feat: add extraArgs field to ComponentConfig to allow tuning controller arguments

[joyrex2001]

Summary

Fixes #154

Adds an extraArgs field to ComponentConfig so users can supply additional command-line arguments to any external-secrets component container without forking the operator. User-supplied arguments are merged on top of the operator's defaults, with user values taking precedence when the same flag is already present.

Usage

apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    componentConfigs:
      - componentName: ExternalSecretsCoreController
        extraArgs:
          - --client-burst=200
          - --client-qps=100
          - --concurrent=20

Supplying a flag that is already set by the operator (e.g. --concurrent) overrides the operator default. New flags are appended. The field is available on all four components: ExternalSecretsCoreController, Webhook, CertController, and BitwardenSDKServer.

Changes

API (api/v1alpha1/external_secrets_config_types.go)

• Added ExtraArgs []string field to ComponentConfig with a max of 50 items and +listType=atomic.

Controller (pkg/controller/external_secrets/deployments.go)

• Added mergeArgs(container, extraArgs) — merges extra args onto a container's existing arg list, matching flags by the key portion (before =) so that --concurrent=20 correctly replaces --concurrent=1.
• Wired mergeArgs into applyUserDeploymentConfigs after the existing OverrideEnv block, applying only to the target component container.

Generated files (make update)

• api/v1alpha1/zz_generated.deepcopy.go — ComponentConfig.DeepCopyInto updated to deep-copy ExtraArgs.
• config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml — CRD schema updated with extraArgs field.
• bundle/ and docs/ refreshed accordingly.

Tests

• TestMergeArgs — unit tests for the merge function covering nil init, flag-key override, append, mixed, empty, and positional args.
• TestApplyUserDeploymentConfigsWithExtraArgs — table-driven tests verifying correct behaviour for all four component containers, empty args no-op, combined with OverrideEnv, and init-container isolation.
• Two cases added to TestCreateOrApplyDeployments exercising the full createOrApplyDeployments call chain: one appending a new flag (--client-qps=100), one overriding an operator default (--concurrent=1 → --concurrent=5).

Summary by CodeRabbit

• New Features

  • Components now support additional command-line arguments via extraArgs (spec.controllerConfig.componentConfigs[].deploymentConfigs.extraArgs), limited to 50 items.
  • extraArgs are merged into the operator’s default component arguments using key-based override semantics (key=value) with de-duplication, applied only to the targeted component container.

• Documentation

  • Updated the API reference to describe extraArgs behavior and limits.

• Tests

  • Added unit tests covering argument merge/override behavior and application to component deployment containers (including interaction with OverrideEnv).

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 59dcd9dd-94d0-4339-b6c2-b9cfc8978164

📥 Commits

Reviewing files that changed from the base of the PR and between 48bb9ea and 7a3adc6.

⛔ Files ignored due to path filters (1)

• api/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*

📒 Files selected for processing (4)

• bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
• bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
• config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
• docs/api_reference.md

✅ Files skipped from review due to trivial changes (2)

• bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
• docs/api_reference.md

🚧 Files skipped from review as they are similar to previous changes (2)

• bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
• config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml

---

Walkthrough

Adds an extraArgs field ([]string, maxItems 50) to the ComponentConfig API type. Updates both CRD YAML schemas and the API reference doc. Implements a mergeArgs helper that de-duplicates by flag key and wires it into applyUserDeploymentConfigs to apply user-supplied args to the matching component container.

Changes

ExtraArgs support for ComponentConfig

Layer / File(s)	Summary
API type, CRD schemas, and documentation api/v1alpha1/external_secrets_config_types.go, config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml, bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml, docs/api_reference.md	Adds ExtraArgs []string to ComponentConfig with +kubebuilder:validation:MaxItems=50 and +listType=atomic. Propagates the field into both CRD YAML schemas with matching constraints and documents it in the API reference.
mergeArgs helper and applyUserDeploymentConfigs wiring pkg/controller/external_secrets/deployments.go	Imports strings. Extends applyUserDeploymentConfigs to call mergeArgs on the container whose name matches the component. Adds mergeArgs, which initializes container.Args if nil, parses each arg with strings.Cut to extract the flag key, replaces any existing arg sharing the same key, and appends the arg if no match is found.
Tests pkg/controller/external_secrets/deployments_test.go	Adds subtests to TestCreateOrApplyDeployments for append and override ExtraArgs scenarios. Adds TestMergeArgs covering key-based override, positional-arg exact match, and nil/empty inputs. Adds TestApplyUserDeploymentConfigsWithExtraArgs validating per-container targeting across all component containers, init-container isolation, and combined ExtraArgs+OverrideEnv.
Bundle manifest update bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml	Updates metadata.annotations.createdAt timestamp.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 30.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	❓ Inconclusive	Custom check specifies Ginkgo test code review (It blocks, BeforeEach/AfterEach, Eventually/Consistently), but PR adds standard Go unit tests using table-driven patterns with t.Run(). Check require...	Clarify whether Ginkgo-specific requirements apply to standard Go test code, or broaden check to cover Go's table-driven testing patterns and mock-based testing practices.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding an extraArgs field to ComponentConfig for tuning controller arguments.
Linked Issues check	✅ Passed	The PR fully implements all requirements from #154: adds extraArgs field across all components, supports performance-tuning flags, implements flag-key-based precedence for user arguments to override defaults, and extends to all components.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing the extraArgs feature: API schema updates, controller logic for merging arguments, comprehensive tests, CRD manifests, and documentation. No unrelated changes detected.
Stable And Deterministic Test Names	✅ Passed	All test names in the PR are stable and deterministic. Tests use standard Go table-driven pattern with t.Run(), not Ginkgo. All 15 new test cases have static, descriptive names with no dynamic cont...
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. Only standard Go unit tests were added to pkg/controller/external_secrets/deployments_test.go. The check is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR adds only Go unit tests (testing package), not Ginkgo e2e tests. Check for SNO-incompatible e2e tests does not apply.
Topology-Aware Scheduling Compatibility	✅ Passed	This PR adds CLI argument configuration capability through an ExtraArgs field and a mergeArgs function. It introduces no scheduling constraints (no affinity, nodeSelector, tolerations, topology spr...
Ote Binary Stdout Contract	✅ Passed	PR introduces API, controller, and test changes for the extraArgs feature with no stdout writes in process-level code; all logging uses structured logr (stderr), and no fmt.Print/klog violations de...
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. All new tests are standard Go unit tests (TestMergeArgs, TestApplyUserDeploymentConfigsWithExtraArgs, cases in TestCreateOrApplyDeployments) using the...
No-Weak-Crypto	✅ Passed	No weak cryptographic usage detected. PR adds ExtraArgs field and mergeArgs() function for managing command-line arguments; string comparisons are for CLI flag keys only, not cryptographic material.
Container-Privileges	✅ Passed	The PR adds ExtraArgs field for container arguments. The existing security context properly sets AllowPrivilegeEscalation=false, Capabilities.Drop=[ALL], ReadOnlyRootFilesystem=true, and RunAsNonRo...
No-Sensitive-Data-In-Logs	✅ Passed	No logging of container arguments or sensitive data found. mergeArgs function and ExtraArgs processing contain no logging. Existing logging only records deployment names and feature states, never a...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: joyrex2001
Once this PR has been reviewed and has the lgtm label, please assign mytreya-rh for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

Hi @joyrex2001. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/controller/external_secrets/deployments_test.go`:
- Around line 1957-1967: The test case "both extra args and override env applied
together" specifies both ExtraArgs and OverrideEnv in the componentConfig but
only verifies the expectedArgs assertions. Add verification after the existing
args assertions to confirm that the OverrideEnv values are correctly applied to
the deployment, specifically checking that the LOG_LEVEL environment variable
with value "debug" is present in the container environment of the
external-secrets container. This ensures that regressions in OverrideEnv
handling will be caught by this combined test case.
- Around line 671-688: The validateDeployment function has a logic flaw where it
returns early upon finding "--concurrent=5", allowing the test to pass even if
"--concurrent=1" still exists later in the args list. Refactor the assertion
logic to scan through all args in the "external-secrets" container, tracking
whether both "--concurrent=1" and "--concurrent=5" are present. After completing
the full iteration through all args, assert that "--concurrent=1" does not exist
and that "--concurrent=5" is present, instead of returning early when
"--concurrent=5" is first found.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 39f4bd85-f393-4207-997c-36090f30eb9d

📥 Commits

Reviewing files that changed from the base of the PR and between 6fcdb4a and f1ab247.

⛔ Files ignored due to path filters (1)

• api/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*

📒 Files selected for processing (11)

• api/v1alpha1/external_secrets_config_types.go
• bundle.Dockerfile
• bundle/manifests/external-secrets.io_externalsecrets.yaml
• bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
• bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
• bundle/metadata/annotations.yaml
• config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
• config/manifests/bases/openshift-external-secrets-operator.clusterserviceversion.yaml
• docs/api_reference.md
• pkg/controller/external_secrets/deployments.go
• pkg/controller/external_secrets/deployments_test.go

💤 Files with no reviewable changes (1)

• bundle/manifests/external-secrets.io_externalsecrets.yaml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml`:
- Around line 223-231: The createdAt field in the YAML contains unresolved Git
merge conflict markers (<<<<<<, ======, >>>>>>> symbols) that make the file
invalid YAML. Since
bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
is a generated file, do not manually edit these conflict markers. Instead,
resolve the merge conflict in the upstream source manifest file that generates
this bundle artifact, then regenerate the entire bundle/ directory using the
appropriate generation tool or command to ensure all artifacts are consistent
and the conflict markers are eliminated.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: cdeaf5a4-b0d4-44c5-b691-4322e8137a9e

📥 Commits

Reviewing files that changed from the base of the PR and between 092387b and 48bb9ea.

⛔ Files ignored due to path filters (1)

• api/v1alpha1/zz_generated.deepcopy.go is excluded by !**/zz_generated*

📒 Files selected for processing (7)

• api/v1alpha1/external_secrets_config_types.go
• bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
• bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
• config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
• docs/api_reference.md
• pkg/controller/external_secrets/deployments.go
• pkg/controller/external_secrets/deployments_test.go

🚧 Files skipped from review as they are similar to previous changes (6)

• api/v1alpha1/external_secrets_config_types.go
• bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
• config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
• pkg/controller/external_secrets/deployments.go
• docs/api_reference.md
• pkg/controller/external_secrets/deployments_test.go

[joyrex2001]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.