ESO-49: Implement the functionality to ensure RBAC specific resources stay in desired state

Author: bharath-b-rh

Dockerfile

@@ -4,17 +4,7 @@ ARG TARGETOS
 ARG TARGETARCH
 
 WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Copy the go source
-COPY cmd/external-secrets-operator/main.go cmd/external-secrets-operator/main.go
-COPY api/ api/
-COPY pkg/controller/ pkg/controller/
+COPY . .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command

bundle/manifests/external-secrets-operator.clusterserviceversion.yaml

@@ -33,7 +33,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: ""
-    createdAt: "2025-05-27T10:56:51Z"
+    createdAt: "2025-06-02T08:50:05Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -175,6 +175,7 @@ spec:
         - apiGroups:
           - ""
           resources:
+          - configmaps
           - events
           - secrets
           - serviceaccounts
@@ -187,6 +188,22 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - ""
+          resources:
+          - endpoints
+          - namespaces
+          verbs:
+          - create
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - serviceaccounts/token
+          verbs:
+          - create
         - apiGroups:
           - admissionregistration.k8s.io
           resources:
@@ -199,6 +216,18 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - apiextensions.k8s.io
+          resources:
+          - customresourcedefinitions
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - apps
           resources:
@@ -235,10 +264,71 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - external-secrets.io
+          resources:
+          - clusterexternalsecrets
+          - clustersecretstores
+          - externalsecrets
+          - pushsecrets
+          - secretstores
+          verbs:
+          - create
+          - delete
+          - deletecollection
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - external-secrets.io
+          resources:
+          - clusterexternalsecrets/finalizers
+          - clusterexternalsecrets/status
+          - clustersecretstores/finalizers
+          - clustersecretstores/status
+          - externalsecrets/finalizers
+          - externalsecrets/status
+          - pushsecrets/finalizers
+          - pushsecrets/status
+          - secretstores/finalizers
+          - secretstores/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - generators.external-secrets.io
+          resources:
+          - acraccesstokens
+          - clustergenerators
+          - ecrauthorizationtokens
+          - fakes
+          - gcraccesstokens
+          - generatorstates
+          - githubaccesstokens
+          - grafanas
+          - passwords
+          - quayaccesstokens
+          - stssessiontokens
+          - uuids
+          - vaultdynamicsecrets
+          - webhooks
+          verbs:
+          - create
+          - delete
+          - deletecollection
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - operator.openshift.io
           resources:
           - externalsecrets
+          - externalsecretsmanagers
           verbs:
           - create
           - delete

bundle/manifests/operator.openshift.io_externalsecrets.yaml

@@ -1285,6 +1285,10 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              externalSecretsImage:
+                description: externalSecretsImage is the name of the image and the
+                  tag used for deploying external-secrets.
+                type: string
             type: object
         type: object
         x-kubernetes-validations:

cmd/external-secrets-operator/main.go

@@ -21,20 +21,21 @@ import (
 	"flag"
 	"os"
 
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/klog/v2/textlogger"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	zaplog "go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
-
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+
 	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
 	externalsecretscontroller "github.com/openshift/external-secrets-operator/pkg/controller"
 	// +kubebuilder:scaffold:imports
@@ -47,9 +48,12 @@ var (
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(appsv1.AddToScheme(scheme))
+	utilruntime.Must(corev1.AddToScheme(scheme))
+	utilruntime.Must(rbacv1.AddToScheme(scheme))
+	utilruntime.Must(certmanagerv1.AddToScheme(scheme))
 
 	utilruntime.Must(operatorv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(certmanagerv1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 
@@ -73,16 +77,8 @@ func main() {
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	flag.IntVar(&logLevel, "v", 1, "operator log verbosity")
 
-	opts := zap.Options{
-		Development: true,
-		ZapOpts:     []zaplog.Option{zaplog.AddCaller()},
-		TimeEncoder: zapcore.ISO8601TimeEncoder,
-		Level:       zaplog.NewAtomicLevelAt(zapcore.Level(logLevel)),
-	}
-	opts.BindFlags(flag.CommandLine)
-	flag.Parse()
-
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+	logConfig := textlogger.NewConfig(textlogger.Verbosity(logLevel))
+	ctrl.SetLogger(textlogger.NewLogger(logConfig))
 
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
 	// due to its vulnerabilities. More specifically, disabling http/2 will
@@ -134,6 +130,7 @@ func main() {
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "de6a4747.operator.openshift.io",
+		Logger:                 ctrl.Log.WithName("operator-manager"),
 	})
 	if err != nil {
 		setupLog.Error(err, "failed to create controller manager")

config/crd/bases/operator.openshift.io_externalsecrets.yaml

@@ -1289,9 +1289,6 @@ spec:
                 description: externalSecretsImage is the name of the image and the
                   tag used for deploying external-secrets.
                 type: string
-              serviceAccount:
-                description: serviceAccount created by the controller for the external-secrets.
-                type: string
             type: object
         type: object
         x-kubernetes-validations:

config/rbac/role.yaml

@@ -7,6 +7,7 @@ rules:
 - apiGroups:
   - ""
   resources:
+  - configmaps
   - events
   - secrets
   - serviceaccounts
@@ -19,6 +20,22 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  - namespaces
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
 - apiGroups:
   - admissionregistration.k8s.io
   resources:
@@ -31,6 +48,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - apps
   resources:
@@ -67,10 +96,71 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - external-secrets.io
+  resources:
+  - clusterexternalsecrets
+  - clustersecretstores
+  - externalsecrets
+  - pushsecrets
+  - secretstores
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - external-secrets.io
+  resources:
+  - clusterexternalsecrets/finalizers
+  - clusterexternalsecrets/status
+  - clustersecretstores/finalizers
+  - clustersecretstores/status
+  - externalsecrets/finalizers
+  - externalsecrets/status
+  - pushsecrets/finalizers
+  - pushsecrets/status
+  - secretstores/finalizers
+  - secretstores/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - generators.external-secrets.io
+  resources:
+  - acraccesstokens
+  - clustergenerators
+  - ecrauthorizationtokens
+  - fakes
+  - gcraccesstokens
+  - generatorstates
+  - githubaccesstokens
+  - grafanas
+  - passwords
+  - quayaccesstokens
+  - stssessiontokens
+  - uuids
+  - vaultdynamicsecrets
+  - webhooks
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - operator.openshift.io
   resources:
   - externalsecrets
+  - externalsecretsmanagers
   verbs:
   - create
   - delete

go.mod

@@ -5,7 +5,7 @@ go 1.23.6
 require (
 	github.com/cert-manager/cert-manager v1.16.4
 	github.com/go-bindata/go-bindata v3.1.2+incompatible
-	github.com/go-logr/logr v1.4.2
+	github.com/go-logr/logr v1.4.3
 	github.com/golangci/golangci-lint v1.59.1
 	github.com/maxbrunsfeld/counterfeiter/v6 v6.11.2
 	github.com/onsi/ginkgo/v2 v2.22.0
@@ -15,7 +15,9 @@ require (
 	k8s.io/api v0.32.1
 	k8s.io/apimachinery v0.32.1
 	k8s.io/client-go v0.32.1
+	k8s.io/klog/v2 v2.130.1
 	k8s.io/kubernetes v1.32.1
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
 	sigs.k8s.io/controller-runtime v0.20.1
 	sigs.k8s.io/controller-runtime/tools/setup-envtest v0.0.0-20250308055145-5fe7bb3edc86
 	sigs.k8s.io/controller-tools v0.16.1
@@ -275,11 +277,9 @@ require (
 	k8s.io/component-base v0.32.1 // indirect
 	k8s.io/component-helpers v0.32.1 // indirect
 	k8s.io/controller-manager v0.32.1 // indirect
-	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kms v0.32.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
 	k8s.io/kubelet v0.32.1 //indirect
-	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 	mvdan.cc/gofumpt v0.6.0 // indirect
 	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 	sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.1 // indirect