Skip to content

feat: implement controller for component configuration overrides (EP-1898) #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
openshift-app-platform-shift wants to merge 2 commits into
base: ai-staging-release-1.0
Choose a base branch
from
Open

feat: implement controller for component configuration overrides (EP-1898) #121

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6eddbc0
feat: add API types for component configuration overrides (EP-1898)
openshift-app-platform-shift[bot] Mar 22, 2026
52f2e90
feat: implement controller logic for component configuration override…
openshift-app-platform-shift[bot] Mar 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
100 changes: 97 additions & 3 deletions api/v1alpha1/external_secrets_config_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package v1alpha1

import (
corev1 "k8s.io/api/core/v1"
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -113,6 +114,33 @@ type ControllerConfig struct {
// +kubebuilder:validation:Optional
Labels map[string]string `json:"labels,omitempty"`

// annotations allows adding custom annotations to all external-secrets component
// Deployments and Pod templates. These annotations are applied globally to all
// operand components (Controller, Webhook, CertController, BitwardenSDKServer).
// These annotations are merged with any default annotations set by the operator.
// User-specified annotations take precedence over defaults in case of conflicts.
// Annotations with keys starting with kubernetes.io/, app.kubernetes.io/, openshift.io/, or k8s.io/
// are reserved and cannot be overridden.
//
// +kubebuilder:validation:XValidation:rule="self.all(a, !['kubernetes.io/', 'app.kubernetes.io/', 'openshift.io/', 'k8s.io/'].exists(p, a.key.startsWith(p)))",message="annotations with reserved prefixes 'kubernetes.io/', 'app.kubernetes.io/', 'openshift.io/', 'k8s.io/' are not allowed"
// +kubebuilder:validation:MinItems:=0
// +kubebuilder:validation:MaxItems:=50
// +kubebuilder:validation:Optional
// +listType=map
// +listMapKey=key
Annotations []Annotation `json:"annotations,omitempty"`

// componentConfigs allows specifying component-specific (Controller, Webhook, CertController, BitwardenSDKServer)
// configuration overrides. Each entry targets a specific operand component by its componentName.
// The componentName must be unique across all entries in this list.
// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.componentName == y.componentName))",message="componentName must be unique across all componentConfig entries"
// +kubebuilder:validation:MinItems:=0
// +kubebuilder:validation:MaxItems:=4
// +kubebuilder:validation:Optional
// +listType=map
// +listMapKey=componentName
ComponentConfigs []ComponentConfig `json:"componentConfigs,omitempty"`

// networkPolicies specifies the list of network policy configurations
// to be applied to external-secrets pods.
//
Expand Down Expand Up @@ -212,17 +240,83 @@ type CertProvidersConfig struct {
CertManager *CertManagerConfig `json:"certManager,omitempty"`
}

// ComponentName represents the different external-secrets components that can have network policies applied.
// ComponentName represents the different external-secrets operand components
// that can be individually configured or have network policies applied.
type ComponentName string

const (
// CoreController represents the external-secrets component
// CoreController represents the external-secrets core controller component.
CoreController ComponentName = "ExternalSecretsCoreController"

// BitwardenSDKServer represents the bitwarden-sdk-server component
// Webhook represents the external-secrets webhook component.
Webhook ComponentName = "Webhook"

// CertController represents the external-secrets cert-controller component.
CertController ComponentName = "CertController"

// BitwardenSDKServer represents the bitwarden-sdk-server component.
BitwardenSDKServer ComponentName = "BitwardenSDKServer"
)

// ComponentConfig holds the configuration overrides for a specific external-secrets operand component.
// Each entry targets a component by its componentName and allows setting deployment-level overrides
// and custom environment variables.
type ComponentConfig struct {
// componentName specifies which deployment component this configuration applies to.
// +kubebuilder:validation:Enum:=ExternalSecretsCoreController;Webhook;CertController;BitwardenSDKServer
// +kubebuilder:validation:Required
ComponentName ComponentName `json:"componentName"`

// deploymentConfig allows specifying deployment-level configuration overrides
// for the targeted component.
// +kubebuilder:validation:Optional
DeploymentConfig DeploymentConfig `json:"deploymentConfig,omitempty"`

// overrideEnv allows setting custom environment variables for the component's container.
// These environment variables are merged with the default environment variables set by
// the operator. User-specified variables take precedence in case of conflicts.
// Environment variables with names starting with HOSTNAME, KUBERNETES_, or EXTERNAL_SECRETS_
// are reserved and cannot be overridden.
//
// +kubebuilder:validation:XValidation:rule="self.all(e, !['HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_'].exists(p, e.name.startsWith(p)))",message="environment variable names with reserved prefixes 'HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_' are not allowed"
// +kubebuilder:validation:MinItems:=0
// +kubebuilder:validation:MaxItems:=50
// +kubebuilder:validation:Optional
// +listType=atomic
OverrideEnv []corev1.EnvVar `json:"overrideEnv,omitempty"`
}

// DeploymentConfig holds deployment-level configuration overrides for an operand component.
type DeploymentConfig struct {
// revisionHistoryLimit specifies the number of old ReplicaSets to retain for rollback.
// Minimum value of 1 is enforced to ensure rollback capability.
//
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Optional
RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
}

// KVPair represents a generic key-value pair for configuration.
type KVPair struct {
// key is the key of the key-value pair.
// +kubebuilder:validation:MinLength:=1
// +kubebuilder:validation:MaxLength:=317
// +kubebuilder:validation:Required
Key string `json:"key"`

// value is the value of the key-value pair.
// +kubebuilder:validation:MaxLength:=1024
// +kubebuilder:validation:Optional
Value string `json:"value,omitempty"`
}

// Annotation represents a custom annotation key-value pair.
// Embeds KVPair inline for reusability of key and value fields.
type Annotation struct {
// Embedded KVPair provides key and value fields.
KVPair `json:",inline"`
}

// NetworkPolicy represents a custom network policy configuration for operator-managed components.
// It includes a name for identification and the network policy rules to be enforced.
type NetworkPolicy struct {
Expand Down
Loading