Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 11. External Secrets Operator for Red Hat OpenShift

The External Secrets Operator for Red Hat OpenShift operates as a cluster-wide service to deploy and manage the external-secrets application. The external-secrets application integrates with external secrets management systems and performs secret fetching, refreshing, and provisioning within the cluster.

Use the External Secrets Operator for Red Hat OpenShift to integrate external-secrets application with the OpenShift Container Platform cluster. The external-secrets application fetches secrets stored in the external providers such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager, AWS Systems Manager Parameter Store and integrates them with Kubernetes in a secure manner.

Using the External Secrets Operator ensures the following:

  • Decouples applications from the secret-lifecycle management.
  • Centralizes secret storage to support compliance requirements.
  • Enables secure and automated secret rotation.
  • Supports multi-cloud secret sourcing with fine-grained access control.
  • Centralizes and audits access control.
Important

Do not attempt to use more than one External Secrets Operator in your cluster. If you have a community External Secrets Operator installed in your cluster, you must uninstall it before installing the External Secrets Operator for Red Hat OpenShift.

For more information about external-secrets application, see external-secrets.

Use the External Secrets Operator to authenticate with the external secrets store, retrieve secrets, and inject the retrieved secrets into a native Kubernetes secret. This method removes the need for applications to directly access or manage external secrets.

The External Secrets Operator for Red Hat OpenShift is tested with the following external secrets provider types:

Note

Red Hat does not test all factors associated with third-party secrets store provider functionality. For more information about third-party support, see the Red Hat third-party support policy.

11.1.3. Testing external secrets provider types
Copy link

The following table shows the test coverage for each tested external secrets provider type.

Expand
Secrets ProviderTest StatusNotes

AWS Secrets Manager

Partially tested

Ensures basic functionality.

AWS Systems Manager Parameter Store

Partially tested

Ensures basic functionality.

HashiCorp Vault

Partially tested

 

Google Secrets Manager

Partially tested

 

The External Secrets Operator for Red Hat OpenShift supports FIPS compliance. When running on OpenShift Container Platform in FIPS mode, External Secrets Operator uses the RHEL cryptographic libraries submitted to NIST for FIPS validation on the x86_64, ppc64le, and s390X architectures. For more information about the NIST validation program, see Cryptographic module validation program. For more information about the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance activities and government standards.

To enable FIPS mode, install the External Secrets Operator on an OpenShift Container Platform cluster that runs in FIPS mode. For more information, see "Do you need extra security for your cluster?".

11.1.5. Security considerations
Copy link

When using the External Secrets Operator for Red Hat OpenShift, there are some security concerns you should consider:

  • The external-secrets operand fetches the secrets from the configured external providers and stores it in a Kubernetes native Secrets resource. This results in a secret zero problem. It is recommended to secure the secret objects using additional encryption. For more information, see Data encryption options.
  • When configuring SecretStore and ClusterSecretStore resources, consider using short-term credential-based authorization. This approach enhances security by limiting the window of opportunity for unauthorized access, even if credentials are compromised.
  • To enhance the security of the External Secrets Operator for Red Hat OpenShift, it is crucial to implement role-based access controls (RBACs). These RBACs should define and limit access to the custom resources provided by the External Secrets Operator.

The External Secrets Operator for Red Hat OpenShift is a cluster-wide service that provides lifecycle management for secrets fetched from external secret management systems.

These release notes track the development of External Secrets Operator.

For more information, see External Secrets Operator overview.

Issued: 2025-11-03

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 1.0.0:

Version 1.0.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets project, version v0.19.0. For more information, see the external-secrets project release notes for v0.19.0.

11.2.1.1. Bug fixes
Copy link

  • Before this release, many of the APIs listed in the console for the External Secrets Operator for Red Hat OpenShift were missing descriptions. With this release, the API descriptions have been added. (OCPBUGS-61081)

11.2.1.2. New features and enhancements
Copy link

Renaming and improvements on the Operator API

With this release, the Operator API, externalsecrets.operator.openshift.io has been renamed to externalsecretsconfigs.operator.openshift.io to avoid confusion with the external-secrets provided API that has the same name, but a different purpose. The external-secrets provided API has also been restructured and new features are added.

For more information, see External Secrets Operator for Red Hat OpenShift APIs.

Support to collect metrics of External Secrets Operator

With this release, the External Secrets Operator for Red Hat OpenShift supports collecting metrics for both the Operator and operands. This is optional and must be enabled.

For more information, see Monitoring the External Secrets Operator for Red Hat OpenShift.

Support to configure proxy for External Secrets Operator

With this release, the External Secrets Operator for Red Hat OpenShift supports configuring proxy for both the Operator and operand.

For more information, see About the egress proxy for the External Secrets Operator for Red Hat OpenShift.

Root filesystem is read-only for External Secrets Operator for Red Hat OpenShift containers

With this release, to improve security, the External Secrets Operator for Red Hat OpenShift and all its operands have the readOnlyRootFilesystem security context set to true by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container’s root file system.

Network policy hardening is now available for External Secrets Operator components

With this release, External Secrets Operator for Red Hat OpenShift includes pre-defined NetworkPolicy resources designed for enhanced security by governing ingress and egress traffic for operand components. These policies cover essential internal traffic, such as ingress to the metrics and webhook servers, and egress to the OpenShift API server and DNS server. Note that deployment of the NetworkPolicy is enabled by default and egress allow policies must be explicitly defined in the ExternalSecretsConfig custom resource for the external-secrets component to fetch secrets from external providers.

For more information, see Configuring network policy for the operand.

Issued: 2025-06-26

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 0.1.0:

Version 0.1.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets version 0.14.3. For more information, see the external-secrets project release notes for v0.14.3.

11.2.2.1. New features and enhancements
Copy link

  • This is the initial, Technology Preview release of the External Secrets Operator for Red Hat OpenShift.

The External Secrets Operator for Red Hat OpenShift is not installed on the OpenShift Container Platform by default. Install the External Secrets Operator by using either the web console or the command-line interface (CLI).

The following are the limitations of External Secrets Operator for Red Hat OpenShift during the installation and uninstallation of the external-secrets application.

  • Uninstalling the External Secrets Operator for Red Hat OpenShift does not delete the resources created for external-secrets application. you must clean up the resources manually.
  • When you add cert-manager Operator configurations in externalsecrets.operator.openshift.io object after creation, delete the external-secrets-cert-controller deployment resource manually to prevent degradation of the external-secrets application.
  • Enable the BitwardenSecretManagerProvider field in externalsecrets.operator.openshift.io object only when installed on OpenShift Cluster running on x86_64 and arm64 architectures .
  • Ensure cert-manager Operator is installed and operational before deploying the External Secrets Operator for Red Hat OpenShift for seamless functioning. If you install the cert-manager Operator later, manually restart the external-secrets-operator pod to apply cert-manager configurations in externalsecrets.operator.openshift.io object.

You can use the web console to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Navigate to Ecosystem Software Catalog.
  3. Enter External Secrets Operator in the search box.
  4. Select the External Secrets Operator for Red Hat OpenShift from the generated list and click Install.

  5. On the Install Operator page:

    1. Update the Update channel, if necessary. The channel defaults to tech-preview-v0.1, which installs the latest stable release of the External Secrets Operator.
    2. Select the version from Version drop-down list.

    3. Choose the Installed Namespace for the Operator.

      • To use the default Operator namespace, select the Operator recommended Namespace option.
      • To use the namespace that you created, select the Select a Namespace option, and then select the namespace from the drop-down list.
      • If the default external-secrets-operator namespace does not exist, it is created for you by the Operator Lifecycle Manager (OLM).

    4. Select an Update approval strategy.

      • The Automatic strategy enables OLM to automatically update the Operator when a new version is available.
      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.
    5. Click Install.

Verification

  1. Navigate to Ecosystem Installed Operators.
  2. Verify that External Secrets Operator is listed with a Status of Succeeded in the external-secrets-operator namespace.

You can use the command-line interface (CLI) to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create a new project named external-secrets-operator by running the following command: 

    $ oc new-project external-secrets-operator
    Copy to Clipboard Toggle word wrap

  2. Create an OperatorGroup object by defining a YAML file with the following content:

    Example operatorGroup.yaml file

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-external-secrets-operator
  namespace: external-secrets-operator
spec:
  targetNamespaces: []
    Copy to Clipboard Toggle word wrap

  3. Create the OperatorGroup object by running the following command: 

    $ oc create -f operatorGroup.yaml
    Copy to Clipboard Toggle word wrap

  4. Create a Subscription object by defining a YAML file with the following content:

    Example subscription.yaml file

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-external-secrets-operator
  namespace: external-secrets-operator
spec:
  channel: tech-preview-v0.1
  name: openshift-external-secrets-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  installPlanApproval: Automatic
    Copy to Clipboard Toggle word wrap

  5. Create the Subscription object by running the following command: 

    $ oc create -f subscription.yaml
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the OLM subscription is created by running the following command: 

    $ oc get subscription -n external-secrets-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                  PACKAGE                               SOURCE          CHANNEL
openshift-external-secrets-operator   openshift-external-secrets-operator   eso-010-index   tech-preview-v0.1
    Copy to Clipboard Toggle word wrap

  2. Verify whether the Operator is successfully installed by running the following command: 

    $ oc get csv -n external-secrets-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                               DISPLAY                                           VERSION   REPLACES   PHASE
external-secrets-operator.v0.1.0   External Secrets Operator for Red Hat OpenShift   0.1.0                Succeeded
    Copy to Clipboard Toggle word wrap

  3. Verify that the status of the External Secrets Operator is Running by entering the following command: 

    $ oc get pods -n external-secrets-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                                            READY   STATUS    RESTARTS   AGE
external-secrets-operator-controller-manager-5699f4bc54-kbsmn   1/1     Running   0          25h
    Copy to Clipboard Toggle word wrap

You can use the command-line interface (CLI) to install the External Secrets operand.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create a externalsecrets.openshift.operator.io object by defining a YAML file with the following content:

    Example externalsecrets.yaml file

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecrets
metadata:
  labels:
    app.kubernetes.io/name: external-secrets-operator
  name: cluster
spec: {}
    Copy to Clipboard Toggle word wrap

    For more information on spec configuration, see "External Secrets Operator for Red Hat OpenShift APIs".

  2. Create the externalsecrets.openshift.operator.io object by running the following command: 

    $ oc create -f externalsecrets.yaml
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the external-secrets pods are running by entering the following command: 

    $ oc get pods -n external-secrets
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                                READY   STATUS    RESTARTS   AGE
external-secrets-75d47cb9c8-6p4n2                   1/1     Running   0          4h5m
external-secrets-cert-controller-676444b897-qb6ft   1/1     Running   0          4h5m
external-secrets-webhook-b566658ff-7m4d5            1/1     Running   0          4h5m
    Copy to Clipboard Toggle word wrap

  2. Verify that the external-secrets-operator deployment object reports a successful status by running the following command: 

    $ oc get externalsecrets.operator.openshift.io cluster -n external-secrets-operator -o jsonpath='{.status.conditions}' | jq .
    Copy to Clipboard Toggle word wrap

    Example output

    [
  {
    "lastTransitionTime": "2025-06-17T14:57:04Z",
    "message": "",
    "observedGeneration": 1,
    "reason": "Ready",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2025-06-17T14:57:04Z",
    "message": "reconciliation successful",
    "observedGeneration": 1,
    "reason": "Ready",
    "status": "True",
    "type": "Ready"
  }
]
    Copy to Clipboard Toggle word wrap

11.4. Configuring network policy for the operand
Copy link

The External Secrets Operator for Red Hat OpenShift includes pre-defined NetworkPolicies for security, but you must configure additonal, custom policies through the ExternalSecretsConfig custom resource to set the external-secrets controller egress allow policies to communicate with external providers. These configurable policies are set via the ExternalSecretsConfig custom resource to establish the egress allow policy.

You must configure custom policies through the ExternalSecretsConfig custom resource to allow all egress to all external providers.

Prerequisites

  • An ExternalSecretsConfig must be predefined.
  • You must be able to define specific egress rules, including desitination ports and protocols

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
    Copy to Clipboard Toggle word wrap

  2. Set the policy by editing the networkPolicies section: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
      - name: allow-external-secrets-egress
        componentName: CoreController
        egress: # Allow all egress traffic
    Copy to Clipboard Toggle word wrap

You must configure custom policies through the ExternalSecretsConfig custom resource to allow all egress to a specific provider.

Prerequisites

  • An ExternalSecretsConfig must be predefined.
  • You must be able to define specific egress rules, including desitination ports and protocols

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
    Copy to Clipboard Toggle word wrap

  2. Set the policy by editing the networkPolicies section. The following example shows how to allow egress to Amazon Web Services (AWS) endpoints. 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
      - componentName: ExternalSecretsCoreController
        egress:
          # Allow egress to Kubernetes API server, AWS endpoints, and DNS
          - ports:
              - port: 443   # HTTPS (AWS Secrets Manager)
                protocol: TCP
      - name: allow-external-secrets-egress
    Copy to Clipboard Toggle word wrap
    componentName
    name for the core controller specified as ExternalSecretsCoreController.

Egress rules must include the necessary ports, such as Transmission Control Protocol (TCP) port 443 for services like the AWS Secrets Manager.

11.4.3. Default ingress and egress rules
Copy link

The following table summarizes the default ingress and egress rules.

Expand
ComponentIngress portsEgress portsDescription

external-secrets

8080

6443

Allows retrieving metrics and interacting with the API server

external-secrets-webhook

8080/10250

6443

Allows retrieving metrics, handling webhook requests, and interacting with the API server

external-secrets-cert-controller

8080

6443

Allows retrieving metrics and interacting with the API server

external-secrets-bitwarden-server

9998

6443

Handles Bitwarden server connections and interacts with the API server

external-secrets-allow-dns

 

5353

Enables DNS lookups to find external secret providers.

If a cluster-wide egress proxy is configured in OpenShift Container Platform, Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. OLM automatically updates all of the Operator’s deployments with the HTTP_PROXY, HTTPS_PROXY, NO_PROXY environment variables.

The egress proxy can be configured in the ExternalSecretsConfig or the ExternalSecretsManager custom resource (CR). The Operator and the operand make use of the OpenShift Container Platform supported certificate authority (CA) bundle for the proxy validations.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have created the ExternalSecretsConfig custom CR.

Procedure

  • To set the proxy in the ExternalSecretsConfig resource, perform the following steps:

    1. Edit the ExternalSecretsConfig resource by running the following command: 

      $ oc edit externalsecretsconfigs.operator.openshift.io cluster
      Copy to Clipboard Toggle word wrap

    2. Edit the spec.appConfig.proxy section to set the proxy values as follows: 

      apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  appConfig:
    proxy:
      httpProxy: <http_proxy>
      httpsProxy: <https_proxy>
      noProxy: <no_proxy>
      Copy to Clipboard Toggle word wrap

where:

<http_proxy>
Specifies the proxy URL for the http requests.
<https_proxy>
Proxy URL for the https requests.
<no_proxy>

Comma-separated list of hostnames, CIDRs, IPs or a combination of these, for which the proxy should not be used.

  • To set the proxy in the ExternalSecretsManager CR, perform the following steps.

    1. Edit the ExternalSecretsManager CR by running the following command: 

      $ oc edit externalsecretsmanagers.operator.openshift.io cluster
      Copy to Clipboard Toggle word wrap

    2. Edit the spec.globalConfig.proxy section to set the proxy values as follows: 

      apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsManager
...
spec:
  globalConfig:
    proxy:
      httpProxy: <http_proxy>
      httpsProxy: <https_proxy>
      noProxy: <no_proxy>
      Copy to Clipboard Toggle word wrap

where:

<http_proxy>
Specifies the proxy URL for the http requests.
<https_proxy>
Proxy URL for the https requests.
<no_proxy>
Comma-separated list of hostnames, CIDRs, IPs or a combination of these for which the proxy should not be used.

By default, the External Secrets Operator for Red Hat OpenShift exposes metrics for the Operator and the operands. You can configure OpenShift Monitoring to collect these metrics by using the Prometheus Operator format.

11.6.1. Enabling user workload monitoring
Copy link

You can enable monitoring for user-defined projects by configuring user workload monitoring in the cluster. For more information, see "Setting up metrics collection for user-defined projects".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create the cluster-monitoring-config.yaml YAML file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: true
    Copy to Clipboard Toggle word wrap

  2. Apply the ConfigMap by running the following command: 

    $ oc apply -f cluster-monitoring-config.yaml
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the monitoring components for user workloads are running in the openshift-user-workload-monitoring namespace by running the following command: 

    $ oc -n openshift-user-workload-monitoring get pod
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                   READY   STATUS    RESTARTS   AGE
prometheus-operator-5f79cff9c9-67pjb   2/2     Running   0          25h
prometheus-user-workload-0             6/6     Running   0          25h
thanos-ruler-user-workload-0           4/4     Running   0          25h
    Copy to Clipboard Toggle word wrap

    The status of the pods such as prometheus-operator, prometheus-user-workload, and thanos-ruler-user-workload must be Running.

The External Secrets Operator for Red Hat OpenShift exposes metrics by default on port 8443 at the /metrics service endpoint. You can configure metrics collection for the Operator by creating a ServiceMonitor custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled the user workload monitoring.

Procedure

  1. Configure the Operator to use HTTP for the metrics server. HTTPS is enabled by default.

    1. Update the subscription object for External Secrets Operator for Red Hat OpenShift to configure the HTTP protocol by running the following command: 

      $ oc -n external-secrets-operator patch subscription openshift-external-secrets-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"METRICS_BIND_ADDRESS","value":":8080"}, {"name": "METRICS_SECURE", "value": "false"}]}}}'
      Copy to Clipboard Toggle word wrap

    2. To verify that the External Secrets Operator pod is redeployed and that the configured values for METRICS_BIND_ADDRESS and METRICS_SECURE are updated, run the following command: 

      $ oc set env --list deployment/external-secrets-operator-controller-manager -n external-secrets-operator | grep -e METRICS_BIND_ADDRESS -e METRICS_SECURE -e container
      Copy to Clipboard Toggle word wrap

      The following example shows that the METRICS_BIND_ADDRESS and METRICS_SECURE have been updated: 

      # deployments/external-secrets-operator-controller-manager, container manager
METRICS_BIND_ADDRESS=:8080
METRICS_SECURE=false
      Copy to Clipboard Toggle word wrap

  2. Create the Secret resource with the kubernetes.io/service-account.name annotation to inject the token required for authenticating with the metrics server.

    1. Create the secret-external-secrets-operator.yaml YAML file: 

      apiVersion: v1
kind: Secret
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-operator-metrics-auth
  namespace: external-secrets-operator
  annotations:
    kubernetes.io/service-account.name: external-secrets-operator-controller-manager
type: kubernetes.io/service-account-token
      Copy to Clipboard Toggle word wrap

    2. Create the Secret resource by running the following command: 

      $ oc apply -f secret-external-secrets-operator.yaml
      Copy to Clipboard Toggle word wrap

  3. Create the ClusterRoleBinding resource required for granting permissions to access metrics:

    1. Create the clusterrolebinding-external-secrets.yaml YAML file:

      The following example shows a cluserrolebinding-external-secrets.yaml file. 

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-allow-metrics-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-secrets-operator-metrics-reader
subjects:
  - kind: ServiceAccount
    name: external-secrets-operator-controller-manager
    namespace: external-secrets-operator
      Copy to Clipboard Toggle word wrap

    2. Create the ClusterRoldeBinding custom resource by running the following command: 

      $ oc apply -f clusterrolebinding-external-secrets.yaml
      Copy to Clipboard Toggle word wrap

  4. Create the ServiceMonitor CR if using the default HTTPS:

    1. Create the servicemonitor-external-secrets-operator-https.yaml YAML file: 

      apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-operator-metrics-monitor
  namespace: external-secrets-operator
spec:
  endpoints:
    - authorization:
        credentials:
          name: external-secrets-operator-metrics-auth
          key: token
        type: Bearer
      interval: 60s
      path: /metrics
      port: metrics-https
      scheme: https
      scrapeTimeout: 30s
      tlsConfig:
        ca:
          configMap:
            name: openshift-service-ca.crt
            key: service-ca.crt
        serverName: external-secrets-operator-controller-manager-metrics-service.external-secrets-operator.svc.cluster.local
  namespaceSelector:
    matchNames:
      - external-secrets-operator
  selector:
    matchLabels:
      app: external-secrets-operator
      svc: external-secrets-operator-controller-manager-metrics-service
      Copy to Clipboard Toggle word wrap

    2. Create the ServiceMonitor CR by running the following command: 

      $ oc apply -f servicemonitor-external-secrets-operator-https.yaml
      Copy to Clipboard Toggle word wrap

  5. Create the ServiceMonitor CR if configured to use HTTP:

    1. Create the servicemonitor-external-secrets-operator-http.yaml YAML file: 

      apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-operator-metrics-monitor
  namespace: external-secrets-operator
spec:
  endpoints:
    - authorization:
        credentials:
          name: external-secrets-operator-metrics-auth
          key: token
        type: Bearer
      interval: 60s
      path: /metrics
      port: metrics-http
      scheme: http
      scrapeTimeout: 30s
  namespaceSelector:
    matchNames:
      - external-secrets-operator
  selector:
    matchLabels:
      app: external-secrets-operator
      svc: external-secrets-operator-controller-manager-metrics-service
      Copy to Clipboard Toggle word wrap

    2. Create the ServiceMonitor CR by running the following command: 

      $ oc apply -f servicemonitor-external-secrets-operator-http.yaml
      Copy to Clipboard Toggle word wrap

      After the ServiceMonitor CR is created, the user workload Prometheus instance begins metrics collection from the Operator. The collected metrics are labeled with job="external-secrets-operator-controller-manager-metrics-service".

