adds the changes for dns and port selector

siddhibhor-56 · siddhibhor-56 · commit fca9509d5072 · 2025-10-17T20:25:05.000+05:30
diff --git a/api/v1alpha1/external_secrets_config_types.go b/api/v1alpha1/external_secrets_config_types.go
@@ -131,8 +131,13 @@ type ControllerConfig struct {
 	// If this field is not provided, external-secrets components will be isolated
 	// with deny-all network policies, which will prevent proper operation.
 	//
+	// +kubebuilder:validation:XValidation:rule="oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName == op.componentName))",message="name and componentName fields in networkPolicies are immutable"
+	// +kubebuilder:validation:MinItems:=0
+	// +kubebuilder:validation:MaxItems:=50
 	// +kubebuilder:validation:Optional
-	// +optional
+	// +listType=map
+	// +listMapKey=name
+	// +listMapKey=componentName
 	NetworkPolicies []NetworkPolicy `json:"networkPolicies,omitempty"`
 }
 
@@ -245,7 +250,7 @@ type NetworkPolicy struct {
 	// egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
 	// is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
 	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
-	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// across all the NetworkPolicy objects whose podSelector matches the pod. If
 	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
 	// solely to ensure that the pods it selects are isolated by default).
 	// The operator will automatically handle ingress rules based on the current running ports.
diff --git a/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml b/bindata/external-secrets/networkpolicy_allow-api-server-egress-for-bitwarden-sever.yaml
@@ -20,8 +20,10 @@ spec:
     - ports:
         - protocol: TCP
           port: 9998
-  # Allow access to Kubernetes API server
+  # Allow access to Kubernetes API server and bitwarden sdk external server
   egress:
     - ports:
         - protocol: TCP
-          port: 6443
+          port: 6443
+        - protocol: TCP
+          port: 443
diff --git a/bindata/external-secrets/networkpolicy_allow-dns.yaml b/bindata/external-secrets/networkpolicy_allow-dns.yaml
@@ -9,8 +9,12 @@ metadata:
   name: allow-to-dns
 spec:
   podSelector:
-    matchLabels:
-      app.kubernetes.io/name: external-secrets
+    matchExpressions:
+      - key: app.kubernetes.io/name
+        operator: In
+        values:
+          - external-secrets
+          - bitwarden-sdk-server
   egress:
     - to:
         - namespaceSelector:
@@ -24,5 +28,9 @@ spec:
           port: 5353
         - protocol: UDP
           port: 5353
+        - protocol: TCP
+          port: 53
+        - protocol: UDP
+          port: 53
   policyTypes:
       - Egress
diff --git a/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml b/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1300,7 +1300,7 @@ spec:
                             egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
                             is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
                             otherwise allows the traffic), OR if the traffic matches at least one egress rule
-                            across all of the NetworkPolicy objects whose podSelector matches the pod. If
+                            across all the NetworkPolicy objects whose podSelector matches the pod. If
                             this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
                             solely to ensure that the pods it selects are isolated by default).
                             The operator will automatically handle ingress rules based on the current running ports.
@@ -1505,7 +1505,18 @@ spec:
                       - egress
                       - name
                       type: object
+                    maxItems: 50
+                    minItems: 0
                     type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    - componentName
+                    x-kubernetes-list-type: map
+                    x-kubernetes-validations:
+                    - message: name and componentName fields in networkPolicies are
+                        immutable
+                      rule: oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName
+                        == op.componentName))
                   periodicReconcileInterval:
                     default: 300
                     description: |-
diff --git a/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml b/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1300,7 +1300,7 @@ spec:
                             egress is a list of egress rules to be applied to the selected pods. Outgoing traffic
                             is allowed if there are no NetworkPolicies selecting the pod (and cluster policy
                             otherwise allows the traffic), OR if the traffic matches at least one egress rule
-                            across all of the NetworkPolicy objects whose podSelector matches the pod. If
+                            across all the NetworkPolicy objects whose podSelector matches the pod. If
                             this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
                             solely to ensure that the pods it selects are isolated by default).
                             The operator will automatically handle ingress rules based on the current running ports.
@@ -1505,7 +1505,18 @@ spec:
                       - egress
                       - name
                       type: object
+                    maxItems: 50
+                    minItems: 0
                     type: array
+                    x-kubernetes-list-map-keys:
+                    - name
+                    - componentName
+                    x-kubernetes-list-type: map
+                    x-kubernetes-validations:
+                    - message: name and componentName fields in networkPolicies are
+                        immutable
+                      rule: oldSelf.all(op, self.exists(p, p.name == op.name && p.componentName
+                        == op.componentName))
                   periodicReconcileInterval:
                     default: 300
                     description: |-
diff --git a/docs/api_reference.md b/docs/api_reference.md
@@ -181,7 +181,7 @@ _Appears in:_
 | `certProvider` _[CertProvidersConfig](#certprovidersconfig)_ | certProvider is for defining the configuration for certificate providers used to manage TLS certificates for webhook and plugins. |  | Optional: \{\} <br /> |
 | `labels` _object (keys:string, values:string)_ | labels to apply to all resources created for the external-secrets operand deployment.<br />This field can have a maximum of 20 entries. |  | MaxProperties: 20 <br />MinProperties: 0 <br />Optional: \{\} <br /> |
 | `periodicReconcileInterval` _integer_ | periodicReconcileInterval specifies the time interval in seconds for periodic reconciliation by the operator.<br />This controls how often the operator checks resources created for external-secrets operand to ensure they remain in desired state.<br />Interval can have value between 120-18000 seconds (2 minutes to 5 hours). Defaults to 300 seconds (5 minutes) if not specified. | 300 | Maximum: 18000 <br />Minimum: 120 <br />Optional: \{\} <br /> |
-| `networkPolicies` _[NetworkPolicy](#networkpolicy) array_ | networkPolicies specifies the list of network policy configurations<br />to be applied to external-secrets pods.<br />Each entry allows specifying a name for the generated NetworkPolicy object,<br />along with its full Kubernetes NetworkPolicy definition.<br />If this field is not provided, external-secrets components will be isolated<br />with deny-all network policies, which will prevent proper operation. |  | Optional: \{\} <br /> |
+| `networkPolicies` _[NetworkPolicy](#networkpolicy) array_ | networkPolicies specifies the list of network policy configurations<br />to be applied to external-secrets pods.<br />Each entry allows specifying a name for the generated NetworkPolicy object,<br />along with its full Kubernetes NetworkPolicy definition.<br />If this field is not provided, external-secrets components will be isolated<br />with deny-all network policies, which will prevent proper operation. |  | MaxItems: 50 <br />MinItems: 0 <br />Optional: \{\} <br /> |
 
 
 #### ControllerStatus
@@ -410,7 +410,7 @@ _Appears in:_
 | --- | --- | --- | --- |
 | `name` _string_ | name is a unique identifier for this network policy configuration.<br />This name will be used as part of the generated NetworkPolicy resource name. |  | MaxLength: 253 <br />MinLength: 1 <br />Required: \{\} <br /> |
 | `componentName` _[ComponentName](#componentname)_ | componentName specifies which external-secrets component this network policy applies to. |  | Enum: [ExternalSecretsCoreController BitwardenSDKServer] <br />Required: \{\} <br /> |
-| `egress` _[NetworkPolicyEgressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#networkpolicyegressrule-v1-networking) array_ | egress is a list of egress rules to be applied to the selected pods. Outgoing traffic<br />is allowed if there are no NetworkPolicies selecting the pod (and cluster policy<br />otherwise allows the traffic), OR if the traffic matches at least one egress rule<br />across all of the NetworkPolicy objects whose podSelector matches the pod. If<br />this field is empty then this NetworkPolicy limits all outgoing traffic (and serves<br />solely to ensure that the pods it selects are isolated by default).<br />The operator will automatically handle ingress rules based on the current running ports. |  | Required: \{\} <br /> |
+| `egress` _[NetworkPolicyEgressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#networkpolicyegressrule-v1-networking) array_ | egress is a list of egress rules to be applied to the selected pods. Outgoing traffic<br />is allowed if there are no NetworkPolicies selecting the pod (and cluster policy<br />otherwise allows the traffic), OR if the traffic matches at least one egress rule<br />across all the NetworkPolicy objects whose podSelector matches the pod. If<br />this field is empty then this NetworkPolicy limits all outgoing traffic (and serves<br />solely to ensure that the pods it selects are isolated by default).<br />The operator will automatically handle ingress rules based on the current running ports. |  | Required: \{\} <br /> |
 
 
 #### ObjectReference
diff --git a/pkg/operator/assets/bindata.go b/pkg/operator/assets/bindata.go
