yaml, config/crd/bases/...externalsecretsmanagers.yaml	Exposes networkPolicyAllowProxyEgressAll in CRD schemas with enum {Managed,Unmanaged} and default Managed.
Constants pkg/controller/external_secrets/constants.go	Adds proxyEgressNetworkPolicyName, migrationCompleteAnnotation, and userNetworkPolicyPrefix constants used by reconciliation and migration logic.
Core Reconciliation Logic pkg/controller/external_secrets/networkpolicy.go	Reconciler now creates/updates or deletes eso-sys-proxy-egress-core based on effective proxy and management mode; extracts proxy port from proxy URLs with scheme defaults and HTTPS precedence; prefixes user-supplied NetworkPolicies with eso-user-; performs migration pruning of legacy unprefixed policies and sets migration-complete annotation.
Unit Tests pkg/controller/external_secrets/networkpolicy_test.go	Adds tests: TestShouldManageProxyEgress, TestGetProxyPort, TestCreateOrApplyProxyEgressNetworkPolicy, TestCleanupMigratedNetworkPolicies; updates existing tests to expect eso-user- prefixed policy names and adjusted error messages.
API Defaulting/Validation Tests api/v1alpha1/tests/.../externalsecretsconfig.testsuite.yaml	Adds onCreate/onUpdate cases validating allowed values, defaulting to Managed, invalid-value rejection, and preservation on update.
Test Suite Updates api/v1alpha1/tests/.../externalsecretsmanager.testsuite.yaml	Adds expected globalConfig.networkPolicyAllowProxyEgressAll: Managed in relevant expected outputs.
E2E Tests test/e2e/e2e_test.go	Adds "Proxy Egress NetworkPolicy" context: cases for absence when no proxy, creation with correct port when Managed, deletion when switched to Unmanaged, prefixing of user policies, and assertion that migration-complete annotation is set after first reconcile.
RBAC / CSV config/rbac/role.yaml, pkg/controller/external_secrets/controller.go, bundle/manifests/...clusterserviceversion.yaml	Grants delete permission for networkpolicies in RBAC and updates controller RBAC marker and CSV accordingly.

Sequence Diagram

sequenceDiagram
    participant Controller as Controller
    participant ESC as ExternalSecretsConfig
    participant K8s as KubernetesAPI
    participant Parser as ProxyParser

    Controller->>ESC: Read proxy config & management mode
    ESC-->>Controller: Return config & mode

    alt Proxy configured AND Managed
        Controller->>Parser: Parse proxy URL(s) (https preferred)
        Parser-->>Controller: Return proxy port
        Controller->>K8s: Create/Update `eso-sys-proxy-egress-core` with egress rule for port
        K8s-->>Controller: Confirm created/updated
    else Proxy missing OR Unmanaged
        Controller->>K8s: Delete `eso-sys-proxy-egress-core` if exists
        K8s-->>Controller: Confirm deleted/absent
    end

    Controller->>K8s: Reconcile user NetworkPolicies with `eso-user-` prefix
    K8s-->>Controller: User policies reconciled

    alt First reconcile (no migration annotation)
        Controller->>K8s: List & delete legacy unprefixed policies
        K8s-->>Controller: Legacy policies removed
        Controller->>ESC: Patch migration-complete annotation
        ESC-->>Controller: Annotation persisted
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (11 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title '[WIP]: Feature Implementation of Egress proxy network policy' is directly related to the changeset, which implements proxy egress NetworkPolicy management with new configuration modes and reconciliation logic.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names are stable and deterministic. No dynamic information in test titles. Tests use static, descriptive strings without pod names, UUIDs, timestamps, or other variable data.
Test Structure And Quality	✅ Passed	Tests have single responsibility and proper cleanup. Appropriate timeouts on cluster operations. Meaningful assertion messages present. Consistent with repository test patterns.
Microshift Test Compatibility	✅ Passed	New e2e tests use only standard Kubernetes APIs (networking.k8s.io/v1 NetworkPolicy, core/v1) and custom CRDs. No OpenShift-specific or MicroShift-incompatible APIs detected.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	All 5 new e2e tests in "Proxy Egress NetworkPolicy" context are SNO-compatible. None make multi-node assumptions; all operate in a single namespace testing NetworkPolicy CRUD and annotations.
Topology-Aware Scheduling Compatibility	✅ Passed	No scheduling constraints introduced. PR adds NetworkPolicy configuration and proxy egress logic only. No affinity rules, topology constraints, or topology-incompatible patterns found.
Ote Binary Stdout Contract	✅ Passed	No init/main/BeforeSuite functions. All logging in receiver methods. Tests use proper Ginkgo v2 structure.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	New e2e tests have no IPv4 assumptions or external connectivity. Tests use .test.example.com domain and only verify NetworkPolicy object creation/deletion without actual connections.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.12.1)

Error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

test/e2e/e2e_test.go (1)

869-872: 💤 Low value

Consider using Consistently to verify the unprefixed policy never exists.

The synchronous Get at line 870 might pass spuriously if checked at the exact moment before the controller has fully reconciled. Using Consistently would provide stronger guarantees that the unprefixed policy is never created.

♻️ Suggested improvement

-			By(fmt.Sprintf("Verifying unprefixed name '%s' does not exist as a separate object", userPolicyName))
-			_, err = clientset.NetworkingV1().NetworkPolicies(operandNamespace).Get(ctx, userPolicyName, metav1.GetOptions{})
-			Expect(err).To(HaveOccurred(), "unprefixed '%s' should not exist as a K8s object", userPolicyName)
+			By(fmt.Sprintf("Verifying unprefixed name '%s' does not exist as a separate object", userPolicyName))
+			Consistently(func(g Gomega) {
+				_, err := clientset.NetworkingV1().NetworkPolicies(operandNamespace).Get(ctx, userPolicyName, metav1.GetOptions{})
+				g.Expect(err).To(HaveOccurred(), "unprefixed '%s' should not exist as a K8s object", userPolicyName)
+			}, 10*time.Second, 2*time.Second).Should(Succeed())

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/e2e/e2e_test.go` around lines 869 - 872, Replace the one-off synchronous
Get call that checks for the absence of the unprefixed policy with a Gomega
Consistently assertion so the test verifies the object never appears over time;
specifically, wrap the call to
clientset.NetworkingV1().NetworkPolicies(operandNamespace).Get(ctx,
userPolicyName, metav1.GetOptions{}) (and its returned error) in a Consistently
block (using an appropriate timeout and poll interval) and assert that the error
always occurs (Expect(err).To(HaveOccurred())), referencing userPolicyName,
operandNamespace, ctx and the Get call to locate the code to change.

pkg/controller/external_secrets/networkpolicy.go (1)

248-253: 💤 Low value

Consider handling NotFound error gracefully during deletion.

If the NetworkPolicy is deleted by another actor between the Exists check and the Delete call, this could return an error. While the reconciliation will likely succeed on retry, ignoring NotFound errors during deletion is a common resilience pattern.

♻️ Suggested improvement

 		if exists {
 			r.log.V(1).Info("Proxy egress policy no longer needed, deleting", "name", npName)
 			if err := r.Delete(r.ctx, fetched); err != nil {
+				if k8serrors.IsNotFound(err) {
+					return nil
+				}
 				return common.FromClientError(err, "failed to delete proxy egress network policy %s", npName)
 			}
 			r.eventRecorder.Eventf(esc, corev1.EventTypeNormal, "Reconciled", "NetworkPolicy %s deleted", npName)
 		}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/external_secrets/networkpolicy.go` around lines 248 - 253, The
delete path for the proxy egress NetworkPolicy should treat a NotFound error as
non-fatal: after calling r.Delete(fetched) in the block that logs "Proxy egress
policy no longer needed, deleting" (use symbols r.Delete, fetched, npName,
r.log, r.eventRecorder), check the returned error with apierrors.IsNotFound(err)
(import "k8s.io/apimachinery/pkg/api/errors") and ignore/log it (e.g.,
r.log.V(1).Info("NetworkPolicy already deleted", "name", npName)) instead of
returning; only wrap-and-return other errors via common.FromClientError so
transient races where another actor already deleted the NetworkPolicy do not
cause a reconcile failure.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@api/v1alpha1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml`:
- Around line 1729-1814: The test cases named like "Should accept
networkPolicyAllowProxyEgressAll set to Managed/Unmanaged", "Should default
networkPolicyAllowProxyEgressAll to Managed when proxy is set without the
field", "Should fail with invalid value for networkPolicyAllowProxyEgressAll",
and "Should accept proxy config with all fields including
networkPolicyAllowProxyEgressAll" are currently placed under onUpdate without an
updated manifest; move these create-style cases into onCreate (or add an
explicit updated manifest per case) so they exercise create/default behavior
rather than update behavior—locate the entries with resourceName: cluster and
kind: ExternalSecretsConfig in the test suite and either change their parent
block to onCreate or provide an updated: | YAML payload for each to represent
the post-update state.

In `@pkg/controller/external_secrets/constants.go`:
- Around line 78-80: The code concatenates userNetworkPolicyPrefix ("eso-user-")
to user-provided names in buildNetworkPolicyFromConfig which can exceed
Kubernetes' 253-char DNS-1123 subdomain limit; enforce a max user name length of
244 characters (253 - len("eso-user-")) or apply deterministic
truncation/hashing before concatenation. Update buildNetworkPolicyFromConfig to
validate the incoming name length (or truncate/hash it) and produce a final name
<=253 chars, and align the CRD validation (external_secrets_config_types.go) to
cap the user-provided name to 244 characters so reconcilers never try to create
too-long NetworkPolicy names.

---

Nitpick comments:
In `@pkg/controller/external_secrets/networkpolicy.go`:
- Around line 248-253: The delete path for the proxy egress NetworkPolicy should
treat a NotFound error as non-fatal: after calling r.Delete(fetched) in the
block that logs "Proxy egress policy no longer needed, deleting" (use symbols
r.Delete, fetched, npName, r.log, r.eventRecorder), check the returned error
with apierrors.IsNotFound(err) (import "k8s.io/apimachinery/pkg/api/errors") and
ignore/log it (e.g., r.log.V(1).Info("NetworkPolicy already deleted", "name",
npName)) instead of returning; only wrap-and-return other errors via
common.FromClientError so transient races where another actor already deleted
the NetworkPolicy do not cause a reconcile failure.

In `@test/e2e/e2e_test.go`:
- Around line 869-872: Replace the one-off synchronous Get call that checks for
the absence of the unprefixed policy with a Gomega Consistently assertion so the
test verifies the object never appears over time; specifically, wrap the call to
clientset.NetworkingV1().NetworkPolicies(operandNamespace).Get(ctx,
userPolicyName, metav1.GetOptions{}) (and its returned error) in a Consistently
block (using an appropriate timeout and poll interval) and assert that the error
always occurs (Expect(err).To(HaveOccurred())), referencing userPolicyName,
operandNamespace, ctx and the Get call to locate the code to change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 453d2949-13e2-4cd7-88cb-44c93795a333

📥 Commits

Reviewing files that changed from the base of the PR and between 2a65cb8 and 8789ab8.

📒 Files selected for processing (8)

• api/v1alpha1/meta.go
• api/v1alpha1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml
• config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
• config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml
• pkg/controller/external_secrets/constants.go
• pkg/controller/external_secrets/networkpolicy.go
• pkg/controller/external_secrets/networkpolicy_test.go
• test/e2e/e2e_test.go

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

python - <<'PY'
import re, pathlib
prefix = "eso-user-"
crd_path = "config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml"
text = pathlib.Path(crd_path).read_text()

m = re.search(r'networkPolicies:\n(?:.*\n)*?\s+name:\n(?:.*\n)*?\s+maxLength:\s*(\d+)', text)
crd_max = int(m.group(1)) if m else None

print("CRD maxLength for user policy name:", crd_max)
print("Prefix length:", len(prefix))
print("Max safe user name length with prefix:", 253 - len(prefix))
if crd_max is not None and crd_max > 253 - len(prefix):
    print("MISMATCH: prefixed name can exceed Kubernetes metadata.name limit (253).")
PY

Repository: openshift/external-secrets-operator

Length of output: 252

---

🏁 Script executed:

# 1. Find where userNetworkPolicyPrefix is used
rg "userNetworkPolicyPrefix" -A 5 -B 2

Repository: openshift/external-secrets-operator

Length of output: 7102

---

🏁 Script executed:

# 2. Search for NetworkPolicy creation/name generation logic
rg -i "networkpolicy" --type go -A 3 -B 1 | head -100

Repository: openshift/external-secrets-operator

Length of output: 11502

---

🏁 Script executed:

# 3. Check CRD validation for networkPolicies more thoroughly
cat config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml | grep -A 30 "networkPolicies:" | head -50

Repository: openshift/external-secrets-operator

Length of output: 2202

---

🏁 Script executed:

# 4. Look for any existing name validation or truncation logic
rg "maxUserNameLen|truncat|255|253" --type go

Repository: openshift/external-secrets-operator

Length of output: 50392

---

🏁 Script executed:

# Get the buildNetworkPolicyFromConfig implementation
sed -n '/func (r \*Reconciler) buildNetworkPolicyFromConfig/,/^func /p' pkg/controller/external_secrets/networkpolicy.go | head -80

Repository: openshift/external-secrets-operator

Length of output: 1196

---

🏁 Script executed:

# Check if there's any name length validation in the codebase
rg "len.*Name|Name.*len|maxLength|validate.*name" pkg/controller/external_secrets --type go -A 2 -B 2

Repository: openshift/external-secrets-operator

Length of output: 1356

---

🏁 Script executed:

# Get the full networkPolicies CRD definition to see if there's validation we missed
cat config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml | grep -A 80 "networkPolicies:" | grep -A 60 "name:"

Repository: openshift/external-secrets-operator

Length of output: 61

---

🏁 Script executed:

# Search for the name field in networkPolicies section of the CRD
grep -A 150 "networkPolicies:" config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml | grep -A 30 "name:"

Repository: openshift/external-secrets-operator

Length of output: 61

---

🏁 Script executed:

# Check if there's any existing validation or constraints on the combined name
rg "userNetworkPolicyPrefix.*Name|Name.*userNetworkPolicyPrefix" pkg/controller/external_secrets --type go -B 5 -A 5

Repository: openshift/external-secrets-operator

Length of output: 5934

---

🏁 Script executed:

# Look for any validation functions or checks that might constrain names
rg "validation|Validate|validate" pkg/controller/external_secrets/networkpolicy.go --type go

Repository: openshift/external-secrets-operator

Length of output: 61

---

🏁 Script executed:

# Read the CRD file directly and find the networkPolicies section
cat config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml | head -500 | tail -100

Repository: openshift/external-secrets-operator

Length of output: 7322

---

🏁 Script executed:

# Try to find the exact maxLength constraint in the CRD
rg "maxLength" config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml -B 3 -A 1

Repository: openshift/external-secrets-operator

Length of output: 3513

---

🏁 Script executed:

# Check the operator API types to see the NetworkPolicy struct definition
find . -name "*.go" -path "*/api/*" -o -name "types.go" | xargs rg "type NetworkPolicy struct" -A 15 2>/dev/null | head -50

Repository: openshift/external-secrets-operator

Length of output: 4758

---

Prefixing user NetworkPolicy names exceeds Kubernetes name limits.

The CRD allows user-provided policy names up to 253 characters (api/v1alpha1/external_secrets_config_types.go), but buildNetworkPolicyFromConfig directly concatenates the 9-character prefix without validation. This creates names up to 262 characters, exceeding Kubernetes' DNS-1123 subdomain limit of 253 characters, causing NetworkPolicy creation to fail at reconcile time.

Enforce a maximum user name length of 244 characters (253 - 9 for prefix) and align CRD validation accordingly. Alternatively, apply deterministic truncation or hashing before creating the NetworkPolicy object.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/controller/external_secrets/constants.go` around lines 78 - 80, The code
concatenates userNetworkPolicyPrefix ("eso-user-") to user-provided names in
buildNetworkPolicyFromConfig which can exceed Kubernetes' 253-char DNS-1123
subdomain limit; enforce a max user name length of 244 characters (253 -
len("eso-user-")) or apply deterministic truncation/hashing before
concatenation. Update buildNetworkPolicyFromConfig to validate the incoming name
length (or truncate/hash it) and produce a final name <=253 chars, and align the
CRD validation (external_secrets_config_types.go) to cap the user-provided name
to 244 characters so reconcilers never try to create too-long NetworkPolicy
names.

[openshift-ci]

@siddhibhor-56: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-operator	720831b	link	true	/test e2e-operator
ci/prow/verify	720831b	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.