From 7360a1ae6e2072f960224fb189cda7c15ea50027 Mon Sep 17 00:00:00 2001
From: pkomarov
Date: Sun, 14 Jun 2026 22:28:19 +0300
Subject: [PATCH] Add RBAC roles for ESO

Jira: https://redhat.atlassian.net/browse/OSPRH-30896
Related change: https://gitlab.cee.redhat.com/rhos-gitops/examples/-/merge_requests/88
---
 .../redhat/external-secrets-namespace.yaml |  8 ++++++
 .../redhat/externalsecretsconfig.yaml      | 15 ++++++++++
 .../redhat/kustomization.yaml              |  3 ++
 .../redhat/vault-egress-netpol.yaml        | 28 +++++++++++++++++++
 .../enable/clusterrole.yaml                | 21 ++++++++++++++
 5 files changed, 75 insertions(+)
 create mode 100644 components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml
 create mode 100644 components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml
 create mode 100644 components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml

diff --git a/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml b/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml
new file mode 100644
index 0000000..d3aea79
--- /dev/null
+++ b/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml
@@ -0,0 +1,8 @@
+---
+# Explicitly create the external-secrets namespace so the allow-vault-egress
+# NetworkPolicy (wave 2) can always find it, regardless of ESO operator timing.
+# The ESO operator will use this existing namespace when deploying its pods.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets
diff --git a/components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml b/components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml
new file mode 100644
index 0000000..b707832
--- /dev/null
+++ b/components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml
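Review bot: The header comment in external-secrets-namespace.yaml calls the allow-vault-egress NetworkPolicy "wave 2", but vault-egress-netpol.yaml in this same patch annotates it with `argocd.argoproj.io/sync-wave: "1"`; change the comment to `# NetworkPolicy (wave 1) can always find it, regardless of ESO operator timing.` so the two files agree. The Namespace itself carries no sync-wave annotation, so it lands in the default wave 0 alongside the operator Subscription and relies on Argo CD ordering Namespace kinds first within a wave — worth stating in the comment rather than leaving it implicit. If RHESO also creates or labels this namespace, the operator and Argo CD will both be writing the same object; confirm whether pruning is enabled for this component, since pruning a namespace removes every Secret ESO has synced into it.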
@@ -0,0 +1,15 @@
+---
+# ExternalSecretsConfig is required by the Red Hat External Secrets Operator (RHESO)
+# to deploy the actual ESO controller pods (external-secrets, webhook, cert-controller).
+# Sync wave 1 ensures this is applied AFTER the ESO operator Subscription (wave 0)
+# is healthy and the operator.openshift.io CRD is available.
+# SkipDryRunOnMissingResource bypasses ArgoCD's pre-sync CRD validation so wave 0
+# can install the ESO operator (and its CRD) before wave 1 applies this resource.
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+metadata:
+  name: cluster
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec: {}
diff --git a/components/secrets/external-secrets-operator/redhat/kustomization.yaml b/components/secrets/external-secrets-operator/redhat/kustomization.yaml
index ef6a0d7..58eed40 100644
--- a/components/secrets/external-secrets-operator/redhat/kustomization.yaml
+++ b/components/secrets/external-secrets-operator/redhat/kustomization.yaml
@@ -4,6 +4,9 @@ kind: Component
 resources:
   - namespace.yaml
   - operatorgroup.yaml
+  - external-secrets-namespace.yaml
+  - vault-egress-netpol.yaml
+  - externalsecretsconfig.yaml
 components:
   - ../community
 patches:
diff --git a/components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml b/components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml
new file mode 100644
index 0000000..e9cbaff
--- /dev/null
+++ b/components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml
@@ -0,0 +1,28 @@
+---
+# Allow ESO pods to reach Vault (vault.corp.redhat.com:8200).
+# The RHESO operator creates a deny-all-traffic NetworkPolicy by default,
+# so egress to Vault must be explicitly permitted.
+# Using corporate network CIDR (10.30.0.0/16) instead of specific IP
+# to avoid breakage if Vault IP changes within the corp network.
+# The external-secrets namespace is pre-created explicitly (external-secrets-namespace.yaml)
+# so this NetworkPolicy can be applied in wave 1 without timing issues.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-vault-egress
+  namespace: external-secrets
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.30.0.0/16
+      ports:
+        - protocol: TCP
+          port: 8200
diff --git a/openshift-gitops.deploy/enable/clusterrole.yaml b/openshift-gitops.deploy/enable/clusterrole.yaml
index 8acfb6f..eebc793 100644
--- a/openshift-gitops.deploy/enable/clusterrole.yaml
+++ b/openshift-gitops.deploy/enable/clusterrole.yaml
@@ -90,6 +90,27 @@ rules:
       - 'vaultauths'
     verbs:
       - '*'
+  - apiGroups:
+      - external-secrets.io
+    resources:
+      - 'externalsecrets'
+      - 'secretstores'
+      - 'clustersecretstores'
+    verbs:
+      - '*'
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - 'networkpolicies'
+    verbs:
+      - '*'
+  - apiGroups:
+      - operator.openshift.io
+    resources:
+      - 'externalsecretsconfigs'
+      - 'externalsecretsmanagers'
+    verbs:
+      - '*'
   - apiGroups:
       - operator.openstack.org
     resources:
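Review bot: With the operator's deny-all egress policy in place, this rule alone leaves the controller unable to resolve vault.corp.redhat.com, because the only permitted destination is TCP 8200 to 10.30.0.0/16 and cluster DNS is not among them. Unless the RHESO-generated policy already permits DNS (confirm against the policy it creates), add a second egress entry to the openshift-dns namespace; the CoreDNS pods there listen on 5353 rather than 53, so verify the port on this cluster. The /16 also grants reachability to every host in the corporate range on port 8200 rather than to Vault alone; if the cluster runs OVN-Kubernetes, an EgressFirewall with a dnsName rule for vault.corp.redhat.com pins the destination by name without the IP-change concern the comment describes. The selector matches only pods labelled app.kubernetes.io/name=external-secrets, which per the externalsecretsconfig.yaml comment excludes the webhook and cert-controller pods — fine if only the controller talks to Vault, but say so in the header comment.
```yaml
  egress:
    # … unchanged: Vault rule (ipBlock 10.30.0.0/16, TCP 8200) …
    # Cluster DNS so the controller can resolve the Vault hostname;
    # CoreDNS pods in openshift-dns listen on 5353 — confirm for this cluster.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
```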
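Review bot: The three new rules grant verbs `'*'` cluster-wide, which for networking.k8s.io/networkpolicies lets the GitOps service account create, alter or delete network policies in any namespace, and for clustersecretstores lets it rewrite cluster-scoped Vault credentials; applying manifests needs only `get, list, watch, create, update, patch, delete`, so enumerate those instead of the wildcard, even though the neighbouring vaultauths rule already uses `'*'`. The `externalsecretsmanagers` resource is granted but nothing in this patch creates one — only an ExternalSecretsConfig is added — so drop it unless another component relies on it. The enclosing `rules:` list begins outside the hunk.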