chore: Get validating webhook failurePolicy for Secretstore dynamically

[LochanRn]

Problem Statement

What is the problem you're trying to solve?

Webhook Timeout Issue: The Kubernetes API server was unable to reach the External Secrets
Operator validation webhook, causing a timeout error:
Post "https://external-secrets-webhook.uipath.svc:443/validate-external-secrets-io-v1-secret
store?timeout=5s": context deadline exceeded

This is a known issue in EKS clusters where the API server (which runs on the control plane
outside the VPC) cannot resolve cluster DNS names for webhook services.

Related Issue

Fixes #956

Proposed Changes

I want to Ignore failurePolicy even for secretstore when i disable it for external secrets.

How do you like to solve the issue and why?

I have updated the templates in validating webhook.

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

This PR makes the validating webhook failurePolicy configurable via Helm values for the SecretStore (namespaced) and ExternalSecret validating webhooks by adding failurePolicy: {{ .Values.webhook.failurePolicy }} to their webhook definitions in deploy/charts/external-secrets/templates/validatingwebhook.yaml. The ClusterSecretStore webhook was not modified.

[gusfcarvalho]

hi @LochanRn . #956 was not caused by this issue. It was a problem on the port related to external-secrets-webhook when using EKS.

If you want to ignore the webhook because you expect it to fail everytime, I'd suggest you to instead just disable it. You'll earn a lot when it comes to APIServer responses due to avoiding the whole timeout checks.

[gusfcarvalho]

(Though, I could see this contribution by itself could be useful for tricky upgrades within the user base).

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[LochanRn]

hi @LochanRn . #956 was not caused by this issue. It was a problem on the port related to external-secrets-webhook when using EKS.

If you want to ignore the webhook because you expect it to fail everytime, I'd suggest you to instead just disable it. You'll earn a lot when it comes to APIServer responses due to avoiding the whole timeout checks.

makes sense, but i think this PR might still helpfull.

[Skarlso]

Can you please fix the sonar issue for formatting. Then please add a test for this under the helm tests to see that nothing is being messed up. Thanks.

[coderabbitai]

Walkthrough

Adds a failurePolicy field to the first webhook (validate.secretstore.external-secrets.io) in the ValidatingWebhookConfiguration template of the external-secrets Helm chart, sourcing the value from .Values.webhook.failurePolicy.

Changes

Cohort / File(s)	Summary
Webhook Configuration deploy/charts/external-secrets/templates/validatingwebhook.yaml	Adds a failurePolicy field to the first ValidatingWebhookConfiguration webhook (validate.secretstore.external-secrets.io), populated from .Values.webhook.failurePolicy.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	The PR makes a targeted change to add dynamic failurePolicy configuration to the SecretStore validating webhook, which aligns with the intent to resolve webhook timeout issues on EKS by allowing failurePolicy to be controlled via Helm values.
Out of Scope Changes check	✅ Passed	The change is narrowly scoped to add the failurePolicy field to one validating webhook configuration in the Helm template, directly addressing the linked issue without introducing unrelated modifications.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deploy/charts/external-secrets/templates/validatingwebhook.yaml (1)

36-50: Missing failurePolicy for ClusterSecretStore webhook.

According to the PR description, both SecretStore and ClusterSecretStore should have failurePolicy configured dynamically. However, the ClusterSecretStore webhook is missing this field. This creates an inconsistency where only SecretStore respects the failurePolicy setting, while ClusterSecretStore operations could still fail due to webhook timeouts in environments with connectivity issues (like the EKS scenario described in issue #956).

🔧 Proposed fix to add failurePolicy

   admissionReviewVersions: ["v1", "v1beta1"]
   sideEffects: None
   timeoutSeconds: 5
+  failurePolicy: {{ .Values.webhook.failurePolicy }}
 ---

🤖 Fix all issues with AI agents

In @deploy/charts/external-secrets/templates/validatingwebhook.yaml:
- Line 34: The Helm template for the validating webhook sets failurePolicy using
the expression {{ .Values.webhook.failurePolicy}} which lacks a space before the
closing braces; update the template expression to include a space before the
closing braces (e.g., use {{ .Values.webhook.failurePolicy }}) and make the same
spacing correction for the matching occurrence on line 84 to resolve the
formatting inconsistency.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b160ce and b62a70c.

📒 Files selected for processing (1)

• deploy/charts/external-secrets/templates/validatingwebhook.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: publish-artifacts (Dockerfile.ubi, CGO_ENABLED=0 GOEXPERIMENT=boringcrypto, amd64 ppc64le, linux/... / Build and Publish
• GitHub Check: publish-artifacts (Dockerfile.ubi, CGO_ENABLED=0, amd64 arm64 ppc64le, linux/amd64,linux/arm64,li... / Build and Publish
• GitHub Check: publish-artifacts (Dockerfile, CGO_ENABLED=0, amd64 arm64 s390x ppc64le, linux/amd64,linux/arm64,... / Build and Publish
• GitHub Check: unit-tests
• GitHub Check: check-diff
• GitHub Check: Analyze project (actions, none)
• GitHub Check: Analyze project (go, autobuild)
• GitHub Check: lint-and-test

🔇 Additional comments (1)

deploy/charts/external-secrets/templates/validatingwebhook.yaml (1)

34-34: No action needed — the webhook.failurePolicy value is already defined in values.yaml, and helm tests for webhook functionality already exist.

The template reference to .Values.webhook.failurePolicy is properly supported by the values.yaml file (line 402, set to Fail by default). Additionally, helm tests are already present in the repository at deploy/charts/external-secrets/tests/webhook_test.yaml and related test files, so the maintainer's requirement for test coverage is already satisfied.

Likely an incorrect or invalid review comment.

[Skarlso]

@LochanRn if you take care of the formatting and run make check-diff we can merge this. :)

[Skarlso]

/ok-to-test sha=34e20e15c990e90cf6b52edf459faa50e5037f87

[eso-service-account-app]

[Bot] - ✅ e2e for 34e20e15c990e90cf6b52edf459faa50e5037f87 passed

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud