openshift
diff --git a/‎Dockerfile‎
Lines changed: 1 addition & 11 deletions b/‎Dockerfile‎
Lines changed: 1 addition & 11 deletions
diff --git a/‎api/v1alpha1/external_secrets_types.go‎
Lines changed: 2 additions & 0 deletions b/‎api/v1alpha1/external_secrets_types.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎bindata/external-secrets/external-secrets-namespace.yaml‎
Lines changed: 4 additions & 0 deletions b/‎bindata/external-secrets/external-secrets-namespace.yaml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎bundle/manifests/external-secrets-operator.clusterserviceversion.yaml‎
Lines changed: 91 additions & 1 deletion b/‎bundle/manifests/external-secrets-operator.clusterserviceversion.yaml‎
Lines changed: 91 additions & 1 deletion
diff --git a/‎bundle/manifests/operator.openshift.io_externalsecrets.yaml‎
Lines changed: 11 additions & 0 deletions b/‎bundle/manifests/operator.openshift.io_externalsecrets.yaml‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎cmd/external-secrets-operator/main.go‎
Lines changed: 12 additions & 15 deletions b/‎cmd/external-secrets-operator/main.go‎
Lines changed: 12 additions & 15 deletions
diff --git a/‎config/crd/bases/operator.openshift.io_externalsecrets.yaml‎
Lines changed: 7 additions & 3 deletions b/‎config/crd/bases/operator.openshift.io_externalsecrets.yaml‎
Lines changed: 7 additions & 3 deletions
@@ -4,17 +4,7 @@ ARG TARGETOS
 ARG TARGETARCH
 
 WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
-RUN go mod download
-
-# Copy the go source
-COPY cmd/external-secrets-operator/main.go cmd/external-secrets-operator/main.go
-COPY api/ api/
-COPY pkg/controller/ pkg/controller/
+COPY . .
 
 # Build
 # the GOARCH has not a default value to allow the binary be built according to the host where the command
 
@@ -120,10 +120,12 @@ type ExternalSecretsConfig struct {
 
 // ControllerConfig is for configuring the operator for setting up
 // defaults to install external-secrets.
+// +kubebuilder:validation:XValidation:rule="!has(oldSelf.namespace) && !has(self.namespace) || has(oldSelf.namespace) && has(self.namespace)",message="namespace may only be configured during creation"
 type ControllerConfig struct {
 	// namespace is for configuring the namespace to install the external-secret operand.
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:default:="external-secrets"
+	// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="namespace is immutable once set"
 	Namespace string `json:"namespace,omitempty"`
 
 	// labels to apply to all resources created for external-secrets deployment.
 
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
@@ -33,7 +33,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: ""
-    createdAt: "2025-05-27T10:56:51Z"
+    createdAt: "2025-06-02T08:50:05Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -175,6 +175,7 @@ spec:
         - apiGroups:
           - ""
           resources:
+          - configmaps
           - events
           - secrets
           - serviceaccounts
@@ -187,6 +188,22 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - ""
+          resources:
+          - endpoints
+          - namespaces
+          verbs:
+          - create
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - serviceaccounts/token
+          verbs:
+          - create
         - apiGroups:
           - admissionregistration.k8s.io
           resources:
@@ -199,6 +216,18 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - apiextensions.k8s.io
+          resources:
+          - customresourcedefinitions
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - apps
           resources:
@@ -235,10 +264,71 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - external-secrets.io
+          resources:
+          - clusterexternalsecrets
+          - clustersecretstores
+          - externalsecrets
+          - pushsecrets
+          - secretstores
+          verbs:
+          - create
+          - delete
+          - deletecollection
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - external-secrets.io
+          resources:
+          - clusterexternalsecrets/finalizers
+          - clusterexternalsecrets/status
+          - clustersecretstores/finalizers
+          - clustersecretstores/status
+          - externalsecrets/finalizers
+          - externalsecrets/status
+          - pushsecrets/finalizers
+          - pushsecrets/status
+          - secretstores/finalizers
+          - secretstores/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - generators.external-secrets.io
+          resources:
+          - acraccesstokens
+          - clustergenerators
+          - ecrauthorizationtokens
+          - fakes
+          - gcraccesstokens
+          - generatorstates
+          - githubaccesstokens
+          - grafanas
+          - passwords
+          - quayaccesstokens
+          - stssessiontokens
+          - uuids
+          - vaultdynamicsecrets
+          - webhooks
+          verbs:
+          - create
+          - delete
+          - deletecollection
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - operator.openshift.io
           resources:
           - externalsecrets
+          - externalsecretsmanagers
           verbs:
           - create
           - delete
 
@@ -63,7 +63,14 @@ spec:
                     description: namespace is for configuring the namespace to install
                       the external-secret operand.
                     type: string
+                    x-kubernetes-validations:
+                    - message: namespace is immutable once set
+                      rule: self == oldSelf
                 type: object
+                x-kubernetes-validations:
+                - message: namespace may only be configured during creation
+                  rule: '!has(oldSelf.namespace) && !has(self.namespace) || has(oldSelf.namespace)
+                    && has(self.namespace)'
               externalSecretsConfig:
                 description: externalSecretsConfig is for configuring the external-secrets
                   behavior.
@@ -1278,6 +1285,10 @@ spec:
                 x-kubernetes-list-map-keys:
                 - type
                 x-kubernetes-list-type: map
+              externalSecretsImage:
+                description: externalSecretsImage is the name of the image and the
+                  tag used for deploying external-secrets.
+                type: string
             type: object
         type: object
         x-kubernetes-validations:
 
@@ -21,20 +21,21 @@ import (
 	"flag"
 	"os"
 
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/klog/v2/textlogger"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
-	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	zaplog "go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
-
 	certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+
 	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
 	externalsecretscontroller "github.com/openshift/external-secrets-operator/pkg/controller"
 	// +kubebuilder:scaffold:imports
@@ -47,9 +48,12 @@ var (
 
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
+	utilruntime.Must(appsv1.AddToScheme(scheme))
+	utilruntime.Must(corev1.AddToScheme(scheme))
+	utilruntime.Must(rbacv1.AddToScheme(scheme))
+	utilruntime.Must(certmanagerv1.AddToScheme(scheme))
 
 	utilruntime.Must(operatorv1alpha1.AddToScheme(scheme))
-	utilruntime.Must(certmanagerv1.AddToScheme(scheme))
 	// +kubebuilder:scaffold:scheme
 }
 
@@ -73,16 +77,8 @@ func main() {
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	flag.IntVar(&logLevel, "v", 1, "operator log verbosity")
 
-	opts := zap.Options{
-		Development: true,
-		ZapOpts:     []zaplog.Option{zaplog.AddCaller()},
-		TimeEncoder: zapcore.ISO8601TimeEncoder,
-		Level:       zaplog.NewAtomicLevelAt(zapcore.Level(logLevel)),
-	}
-	opts.BindFlags(flag.CommandLine)
-	flag.Parse()
-
-	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))
+	logConfig := textlogger.NewConfig(textlogger.Verbosity(logLevel))
+	ctrl.SetLogger(textlogger.NewLogger(logConfig))
 
 	// if the enable-http2 flag is false (the default), http/2 should be disabled
 	// due to its vulnerabilities. More specifically, disabling http/2 will
@@ -134,6 +130,7 @@ func main() {
 		HealthProbeBindAddress: probeAddr,
 		LeaderElection:         enableLeaderElection,
 		LeaderElectionID:       "de6a4747.operator.openshift.io",
+		Logger:                 ctrl.Log.WithName("operator-manager"),
 	})
 	if err != nil {
 		setupLog.Error(err, "failed to create controller manager")
 
@@ -63,7 +63,14 @@ spec:
                     description: namespace is for configuring the namespace to install
                       the external-secret operand.
                     type: string
+                    x-kubernetes-validations:
+                    - message: namespace is immutable once set
+                      rule: self == oldSelf
                 type: object
+                x-kubernetes-validations:
+                - message: namespace may only be configured during creation
+                  rule: '!has(oldSelf.namespace) && !has(self.namespace) || has(oldSelf.namespace)
+                    && has(self.namespace)'
               externalSecretsConfig:
                 description: externalSecretsConfig is for configuring the external-secrets
                   behavior.
@@ -1282,9 +1289,6 @@ spec:
                 description: externalSecretsImage is the name of the image and the
                   tag used for deploying external-secrets.
                 type: string
-              serviceAccount:
-                description: serviceAccount created by the controller for the external-secrets.
-                type: string
             type: object
         type: object
         x-kubernetes-validations: