oape: controller implementation from EP #1834 #109

Open
swghosh wants to merge 3 commits into openshift:ai-staging-release-1.1 from swghosh:oape/controller-1834

@swghosh commented Feb 19, 2026

Summary

  • Add stale custom NetworkPolicy cleanup when policies are removed from ExternalSecretsConfig spec
  • Add RBAC delete verb for networkpolicies resource to enable cleanup
  • Add operator.openshift.io/custom-network-policy label to distinguish custom from static policies
  • Add 5 comprehensive unit tests for stale policy cleanup logic

Stacks on top of #108 (API types + tests)

Auto-generated controller/reconciler code from openshift/enhancements#1834

Test plan

  • make build passes
  • make test passes (67/67 API tests, all unit tests pass)
  • Coverage for external_secrets controller: 67.9%
  • RBAC role.yaml regenerated

🤖 Generated with Claude Code

swghosh and others added 2 commits February 19, 2026 18:12
Adds NetworkPolicy API type improvements and comprehensive integration
tests for the ExternalSecretsConfig networkPolicies field from EP #1834.

Changes:
- Fix godoc comments on ComponentName constants (trailing periods)
- Add DNS subdomain validation pattern for NetworkPolicy name field
- Improve Egress field documentation for clarity
- Fix Egress JSON tag (remove omitempty for Required field)
- Fix listType marker spacing
- Add 15 new integration test cases covering:
  - NetworkPolicy creation for CoreController and BitwardenSDKServer
  - Multiple networkPolicies in a single config
  - Allow-all egress and deny-all egress configurations
  - DNS name validation (uppercase, underscores, leading/trailing hyphens)
  - Empty networkPolicies list handling
  - Name length validation
  - Invalid componentName validation
  - NetworkPolicy addition after creation (onUpdate)
  - Immutability of name and componentName fields (onUpdate)
- Regenerated CRD manifests with updated validation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Adds stale custom NetworkPolicy cleanup logic and RBAC improvements
for the NetworkPolicy feature from EP #1834.

Changes:
- Add RBAC delete verb for networkpolicies to enable cleanup
- Add custom network policy label for lifecycle management
- Implement deleteStaleCustomNetworkPolicies() to remove NetworkPolicies
  that are no longer referenced in ExternalSecretsConfig spec
- Add comprehensive unit tests for stale policy cleanup
  (no stale, single stale, all stale, list error, delete error)
- Update buildNetworkPolicyFromConfig to apply custom label
- Regenerated RBAC role.yaml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
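
One way the stale-policy cleanup described in the commit message above could work, as an added example that is not the PR's own code. `Policy`, `deleteStale`, the two callbacks and the sample policy names are hypothetical stand-ins; only the label key comes from the PR description, and its value is assumed.

```go
package main

import (
	"errors"
	"fmt"
)

// Label key from the PR description; all other names below are hypothetical.
const customLabel = "operator.openshift.io/custom-network-policy"

// Policy stands in for a NetworkPolicy object (name and labels only).
type Policy struct {
	Name   string
	Labels map[string]string
}

// deleteStale deletes custom-labelled policies whose names are not in desired.
// Policies without the label (the operator's static ones) are never touched.
func deleteStale(desired []string, list func() ([]Policy, error), del func(string) error) ([]string, error) {
	existing, err := list()
	if err != nil {
		return nil, fmt.Errorf("list network policies: %w", err) // delete nothing on a failed list
	}
	keep := make(map[string]bool, len(desired))
	for _, n := range desired {
		keep[n] = true
	}
	var deleted []string
	var errs []error
	for _, p := range existing {
		if _, custom := p.Labels[customLabel]; !custom || keep[p.Name] {
			continue // static policy, or still referenced in the spec
		}
		if err := del(p.Name); err != nil {
			errs = append(errs, fmt.Errorf("delete %s: %w", p.Name, err))
			continue // keep going so one failure does not leave other stale rules open
		}
		deleted = append(deleted, p.Name)
	}
	return deleted, errors.Join(errs...)
}

func main() {
	// Constructed sample state: one static policy, two custom ones.
	tag := map[string]string{customLabel: "true"}
	live := []Policy{{Name: "deny-all-traffic"}, {Name: "allow-vault", Labels: tag}, {Name: "allow-old-proxy", Labels: tag}}
	fmt.Println(deleteStale([]string{"allow-vault"},
		func() ([]Policy, error) { return live, nil }, func(string) error { return nil }))
}
```

Filtering on the label before comparing names is what keeps a cleanup pass from removing the operator's static policies when the spec's list is empty.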

coderabbitai bot commented Feb 19, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

openshift-ci bot commented Feb 19, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: swghosh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Feb 19, 2026
… pods

The DNS allow policy was only covering external-secrets and bitwarden-sdk-server
pods, leaving webhook and cert-controller pods without DNS resolution capability.
This would prevent those pods from resolving the API server hostname, effectively
breaking their API server connectivity.

Add external-secrets-webhook and external-secrets-cert-controller to the DNS
policy podSelector matchExpressions to ensure all operand components can resolve
DNS names.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>