Skip to content

feat: implement componentConfig and annotations controller logic (EP#1898) #128

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
swghosh wants to merge 2 commits into
base: ai-staging-release-1.0
Choose a base branch
from
Open

feat: implement componentConfig and annotations controller logic (EP#1898) #128

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6ef3225
feat: add componentConfig and annotations API types to ExternalSecret…
swghosh Apr 6, 2026
8fd97a7
feat: implement componentConfig and annotations controller logic
swghosh Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
98 changes: 95 additions & 3 deletions api/v1alpha1/external_secrets_config_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package v1alpha1

import (
corev1 "k8s.io/api/core/v1"
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
Expand Down Expand Up @@ -113,6 +114,36 @@ type ControllerConfig struct {
// +kubebuilder:validation:Optional
Labels map[string]string `json:"labels,omitempty"`

// annotations allows adding custom annotations to all external-secrets component
// Deployments and Pod templates. These annotations are applied globally to all
// operand components (Controller, Webhook, CertController, BitwardenSDKServer).
// These annotations are merged with any default annotations set by the operator.
// User-specified annotations take precedence over defaults in case of conflicts.
// Annotations with keys starting with kubernetes.io/, app.kubernetes.io/, openshift.io/, or k8s.io/
// are reserved and cannot be overridden.
//
// +kubebuilder:validation:XValidation:rule="self.all(a, !['kubernetes.io/', 'app.kubernetes.io/', 'openshift.io/', 'k8s.io/'].exists(p, a.key.startsWith(p)))",message="annotations with reserved prefixes 'kubernetes.io/', 'app.kubernetes.io/', 'openshift.io/', 'k8s.io/' are not allowed"
// +listType=map
// +listMapKey=key
// +kubebuilder:validation:Optional
// +optional
Annotations []Annotation `json:"annotations,omitempty"`

// componentConfigs allows specifying component-specific configuration overrides
// for each external-secrets operand component (ExternalSecretsCoreController, Webhook,
// CertController, BitwardenSDKServer).
// Each entry must target a unique componentName. A maximum of 4 entries is allowed,
// one for each supported component.
//
// +kubebuilder:validation:XValidation:rule="self.all(x, self.exists_one(y, x.componentName == y.componentName))",message="componentName must be unique across all componentConfig entries"
// +kubebuilder:validation:MinItems:=0
// +kubebuilder:validation:MaxItems:=4
// +listType=map
// +listMapKey=componentName
// +kubebuilder:validation:Optional
// +optional
ComponentConfigs []ComponentConfig `json:"componentConfigs,omitempty"`

// networkPolicies specifies the list of network policy configurations
// to be applied to external-secrets pods.
//
Expand Down Expand Up @@ -212,17 +243,78 @@ type CertProvidersConfig struct {
CertManager *CertManagerConfig `json:"certManager,omitempty"`
}

// ComponentName represents the different external-secrets components that can have network policies applied.
// ComponentName represents the different external-secrets operand components
// that can be individually configured or targeted by policies.
type ComponentName string

const (
// CoreController represents the external-secrets component
// CoreController represents the external-secrets core controller component.
CoreController ComponentName = "ExternalSecretsCoreController"

// BitwardenSDKServer represents the bitwarden-sdk-server component
// Webhook represents the external-secrets webhook component.
Webhook ComponentName = "Webhook"

// CertController represents the external-secrets cert-controller component.
CertController ComponentName = "CertController"

// BitwardenSDKServer represents the bitwarden-sdk-server component.
BitwardenSDKServer ComponentName = "BitwardenSDKServer"
)

// ComponentConfig specifies configuration overrides for a specific external-secrets
// operand component. Each entry targets a single component by name and allows
// deployment-level configuration and custom environment variables.
type ComponentConfig struct {
// componentName specifies which deployment component this configuration applies to.
// +kubebuilder:validation:Enum:=ExternalSecretsCoreController;Webhook;CertController;BitwardenSDKServer
// +kubebuilder:validation:Required
ComponentName ComponentName `json:"componentName"`

// deploymentConfigs allows specifying deployment-level configuration overrides
// for the targeted component.
// +kubebuilder:validation:Optional
// +optional
DeploymentConfigs DeploymentConfig `json:"deploymentConfigs,omitempty"`

// overrideEnv allows setting custom environment variables for the component's container.
// These environment variables are merged with the default environment variables set by
// the operator. User-specified variables take precedence in case of conflicts.
// Environment variables starting with HOSTNAME, KUBERNETES_, or EXTERNAL_SECRETS_ are reserved
// and cannot be overridden.
//
// +kubebuilder:validation:XValidation:rule="self.all(e, !['HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_'].exists(p, e.name.startsWith(p)))",message="Environment variable names with reserved prefixes 'HOSTNAME', 'KUBERNETES_', 'EXTERNAL_SECRETS_' are not allowed"
// +kubebuilder:validation:Optional
// +optional
OverrideEnv []corev1.EnvVar `json:"overrideEnv,omitempty"`
}

// DeploymentConfig specifies deployment-level configuration overrides for
// an external-secrets operand component.
type DeploymentConfig struct {
// revisionHistoryLimit specifies the number of old ReplicaSets to retain for rollback.
// Minimum value of 1 is enforced to ensure rollback capability.
//
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Optional
// +optional
RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"`
}

// Annotation represents a custom annotation key-value pair.
type Annotation struct {
// key is the annotation key. It must conform to Kubernetes annotation key constraints.
// +kubebuilder:validation:MinLength:=1
// +kubebuilder:validation:MaxLength:=317
// +kubebuilder:validation:Required
Key string `json:"key"`

// value is the annotation value. It can be an empty string.
// +kubebuilder:validation:MaxLength:=262144
// +kubebuilder:validation:Optional
// +optional
Value string `json:"value,omitempty"`
}

// NetworkPolicy represents a custom network policy configuration for operator-managed components.
// It includes a name for identification and the network policy rules to be enforced.
type NetworkPolicy struct {
Expand Down
Loading