Problem
The NetworkPolicy created by this chart blocks access from the external-secrets-operator due to an incorrect label selector.
Current Behavior
The NetworkPolicy template uses this selector:

```yaml
spec:
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: external-secrets
```

However, the external-secrets-operator pods actually have this label:

```yaml
app.kubernetes.io/name: external-secrets
```

This causes ClusterSecretStore validation to fail with:

```
error accessing external store: dial tcp <service-ip>:8087: i/o timeout
```
Expected Behavior
The NetworkPolicy should allow access from external-secrets-operator pods.
Suggested Fix
Update the NetworkPolicy template to include both label selectors:

```yaml
spec:
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: external-secrets
        - podSelector:
            matchLabels:
              app.kubernetes.io/part-of: external-secrets
```

Environment
- Chart version: 0.3.0
- External Secrets Operator version: 0.20.1
- Kubernetes version: 1.31+
Workaround
Currently using a postRenderer with a kustomize patch to fix the NetworkPolicy:

```yaml
postRenderers:
  - kustomize:
      patches:
        - patch: |-
            - op: replace
              path: /spec/ingress
              value:
                - from:
                    - podSelector:
                        matchLabels:
                          app.kubernetes.io/name: external-secrets
                    - podSelector:
                        matchLabels:
                          app.kubernetes.io/part-of: external-secrets
          target:
            kind: NetworkPolicy
            name: external-secret-2-bw-cli
```
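To make the selector mismatch concrete, here is an added example (not code from this issue, the chart, or the external-secrets project) that models how a NetworkPolicy ingress rule selects source pods and evaluates the current rule and the suggested fix against a pod carrying the `app.kubernetes.io/name` label. It goes slightly beyond the report by also modelling `namespaceSelector`, since a `podSelector` on its own only reaches pods in the policy's own namespace. The namespace `bw-cli` and the extra `pod-template-hash` label are constructed values.

```python
# Added example, not code from the issue or the chart: a model of how a NetworkPolicy
# ingress rule selects source pods, showing why a part-of selector misses an operator
# pod labelled app.kubernetes.io/name. Namespace names and extra labels are constructed.

def selector_matches(selector, labels):
    """matchLabels entries are ANDed; an empty selector {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, pod_labels, pod_ns, policy_ns, ns_labels):
    """One item under 'from'. podSelector and namespaceSelector in the same item
    are ANDed; a podSelector alone only reaches pods in the policy's own namespace."""
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], ns_labels):
            return False
    elif pod_ns != policy_ns:
        return False
    if "podSelector" in peer:
        return selector_matches(peer["podSelector"], pod_labels)
    return True  # namespaceSelector alone: every pod in the matched namespaces

def ingress_allows(policy, pod_labels, pod_ns, ns_labels=None):
    """Separate items in a 'from' list are ORed, as are separate ingress rules."""
    policy_ns = policy["metadata"]["namespace"]
    return any(
        peer_matches(peer, pod_labels, pod_ns, policy_ns, ns_labels or {})
        for rule in policy["spec"].get("ingress", [])
        for peer in rule.get("from", [])
    )

def make_policy(peers, namespace="bw-cli"):  # namespace is a constructed value
    return {"metadata": {"namespace": namespace},
            "spec": {"podSelector": {}, "ingress": [{"from": peers}]}}

# Label the operator pods actually carry per the report, plus one constructed label.
ESO_POD_LABELS = {"app.kubernetes.io/name": "external-secrets", "pod-template-hash": "abc123"}

# The chart's current rule, and the rule from the suggested fix (two ORed peers).
CURRENT_POLICY = make_policy([
    {"podSelector": {"matchLabels": {"app.kubernetes.io/part-of": "external-secrets"}}}])
FIXED_POLICY = make_policy([
    {"podSelector": {"matchLabels": {"app.kubernetes.io/name": "external-secrets"}}},
    {"podSelector": {"matchLabels": {"app.kubernetes.io/part-of": "external-secrets"}}}])

if __name__ == "__main__":
    print("current rule admits operator pod:", ingress_allows(CURRENT_POLICY, ESO_POD_LABELS, "bw-cli"))
    print("fixed rule admits operator pod:  ", ingress_allows(FIXED_POLICY, ESO_POD_LABELS, "bw-cli"))
```

Running it prints False for the current rule and True for the fixed one; the same operator pod in a different namespace is still rejected unless the peer also carries a `namespaceSelector`.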