Adds the controller for the Operand's Network Policy

Author: siddhibhor-56

api/v1alpha1/external_secrets_config_types.go

@@ -1,6 +1,7 @@
 package v1alpha1
 
 import (
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -67,6 +68,19 @@ type ExternalSecretsConfigSpec struct {
 	// controllerConfig is for specifying the configurations for the controller to use while installing the `external-secrets` operand and the plugins.
 	// +kubebuilder:validation:Optional
 	ControllerConfig ControllerConfig `json:"controllerConfig,omitempty"`
+
+	// networkPolicies specifies the list of network policy configurations
+	// to be applied to external-secrets pods.
+	//
+	// Each entry allows specifying a name for the generated NetworkPolicy object,
+	// along with its full Kubernetes NetworkPolicy definition.
+	//
+	// If this field is not provided, external-secrets components will be isolated
+	// with deny-all network policies, which will prevent proper operation.
+	//
+	// +kubebuilder:validation:Optional
+	// +optional
+	NetworkPolicies []NetworkPolicy `json:"networkPolicies,omitempty"`
 }
 
 // ExternalSecretsConfigStatus is the most recently observed status of the ExternalSecretsConfig.
@@ -201,3 +215,40 @@ type CertProvidersConfig struct {
 	// +kubebuilder:validation:Optional
 	CertManager *CertManagerConfig `json:"certManager,omitempty"`
 }
+
+// ComponentName represents the different external-secrets components that can have network policies applied.
+type ComponentName string
+
+const (
+	// CoreController represents the external-secrets component
+	CoreController ComponentName = "ExternalSecretsCoreController"
+
+	// BitwardenSDKServer represents the bitwarden-sdk-server component
+	BitwardenSDKServer ComponentName = "BitwardenSDKServer"
+)
+
+// NetworkPolicy represents a custom network policy configuration for operator-managed components.
+// It includes a name for identification and the network policy rules to be enforced.
+type NetworkPolicy struct {
+	// name is a unique identifier for this network policy configuration.
+	// This name will be used as part of the generated NetworkPolicy resource name.
+	// +kubebuilder:validation:Required
+	// +required
+	Name string `json:"name"`
+
+	// componentName specifies which external-secrets component this network policy applies to.
+	// +kubebuilder:validation:Enum:=ExternalSecretsCoreController;BitwardenSDKServer
+	// +kubebuilder:validation:Required
+	ComponentName ComponentName `json:"componentName"`
+
+	// egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
+	// is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// The operator will automatically handle ingress rules based on the current running ports.
+	// +optional
+	// +listType=atomic
+	Egress []networkingv1.NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
+}

api/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress-for-bitwarden-sever
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: bitwarden-sdk-server
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets-bitwarden-server
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    # Allow External Secrets Controller to communicate with Bitwarden SDK Server
+    - ports:
+        - protocol: TCP
+          port: 9998
+  # Allow access to Kubernetes API server
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443

bindata/external-secrets/networkpolicy-allow-bitwarden-server-traffic.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress-for-cert-controller
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-cert-controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets-cert-controller
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443

bindata/external-secrets/networkpolicy-allow-cert-controller-traffic.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets
+  policyTypes:
+    - Egress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443

bindata/external-secrets/networkpolicy-allow-main-controller-traffic.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-api-server-egress-for-webhook
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets-webhook
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+    external-secrets.io/component: webhook
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets-webhook
+  policyTypes:
+    - Egress
+    - Ingress
+  egress:
+    - ports:
+        - protocol: TCP
+          port: 6443
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: 10250

bindata/external-secrets/networkpolicy-allow-webhook-traffic.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: deny-all-traffic
+  namespace: external-secrets
+  labels:
+    app.kubernetes.io/name: external-secrets
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/version: "v0.19.0"
+    app.kubernetes.io/managed-by: external-secrets-operator
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress

bindata/external-secrets/networkpolicy-deny-all.yaml

@@ -578,6 +578,18 @@ spec:
           - patch
           - update
           - watch
+        - apiGroups:
+          - networking.k8s.io
+          resources:
+          - networkpolicies
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
         - apiGroups:
           - operator.openshift.io
           resources: