Merge branch 'main' into pentest-removal2

Author: celeztyne

components/external-secrets-operator/staging/kustomization.yaml

@@ -2,3 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
+  - networkpolicy-default-deny.yaml
+  - networkpolicy-allow-egress.yaml
+  - networkpolicy-allow-ingress.yaml
+  - networkpolicy-allow-same-ns.yaml

components/external-secrets-operator/staging/networkpolicy-allow-egress.yaml

@@ -0,0 +1,96 @@
+# Network Policy: DNS Egress
+#
+# Purpose: Allow the external-secrets pods to communicate with DNS (for name resolution)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-dns-egress
+  namespace: external-secrets-operator
+spec:
+  # Selects ALL ESO Pods: main-controller, webhook, and cert-controller
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Egress
+  egress:
+  # Allow DNS queries to both the DNS pods and the DNS service (ClusterIP)
+  # The DNS service is typically at 172.30.0.10 in the service network
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-dns
+    - ipBlock:
+        cidr: 172.30.0.10/32
+    ports:
+    - protocol: UDP
+      port: 53
+    - protocol: TCP
+      port: 53
+---
+# Network Policy: Main Controller Egress
+#
+# Purpose: Allow the main external-secrets controller to communicate with:
+#   - Kubernetes API server (for watching CRDs, updating satus)
+#   - External secret providers (AWS, GCP, Vault, etc.)
+#   - OpenShift internal services
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-main-controller-egress
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+      app.kubernetes.io/name: external-secrets
+  policyTypes:
+  - Egress
+  egress:
+  - to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+---
+# Network Policy: Cert Controller and Webhook Egress
+#
+# Purpose: Allow the cert-controller and webhook to communicate with
+# Kubernetes API server:
+#   - cert-controller: for managing webhook certificates
+#   - webhook: for CRD validation and cert management
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-cert-controller-webhook-egress
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchExpressions:
+    - key: app.kubernetes.io/name
+      operator: In
+      values:
+      - external-secrets-cert-controller
+      - external-secrets-webhook
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Egress
+  egress:
+  # Allow egress to Kubernetes API server
+  # As kube-apiserver uses host network, support multiple cluster
+  # configurations with different network CIDRs
+  - to:
+    # kubernetes default service
+    - ipBlock:
+        cidr: 172.30.0.1/32
+    # Aggregated node network for internal clusters (10.28.x.x - 10.29.x.x)
+    - ipBlock:
+        cidr: 10.28.0.0/15
+    # Aggregated node network for public clusters (10.200 - 10.210)
+    - ipBlock:
+        cidr: 10.192.0.0/11
+    ports:
+      - protocol: TCP
+        port: 443
+      - protocol: TCP
+        port: 6443
+

components/external-secrets-operator/staging/networkpolicy-allow-ingress.yaml

@@ -0,0 +1,93 @@
+---
+# Network Policy: Webhook Ingress
+#
+# Purpose: Allow incoming traffic to the validating webhook on port 10250 from:
+#   - Kubernetes API server (required for CRD validation)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-webhook-ingress
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+      app.kubernetes.io/name: external-secrets-webhook
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    # Allow webhook traffic from Kubernetes API server
+    # The kube-apiserver uses host network (node IPs) but the call
+    # is NATed and comes from a pod IP assigned to interface ovn-k8s-mp0
+    # - 192.168.0.0/16 (pod CIDR in most clusters)
+    # - 10.128.0.0/14 (pod CIDR in stg-rh01, prd-rh01 and prd-p01 clusters)
+    - ipBlock:
+        cidr: 10.128.0.0/14
+    - ipBlock:
+        cidr: 192.168.0.0/16
+    ports:
+    - protocol: TCP
+      port: 10250 # Webhook port
+---
+# Network Policy: Metrics Ingress
+#
+# Purpose: Allow Prometheus/monitoring systems to scrape metrics from all ESO components
+# Port: 8080 (metrics endpoint)
+#
+# Allows traffic from:
+#   - appstudio-workload-monitoring namespace
+#   - openshift-monitoring namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-metrics-ingress
+  namespace: external-secrets-operator
+spec:
+  # Selects ALL ESO Pods (Controller, Webhook, Cert Controller)
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    # Allow Prometheus to scrape metrics
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: appstudio-workload-monitoring
+    # Also allow from openshift-monitoring if it exists
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: openshift-monitoring
+    ports:
+    - protocol: TCP
+      port: 8080  # Metrics port
+---
+# Network Policy: Health Checks
+#
+# Purpose: Allow liveness/readiness probes on all ESO components
+# Port: 8081 (health check endpoint)
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-health-checks-ingress
+  namespace: external-secrets-operator
+spec:
+  # Selects ALL ESO Pods (Controller, Webhook, Cert Controller)
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Ingress
+  ingress:
+  # Allow health checks on port 8081
+  - from:
+    - ipBlock:
+        cidr: 10.128.0.0/14
+    - ipBlock:
+        cidr: 192.168.0.0/16
+    ports:
+    - protocol: TCP
+      port: 8081
+