Verification

  1. In the OpenShift Container Platform web console, navigate to Observe Targets.

  2. In the Label filter field, enter the following labels to filter the metrics targets for each operand: 

    $ service=external-secrets-operator-controller-manager-metrics-service
    Copy to Clipboard Toggle word wrap
  3. Confirm that the Status column shows Up for the external-secrets-operator.

As a cluster administrator, or as a user with view access to all namespaces, you can query the Operator metrics by using the OpenShift Container Platform web console or the command-line interface (CLI). For more information, see "Accessing metrics".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled monitoring and metrics collection by creating a ServiceMonitor object.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Observe Metrics.

  2. In the query field, enter the following PromQL expressions to query the External Secrets Operator for Red Hat OpenShift metric: 

    {job="external-secrets-operator-controller-manager-metrics-service"}
    Copy to Clipboard Toggle word wrap

The External Secrets Operator for Red Hat OpenShift operands exposes metrics by default on port 8080 at the /metrics service endpoint for all three components (external-secrets, external-secrets-cert-controll, and external-secrets-webhook). You can configure metrics collection for the external-secrets operands by creating a ServiceMonitor custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled the user workload monitoring.

Procedure

  1. Create the ClusterRoleBinding resource required for granting permissions to access metrics:

    1. Create the clusterrolebinding-external-secrets.yaml YAML file:

      The following example shows a cluserrolebinding-external-secrets.yaml file. 

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: external-secrets
  name: external-secrets-allow-metrics-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-secrets-operator-metrics-reader
subjects:
  - kind: ServiceAccount
    name: external-secrets
    namespace: external-secrets
  - kind: ServiceAccount
    name: external-secrets-cert-controller
    namespace: external-secrets
  - kind: ServiceAccount
    name: external-secrets-webhook
    namespace: external-secrets
      Copy to Clipboard Toggle word wrap

    2. Create the ClusterRoldeBinding custom resource by running the following command: 

      $ oc apply -f clusterrolebinding-external-secrets.yaml
      Copy to Clipboard Toggle word wrap

  2. Create the ServiceMonitor CR:

    1. Create the servicemonitor-external-secrets.yaml YAML file: 

      apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: external-secrets
  name: external-secrets-metrics-monitor
  namespace: external-secrets
spec:
  endpoints:
    - interval: 60s
      path: /metrics
      port: metrics
      scheme: http
      scrapeTimeout: 30s
  namespaceSelector:
    matchNames:
      - external-secrets
  selector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values:
          - external-secrets
          - external-secrets-cert-controller
          - external-secrets-webhook
      - key: app.kubernetes.io/instance
        operator: In
        values:
          - external-secrets
      - key: app.kubernetes.io/managed-by
        operator: In
        values:
          - external-secrets-operator
      Copy to Clipboard Toggle word wrap

    2. Create the ServiceMonitor CR by running the following command: 

      $ oc apply -f servicemonitor-external-secrets.yaml
      Copy to Clipboard Toggle word wrap

      After the ServiceMonitor CR is created, the user workload Prometheus instance begins metrics collection from the External Secrets Operator for Red Hat OpenShift operands. The collected metrics are labeled with job="external-secrets",job="external-secrets-cainjector", and job="external-secrets-webhook".

Verification

  1. In the OpenShift Container Platform web console, navigate to Observe Targets.

  2. In the Label filter field, enter the following labels to filter the metrics targets for each operand: 

    $ service=external-secrets
    Copy to Clipboard Toggle word wrap 
    $ service=external-secrets-cert-controller-metrics
    Copy to Clipboard Toggle word wrap 
    $ service=external-secrets-webhook
    Copy to Clipboard Toggle word wrap
  3. Confirm that the Status column shows Up for the external-secrets, external-secrets-cert-controller and external-secrets-webhook.

As a cluster administrator, or as a user with view access to all namespaces, you can query external-secrets operand metrics by using the OpenShift Container Platform web console or the command-line interface (CLI). For more information, see "Accessing metrics".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled monitoring and metrics collection by creating a ServiceMonitor object.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Observe Metrics.

  2. In the query field, enter the following PromQL expressions to query the External Secrets Operator for Red Hat OpenShift operands metric for each operand: 

    {job="external-secrets"}
    Copy to Clipboard Toggle word wrap 
    {job="external-secrets-webhook"}
    Copy to Clipboard Toggle word wrap 
    {job="external-secrets-cert-controller-metrics"}
    Copy to Clipboard Toggle word wrap

After the External Secrets Operator for Red Hat OpenShift is installed, you can customize its behavior by editing the ExternalSecretsConfig custom resource (CR). This lets you modify components like the external-secrets controller, the cert-controller, the webhook, and the bitwardenSecretManagerProvider plugin and also lets you set environment variables for the Operator pod.

You can set a log level for the External Secrets Operator for Red Hat OpenShift to determine the verbosity of the operator log messages.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  • Update the subscription object for External Secrets Operator for Red Hat OpenShift to provide the verbosity level for the operator logs by running the following command: 

    $ oc -n <external_secrets_operator_namespace> patch subscription openshift-external-secrets-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"OPERATOR_LOG_LEVEL","value":"<log_level>"}]}}}'
    Copy to Clipboard Toggle word wrap

    where:

    external_secrets_operator_namespace
    Namespace where the operator is installed.
    log_level
    Supports the value range of 1-5. The default is 2.

Verification

  1. The External Secrets Operator pod is redeployed. Verify that the log level of the External Secrets Operator for Red Hat OpenShift is updated by running the following command: 

    $ oc set env deploy/external-secrets-operator-controller-manager -n external-secrets-operator --list | grep -e OPERATOR_LOG_LEVEL -e container
    Copy to Clipboard Toggle word wrap

    Example output

    # deployments/external-secrets-operator-controller-manager, container manager
OPERATOR_LOG_LEVEL=2
    Copy to Clipboard Toggle word wrap

  2. Verify that the log level of the External Secrets Operator for Red Hat OpenShift is updated by running the oc logs command: 

    $ oc logs -n external-secrets-operator -f deployments/external-secrets-operator-controller-manager -c manager
    Copy to Clipboard Toggle word wrap

You can set a log level for the External Secrets Operator for Red Hat OpenShift to determine the verbosity of log messages.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
    Copy to Clipboard Toggle word wrap

  2. Set the log level value by editing the spec.appConfig.logLevel section: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  appConfig:
    logLevel: <log_level>
    1
    Copy to Clipboard Toggle word wrap
    1
    Supports the value range of 1-5. The log level gets mapped to the following operand support levels:
    • 1 - warnings
    • 2 - error logs
    • 3 - info logs
    • 4 and 5 - debug logs
  3. Save your changes and exit the editor.

The external-secrets webhook and plugins can be assigned to cert-manager for certificate management. This configuration is optional.

When cert-manager is not used, external-secrets defaults to its own certificate management. In this mode, it automatically generates the required certificates for the webhook, while you are responsible for manually configuring certificates for the plugins.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.
  • You have installed the cert-manager Operator for Red Hat OpenShift. For more information, see "Installing the cert-manager Operator for Red Hat OpenShift"

Procedure

  1. Edit the ExternalSecretsConfig custom resource by running the following command: 

    $  oc edit externalsecretsconfigs.operator.openshift.io cluster
    Copy to Clipboard Toggle word wrap

  2. Configure cert-manager by editing the spec.controllerConfig.certProvider.certManager section as follows: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  controllerConfig:
    certProvider:
      certManager:
        injectAnnotations: "true"
        issuerRef:
          name: <issuer_name>
          kind: <issuer_kind>
          group: <issuer_group>
        mode: Enabled
    Copy to Clipboard Toggle word wrap

    where:

    injectAnnotation
    Must be set to true when enabled.
    name
    Name of the issuer object referenced in ExternalSecretsConfig.
    kind
    API issuer. Can be set to either Issuer or ClusterIssuer.
    group
    API issuer group. The group name must be cert-manager.io.
    mode
    Must be set to Enabled. This is an immutable field and cannot be modified once it is configured.
  3. Save your changes.

  4. After you update the cert-manager configurations in the externalsecretsconfig.operator.openshift.io object, you must manually delete external-secrets-cert-controller deployment by running the following command. This prevents performance degradation of the external-secrets application. 

    $ oc delete deployments.apps external-secrets-cert-controller -n external-secrets
    Copy to Clipboard Toggle word wrap

  5. Optionally, you can delete other resources created for the cert-controller by running the following commands: 

    $ oc delete clusterrolebindings.rbac.authorization.k8s.io external-secrets-cert-controller
    Copy to Clipboard Toggle word wrap 
    $ oc delete clusterroles.rbac.authorization.k8s.io external-secrets-cert-controller
    Copy to Clipboard Toggle word wrap 
    $ oc delete serviceaccounts external-secrets-cert-controller -n external-secrets
    Copy to Clipboard Toggle word wrap 
    $ oc delete secrets external-secrets-webhook -n external-secrets
    Copy to Clipboard Toggle word wrap

You can enable the bitwardenSecretManagerProvider to use the Bitwarden Secrets Manager provider as a source for your secrets.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  1. Edit the ExternalSecretsConfig custom resource by running the following command: 

    $  oc edit externalsecretsconfigs.operator.openshift.io cluster
    Copy to Clipboard Toggle word wrap

  2. Edit the spec.plugins.bitwardenSecretManagerProvider section as follows to enable the Bitwarden Secrets Manager: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  plugins:
    bitwardenSecretManagerProvider:
      mode: Enabled
      secretRef:
        name: <secret_object_name>
    Copy to Clipboard Toggle word wrap

    where:

    name
    The name of the secret containing the certificate key pair for the plugin. The key name in the secret for the certificate must be tls.crt. The key name for the private key must be tls.key. The key name for the Certificate Authority (CA) certificate key name must be ca.crt. Configuring the secret is optional when the cert-manager certificate provider is configured.
  3. Save your changes and exit the editor.
  4. If you disable the plugin the following resources must be deleted manually by running the following commands: 
$ oc delete deployments.apps bitwarden-sdk-server -n external-secrets
Copy to Clipboard Toggle word wrap 
$ oc delete certificates.cert-manager.io bitwarden-tls-certs -n external-secrets
Copy to Clipboard Toggle word wrap 
$ oc delete service bitwarden-sdk-server -n external-secrets
Copy to Clipboard Toggle word wrap 
$ oc delete serviceaccounts bitwarden-sdk-server -n external-secrets
Copy to Clipboard Toggle word wrap

You can remove the External Secrets Operator for Red Hat OpenShift from OpenShift Container Platform by uninstalling the Operator and removing its related resources.

You can uninstall the External Secrets Operator for Red Hat OpenShift by using the web console.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.
  • The External Secrets Operator is installed.

Procedure

  1. Log in to the OpenShift Container Platform web console.

  2. Uninstall the External Secrets Operator for Red Hat OpenShift using the following steps:

    1. Navigate to Ecosystem Installed Operators.
    2. Click the Options menu kebab next to the External Secrets Operator for Red Hat OpenShift entry and click Uninstall Operator.
    3. In the confirmation dialog, click Uninstall.

After you have uninstalled the External Secrets Operator for Red Hat OpenShift, you can optionally eliminate its associated resources from your cluster.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.

  2. Remove the deployments of the external-secrets application components in the external-secrets namespace:

    1. Click the Project drop-down menu to see a list of all available projects, and select the external-secrets project.
    2. Navigate to Workloads Deployments.
    3. Select the deployment that you want to delete.
    4. Click the Actions drop-down menu, and select Delete Deployment to see a confirmation dialog box.
    5. Click Delete to delete the deployment.

  3. Remove the custom resource definitions (CRDs) that were installed by the External Secrets Operator using the following steps:

    1. Navigate to Administration CustomResourceDefinitions.
    2. Choose external-secrets.io/component: controller from the suggestions in the Label field to filter the CRDs.

    3. Click the Options menu kebab next to each of the following CRDs, and select Delete Custom Resource Definition:

      • ACRAccessToken
      • ClusterExternalSecret
      • ClusterGenerator
      • ClusterSecretStore
      • ECRAuthorizationToken
      • ExternalSecret
      • GCRAccessToken
      • GeneratorState
      • GithubAccessToken
      • Grafana
      • Password
      • PushSecret
      • QuayAccessToken
      • SecretStore
      • STSSessionToken
      • UUID
      • VaultDynamicSecret
      • Webhook

  4. Remove the external-secrets-operator namespace using the following steps:

    1. Navigate to Administration Namespaces.
    2. Click the Options menu kebab next to the External Secrets Operator and select Delete Namespace.
    3. In the confirmation dialog, enter external-secrets-operator in the field and click Delete.

After you have uninstalled the External Secrets Operator for Red Hat OpenShift, you can optionally eliminate its associated resources from your cluster by using the command-line interface (CLI).

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Delete the deployments of the external-secrets application components in the external-secrets namespace by running the following command: 

    $ oc delete deployment -n external-secrets -l app=external-secrets
    Copy to Clipboard Toggle word wrap

  2. Delete the custom resource definitions (CRDs) that were installed by the External Secrets Operator by running the following command: 

    $ oc delete customresourcedefinitions.apiextensions.k8s.io -l external-secrets.io/component=controller
    Copy to Clipboard Toggle word wrap

  3. Delete the external-secrets-operator namespace by running the following command: 

    $ oc delete project external-secrets-operator
    Copy to Clipboard Toggle word wrap

External Secrets Operator for Red Hat OpenShift uses the following two APIs to configure the external-secrets application deployment.

