feat: implement controller logic for component configuration overrides

Add controller reconciliation logic for:
- annotations: applies user-defined annotations to all operand Deployments
  and Pod templates, with reserved prefix filtering
- componentConfigs: applies per-component deployment overrides including
  revisionHistoryLimit and overrideEnv
- overrideEnv: merges custom environment variables into component containers,
  with reserved prefix filtering (HOSTNAME, KUBERNETES_, EXTERNAL_SECRETS_)
- UpdateComponentConfig condition: reports success/failure of component
  configuration application in ExternalSecretsConfig status

New file: component_config.go — contains annotation application logic,
component config mapping, and environment variable override handling.

Modified files:
- deployments.go — integrates annotation and componentConfig application
  into the deployment object builder pipeline
- install_external_secrets.go — adds UpdateComponentConfig condition
  reporting after deployment reconciliation

Enhancement Proposal: openshift/enhancements#1898

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: swghosh

pkg/controller/external_secrets/component_config.go

@@ -0,0 +1,224 @@
+/*
+Copyright 2025.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package external_secrets
+
+import (
+	"strings"
+
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	apimeta "k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	operatorv1alpha1 "github.com/openshift/external-secrets-operator/api/v1alpha1"
+)
+
+// reservedAnnotationPrefixes is the list of annotation key prefixes that are reserved
+// and cannot be overridden by user-specified annotations.
+var reservedAnnotationPrefixes = []string{
+	"kubernetes.io/",
+	"app.kubernetes.io/",
+	"openshift.io/",
+	"k8s.io/",
+}
+
+// reservedEnvVarPrefixes is the list of environment variable name prefixes that are reserved
+// and cannot be overridden by user-specified environment variables.
+var reservedEnvVarPrefixes = []string{
+	"HOSTNAME",
+	"KUBERNETES_",
+	"EXTERNAL_SECRETS_",
+}
+
+// componentNameToDeploymentAssetName maps ComponentName values to their corresponding
+// deployment asset names used in the operator.
+var componentNameToDeploymentAssetName = map[operatorv1alpha1.ComponentName]string{
+	operatorv1alpha1.CoreController:     controllerDeploymentAssetName,
+	operatorv1alpha1.Webhook:            webhookDeploymentAssetName,
+	operatorv1alpha1.CertController:     certControllerDeploymentAssetName,
+	operatorv1alpha1.BitwardenSDKServer: bitwardenDeploymentAssetName,
+}
+
+// componentNameToContainerName maps ComponentName values to their primary container names
+// within the respective deployment pods.
+var componentNameToContainerName = map[operatorv1alpha1.ComponentName]string{
+	operatorv1alpha1.CoreController:     "external-secrets",
+	operatorv1alpha1.Webhook:            "webhook",
+	operatorv1alpha1.CertController:     "cert-controller",
+	operatorv1alpha1.BitwardenSDKServer: "bitwarden-sdk-server",
+}
+
+// applyAnnotationsToDeployment applies user-specified annotations to the Deployment and its
+// Pod template. Reserved annotation prefixes are filtered out and logged.
+func (r *Reconciler) applyAnnotationsToDeployment(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig) {
+	if len(esc.Spec.ControllerConfig.Annotations) == 0 {
+		return
+	}
+
+	for _, annotation := range esc.Spec.ControllerConfig.Annotations {
+		if isReservedAnnotation(annotation.Key) {
+			r.log.V(1).Info("skip adding reserved annotation", "annotation", annotation.Key, "value", annotation.Value)
+			continue
+		}
+
+		// Apply annotation to the Deployment metadata
+		deploymentAnnotations := deployment.GetAnnotations()
+		if deploymentAnnotations == nil {
+			deploymentAnnotations = make(map[string]string)
+		}
+		deploymentAnnotations[annotation.Key] = annotation.Value
+		deployment.SetAnnotations(deploymentAnnotations)
+
+		// Apply annotation to the Pod template
+		podAnnotations := deployment.Spec.Template.GetAnnotations()
+		if podAnnotations == nil {
+			podAnnotations = make(map[string]string)
+		}
+		podAnnotations[annotation.Key] = annotation.Value
+		deployment.Spec.Template.SetAnnotations(podAnnotations)
+	}
+}
+
+// isReservedAnnotation checks if an annotation key starts with any reserved prefix.
+func isReservedAnnotation(key string) bool {
+	for _, prefix := range reservedAnnotationPrefixes {
+		if strings.HasPrefix(key, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+// applyComponentConfig applies component-specific configuration overrides to the deployment.
+// This includes revisionHistoryLimit and overrideEnv settings.
+func (r *Reconciler) applyComponentConfig(deployment *appsv1.Deployment, esc *operatorv1alpha1.ExternalSecretsConfig, assetName string) {
+	if len(esc.Spec.ControllerConfig.ComponentConfigs) == 0 {
+		return
+	}
+
+	// Find the component name for this deployment asset
+	var componentName operatorv1alpha1.ComponentName
+	found := false
+	for name, asset := range componentNameToDeploymentAssetName {
+		if asset == assetName {
+			componentName = name
+			found = true
+			break
+		}
+	}
+	if !found {
+		return
+	}
+
+	// Find the matching ComponentConfig entry
+	for _, cc := range esc.Spec.ControllerConfig.ComponentConfigs {
+		if cc.ComponentName != componentName {
+			continue
+		}
+
+		// Apply revisionHistoryLimit
+		if cc.DeploymentConfigs.RevisionHistoryLimit != nil {
+			deployment.Spec.RevisionHistoryLimit = cc.DeploymentConfigs.RevisionHistoryLimit
+			r.log.V(1).Info("applied revisionHistoryLimit override",
+				"component", componentName,
+				"revisionHistoryLimit", *cc.DeploymentConfigs.RevisionHistoryLimit)
+		}
+
+		// Apply overrideEnv
+		if len(cc.OverrideEnv) > 0 {
+			r.applyOverrideEnv(deployment, cc.OverrideEnv, componentName)
+		}
+
+		break
+	}
+}
+
+// applyOverrideEnv applies custom environment variables to the primary container
+// of the deployment. Reserved environment variable prefixes are filtered out.
+func (r *Reconciler) applyOverrideEnv(deployment *appsv1.Deployment, overrideEnv []corev1.EnvVar, componentName operatorv1alpha1.ComponentName) {
+	containerName, ok := componentNameToContainerName[componentName]
+	if !ok {
+		r.log.V(1).Info("no container name mapping found for component", "component", componentName)
+		return
+	}
+
+	for i := range deployment.Spec.Template.Spec.Containers {
+		container := &deployment.Spec.Template.Spec.Containers[i]
+		if container.Name != containerName {
+			continue
+		}
+
+		for _, envVar := range overrideEnv {
+			if isReservedEnvVar(envVar.Name) {
+				r.log.V(1).Info("skip adding reserved environment variable", "envVar", envVar.Name, "component", componentName)
+				continue
+			}
+
+			// Check if the env var already exists in the container spec
+			envUpdated := false
+			for j := range container.Env {
+				if container.Env[j].Name == envVar.Name {
+					container.Env[j] = envVar
+					envUpdated = true
+					r.log.V(2).Info("updated existing environment variable",
+						"envVar", envVar.Name, "component", componentName)
+					break
+				}
+			}
+
+			// If not found, append the new env var
+			if !envUpdated {
+				container.Env = append(container.Env, envVar)
+				r.log.V(2).Info("added new environment variable",
+					"envVar", envVar.Name, "component", componentName)
+			}
+		}
+
+		break
+	}
+}
+
+// isReservedEnvVar checks if an environment variable name starts with any reserved prefix.
+func isReservedEnvVar(name string) bool {
+	for _, prefix := range reservedEnvVarPrefixes {
+		if strings.HasPrefix(name, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+// updateComponentConfigCondition updates the UpdateComponentConfig condition on the
+// ExternalSecretsConfig status based on the reconciliation result.
+func (r *Reconciler) updateComponentConfigCondition(esc *operatorv1alpha1.ExternalSecretsConfig, err error) {
+	condition := metav1.Condition{
+		Type:               operatorv1alpha1.UpdateComponentConfig,
+		ObservedGeneration: esc.GetGeneration(),
+	}
+
+	if err != nil {
+		condition.Status = metav1.ConditionFalse
+		condition.Reason = operatorv1alpha1.ReasonFailed
+		condition.Message = err.Error()
+	} else {
+		condition.Status = metav1.ConditionTrue
+		condition.Reason = operatorv1alpha1.ReasonCompleted
+		condition.Message = "component configuration overrides applied successfully"
+	}
+
+	apimeta.SetStatusCondition(&esc.Status.Conditions, condition)
+}

pkg/controller/external_secrets/deployments.go

@@ -148,6 +148,12 @@ func (r *Reconciler) getDeploymentObject(assetName string, esc *operatorv1alpha1
 		return nil, fmt.Errorf("failed to update proxy configuration: %w", err)
 	}
 
+	// Apply user-specified annotations to Deployment and Pod template
+	r.applyAnnotationsToDeployment(deployment, esc)
+
+	// Apply component-specific configuration overrides (revisionHistoryLimit, overrideEnv)
+	r.applyComponentConfig(deployment, esc, assetName)
+
 	return deployment, nil
 }
 

pkg/controller/external_secrets/install_external_secrets.go

@@ -94,9 +94,15 @@ func (r *Reconciler) reconcileExternalSecretsDeployment(esc *operatorv1alpha1.Ex
 
 	if err := r.createOrApplyDeployments(esc, resourceLabels, recon); err != nil {
 		r.log.Error(err, "failed to reconcile deployment resource")
+		r.updateComponentConfigCondition(esc, err)
 		return err
 	}
 
+	// Update condition to reflect successful component config application
+	if len(esc.Spec.ControllerConfig.ComponentConfigs) > 0 || len(esc.Spec.ControllerConfig.Annotations) > 0 {
+		r.updateComponentConfigCondition(esc, nil)
+	}
+
 	if err := r.createOrApplyValidatingWebhookConfiguration(esc, resourceLabels, recon); err != nil {
 		r.log.Error(err, "failed to reconcile validating webhook resource")
 		return err