components/external-secrets-operator/staging/networkpolicy-allow-same-ns.yaml

@@ -0,0 +1,44 @@
+---
+# Network Policy: Intra-namespace Communication
+#
+# Purpose: Allow all ESO components to communicate with each other
+# within the same namespace, including localhost communication
+#
+# Applies to: Main controller, webhook, and cert-controller
+# Note: This provides a fallback for any internal coordination between ESO components
+# that is not explicitly covered by more specific policies
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-same-namespace
+  namespace: external-secrets-operator
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: external-secrets-operator
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/instance: external-secrets-operator
+  # Allow pods to communicate with themselves (localhost)
+  # This is needed for health checks and internal probe endpoints
+  - from:
+    - podSelector: {}
+    ports:
+    - protocol: TCP
+      port: 8081  # Health check port
+  egress:
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/instance: external-secrets-operator
+  # Allow pods to reach their own localhost
+  - to:
+    - podSelector: {}
+    ports:
+    - protocol: TCP
+      port: 8081  # Health check port

components/external-secrets-operator/staging/networkpolicy-default-deny.yaml

@@ -0,0 +1,22 @@
+---
+# Network Policy: Default Deny All
+#
+# Purpose: Implements a "deny all / permit by exception" security model
+#
+# Behavior:
+#   - Blocks ALL ingress traffic by default
+#   - Blocks ALL egress traffic by default
+#   - Other NetworkPolicies selectively allow specific traffic patterns
+#
+# Security: Aligns with ESO threat model recommendations
+# Reference: https://external-secrets.io/latest/guides/threat-model/
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: external-secrets-operator
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress

components/kueue/production/stone-prod-p02/queue-config/cluster-queue.yaml

@@ -149,6 +149,8 @@ spec:
     - linux-x86-64
     - local
     - localhost
+    - macos-mac2metal-arm64
+    - windows-amd64
     flavors:
     - name: platform-group-3
       resources:
@@ -174,6 +176,10 @@ spec:
         nominalQuota: '1000'
       - name: localhost
         nominalQuota: '1000'
+      - name: macos-mac2metal-arm64
+        nominalQuota: '5'
+      - name: windows-amd64
+        nominalQuota: '5'
   stopPolicy: None
 ---
 apiVersion: kueue.x-k8s.io/v1beta1

components/mintmaker/development/kustomization.yaml

@@ -2,13 +2,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
-  - https://github.com/konflux-ci/mintmaker/config/default?ref=d697b66123406f17ad538425e0f3ab60e45f8083
-  - https://github.com/konflux-ci/mintmaker/config/renovate?ref=d697b66123406f17ad538425e0f3ab60e45f8083
+  - https://github.com/konflux-ci/mintmaker/config/default?ref=fc5c9899e3778a3ba25decc179e2044426abf13b
+  - https://github.com/konflux-ci/mintmaker/config/renovate?ref=fc5c9899e3778a3ba25decc179e2044426abf13b
 
 images:
   - name: quay.io/konflux-ci/mintmaker
     newName: quay.io/konflux-ci/mintmaker
-    newTag: d697b66123406f17ad538425e0f3ab60e45f8083
+    newTag: fc5c9899e3778a3ba25decc179e2044426abf13b
   - name: quay.io/konflux-ci/mintmaker-renovate-image
     newName: quay.io/konflux-ci/mintmaker-renovate-image
     newTag: latest

components/mintmaker/staging/base/kustomization.yaml

@@ -4,18 +4,18 @@ resources:
 - ../../base
 - ../../base/external-secrets
 - ../blackbox
-- https://github.com/konflux-ci/mintmaker/config/default?ref=d697b66123406f17ad538425e0f3ab60e45f8083
-- https://github.com/konflux-ci/mintmaker/config/renovate?ref=d697b66123406f17ad538425e0f3ab60e45f8083
+- https://github.com/konflux-ci/mintmaker/config/default?ref=fc5c9899e3778a3ba25decc179e2044426abf13b
+- https://github.com/konflux-ci/mintmaker/config/renovate?ref=fc5c9899e3778a3ba25decc179e2044426abf13b
 
 namespace: mintmaker
 
 images:
 - name: quay.io/konflux-ci/mintmaker
   newName: quay.io/konflux-ci/mintmaker
-  newTag: d697b66123406f17ad538425e0f3ab60e45f8083
+  newTag: fc5c9899e3778a3ba25decc179e2044426abf13b
 - name: quay.io/konflux-ci/mintmaker-renovate-image
   newName: quay.io/konflux-ci/mintmaker-renovate-image
-  newTag: 66ba659c9e490c87a057e5443526a37fa7ba1705
+  newTag: d626233abbe78bbd7a2abd1e51592d3d1a667f49
 
 commonAnnotations:
   argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true