Expand
GroupVersionKind

operator.openshift.io

v1alpha1

externalsecretsConfig

operator.openshift.io

v1alpha1

externalsecretsmanager

The following list contains the External Secrets Operator for Red Hat OpenShift APIs:

  • ExternalSecretsConfig
  • ExternalSecretsManager

11.9.1. externalSecretsManagerList
Copy link

The externalSecretsManagerList object fetches the list of externalSecretsManager objects.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

  

kind

string

kind specifies the type of the object, which is externalSecretsManagerList for this API.

  

metadata

ListMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

items

array

   

11.9.2. externalSecretsManager
Copy link

The externalSecretsManager object defines the configuration and information of deployments managed by the External Secrets Operator. Set the name to cluster as this allows only one instance of externalSecretsManager per cluster.

You can configure global options by using externalSecretsManager. This serves as a centralized configuration for managing multiple controllers of the Operator. The Operator automatically creates the externalSecretsManager object during installation.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

  

kind

string

kind specifies the type of the object, which is externalSecretsManager for this Object.

  

metadata

ObjectMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

spec

object

spec contains specifications of the desired behavior.

  

status

object

status displays the most recently observed state of the controllers in the External Secrets Operator.

  

11.9.3. externalSecretsConfigList
Copy link

The externalSecretsConfigList object fetches the list of externalSecretsConfig objects.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1

  

kind

string

kind specifies the type of the object, which is externalSecretsList for this API.

  

metadata

ListMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

items

array

Items contains a list of externalSecrets objects.

  

11.9.4. externalSecretsConfig
Copy link

The externalSecretsConfig object defines the configuration and information for the managed external-secrets operand deployment. Set the name to cluster as externalSecretsConfig object allows only one instance per cluster.

Creating an externalSecretsConfig object triggers the deployment of the external-secrets operand and maintains the desired state.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

  

kind

string

kind specifies the type of the object, which is externalSecrets for this object.

  

metadata

ObjectMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

spec

object

spec contains the specifications of the desired behavior of the externalSecrets object.

  

status

object

status displays the most recently observed status of the externalSecrets object.

  

The following fields apply to the External Secrets Operator for Red Hat OpenShift APIs.

11.9.6. externalSecretsManagerSpec
Copy link

The externalSecretsManagerSpec field defines the desired behavior of the externalSecretsManager object.

Expand
FieldtypeDescriptionDefaultValidation

globalConfig

object

globalConfig configures the behavior of deployments that External Secrets Operator manages.

 

Optional

11.9.7. externalSecretsManagerStatus
Copy link

The externalSecretsManagerStatus field shows the most recently observed status of the externalSecretsManager object.

Expand
FieldTypeDescriptionDefaultValidation

controllerStatuses

array

controllerStatuses holds the observed conditions of the controllers used by the Operator.

  

lastTransitionTime

Time

lastTransitionTime records the most recent time the status of the condition changed.

 

Format: date-time

Type: string

11.9.8. externalSecretsConfigSpec
Copy link

The externalSecretsConfigSpec field defines the desired behavior of the externalSecrets object.

Expand
FieldTypeDescriptionDefaultValidation

appConfig

object

appConfig configures the behavior of the external-secrets operand.

 

Optional

plugins

object

plugins configures the optional provider plugins.

 

Optional

controllerConfig

object

controllerConfig configures the controller to set up defaults that enable external-secrets operand.

 

Optional

11.9.9. externalSecretsConfigStatus
Copy link

The externalSecretsConfigStatus field shows the most recently observed status of the externalSecretsConfig Object.

Expand
FieldTypeDescriptionDefaultValidation

conditions

Condition array

conditions contains information about the current state of deployment.

  

externalSecretsImage

string

externalSecretsImage specifies the image name and tag used for deploy external-secrets operand.

  

bitwardenSDKServerImage

string

bitwardenSDKServerImage specifies the name of the image and tag used for deploying the bitwarden-sdk-server.

  

11.9.10. globalConfig
Copy link

The globalConfig field configures the behavior of the External Secrets Operator.

Expand
FieldTypeDescriptionDefaultValidation

labels

integer

labels applies to all resources created by the Operator. This field can have a maximum of 20 entries

1

The maximum number of properties is 20

The minimum number of properties is 0

Optional

logLevel

integer

logLevel supports a range of values as defined in the kubernetes logging guidelines.

1

The maximum range value is 5

The minimum range value is 1

Optional

resources

ResourceRequirements

resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

 

Optional

affinity

Affinity

affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

 

Optional

tolerations

Toleration array

tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

 

The maximum number of items is 50

The minimum number of items is 0

Optional

nodeSelector

object (keys:string, values:string)

nodeSelector defines the scheduling criteria by using the node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

 

The maximum number of properties is 50

The minimum number of properties is 0

Optional

proxy

object

proxy sets the proxy configurations available in the operand containers managed by the Operator as environment variables.

 

Optional

11.9.11. controllerConfig
Copy link

The controllerConfig specifies the configurations used by the controller when installing the external-secrets operand and the plugins.

Expand
FieldTypeDescriptionDefaultValidation

certProvider

string

certProvider defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.

 

Optional

labels

object (keys:string, values:string)

labels field applies labels to all resources created for the external-secrets operand deployment.

 

The maximum number of properties is 20.

The minimum number of properties is 0.

Optional

11.9.12. controllerStatus
Copy link

The controllerStatus field contains the observed conditions of the controllers used by the Operator.

Expand
FieldTypeDescriptionDefaultValidation

name

string

name specifies the name of the controller for which the observed condition is recorded.

 

Required

conditions

array

conditions contains information about the current state of the External Secrets Operator controllers.

  

observedGeneration

integer

observedGeneration represents the .metadata.generation on the observed resource.

 

The minimum number of observed resources is 0.

11.9.13. applicationConfig
Copy link

The applicationConfig specifies the configurations for the external-secrets operand.

Expand
FieldTypeDescriptionDefaultValidation

logLevel

integer

logLevel supports a range of values as defined in the kubernetes logging guidelines.

1

The maximum range value is 5

The minimum range value is 1

Optional

operatingNamespace

string

operatingNamespace restricts the external-secrets operand operations to the provided namespace. Enabling this field disables ClusterSecretStore and ClusterExternalSecret.

 

The maximum length is 63

The minimum length is 1

Optional

webhookConfig

object

webhookConfig configures webhook specifics of the external-secrets operand.

  

resources

ResourceRequirements

resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

 

Optional

affinity

Affinity

affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

 

Optional

tolerations

Toleration array

tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

 

The maximum number of items is 50

The minimum number of items is 0

Optional

nodeSelector

object (keys:string, values:string)

nodeSelector defines the scheduling criteria by using node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

 

The maximum number of properties is 50

The minimum number of properties is 0

Optional

proxy

object (keys:string, values:string)

proxy sets the proxy configurations available in operand containers managed by the Operator as environment variables.

 

Optional

11.9.14. bitwardenSecretManagerProvider
Copy link

The bitwardenSecretManagerProvider field enables the Bitwarden secrets manager provider and sets up the additional service required to connect to the Bitwarden server.

Expand
FieldTypeDescriptionDefaultValidation

mode

string

mode field enables the bitwardenSecretManagerProvider provider state, which can be set to Enabled or Disabled. If set to Enabled, the Operator ensures the plugin is deployed and synchronized. If set to Disabled, the Bitwarden provider plugin reconciliation is disabled. The plugin and resources remain in their current state, and are not managed by the Operator.

Disabled

enum: [Enabled Disabled]

Optional

secretRef

SecretReference

SecretRef specifies the Kubernetes secret that contains the TLS key pair for the Bitwarden server. If this reference is not provided and the certManagerConfig field is configured, the issuer defined in certManagerConfig generates the required certificate. The secret must use tls.crt for certificate, tls.key for the private key, and ca.crt for CA certificate.

 

Optional

11.9.15. webhookConfig
Copy link

The webhookConfig field configures the specifics of the external-secrets application webhook.

Expand
FieldTypeDescriptionDefaultValidation

certificateCheckInterval

Duration

certificateCheckInterval configures the polling interval to check certificate validity.

5m

Optional

11.9.16. certManagerConfig
Copy link

The certManagerConfig field configures the cert-manager Operator settings.

Expand
FieldTypeDescriptionDefaultValidation

mode

string

mode specifies whether to use cert-manager for certificate management instead of the built-in cert-controller which can be indicated by setting either Enabled or Disabled. If set to Enabled, uses cert-manager for obtaining the certificates for the webhook server and other components. If set to Disabled, uses the cert-controller for obtaining the certificates for the webhook server. Disabled is the default behavior.

false

enum: [true false]

Required

injectAnnotations

string

injectAnnotations adds the cert-manager.io/inject-ca-from annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the cert-manager Operator certificate authority (CA). This requires CA Injector to be enabled in cert-manager Operator. Set this field to true or false. When set, this field cannot be changed.

false

enum: [true false]

Optional

issuerRef

ObjectReference

issuerRef contains details of the referenced object used for obtaining certificates. The object must exist in the external-secrets namespace unless a cluster-scoped cert-manager Operator issuer is used.

 

Required

certificateDuration

Duration

certificateDuration sets the validity period of the webhook certificate.

8760h

Optional

certificateRenewBefore

Duration

certificateRenewBefore sets the ahead time to renew the webhook certificate before expiry.

30m

Optional

11.9.17. certProvidersConfig
Copy link

The certProvidersConfig defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.

Expand
FieldTypeDescriptionDefaultValidation

certManager

object

certManager defines the configuration for cert-manager provider specifics.

 

Optional

11.9.18. objectReference
Copy link

The ObjectReference field refers to an object by its name, kind, and group.

Expand
FieldTypeDescriptionDefaultValidation

name

string

name specifies the name of the resource being referred to.

 

The maximum length is 253 characters.

The minimum length is 1 character.

Required

kind

string

kind specifies the kind of the resource being referred to.

 

The maximum length is 253 characters.

The minimum length is 1 character.

Optional

group

string

group specifies the group of the resource being referred to.

 

The maximum length is 253 characters.

The minimum length is 1 character.

Optional

11.9.19. secretReference
Copy link

The secretReference field refers to a secret with the given name in the same namespace where it used.

Expand
FieldTypeDescriptionDefaultValidation

name

string

name specifies the name of the secret resource being referred to.

 

The maximum length is 253.

The minimum length is 1.

Required

11.9.20. condition
Copy link

The condition field holds information about the condition of the external-secrets deployment.

Expand
FieldTypeDescriptionDefaultValidation

type

string

type contains the condition of the deployment.

 

Required

status

ConditionStatus

status contains the status of the condition of the deployment

  

message

string

message provides details on the state of the deployment

  

11.9.21. conditionalStatus
Copy link

The conditionalStatus field holds information about the current state of the external-secrets deployment.

Expand
FieldTypeDescriptionDefaultValidation

conditions

array

conditions contains information on the current state of the deployment.

  

11.9.22. mode
Copy link

The mode field indicates the operational state of the optional features.

Expand
FieldTypeDescriptionDefaultValidation

Enabled

 

Enabled indicates the optional configuration is enabled.

  

Disabled

 

Disabled indicates the optional configuration is disabled.

  

11.9.23. pluginsConfig
Copy link

The pluginsConfig configures the optional plugins.

Expand
FieldTypeDescriptionDefaultValidation

bitwardenSecretManagerProvider

object

bitwardenSecretManagerProvider enables the bitwarden-secrets-manager provider plugin for connecting with the 'bitwarden-secrets-manager'.

 

Optional

11.9.24. proxyConfig
Copy link

The proxyConfig holds the proxy configurations which are made available in the operand containers and managed by the Operator as environment variables.

Expand
FieldTypeDescriptionDefaultValidation

httpProxy

string

The httpProxy field contains the URL of the proxy for HTTP requests. This field can have a maximum of 2048 characters.

 

The maximum length is 2048 characters.

The minimum length is 0 characters.

Optional

httpsProxy

string

The httpsProxy field contains the URL of the proxy for HTTPS requests. This field can have a maximum of 2048 characters.

 

The maximum length is 2048 characters.

The minimum length is 0 characters.

Optional

noProxy

string

The noProxy field is a comma-separated list of hostnames, classless inter-domain routings (CIDRs), and IP addresses or a combination of the three for which the proxy should not be used. This field can have a maximum of 4096 characters.

 

The maximum length is 4096 characters.

The minimum length is 0 characters.

Optional

You can migrate from the community version of the External Secrets Operator. Migrating to External Secrets Operator for Red Hat OpenShift provides you with an officially supported product giving you access to enterprise-grade support. It also provides you with seamless integration from installation to upgrades.

The following migration versions have been fully tested.

Expand
Upstream versionInstallation methodDownstream version

0.11.0

OLM

v1.0.0 GA

0.19.0

Helm

v1.0.0 GA

Note

The migration does not support rollbacks.

Note

External Secrets Operator for Red Hat OpenShift is based on the upstream version 0.19.0. Do not attempt to migrate from a higher version of the External Secrets Operator.

You must delete the operatorconfigs.operator.external-secrets.io custom resource (CR) for the community External Secrets Operator to delete the external-secrets application installed by the community External Secrets Operator.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have the oc command-line tool installed and configured.

Procedure

  1. Find your community Operator’s namespace by running the following command: 

    $ oc get operatorconfigs.operator.external-secrets.io -A
    Copy to Clipboard Toggle word wrap

    The following is an example of finding the namespace: 

    NAMESPACE             NAME        AGE
external-secrets      cluster     9m18s
    Copy to Clipboard Toggle word wrap

  2. Delete the operatorconfig by running the following command: 

    $ oc delete operatorconfig <config_name> -n <operator_namespace>
    Copy to Clipboard Toggle word wrap

Verification

  1. To verify that the operatorconfig was deleted, run the following command: 

    $ oc get operatorconfig -n <operator_namespace>
    Copy to Clipboard Toggle word wrap

    The command must return no resource found.

  2. To verify that the old webhooks are deleted, run the following commands: 

    $ oc get validatingwebhookconfigurations | grep external-secrets
    Copy to Clipboard Toggle word wrap 
    $ oc get mutatingwebhookconfigurations | grep external-secrets
    Copy to Clipboard Toggle word wrap

    The commands must return no results.

You must uninstall the community External Secrets Operator to prevent it from being recreated or conflicting with the new one.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have deleted the operatorconfig.

Procedure

  1. If you installed the community External Secrets Operator by an Operator Lifecycle Manager (OLM) subscription, delete the Operator by performing the following steps:

    1. Find the subscription name by running the following command: 

      $ oc get subscription -n <operator_namespace> | grep external-secrets
      Copy to Clipboard Toggle word wrap

    2. Delete the subscription by running the following command: 

      $ oc delete subscription <subscription_name> -n <operator_namespace>
      Copy to Clipboard Toggle word wrap

    3. Delete the ClusterServiceVersion by running the following command: 

      $ oc delete csv <csv_name> -n <operator_namespace>
      Copy to Clipboard Toggle word wrap

  2. If you installed the community {external-secret-operator} by Helm, delete the Operator by running the following command: 

    $ helm uninstall <release_name> -n <operator_namespace>
    Copy to Clipboard Toggle word wrap

  3. If you installed the community {external-secret-operator} by raw manifests, delete the Operator by running the following command: 

    $ oc delete -f /path/to/your/old/manifests.yaml -n <operator_namespace>
    Copy to Clipboard Toggle word wrap

Once the operatorconfig has been deleted and the community {external-secret-operator-short} has been deleted, you can install the External Secrets Operator for Red Hat OpenShift. For more information, see Installing the External Secrets Operator for Red Hat OpenShift.

The purpose of creating the ExternalSecretsConfig is to install and configure the external-secrets. The configuration ensures that cert-manager and Bitwarden support are enabled.

Prerequisites

  • External Secrets Operator for Red Hat OpenShift is installed.
  • cert-manager Operator for Red Hat OpenShift is installed.
  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create an externalsecretsconfig file by defining a YAML file with the following content: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  labels:
    app.kubernetes.io/name: cluster
  name: cluster
spec:
  appConfig:
    logLevel: 3
  webhookConfig:
    certificateCheckInterval: 5m0s
  controllerConfig:
    certProvider:
      certManager:
        certificateDuration: 8760h0m0s
        certificateRenewBefore: 30m0s
        injectAnnotations: "true"
        issuerRef:
          group: cert-manager.io
          kind: Issuer
          name: _<created_issuer_name>_
    mode: Enabled
    networkPolicies:
    - componentName: ExternalSecretsCoreController
      egress:
      - ports:
        - port: 443
          protocol: TCP
        - port: 9998
          protocol: TCP
        name: allow-external-secrets-egress
    plugins:
      bitwardenSecretManagerProvider:
        mode: Enabled
    Copy to Clipboard Toggle word wrap

  2. Create the ExternalSecretsConfig object by running the following command: 

    $ oc create -f externalsecretsconfig.yaml
    Copy to Clipboard Toggle word wrap

Verification

Verify that all custom resources (CRs) are present and that the APIs are using v1 instead of v1beta1. There CRs are retained and automatically converted by the new Operator.

  1. To verify that the external-secrets pods are in a running state, run the following command: 

    $ oc get pods -n external-secret
    Copy to Clipboard Toggle word wrap

    The following is example output that the external-secrets pods are in a running state 

    NAME                                          READY        STATUS        RESTARTS     AGE
bitwarden-sdk-server-5b4cf48766-w7zp7         1/1          Running       0            5m
external-secrets-5854b85dd5-m6zf9             1/1          Running       0            5m
external-secrets-webhook-5cb85b8fdb-6jtqb     1/1          Running       0            5m
    Copy to Clipboard Toggle word wrap

  2. To verify that the SecretStore CR is present, run the following command: 

    $ oc get secretstores.external-secrets.io -A
    Copy to Clipboard Toggle word wrap

    The following is example output from validating that the SecretStore is present: 

    NAMESPACE               NAME                         AGE         STATUS      CAPABILITIES    READY
external-secrets-1      gcp-store                    18min       Valid       ReadWrite       True
external-secrets-2      aws-secretstore              11min       Valid       ReadWrite       True
external-secrets        bitwarden-secretsmanager     20min       Valid       Readwrite       True
    Copy to Clipboard Toggle word wrap

  3. To verify that the ExternalSecret CR is present, run the following command: 

    $ oc get externalsecrets.external-secrets.io -A
    Copy to Clipboard Toggle word wrap

    The following is example output from validating that the SecretStore is present: 

    NAMESPACE             NAME                    STORE                      REFRESH INTERVAL    STATUS          READY
external-secrets-1    gcp-externalsecret      gcp-store                  1hr                 SecretSynced    True
external-secrets-2    aws-external-secret     aws-secret-store           1hr                 SecretSynced    True
external-secrets      bitwarden               bitwarden-secretsmanager   1hr                 SecretSynced    True
    Copy to Clipboard Toggle word wrap

  4. To verify that the SecretStore is apiVersion: external-secrets.io/v1, run the following command: 

    $ oc get secretstores.external-secrets.io -n external-secrets-1 gcp-store -o yaml
    Copy to Clipboard Toggle word wrap

    The following is example output that the SecretStore is apiVersion: external-secrets.io/v1. 

    apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  creationTimestamp: "2025-10-27T11:38:19Z"
  generation: 1
  name: gcp-store
  namespace: external-secrets-1
  resourceVersion: "104519"
  uid: 7bccb0cc-2557-4f4a-9caa-1577f0108f4b
spec:
.
.
.
status:
  capabilities: ReadWrite
  conditions:
  - lastTransitionTime: "2025-10-27T11:38:19Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready
    Copy to Clipboard Toggle word wrap

  5. To verify that the ExternalSecret is apiVersion: external-secrets.io/v1, run the following command: 

    $ oc get externalsecrets.external-secrets.io -n external-secrets-1 gcp-externalsecret -o yaml
    Copy to Clipboard Toggle word wrap

    The following is example output that the ExternalSecret is apiVersion: external-secrets.io/v1. 

    apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  creationTimestamp: "2025-10-27T11:39:03Z"
  generation: 1
  name: gcp-externalsecret
  namespace: external-secrets-1
  resourceVersion: "104532"
  uid: 93a3295a-a3ad-4304-90e1-1328d951e5fb
spec:
.
.
.
status:
  binding:
    name: k8s-secret-gcp
  conditions:
  - lastTransitionTime: "2025-10-27T11:39:03Z"
    message: secret synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2025-10-27T12:13:15Z"
  syncedResourceVersion: 1-f47fe3c0b255b6dd8047cdffa772587bb829efe7a1cb70febeda2eb2
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat