From 14b7b6663f9364dfb771f990ea8f7d8be246ce80 Mon Sep 17 00:00:00 2001
From: pkomarov
Date: Sun, 14 Jun 2026 22:28:19 +0300
Subject: [PATCH] Add RBAC roles for ESO
Jira: https://redhat.atlassian.net/browse/OSPRH-30896
Related change: https://gitlab.cee.redhat.com/rhos-gitops/examples/-/merge_requests/88
---
 .../argocd/annotations/kustomization.yaml | 18 ++++++++++++-
 .../redhat/external-secrets-namespace.yaml | 8 ++++++
 .../redhat/externalsecretsconfig.yaml | 10 +++++++
 .../redhat/kustomization.yaml | 3 +++
 .../redhat/vault-egress-netpol.yaml | 27 +++++++++++++++++++
 .../enable/clusterrole.yaml | 21 +++++++++++++++
 6 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml
 create mode 100644 components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml
 create mode 100644 components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml
diff --git a/components/argocd/annotations/kustomization.yaml b/components/argocd/annotations/kustomization.yaml
index 0f33a4d..495f550 100644
--- a/components/argocd/annotations/kustomization.yaml
+++ b/components/argocd/annotations/kustomization.yaml
@@ -99,7 +99,7 @@ patches:
 value:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 argocd.argoproj.io/sync-wave: "-5"
- # --- Wave 1: MetalLB, network policies, and Vault connection ---
+ # --- Wave 1: MetalLB, network policies, Vault connection, and ESO config ---
 - target:
 kind: MetalLB
 patch: |-
@@ -108,6 +108,22 @@ patches:
 value:
 argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
 argocd.argoproj.io/sync-wave: "1"
+ - target:
+ kind: NetworkPolicy
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ argocd.argoproj.io/sync-wave: "1"
+ - target:
+ group: operator.openshift.io
+ kind: ExternalSecretsConfig
+ patch: |-
+ - op: add
+ path: /metadata/annotations
+ value:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "1"
 - target:
 group: nmstate.io
 version: v1
diff --git a/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml b/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml
new file mode 100644
index 0000000..d3aea79
--- /dev/null
+++ b/components/secrets/external-secrets-operator/redhat/external-secrets-namespace.yaml
@@ -0,0 +1,8 @@
+---
+# Explicitly create the external-secrets namespace so the allow-vault-egress
+# NetworkPolicy (wave 2) can always find it, regardless of ESO operator timing.
+# The ESO operator will use this existing namespace when deploying its pods.
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: external-secrets
diff --git a/components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml b/components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml
new file mode 100644
index 0000000..d15dc54
--- /dev/null
+++ b/components/secrets/external-secrets-operator/redhat/externalsecretsconfig.yaml
@@ -0,0 +1,10 @@
+---
+# ExternalSecretsConfig is required by the Red Hat External Secrets Operator (RHESO)
+# to deploy the actual ESO controller pods (external-secrets, webhook, cert-controller).
+# Sync wave and SkipDryRunOnMissingResource are managed centrally via
+# components/argocd/annotations/kustomization.yaml.
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+metadata:
+ name: cluster
+spec: {}
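Review bot: The new `kind: NetworkPolicy` target in the second hunk of components/argocd/annotations/kustomization.yaml has no `name` or `namespace` selector, so the wave-1 annotation is patched onto every NetworkPolicy this application renders, not only `allow-vault-egress`; if other NetworkPolicies are currently placed in a different wave, this silently reorders them. Narrowing the target with `name: allow-vault-egress` and `namespace: external-secrets` under `target:` keeps the ordering change local to what this commit adds. Note also that the header comment added in external-secrets-namespace.yaml describes the NetworkPolicy as "(wave 2)" while this patch sets `"1"`; one of the two should be corrected so the ordering claim in that file is not misleading.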
diff --git a/components/secrets/external-secrets-operator/redhat/kustomization.yaml b/components/secrets/external-secrets-operator/redhat/kustomization.yaml
index ef6a0d7..58eed40 100644
--- a/components/secrets/external-secrets-operator/redhat/kustomization.yaml
+++ b/components/secrets/external-secrets-operator/redhat/kustomization.yaml
@@ -4,6 +4,9 @@ kind: Component
 resources:
 - namespace.yaml
 - operatorgroup.yaml
+ - external-secrets-namespace.yaml
+ - vault-egress-netpol.yaml
+ - externalsecretsconfig.yaml
 components:
 - ../community
 patches:
diff --git a/components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml b/components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml
new file mode 100644
index 0000000..1c301ac
--- /dev/null
+++ b/components/secrets/external-secrets-operator/redhat/vault-egress-netpol.yaml
@@ -0,0 +1,27 @@
+---
+# Allow ESO pods to reach Vault on port 8200.
+# The RHESO operator creates a deny-all-traffic NetworkPolicy by default,
+# so egress to Vault must be explicitly permitted.
+# Replace the cidr below with your Vault server's network CIDR to restrict
+# egress to only the network segment where Vault resides.
+# The external-secrets namespace is pre-created explicitly (external-secrets-namespace.yaml)
+# to ensure this NetworkPolicy can be applied without timing issues.
+# Sync wave is managed centrally via components/argocd/annotations/kustomization.yaml.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-vault-egress
+ namespace: external-secrets
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: external-secrets
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - protocol: TCP
+ port: 8200
diff --git a/openshift-gitops.deploy/enable/clusterrole.yaml b/openshift-gitops.deploy/enable/clusterrole.yaml
index 8acfb6f..eebc793 100644
--- a/openshift-gitops.deploy/enable/clusterrole.yaml
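Review bot: As committed, `cidr: 0.0.0.0/0` in the egress rule of vault-egress-netpol.yaml lets the ESO controller reach any IPv4 address on TCP 8200, which reopens that port against the deny-all default the header comment says the operator installs; relying on "Replace the cidr below" means any deployment that forgets to patch it ships with the wide-open rule. A per-environment overlay, or a placeholder that cannot be applied as-is so the CIDR has to be set deliberately, is safer than a working permissive default. Separately, under an operator-installed deny-all egress policy the controller also needs DNS to resolve the Vault hostname; unless another policy already allows that, the rule set below adds it (the `openshift-dns` namespace selector assumes cluster DNS runs there — confirm for this cluster).
```yaml
  egress:
    - to:
        - ipBlock:
            cidr: <VAULT_SERVER_CIDR>  # placeholder: set per deployment, never 0.0.0.0/0
      ports:
        - protocol: TCP
          port: 8200
    # DNS, so the Vault hostname can be resolved under the deny-all default
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```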
+++ b/openshift-gitops.deploy/enable/clusterrole.yaml
@@ -90,6 +90,27 @@ rules:
 - 'vaultauths'
 verbs:
 - '*'
+ - apiGroups:
+ - external-secrets.io
+ resources:
+ - 'externalsecrets'
+ - 'secretstores'
+ - 'clustersecretstores'
+ verbs:
+ - '*'
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - 'networkpolicies'
+ verbs:
+ - '*'
+ - apiGroups:
+ - operator.openshift.io
+ resources:
+ - 'externalsecretsconfigs'
+ - 'externalsecretsmanagers'
+ verbs:
+ - '*'
 - apiGroups:
 - operator.openstack.org
 resources:
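Review bot: The three new rules in clusterrole.yaml grant `'*'` verbs, which also covers verbs a GitOps controller never issues (e.g. `deletecollection`), and the `networking.k8s.io`/`networkpolicies` grant is cluster-wide although the only policy this commit manages lives in the `external-secrets` namespace. This matches the existing entries above (`vaultauths` with `'*'`), but for syncing manifests the explicit set `verbs: ['get', 'list', 'watch', 'create', 'update', 'patch', 'delete']` is sufficient and documents intent, and the NetworkPolicy permission could be a namespaced Role/RoleBinding in `external-secrets` instead of a ClusterRole rule. The `external-secrets.io` grant (`externalsecrets`, `secretstores`, `clustersecretstores`) is not exercised by any manifest in this commit, so it is presumably for the related change linked in the description; a one-line comment above that rule stating which manifests need it would make later least-privilege reviews easier. The enclosing `rules:` list continues outside the hunk.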