openshift · siddhibhor-56 · May 7, 2026 · May 7, 2026 · May 7, 2026 · May 7, 2026
diff --git a/api/v1alpha1/meta.go b/api/v1alpha1/meta.go
@@ -111,8 +111,29 @@ type ProxyConfig struct {
 	// +kubebuilder:validation:MaxLength:=4096
 	// +optional
 	NoProxy string `json:"noProxy,omitempty"`
+
+	// NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
+	// When set to Managed, the operator automatically provisions and maintains
+	// a NetworkPolicy allowing traffic to the configured proxy.
+	// If no proxy is configured, no NetworkPolicy will be created
+	// regardless of this setting.
+	// +kubebuilder:validation:Enum=Managed;Unmanaged
+	// +kubebuilder:default=Managed
+	// +optional
+	NetworkPolicyProvisioning ManagementState `json:"networkPolicyProvisioning,omitempty"`
 }
 
+// ManagementState controls whether the operator manages the resource lifecycle.
+type ManagementState string
+
+const (
+	// ManagementStateManaged indicates the Operator is responsible for the resource lifecycle.
+	ManagementStateManaged ManagementState = "Managed"
+
+	// ManagementStateUnmanaged indicates the User is responsible for the resource lifecycle.
+	ManagementStateUnmanaged ManagementState = "Unmanaged"
+)
+
 // Mode indicates the operational state of the optional features.
 type Mode string
 

diff --git a/...a1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml b/...a1/tests/externalsecretsconfig.operator.openshift.io/externalsecretsconfig.testsuite.yaml
@@ -1445,6 +1445,96 @@ tests:
                 injectAnnotations: "false"
                 certificateDuration: "8760h"
                 certificateRenewBefore: "30m"
+    - name: Should accept networkPolicyAllowProxyEgressAll set to Managed (default)
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Managed
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            logLevel: 1
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Managed
+    - name: Should accept networkPolicyAllowProxyEgressAll set to Unmanaged
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Unmanaged
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            logLevel: 1
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Unmanaged
+    - name: Should default networkPolicyAllowProxyEgressAll to Managed when proxy is set without the field
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            logLevel: 1
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Managed
+    - name: Should fail with invalid value for networkPolicyAllowProxyEgressAll
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Enabled
+      expectedError: "spec.appConfig.proxy.networkPolicyAllowProxyEgressAll: Unsupported value: \"Enabled\": supported values: \"Managed\", \"Unmanaged\""
+    - name: Should accept proxy config with all fields including networkPolicyAllowProxyEgressAll
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              httpsProxy: "https://proxy.example.com:3128"
+              noProxy: "localhost,127.0.0.1,.cluster.local"
+              networkPolicyAllowProxyEgressAll: Unmanaged
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            logLevel: 1
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              httpsProxy: "https://proxy.example.com:3128"
+              noProxy: "localhost,127.0.0.1,.cluster.local"
+              networkPolicyAllowProxyEgressAll: Unmanaged
   onUpdate:
     - name: Should be able to update labels in controller config
       resourceName: cluster
@@ -1726,3 +1816,30 @@ tests:
                   - to:
                       - ipBlock:
                           cidr: 172.16.0.0/12
+    - name: Should be able to update networkPolicyAllowProxyEgressAll from Managed to Unmanaged
+      resourceName: cluster
+      initial: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Managed
+      updated: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Unmanaged
+      expected: |
+        apiVersion: operator.openshift.io/v1alpha1
+        kind: ExternalSecretsConfig
+        spec:
+          appConfig:
+            logLevel: 1
+            proxy:
+              httpProxy: "http://proxy.example.com:3128"
+              networkPolicyAllowProxyEgressAll: Unmanaged
diff --git a/.../tests/externalsecretsmanager.operator.openshift.io/externalsecretsmanager.testsuite.yaml b/.../tests/externalsecretsmanager.operator.openshift.io/externalsecretsmanager.testsuite.yaml
@@ -89,6 +89,7 @@ tests:
               httpProxy: "http://proxy.example.com:8080"
               httpsProxy: "https://proxy.example.com:8443"
               noProxy: "localhost,127.0.0.1,.local"
+              networkPolicyAllowProxyEgressAll: Managed
     - name: Should fail to create with invalid singleton name
       resourceName: invalid-name
       initial: |
@@ -182,6 +183,7 @@ tests:
             logLevel: 1
             proxy:
               httpProxy: "http://proxy-url-at-exactly-two-thousand-and-forty-eight-characters-to-test-the-boundary-condition-where-we-want-to-ensure-that-urls-at-the-maximum-allowed-length-are-accepted-properly-by-the-validation-system-while-urls-that-exceed-this-limit-are-rejected-appropriately-which-is-important-for-maintaining-proper-validation-boundaries-in-production-systems-where-configuration-parameters-must-be-validated-correctly-to-prevent-system-failures-or-unexpected-behavior-that-could-impact-application-functionality-and-user-experience-in-various-deployment-environments-including-development-staging-and-production-kubernetes-clusters-running-across-different-cloud-providers-and-on-premises-infrastructure-where-proxy-configurations-are-commonly-used-for-network-security-and-compliance-requirements-that-organizations-need-to-meet-for-their-business-operations-and-regulatory-obligations-in-different-geographical-regions-around-the-world-where-various-network-policies-and-security-measures-are-implemented-to-protect-sensitive-data-and-ensure-proper-access-control-for-applications-and-services-that-handle-confidential-information-and-business-critical-processes-that-must-operate-reliably-and-securely-at-all-times-without-interruption-or-performance-degradation-that-could-affect-end-users-and-customers-who-depend-on-these-systems-for-their-daily-activities-and-business-needs-which-makes-proper-validation-of-configuration-parameters-like-proxy-urls-essential-for-maintaining-system-stability-and-security-in-production-environments-where-any-configuration-error-could-have-significant-consequences-for-business-continuity-and-customer-satisfaction-which-is-why-we-implement-comprehensive-boundary-testing-to-ensure-that-all-validation-rules-work-correctly-at-their-specified-limits-and-provide-clear-error-messages-when-those-limits-are-exceeded-by-user-configurations.example.com:8080"
+              networkPolicyAllowProxyEgressAll: Managed
     - name: Should accept HTTPS proxy URL at maximum length boundary
       resourceName: cluster
       initial: |
@@ -200,6 +202,7 @@ tests:
             logLevel: 1
             proxy:
               httpsProxy: "https://secure-proxy-url-at-exactly-two-thousand-and-forty-eight-characters-to-test-the-boundary-condition-where-we-want-to-ensure-that-urls-at-the-maximum-allowed-length-are-accepted-properly-by-the-validation-system-while-urls-that-exceed-this-limit-are-rejected-appropriately-which-is-important-for-maintaining-proper-validation-boundaries-in-production-systems-where-configuration-parameters-must-be-validated-correctly-to-prevent-system-failures-or-unexpected-behavior-that-could-impact-application-functionality-and-user-experience-in-various-deployment-environments-including-development-staging-and-production-kubernetes-clusters-running-across-different-cloud-providers-and-on-premises-infrastructure-where-proxy-configurations-are-commonly-used-for-network-security-and-compliance-requirements-that-organizations-need-to-meet-for-their-business-operations-and-regulatory-obligations-in-different-geographical-regions-around-the-world-where-various-network-policies-and-security-measures-are-implemented-to-protect-sensitive-data-and-ensure-proper-access-control-for-applications-and-services-that-handle-confidential-information-and-business-critical-processes-that-must-operate-reliably-and-securely-at-all-times-without-interruption-or-performance-degradation-that-could-affect-end-users-and-customers-who-depend-on-these-systems-for-their-daily-activities-and-business-needs-which-makes-proper-validation-of-configuration-parameters-like-proxy-urls-essential-for-maintaining-system-stability-and-security-in-production-environments-where-any-configuration-error-could-have-significant-consequences-for-business-continuity-and-customer-satisfaction-which-is-why-we-implement-comprehensive-boundary-testing-to-ensure-that-all-validation-rules-work-correctly-at-their-specified-limits-and-provide-clear-error-messages-when-those-limits-are-exceeded.example.com:8443"
+              networkPolicyAllowProxyEgressAll: Managed
     - name: Should accept empty proxy configuration
       resourceName: cluster
       initial: |
@@ -221,6 +224,7 @@ tests:
               httpProxy: ""
               httpsProxy: ""
               noProxy: ""
+              networkPolicyAllowProxyEgressAll: Managed
   onUpdate:
     - name: Should be able to add global config after creation
       resourceName: cluster
@@ -338,6 +342,7 @@ tests:
               httpProxy: "http://proxy.company.com:3128"
               httpsProxy: "https://proxy.company.com:3128"
               noProxy: "localhost,127.0.0.1,.company.com"
+              networkPolicyAllowProxyEgressAll: Managed
     - name: Should be able to update node selector and tolerations
       resourceName: cluster
       initial: |

diff --git a/bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
@@ -605,6 +605,7 @@ spec:
           - networkpolicies
           verbs:
           - create
+          - delete
           - get
           - list
           - update

diff --git a/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml b/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1034,6 +1034,18 @@ spec:
                         maxLength: 2048
                         minLength: 0
                         type: string
+                      networkPolicyProvisioning:
+                        default: Managed
+                        description: |-
+                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains
+                          a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created
+                          regardless of this setting.
+                        enum:
+                        - Managed
+                        - Unmanaged
+                        type: string
                       noProxy:
                         description: |-
                           noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.

diff --git a/bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml b/bundle/manifests/operator.openshift.io_externalsecretsmanagers.yaml
@@ -1031,6 +1031,18 @@ spec:
                         maxLength: 2048
                         minLength: 0
                         type: string
+                      networkPolicyProvisioning:
+                        default: Managed
+                        description: |-
+                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains
+                          a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created
+                          regardless of this setting.
+                        enum:
+                        - Managed
+                        - Unmanaged
+                        type: string
                       noProxy:
                         description: |-
                           noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.

diff --git a/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml b/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1034,6 +1034,18 @@ spec:
                         maxLength: 2048
                         minLength: 0
                         type: string
+                      networkPolicyProvisioning:
+                        default: Managed
+                        description: |-
+                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains
+                          a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created
+                          regardless of this setting.
+                        enum:
+                        - Managed
+                        - Unmanaged
+                        type: string
                       noProxy:
                         description: |-
                           noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.

diff --git a/config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml b/config/crd/bases/operator.openshift.io_externalsecretsmanagers.yaml
@@ -1031,6 +1031,18 @@ spec:
                         maxLength: 2048
                         minLength: 0
                         type: string
+                      networkPolicyProvisioning:
+                        default: Managed
+                        description: |-
+                          NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.
+                          When set to Managed, the operator automatically provisions and maintains
+                          a NetworkPolicy allowing traffic to the configured proxy.
+                          If no proxy is configured, no NetworkPolicy will be created
+                          regardless of this setting.
+                        enum:
+                        - Managed
+                        - Unmanaged
+                        type: string
                       noProxy:
                         description: |-
                           noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -181,6 +181,7 @@ rules:
   - networkpolicies
   verbs:
   - create
+  - delete
   - get
   - list
   - update

diff --git a/docs/api_reference.md b/docs/api_reference.md
@@ -414,6 +414,23 @@ _Appears in:_
 | `labels` _object (keys:string, values:string)_ | labels to apply to all resources created by the operator.<br />This field can have a maximum of 20 entries. |  | MaxProperties: 20 <br />MinProperties: 0 <br /> |
 
 
+#### ManagementState
+
+_Underlying type:_ _string_
+
+ManagementState controls whether the operator manages the resource lifecycle.
+
+
+
+_Appears in:_
+- [ProxyConfig](#proxyconfig)
+
+| Field | Description |
+| --- | --- |
+| `Managed` | ManagementStateManaged indicates the Operator is responsible for the resource lifecycle.<br /> |
+| `Unmanaged` | ManagementStateUnmanaged indicates the User is responsible for the resource lifecycle.<br /> |
+
+
 #### Mode
 
 _Underlying type:_ _string_
@@ -498,6 +515,7 @@ _Appears in:_
 | `httpProxy` _string_ | httpProxy is the URL of the proxy for HTTP requests.<br />This field can have a maximum of 2048 characters. |  | MaxLength: 2048 <br />MinLength: 0 <br /> |
 | `httpsProxy` _string_ | httpsProxy is the URL of the proxy for HTTPS requests.<br />This field can have a maximum of 2048 characters. |  | MaxLength: 2048 <br />MinLength: 0 <br /> |
 | `noProxy` _string_ | noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.<br />This field can have a maximum of 4096 characters. |  | MaxLength: 4096 <br />MinLength: 0 <br /> |
+| `networkPolicyProvisioning` _[ManagementState](#managementstate)_ | NetworkPolicyProvisioning defines the management strategy for the proxy egress rule.<br />When set to Managed, the operator automatically provisions and maintains<br />a NetworkPolicy allowing traffic to the configured proxy.<br />If no proxy is configured, no NetworkPolicy will be created<br />regardless of this setting. | Managed | Enum: [Managed Unmanaged] <br /> |
 
 
 #### SecretReference

diff --git a/pkg/controller/external_secrets/constants.go b/pkg/controller/external_secrets/constants.go
@@ -66,6 +66,19 @@ const (
 	// https://cs.opensource.google/go/go/+/refs/tags/go1.24.4:src/crypto/x509/root_linux.go;l=22
 	trustedCABundleMountPath = "/etc/pki/tls/certs"
 
+	// proxyEgressNetworkPolicyName is the name of the programmatically-built proxy egress NetworkPolicy.
+	// Created only when spec.appConfig.proxy.networkPolicyAllowProxyEgressAll is Managed (default)
+	// and an effective proxy is configured via getProxyConfiguration().
+	proxyEgressNetworkPolicyName = "eso-sys-proxy-egress-core"
+
+	// migrationCompleteAnnotation is set on ExternalSecretsConfig after legacy unprefixed
+	// NetworkPolicies have been pruned on the first reconcile under the new naming scheme.
+	migrationCompleteAnnotation = "operator.openshift.io/network-policy-migration-complete"
+
+	// userNetworkPolicyPrefix is prepended to user-defined NetworkPolicy names from spec.networkPolicies[].
+	// The user writes name: allow-external-secrets-egress; the K8s object is eso-user-allow-external-secrets-egress.
+	userNetworkPolicyPrefix = "eso-user-"
+
 	// Proxy environment variable names (uppercase).
 	httpProxyEnvVar  = "HTTP_PROXY"
 	httpsProxyEnvVar = "HTTPS_PROXY"

diff --git a/pkg/controller/external_secrets/controller.go b/pkg/controller/external_secrets/controller.go
@@ -104,7 +104,7 @@ type Reconciler struct {
 // +kubebuilder:rbac:groups="",resources=events;secrets;services;serviceaccounts,verbs=get;list;watch;create;update;delete;patch
 // +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update
 // +kubebuilder:rbac:groups=cert-manager.io,resources=certificates;clusterissuers;issuers,verbs=get;list;watch;create;update
-// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update
+// +kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;delete
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch;create;update;patch
 
 // +kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch
-Original file line number
+Diff line change
@@ Expand Up / @@ -605,6 +605,7 @@ spec: @@
               - networkpolicies
               verbs:
               - create
+              - delete
               - get
               - list
               - update
@@ Expand Down @@