review changes

Author: siddhibhor-56

api/v1alpha1/external_secrets_config_types.go

@@ -68,19 +68,6 @@ type ExternalSecretsConfigSpec struct {
 	// controllerConfig is for specifying the configurations for the controller to use while installing the `external-secrets` operand and the plugins.
 	// +kubebuilder:validation:Optional
 	ControllerConfig ControllerConfig `json:"controllerConfig,omitempty"`
-
-	// networkPolicies specifies the list of network policy configurations
-	// to be applied to external-secrets pods.
-	//
-	// Each entry allows specifying a name for the generated NetworkPolicy object,
-	// along with its full Kubernetes NetworkPolicy definition.
-	//
-	// If this field is not provided, external-secrets components will be isolated
-	// with deny-all network policies, which will prevent proper operation.
-	//
-	// +kubebuilder:validation:Optional
-	// +optional
-	NetworkPolicies []NetworkPolicy `json:"networkPolicies,omitempty"`
 }
 
 // ExternalSecretsConfigStatus is the most recently observed status of the ExternalSecretsConfig.
@@ -134,6 +121,19 @@ type ControllerConfig struct {
 	// +kubebuilder:validation:Maximum:=18000
 	// +kubebuilder:validation:Optional
 	PeriodicReconcileInterval uint32 `json:"periodicReconcileInterval,omitempty"`
+
+	// networkPolicies specifies the list of network policy configurations
+	// to be applied to external-secrets pods.
+	//
+	// Each entry allows specifying a name for the generated NetworkPolicy object,
+	// along with its full Kubernetes NetworkPolicy definition.
+	//
+	// If this field is not provided, external-secrets components will be isolated
+	// with deny-all network policies, which will prevent proper operation.
+	//
+	// +kubebuilder:validation:Optional
+	// +optional
+	NetworkPolicies []NetworkPolicy `json:"networkPolicies,omitempty"`
 }
 
 // BitwardenSecretManagerProvider is for enabling the bitwarden secrets manager provider and for setting up the additional service required for connecting with the bitwarden server.
@@ -232,8 +232,9 @@ const (
 type NetworkPolicy struct {
 	// name is a unique identifier for this network policy configuration.
 	// This name will be used as part of the generated NetworkPolicy resource name.
+	// +kubebuilder:validation:MinLength:=1
+	// +kubebuilder:validation:MaxLength:=253
 	// +kubebuilder:validation:Required
-	// +required
 	Name string `json:"name"`
 
 	// componentName specifies which external-secrets component this network policy applies to.
@@ -248,7 +249,7 @@ type NetworkPolicy struct {
 	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
 	// solely to ensure that the pods it selects are isolated by default).
 	// The operator will automatically handle ingress rules based on the current running ports.
-	// +optional
-	// +listType=atomic
+	// +kubebuilder:validation:Required
+	//+listType=atomic
 	Egress []networkingv1.NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
 }

api/v1alpha1/zz_generated.deepcopy.go

@@ -23,4 +23,15 @@ spec:
   ingress:
     - ports:
         - protocol: TCP
-          port: 10250
+          port: 10250
+    # Allow Prometheus/monitoring to scrape metrics
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            openshift.io/cluster-monitoring: "true"
+      - namespaceSelector:
+          matchLabels:
+            name: openshift-monitoring
+      ports:
+        - protocol: TCP
+          port: 8080

bindata/external-secrets/networkpolicy-allow-webhook-traffic.yaml renamed to bindata/external-secrets/networkpolicy_allow-api-server-and-webhook-traffic.yaml

@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-api-server-egress-for-bitwarden-sever
+  name: allow-api-server-egress-for-bitwarden-server
   namespace: external-secrets
   labels:
     app.kubernetes.io/name: bitwarden-sdk-server
@@ -11,7 +11,7 @@ metadata:
 spec:
   podSelector:
     matchLabels:
-      app.kubernetes.io/name: external-secrets-bitwarden-server
+      app.kubernetes.io/name: bitwarden-sdk-server
   policyTypes:
     - Ingress
     - Egress

bindata/external-secrets/networkpolicy-allow-bitwarden-server-traffic.yaml renamed to bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml

@@ -14,7 +14,20 @@ spec:
       app.kubernetes.io/name: external-secrets-cert-controller
   policyTypes:
     - Egress
+    - Ingress
   egress:
     - ports:
         - protocol: TCP
-          port: 6443
+          port: 6443
+  ingress:
+    # Allow Prometheus/monitoring to scrape metrics
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            openshift.io/cluster-monitoring: "true"
+      - namespaceSelector:
+          matchLabels:
+            name: openshift-monitoring
+      ports:
+        - protocol: TCP
+          port: 8080

bindata/external-secrets/networkpolicy-allow-cert-controller-traffic.yaml renamed to bindata/external-secrets/networkpolicy_allow-api-server-egress-for-cert-controller-traffic.yaml

@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: allow-api-server-egress
+  name: allow-api-server-egress-for-main-controller
   namespace: external-secrets
   labels:
     app.kubernetes.io/name: external-secrets
@@ -14,7 +14,20 @@ spec:
       app.kubernetes.io/name: external-secrets
   policyTypes:
     - Egress
+    - Ingress
   egress:
     - ports:
         - protocol: TCP
-          port: 6443
+          port: 6443
+  ingress:
+    # Allow Prometheus/monitoring to scrape metrics
+    - from:
+      - namespaceSelector:
+          matchLabels:
+            openshift.io/cluster-monitoring: "true"
+      - namespaceSelector:
+          matchLabels:
+            name: openshift-monitoring
+      ports:
+        - protocol: TCP
+          port: 8080

bindata/external-secrets/networkpolicy-allow-main-controller-traffic.yaml renamed to bindata/external-secrets/networkpolicy_allow-api-server-egress-for-main-controller-traffic.yaml

@@ -220,7 +220,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
-    createdAt: "2025-10-07T03:20:14Z"
+    createdAt: "2025-10-09T11:13:16Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"
@@ -584,10 +584,8 @@ spec:
           - networkpolicies
           verbs:
           - create
-          - delete
           - get
           - list
-          - patch
           - update
           - watch
         - apiGroups:
@@ -735,7 +733,7 @@ spec:
                   value: :8443
                 - name: METRICS_SECURE
                   value: "true"
-                image: openshift.io/external-secrets-operator:latest
+                image: quay.io/rh-ee-sbhor/external-secrets-operator:dev
                 imagePullPolicy: Always
                 livenessProbe:
                   httpGet: