Chapter 11. External Secrets Operator for Red Hat OpenShift


11.1. External Secrets Operator for Red Hat OpenShift overview

The External Secrets Operator for Red Hat OpenShift operates as a cluster-wide service to deploy and manage the external-secrets application. The external-secrets application integrates with external secrets management systems and performs secret fetching, refreshing, and provisioning within the cluster.

Important

The External Secrets Operator for Red Hat OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

11.1.1. About the External Secrets Operator for Red Hat OpenShift

Use the External Secrets Operator for Red Hat OpenShift to integrate the external-secrets application with the OpenShift Container Platform cluster. The external-secrets application fetches secrets stored in external providers such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager, and AWS Systems Manager Parameter Store, and integrates them with Kubernetes in a secure manner.

Using the External Secrets Operator ensures the following:

  • Decouples applications from the secret-lifecycle management.
  • Centralizes secret storage to support compliance requirements.
  • Enables secure and automated secret rotation.
  • Supports multi-cloud secret sourcing with fine-grained access control.
  • Centralizes and audits access control.

Important

Do not attempt to use more than one External Secrets Operator in your cluster. If you have a community External Secrets Operator installed in your cluster, you must uninstall it before installing the External Secrets Operator for Red Hat OpenShift.

For more information about the external-secrets application, see external-secrets.

Use the External Secrets Operator to authenticate with the external secrets store, retrieve secrets, and inject the retrieved secrets into a native Kubernetes secret. This method removes the need for applications to directly access or manage external secrets.

11.1.2. External secrets providers for the External Secrets Operator for Red Hat OpenShift

The External Secrets Operator for Red Hat OpenShift is tested with the external secrets provider types listed in the following section.

Note

Red Hat does not test all factors associated with third-party secrets store provider functionality. For more information about third-party support, see the Red Hat third-party support policy.

11.1.3. Testing external secrets provider types

The following table shows the test coverage for each tested external secrets provider type.

Secrets Provider | Test Status | Notes
--- | --- | ---
AWS Secrets Manager | Partially tested | Ensures basic functionality.
AWS Systems Manager Parameter Store | Partially tested | Ensures basic functionality.
HashiCorp Vault | Partially tested |
Google Secrets Manager | Partially tested |

11.1.4. About FIPS compliance for External Secrets Operator for Red Hat OpenShift

The External Secrets Operator for Red Hat OpenShift supports FIPS compliance. When running on OpenShift Container Platform in FIPS mode, the External Secrets Operator uses the RHEL cryptographic libraries submitted to NIST for FIPS validation on the x86_64, ppc64le, and s390x architectures. For more information about the NIST validation program, see Cryptographic module validation program. For more information about the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance activities and government standards.

To enable FIPS mode, install the External Secrets Operator on an OpenShift Container Platform cluster that runs in FIPS mode. For more information, see "Do you need extra security for your cluster?".

11.2. External Secrets Operator for Red Hat OpenShift release notes

The External Secrets Operator for Red Hat OpenShift is a cluster-wide service that provides lifecycle management for secrets fetched from external secret management systems.

These release notes track the development of External Secrets Operator.

Important

The External Secrets Operator for Red Hat OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

For more information, see External Secrets Operator overview.

11.2.1. Release notes for External Secrets Operator for Red Hat OpenShift 0.1.0 (Technology Preview)

Issued: 2025-06-26

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 0.1.0:

Version 0.1.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets version 0.14.3. For more information, see the external-secrets project release notes for v0.14.3.

11.2.1.1. New features and enhancements

  • This is the initial, Technology Preview release of the External Secrets Operator for Red Hat OpenShift.

11.3. Installing the External Secrets Operator for Red Hat OpenShift

The External Secrets Operator for Red Hat OpenShift is not installed on OpenShift Container Platform by default. Install the External Secrets Operator by using either the web console or the command-line interface (CLI).

Important

The External Secrets Operator for Red Hat OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

11.3.1. Limitations of External Secrets Operator for Red Hat OpenShift

The following are the limitations of External Secrets Operator for Red Hat OpenShift during the installation and uninstallation of the external-secrets application.

  • Uninstalling the External Secrets Operator for Red Hat OpenShift does not delete the resources created for the external-secrets application. You must clean up the resources manually.
  • If you add cert-manager Operator configuration to the externalsecrets.operator.openshift.io object after it has been created, manually delete the external-secrets-cert-controller deployment to prevent degradation of the external-secrets application.
  • Enable the BitwardenSecretManagerProvider field in the externalsecrets.operator.openshift.io object only when the Operator is installed on an OpenShift Container Platform cluster running on the x86_64 or arm64 architecture.
  • Ensure that the cert-manager Operator is installed and operational before deploying the External Secrets Operator for Red Hat OpenShift. If you install the cert-manager Operator later, manually restart the external-secrets-operator pod to apply the cert-manager configuration in the externalsecrets.operator.openshift.io object.

11.3.2. Installing the External Secrets Operator for Red Hat OpenShift by using the web console

You can use the web console to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Navigate to Operators → OperatorHub.
  3. Enter External Secrets Operator in the search box.
  4. Select the External Secrets Operator for Red Hat OpenShift from the generated list and click Install.
  5. On the Install Operator page:

    1. Update the Update channel, if necessary. The channel defaults to tech-preview-v0.1, which installs the latest stable release of the External Secrets Operator.
    2. Select the version from Version drop-down list.
    3. Choose the Installed Namespace for the Operator.

      • To use the default Operator namespace, select the Operator recommended Namespace option.
      • To use the namespace that you created, select the Select a Namespace option, and then select the namespace from the drop-down list.
      • If the default external-secrets-operator namespace does not exist, it is created for you by the Operator Lifecycle Manager (OLM).
    4. Select an Update approval strategy.

      • The Automatic strategy enables OLM to automatically update the Operator when a new version is available.
      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.
    5. Click Install.

Verification

  1. Navigate to Operators → Installed Operators.
  2. Verify that External Secrets Operator is listed with a Status of Succeeded in the external-secrets-operator namespace.

11.3.3. Installing the External Secrets Operator for Red Hat OpenShift by using the CLI

You can use the command-line interface (CLI) to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create a new project named external-secrets-operator by running the following command:

    $ oc new-project external-secrets-operator
  2. Create an OperatorGroup object by defining a YAML file with the following content:

    Example operatorGroup.yaml file

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: openshift-external-secrets-operator
      namespace: external-secrets-operator
    spec:
      targetNamespaces: []

  3. Create the OperatorGroup object by running the following command:

    $ oc create -f operatorGroup.yaml
  4. Create a Subscription object by defining a YAML file with the following content:

    Example subscription.yaml file

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: openshift-external-secrets-operator
      namespace: external-secrets-operator
    spec:
      channel: tech-preview-v0.1
      name: openshift-external-secrets-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      installPlanApproval: Automatic

  5. Create the Subscription object by running the following command:

    $ oc create -f subscription.yaml

Verification

  1. Verify that the OLM subscription is created by running the following command:

    $ oc get subscription -n external-secrets-operator

    Example output

    NAME                                  PACKAGE                               SOURCE          CHANNEL
    openshift-external-secrets-operator   openshift-external-secrets-operator   eso-010-index   tech-preview-v0.1

  2. Verify whether the Operator is successfully installed by running the following command:

    $ oc get csv -n external-secrets-operator

    Example output

    NAME                               DISPLAY                                           VERSION   REPLACES   PHASE
    external-secrets-operator.v0.1.0   External Secrets Operator for Red Hat OpenShift   0.1.0                Succeeded

  3. Verify that the status of the External Secrets Operator is Running by entering the following command:

    $ oc get pods -n external-secrets-operator

    Example output

    NAME                                                            READY   STATUS    RESTARTS   AGE
    external-secrets-operator-controller-manager-5699f4bc54-kbsmn   1/1     Running   0          25h

11.3.5. Installing the External Secrets operand for Red Hat OpenShift by using the CLI

You can use the command-line interface (CLI) to install the External Secrets operand.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create an externalsecrets.operator.openshift.io object by defining a YAML file with the following content:

    Example externalsecrets.yaml file

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecrets
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets-operator
      name: cluster
    spec: {}

    For more information on spec configuration, see "External Secrets Operator for Red Hat OpenShift APIs".

  2. Create the externalsecrets.operator.openshift.io object by running the following command:

    $ oc create -f externalsecrets.yaml

Verification

  1. Verify that the external-secrets pods are running by entering the following command:

    $ oc get pods -n external-secrets

    Example output

    NAME                                                READY   STATUS    RESTARTS   AGE
    external-secrets-75d47cb9c8-6p4n2                   1/1     Running   0          4h5m
    external-secrets-cert-controller-676444b897-qb6ft   1/1     Running   0          4h5m
    external-secrets-webhook-b566658ff-7m4d5            1/1     Running   0          4h5m

  2. Verify that the externalsecrets.operator.openshift.io cluster object reports a successful status by running the following command:

    $ oc get externalsecrets.operator.openshift.io cluster -n external-secrets-operator -o jsonpath='{.status.conditions}' | jq .

    Example output

    [
      {
        "lastTransitionTime": "2025-06-17T14:57:04Z",
        "message": "",
        "observedGeneration": 1,
        "reason": "Ready",
        "status": "False",
        "type": "Degraded"
      },
      {
        "lastTransitionTime": "2025-06-17T14:57:04Z",
        "message": "reconciliation successful",
        "observedGeneration": 1,
        "reason": "Ready",
        "status": "True",
        "type": "Ready"
      }
    ]
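
The last verification step is worth scripting when the operand's health feeds a monitoring check or a deployment gate. The following Python health check is an added example, not part of the Red Hat documentation or the Operator: it parses the conditions array that the oc get externalsecrets.operator.openshift.io cluster -o jsonpath='{.status.conditions}' command prints (the sample embedded in the code is copied from the example output above) and treats the operand as healthy only when Ready is True, Degraded is False, and every condition was observed for the object's current metadata.generation, so a status left behind by an earlier spec is not mistaken for success. Pairing it with the object's generation (for instance from oc get ... -o jsonpath='{.metadata.generation}') is an assumption about how you would wire it up.

```python
"""Health check for the External Secrets operand status (added example).

Feed it the output of:
  oc get externalsecrets.operator.openshift.io cluster -o jsonpath='{.status.conditions}'
and, optionally, the object's current metadata.generation.
"""
import json
import sys

# Constructed sample: the conditions array copied from the verification step
# above. The generation value paired with it in the usage below is constructed.
SAMPLE_CONDITIONS_JSON = """
[
  {"lastTransitionTime": "2025-06-17T14:57:04Z", "message": "",
   "observedGeneration": 1, "reason": "Ready", "status": "False", "type": "Degraded"},
  {"lastTransitionTime": "2025-06-17T14:57:04Z", "message": "reconciliation successful",
   "observedGeneration": 1, "reason": "Ready", "status": "True", "type": "Ready"}
]
"""


def evaluate_conditions(conditions, generation=None):
    """Return (healthy, problems) for a Kubernetes-style conditions list.

    Healthy means: a Ready condition exists and is True, no Degraded condition
    is True, and, when generation is given, every condition was observed for
    that generation (otherwise the status may describe an older spec that the
    Operator has not reconciled yet).
    """
    problems = []
    by_type = {cond.get("type"): cond for cond in conditions}

    ready = by_type.get("Ready")
    if ready is None:
        problems.append("no Ready condition reported")
    elif ready.get("status") != "True":
        problems.append(
            f"Ready is {ready.get('status')} ({ready.get('reason')}): {ready.get('message')}"
        )

    degraded = by_type.get("Degraded")
    if degraded is not None and degraded.get("status") != "False":
        problems.append(
            f"Degraded is {degraded.get('status')} ({degraded.get('reason')}): {degraded.get('message')}"
        )

    if generation is not None:
        for cond in conditions:
            if cond.get("observedGeneration") != generation:
                problems.append(
                    f"{cond.get('type')} observed generation {cond.get('observedGeneration')}, "
                    f"object generation is {generation}: status is stale"
                )

    return (not problems, problems)


def check_status_json(raw_conditions, generation=None):
    """Parse the jsonpath output and evaluate it; an empty output counts as no conditions."""
    conditions = json.loads(raw_conditions) if raw_conditions.strip() else []
    return evaluate_conditions(conditions, generation)


if __name__ == "__main__":
    # Usage: oc get ... -o jsonpath='{.status.conditions}' | python3 check_eso.py [generation]
    current_generation = int(sys.argv[1]) if len(sys.argv) > 1 else None
    healthy, problems = check_status_json(sys.stdin.read(), current_generation)
    for problem in problems:
        print("PROBLEM:", problem)
    print("healthy" if healthy else "unhealthy")
    sys.exit(0 if healthy else 1)
```

The exit status makes the script usable directly as a readiness gate; the generation check is the part a plain `grep Ready` would miss.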

11.4. Uninstalling the External Secrets Operator for Red Hat OpenShift

You can remove the External Secrets Operator for Red Hat OpenShift from OpenShift Container Platform by uninstalling the Operator and removing its related resources.

Important

The External Secrets Operator for Red Hat OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

11.4.1. Uninstalling the External Secrets Operator for Red Hat OpenShift using the web console

You can uninstall the External Secrets Operator for Red Hat OpenShift by using the web console.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.
  • The External Secrets Operator is installed.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Uninstall the External Secrets Operator for Red Hat OpenShift using the following steps:

    1. Navigate to Operators → Installed Operators.
    2. Click the Options menu next to the External Secrets Operator for Red Hat OpenShift entry and click Uninstall Operator.
    3. In the confirmation dialog, click Uninstall.

11.4.2. Removing External Secrets Operator for Red Hat OpenShift resources by using the web console

After you have uninstalled the External Secrets Operator for Red Hat OpenShift, you can optionally eliminate its associated resources from your cluster.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Remove the deployments of the external-secrets application components in the external-secrets namespace:

    1. Click the Project drop-down menu to see a list of all available projects, and select the external-secrets project.
    2. Navigate to Workloads → Deployments.
    3. Select the deployment that you want to delete.
    4. Click the Actions drop-down menu, and select Delete Deployment to see a confirmation dialog box.
    5. Click Delete to delete the deployment.
  3. Remove the custom resource definitions (CRDs) that were installed by the External Secrets Operator using the following steps:

    1. Navigate to Administration → CustomResourceDefinitions.
    2. Choose external-secrets.io/component: controller from the suggestions in the Label field to filter the CRDs.
    3. Click the Options menu next to each of the following CRDs, and select Delete Custom Resource Definition:

      • ACRAccessToken
      • ClusterExternalSecret
      • ClusterGenerator
      • ClusterSecretStore
      • ECRAuthorizationToken
      • ExternalSecret
      • GCRAccessToken
      • GeneratorState
      • GithubAccessToken
      • Grafana
      • Password
      • PushSecret
      • QuayAccessToken
      • SecretStore
      • STSSessionToken
      • UUID
      • VaultDynamicSecret
      • Webhook
  4. Remove the external-secrets-operator namespace using the following steps:

    1. Navigate to Administration → Namespaces.
    2. Click the Options menu next to the external-secrets-operator namespace and select Delete Namespace.
    3. In the confirmation dialog, enter external-secrets-operator in the field and click Delete.

11.4.3. Removing External Secrets Operator for Red Hat OpenShift resources by using the CLI

After you have uninstalled the External Secrets Operator for Red Hat OpenShift, you can optionally eliminate its associated resources from your cluster by using the command-line interface (CLI).

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Delete the deployments of the external-secrets application components in the external-secrets namespace by running the following command:

    $ oc delete deployment -n external-secrets -l app=external-secrets
  2. Delete the custom resource definitions (CRDs) that were installed by the External Secrets Operator by running the following command:

    $ oc delete customresourcedefinitions.apiextensions.k8s.io -l external-secrets.io/component=controller
  3. Delete the external-secrets-operator namespace by running the following command:

    $ oc delete project external-secrets-operator

11.5. External Secrets Operator for Red Hat OpenShift APIs

External Secrets Operator for Red Hat OpenShift uses the following two APIs to configure the external-secrets application deployment.

Group | Version | Kind
--- | --- | ---
operator.openshift.io | v1alpha1 | externalsecrets
operator.openshift.io | v1alpha1 | externalsecretsmanager

The following list contains the External Secrets Operator for Red Hat OpenShift APIs:

  • ExternalSecrets
  • ExternalSecretsList
  • ExternalSecretsManager
  • ExternalSecretsManagerList

11.5.1. externalSecretsManagerList

The externalSecretsManagerList object fetches the list of externalSecretsManager objects.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | |
kind | string | kind specifies the type of the object, which is externalSecretsManagerList for this API. | |
metadata | ListMeta | Refer to Kubernetes API documentation for details about the metadata fields. | |
items | array | Items contains a list of externalSecretsManager objects. | |

11.5.2. externalSecretsManager

The externalSecretsManager object defines the configuration and information of deployments managed by the External Secrets Operator. Set the name to cluster as this allows only one instance of externalSecretsManager per cluster.

You can configure global options and enable optional features by using externalSecretsManager. This serves as a centralized configuration for managing multiple controllers of the Operator. The Operator automatically creates the externalSecretsManager object during installation.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | |
kind | string | kind specifies the type of the object, which is externalSecretsManager for this object. | |
metadata | ObjectMeta | Refer to Kubernetes API documentation for details about the metadata fields. | |
spec | object | spec contains specifications of the desired behavior. | |
status | object | status displays the most recently observed state of the controllers in the External Secrets Operator. | |

11.5.3. externalSecretsList

The externalSecretsList object fetches the list of externalSecrets objects.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | |
kind | string | kind specifies the type of the object, which is externalSecretsList for this API. | |
metadata | ListMeta | Refer to Kubernetes API documentation for details about the metadata fields. | |
items | array | Items contains a list of externalSecrets objects. | |

11.5.4. externalSecrets

The externalSecrets object defines the configuration and information for the managed external-secrets operand deployment. Set the name to cluster, as the externalSecrets object allows only one instance per cluster.

Creating an externalSecrets object triggers the creation of a deployment that manages the external-secrets operand and maintains the desired state.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | |
kind | string | kind specifies the type of the object, which is externalSecrets for this object. | |
metadata | ObjectMeta | Refer to Kubernetes API documentation for details about the metadata fields. | |
spec | object | spec contains the specifications of the desired behavior of the externalSecrets object. | |
status | object | status displays the most recently observed status of the externalSecrets object. | |

11.5.5. Listing fields in External Secrets Operator for Red Hat OpenShift APIs

The following fields apply to the External Secrets Operator for Red Hat OpenShift APIs.

11.5.6. externalSecretsManagerSpec

The externalSecretsManagerSpec field defines the desired behavior of the externalSecretsManager object.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
globalConfig | object | globalConfig configures the behavior of deployments that External Secrets Operator manages. | | Optional
feature | array | feature enables the optional features of the Operator. | | Optional

11.5.7. externalSecretsManagerStatus

The externalSecretsManagerStatus field shows the most recently observed status of the externalSecretsManager object.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
controllerStatus | array | controllerStatus holds the observed conditions of the controllers used by the Operator. | |
lastTransitionTime | Time | lastTransitionTime records the most recent time the status of the condition changed. | | Format: date-time; Type: string

11.5.8. externalSecretsSpec

The externalSecretsSpec field defines the desired behavior of the externalSecrets object.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
externalSecretsConfig | object | externalSecretsConfig configures the behavior of the external-secrets operand. | | Optional
controllerConfig | object | controllerConfig configures the controller to set up defaults that enable the external-secrets operand. | | Optional

11.5.9. externalSecretsStatus

The externalSecretsStatus field shows the most recently observed status of the externalSecrets object.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
conditions | Condition array | conditions contains information about the current state of the deployment. | |
externalSecretsImage | string | externalSecretsImage specifies the image name and tag used to deploy the external-secrets operand. | |

11.5.10. globalConfig

The globalConfig field configures the behavior of the External Secrets Operator.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
logLevel | integer | logLevel supports a range of values as defined in the Kubernetes logging guidelines. | 1 | Minimum: 1; Maximum: 5; Optional
resources | ResourceRequirements | resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | Optional
affinity | Affinity | affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | | Optional
tolerations | Toleration array | tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | Optional
nodeSelector | object (keys:string, values:string) | nodeSelector defines the scheduling criteria by using the node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | | Optional
labels | object (keys:string, values:string) | labels applies labels to all resources created for the external-secrets operand deployment. | | Optional

11.5.11. feature

The feature field enables the optional features.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
name | string | name of the optional feature. | | Required
enabled | boolean | enabled determines whether the feature must be enabled. | | Required

11.5.12. controllerStatus

The controllerStatus field contains the observed conditions of the controllers used by the Operator.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
name | string | name specifies the name of the controller for which the observed condition is recorded. | | Required
conditions | array | conditions contains information about the current state of the External Secrets Operator controllers. | |
observedGeneration | integer | observedGeneration represents the .metadata.generation on the observed resource. | | Minimum: 0

11.5.13. externalSecretsConfig

The externalSecretsConfig field configures the behavior of the external-secrets operand.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
logLevel | integer | logLevel supports a range of values as defined in the Kubernetes logging guidelines. | 1 | Minimum: 1; Maximum: 5; Optional
operatingNamespace | string | operatingNamespace restricts the external-secrets operand operations to the provided namespace. Enabling this field disables ClusterSecretStore and ClusterExternalSecret. | | Optional
bitwardenSecretManagerProvider | object | bitwardenSecretManagerProvider enables the Bitwarden Secrets Manager provider and sets up the additional service required for connecting to the Bitwarden server. | | Optional
webhookConfig | object | webhookConfig configures webhook specifics of the external-secrets operand. | |
certManagerConfig | object | certManagerConfig configures cert-manager Operator settings that are used to generate certificates for the webhook and bitwarden-sdk-server components. | | Optional
resources | ResourceRequirements | resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | Optional
affinity | Affinity | affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | | Optional
tolerations | Toleration array | tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | Optional
nodeSelector | object (keys:string, values:string) | nodeSelector defines the scheduling criteria by using node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | | Optional

11.5.14. controllerConfig

The controllerConfig field configures the operator to set the default values for installing external-secrets operand.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
namespace | string | namespace configures the namespace for installing the external-secrets operand. | external-secrets | Optional
labels | object (keys:string, values:string) | labels applies labels to all resources created for the external-secrets operand deployment. | | Optional

11.5.15. bitwardenSecretManagerProvider

The bitwardenSecretManagerProvider field enables the Bitwarden Secrets Manager provider and sets up the additional service required to connect to the Bitwarden server.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
enabled | string | enabled enables the bitwardenSecretManagerProvider. You can set this field to true or false. | false | enum: [true false]; Optional
secretRef | SecretReference | secretRef specifies the Kubernetes secret that contains the TLS key pair for the Bitwarden server. If this reference is not provided and the certManagerConfig field is configured, the issuer defined in certManagerConfig generates the required certificate. The secret must use tls.crt for the certificate, tls.key for the private key, and ca.crt for the CA certificate. | | Optional

11.5.16. webhookConfig

The webhookConfig field configures the specifics of the external-secrets application webhook.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
certificateCheckInterval | Duration | certificateCheckInterval configures the polling interval to check certificate validity. | 5m | Optional

11.5.17. certManagerConfig

The certManagerConfig field configures the cert-manager Operator settings.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
enabled | string | enabled specifies whether cert-manager must obtain and renew certificates for the webhook server instead of using built-in certificates. Set this field to true or false. | false | enum: [true false]; Required
addInjectorAnnotations | string | addInjectorAnnotations adds the cert-manager.io/inject-ca-from annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the cert-manager Operator certificate authority (CA). This requires CA Injector to be enabled in the cert-manager Operator. Set this field to true or false. | false | enum: [true false]; Optional
issuerRef | ObjectReference | issuerRef contains details of the referenced object used for obtaining certificates. The object must exist in the external-secrets namespace unless a cluster-scoped cert-manager Operator issuer is used. | | Required
certificateDuration | Duration | certificateDuration sets the validity period of the webhook certificate. | 8760h | Optional
certificateRenewBefore | Duration | certificateRenewBefore sets the ahead time to renew the webhook certificate before expiry. | 30m | Optional

11.5.18. objectReference

The ObjectReference field refers to an object by its name, kind, and group.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
name | string | name specifies the name of the resource being referred to. | | Required
kind | string | kind specifies the kind of the resource being referred to. | | Optional
group | string | group specifies the group of the resource being referred to. | | Optional

11.5.19. secretReference

The secretReference field refers to a secret with the given name in the same namespace where it is used.

Field | Type | Description | Default | Validation
--- | --- | --- | --- | ---
name | string | name specifies the name of the secret resource being referred to. | | Required
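
The field descriptions in this section amount to a small schema, and checking a manifest against it before oc create saves a round trip to the API server and makes the security-relevant choices visible in review. The following Python pre-flight check is an added example, not code from the Red Hat documentation or the Operator: it validates an ExternalSecrets manifest against the rules stated above (the singleton name cluster, the logLevel range of 1 to 5, the string-typed true/false enums, the required certManagerConfig.enabled and issuerRef, and the secretRef-or-cert-manager requirement of the Bitwarden provider) and reports operatingNamespace as an informational finding because setting it disables ClusterSecretStore and ClusterExternalSecret. The sample manifests, the namespace payments and the issuer name external-secrets-issuer are constructed placeholders, and the check that certificateRenewBefore is shorter than certificateDuration is a sanity check of mine, not a rule the page states.

```python
"""Pre-flight check of an ExternalSecrets manifest against the field rules documented in
this chapter (added example; not part of the Operator)."""
import re

# Constructed sample manifests. The namespace 'payments' and the issuer name
# 'external-secrets-issuer' are placeholders, not values from the documentation.
SAMPLE_MANIFEST = {
    "apiVersion": "operator.openshift.io/v1alpha1", "kind": "ExternalSecrets",
    "metadata": {"name": "cluster", "labels": {"app.kubernetes.io/name": "external-secrets-operator"}},
    "spec": {
        "externalSecretsConfig": {
            "logLevel": 1, "operatingNamespace": "payments",
            "webhookConfig": {"certificateCheckInterval": "5m"},
            "certManagerConfig": {
                "enabled": "true", "addInjectorAnnotations": "true",
                "issuerRef": {"name": "external-secrets-issuer", "kind": "ClusterIssuer", "group": "cert-manager.io"},
                "certificateDuration": "8760h", "certificateRenewBefore": "30m"},
        },
        "controllerConfig": {"namespace": "external-secrets"},
    },
}

# The same object with several documented rules broken, for contrast.
MISCONFIGURED_MANIFEST = {
    "apiVersion": "operator.openshift.io/v1alpha1", "kind": "ExternalSecrets", "metadata": {"name": "cluster"},
    "spec": {"externalSecretsConfig": {
        "logLevel": 7,  # outside 1..5
        "certManagerConfig": {"enabled": "yes",  # not the string 'true'/'false'; issuerRef missing
                              "certificateDuration": "1h", "certificateRenewBefore": "2h"},  # renews after expiry
        "bitwardenSecretManagerProvider": {"enabled": "true"},  # no secretRef and no usable issuer
    }},
}

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}


def parse_duration(text):
    """Parse a Go-style Duration ('8760h', '30m', '1h30m') into seconds."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(ms|h|m|s)", text)
    if not parts or "".join(num + unit for num, unit in parts) != text:
        raise ValueError(f"invalid duration {text!r}")
    return sum(float(num) * _UNIT_SECONDS[unit] for num, unit in parts)


def _check_bool_string(value, path, findings):
    # Documented type for these flags: string, enum [true false].
    if value is not None and value not in ("true", "false"):
        findings.append(("error", f"{path} must be the string 'true' or 'false'"))


def validate_external_secrets(manifest):
    """Return a list of (severity, message); no 'error' entries means the manifest passes."""
    findings = []

    def error(msg):
        findings.append(("error", msg))

    if manifest.get("apiVersion") != "operator.openshift.io/v1alpha1":
        error("apiVersion must be operator.openshift.io/v1alpha1")
    if manifest.get("kind") != "ExternalSecrets":
        error("kind must be ExternalSecrets")
    if manifest.get("metadata", {}).get("name") != "cluster":
        error("metadata.name must be 'cluster': only one instance is allowed per cluster")

    cfg = (manifest.get("spec") or {}).get("externalSecretsConfig") or {}
    level = cfg.get("logLevel")
    if level is not None and not (isinstance(level, int) and 1 <= level <= 5):
        error("externalSecretsConfig.logLevel must be an integer from 1 to 5")
    if cfg.get("operatingNamespace"):
        findings.append(("info", f"operatingNamespace={cfg['operatingNamespace']!r}: the operand is "
                                 "restricted to that namespace; ClusterSecretStore and "
                                 "ClusterExternalSecret are disabled"))

    cert_manager = cfg.get("certManagerConfig")
    if cert_manager is not None:
        if "enabled" not in cert_manager:
            error("certManagerConfig.enabled is required")
        _check_bool_string(cert_manager.get("enabled"), "certManagerConfig.enabled", findings)
        _check_bool_string(cert_manager.get("addInjectorAnnotations"),
                           "certManagerConfig.addInjectorAnnotations", findings)
        if not (cert_manager.get("issuerRef") or {}).get("name"):
            error("certManagerConfig.issuerRef.name is required")
        try:
            duration = parse_duration(cert_manager.get("certificateDuration", "8760h"))
            renew_before = parse_duration(cert_manager.get("certificateRenewBefore", "30m"))
            # Sanity check of my own, not a documented rule: renew before the certificate expires.
            if renew_before >= duration:
                error("certificateRenewBefore must be shorter than certificateDuration")
        except ValueError as exc:
            error(f"certManagerConfig: {exc}")

    bitwarden = cfg.get("bitwardenSecretManagerProvider")
    if bitwarden is not None:
        _check_bool_string(bitwarden.get("enabled"), "bitwardenSecretManagerProvider.enabled", findings)
        issuer_available = bool(cert_manager) and cert_manager.get("enabled") == "true"
        if bitwarden.get("enabled") == "true" and not bitwarden.get("secretRef") and not issuer_available:
            error("bitwardenSecretManagerProvider needs secretRef (tls.crt, tls.key, ca.crt) "
                  "or an enabled certManagerConfig to obtain its TLS certificate")
    return findings


def errors(findings):
    return [msg for severity, msg in findings if severity == "error"]
```

Running validate_external_secrets on the misconfigured manifest yields five blocking findings, while the sample passes with only the informational note about the namespace restriction; a manifest that passes can be handed to oc create -f as JSON, which the CLI accepts in place of YAML.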

© 2025 Red Hat