Add RBAC roles for ESO

components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml

@@ -0,0 +1,8 @@
+---
+# Explicitly create the external-secrets namespace so the allow-vault-egress
+# NetworkPolicy (wave 2) can always find it, regardless of ESO operator timing.
+# The ESO operator will use this existing namespace when deploying its pods.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: external-secrets

components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml

@@ -0,0 +1,15 @@
+---
+# ExternalSecretsConfig is required by the Red Hat External Secrets Operator (RHESO)
+# to deploy the actual ESO controller pods (external-secrets, webhook, cert-controller).
+# Sync wave 1 ensures this is applied AFTER the ESO operator Subscription (wave 0)
+# is healthy and the operator.openshift.io CRD is available.
+# SkipDryRunOnMissingResource bypasses ArgoCD's pre-sync CRD validation so wave 0
+# can install the ESO operator (and its CRD) before wave 1 applies this resource.
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+metadata:
+  name: cluster
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec: {}

components/secrets/external-secrets-operator/redhat/kustomization.yaml

@@ -4,6 +4,9 @@ kind: Component
 resources:
   - namespace.yaml
   - operatorgroup.yaml
+  - external-secrets-namespace.yaml
+  - vault-egress-netpol.yaml
+  - externalsecretsconfig.yaml
 components:
   - ../community
 patches:

components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml

@@ -0,0 +1,28 @@
+---
+# Allow ESO pods to reach Vault (vault.corp.redhat.com:8200).
+# The RHESO operator creates a deny-all-traffic NetworkPolicy by default,
+# so egress to Vault must be explicitly permitted.
+# Using corporate network CIDR (10.30.0.0/16) instead of specific IP
+# to avoid breakage if Vault IP changes within the corp network.
+# The external-secrets namespace is pre-created explicitly (external-secrets-namespace.yaml)
+# so this NetworkPolicy can be applied in wave 1 without timing issues.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-vault-egress
+  namespace: external-secrets
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: external-secrets
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 10.30.0.0/16
+    ports:
+    - protocol: TCP
+      port: 8200

openshift-gitops.deploy/enable/clusterrole.yaml

@@ -90,6 +90,27 @@ rules:
       - 'vaultauths'
     verbs:
       - '*'
+  - apiGroups:
+      - external-secrets.io
+    resources:
+      - 'externalsecrets'
+      - 'secretstores'
+      - 'clustersecretstores'
+    verbs:
+      - '*'
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - 'networkpolicies'
+    verbs:
+      - '*'
+  - apiGroups:
+      - operator.openshift.io
+    resources:
+      - 'externalsecretsconfigs'
+      - 'externalsecretsmanagers'
+    verbs:
+      - '*'
   - apiGroups:
       - operator.openstack.org
     resources: