Chapter 11. External Secrets Operator for Red Hat OpenShift


The External Secrets Operator for Red Hat OpenShift operates as a cluster-wide service to deploy and manage the external-secrets application. The external-secrets application integrates with external secrets management systems and performs secret fetching, refreshing, and provisioning within the cluster.

Use the External Secrets Operator for Red Hat OpenShift to integrate the external-secrets application with the OpenShift Container Platform cluster. The external-secrets application fetches secrets stored in external providers such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager and AWS Systems Manager Parameter Store, and integrates them with Kubernetes in a secure manner.

Using the External Secrets Operator ensures the following:

  • Decouples applications from the secret-lifecycle management.
  • Centralizes secret storage to support compliance requirements.
  • Enables secure and automated secret rotation.
  • Supports multi-cloud secret sourcing with fine-grained access control.
  • Centralizes and audits access control.
Important

Do not attempt to use more than one External Secrets Operator in your cluster. If you have a community External Secrets Operator installed in your cluster, you must uninstall it before installing the External Secrets Operator for Red Hat OpenShift.

For more information about the external-secrets application, see external-secrets.

Use the External Secrets Operator to authenticate with the external secrets store, retrieve secrets, and inject the retrieved secrets into a native Kubernetes secret. This method removes the need for applications to directly access or manage external secrets.

The External Secrets Operator for Red Hat OpenShift is tested with the following external secrets provider types:

Note

Red Hat does not test all factors associated with third-party secrets store provider functionality. For more information about third-party support, see the Red Hat third-party support policy.

11.1.3. Testing external secrets provider types

The following table shows the test coverage for each tested external secrets provider type.

Secrets Provider                      Test Status        Notes
AWS Secrets Manager                   Partially tested   Ensures basic functionality.
AWS Systems Manager Parameter Store   Partially tested   Ensures basic functionality.
HashiCorp Vault                       Partially tested
Google Secrets Manager                Partially tested

The External Secrets Operator for Red Hat OpenShift supports FIPS compliance. When running on OpenShift Container Platform in FIPS mode, the External Secrets Operator uses the RHEL cryptographic libraries submitted to NIST for FIPS validation on the x86_64, ppc64le, and s390x architectures. For more information about the NIST validation program, see Cryptographic module validation program. For more information about the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance activities and government standards.

To enable FIPS mode, install the External Secrets Operator on an OpenShift Container Platform cluster that runs in FIPS mode. For more information, see "Do you need extra security for your cluster?".

11.1.5. Security considerations

When using the External Secrets Operator for Red Hat OpenShift, there are some security concerns you should consider:

  • The external-secrets operand fetches the secrets from the configured external providers and stores them in native Kubernetes Secret resources. This results in a secret zero problem: the fetched secrets are only as protected as the cluster's own secret storage. It is recommended to secure the secret objects using additional encryption. For more information, see Data encryption options.
  • When configuring SecretStore and ClusterSecretStore resources, consider using short-term credential-based authorization. This approach enhances security by limiting the window of opportunity for unauthorized access, even if credentials are compromised.
  • To enhance the security of the External Secrets Operator for Red Hat OpenShift, it is crucial to implement role-based access controls (RBACs). These RBACs should define and limit access to the custom resources provided by the External Secrets Operator.
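The RBAC and short-term-credential points above, as an added example that is not part of the Red Hat documentation or the external-secrets project: a namespaced Role that lets an application team manage its own ExternalSecret objects while only reading the SecretStore (which holds the provider binding and is owned by the platform team), and a SecretStore that authenticates to AWS through a service account token exchanged for short-lived STS credentials (the external-secrets AWS provider's jwt authentication) instead of a long-lived access key. The namespace payments, the group payments-team, the service account external-secrets-sa and the region are hypothetical, and configuring the cluster's OIDC trust with AWS is outside this page.

```yaml
# Added example (hypothetical names): least-privilege access to the operator's custom resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-secrets-consumer
  namespace: payments
rules:
  # The team manages its own ExternalSecret objects in its namespace ...
  - apiGroups: ["external-secrets.io"]
    resources: ["externalsecrets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # ... but may only read the SecretStore, so it cannot repoint it at another backend.
  - apiGroups: ["external-secrets.io"]
    resources: ["secretstores"]
    verbs: ["get", "list", "watch"]
  # Deliberately no rule for clustersecretstores or pushsecrets: cluster-scoped
  # stores and writes back to the provider stay with cluster administrators.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-team-external-secrets
  namespace: payments
subjects:
  - kind: Group
    name: payments-team
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: external-secrets-consumer
  apiGroup: rbac.authorization.k8s.io
---
# Short-term credentials: the controller presents the projected service account token
# for external-secrets-sa and receives temporary STS credentials; no static access key
# is stored in the cluster.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets-manager
  namespace: payments
spec:
  provider:
    aws:
      service: SecretsManager
      region: us-east-1            # hypothetical region
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-sa
```

Applying the three objects with oc apply and then checking with `oc auth can-i update secretstores -n payments --as-group=payments-team` (expected answer: no) is the quickest way to confirm the boundary holds.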

The External Secrets Operator for Red Hat OpenShift is a cluster-wide service that provides lifecycle management for secrets fetched from external secret management systems.

These release notes track the development of External Secrets Operator.

For more information, see External Secrets Operator overview.

Issued: 2025-06-26

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 0.1.0:

Version 0.1.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets version 0.14.3. For more information, see the external-secrets project release notes for v0.14.3.

11.2.1.1. New features and enhancements

  • This is the initial, Technology Preview release of the External Secrets Operator for Red Hat OpenShift.

The External Secrets Operator for Red Hat OpenShift is not installed on the OpenShift Container Platform by default. Install the External Secrets Operator by using either the web console or the command-line interface (CLI).

The following are the limitations of External Secrets Operator for Red Hat OpenShift during the installation and uninstallation of the external-secrets application.

  • Uninstalling the External Secrets Operator for Red Hat OpenShift does not delete the resources created for the external-secrets application; you must clean up the resources manually.
  • When you add cert-manager Operator configurations to the externalsecrets.operator.openshift.io object after creation, delete the external-secrets-cert-controller deployment resource manually to prevent degradation of the external-secrets application.
  • Enable the BitwardenSecretManagerProvider field in the externalsecrets.operator.openshift.io object only when installed on an OpenShift cluster running on the x86_64 or arm64 architectures.
  • Ensure the cert-manager Operator is installed and operational before deploying the External Secrets Operator for Red Hat OpenShift for seamless functioning. If you install the cert-manager Operator later, manually restart the external-secrets-operator pod to apply the cert-manager configurations in the externalsecrets.operator.openshift.io object.

You can use the web console to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Navigate to Ecosystem → Software Catalog.
  3. Enter External Secrets Operator in the search box.
  4. Select the External Secrets Operator for Red Hat OpenShift from the generated list and click Install.
  5. On the Install Operator page:

    1. Update the Update channel, if necessary. The channel defaults to tech-preview-v0.1, which installs the latest stable release of the External Secrets Operator.
    2. Select the version from Version drop-down list.
    3. Choose the Installed Namespace for the Operator.

      • To use the default Operator namespace, select the Operator recommended Namespace option.
      • To use the namespace that you created, select the Select a Namespace option, and then select the namespace from the drop-down list.
      • If the default external-secrets-operator namespace does not exist, it is created for you by the Operator Lifecycle Manager (OLM).
    4. Select an Update approval strategy.

      • The Automatic strategy enables OLM to automatically update the Operator when a new version is available.
      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.
    5. Click Install.

Verification

  1. Navigate to Ecosystem → Installed Operators.
  2. Verify that External Secrets Operator is listed with a Status of Succeeded in the external-secrets-operator namespace.

You can use the command-line interface (CLI) to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create a new project named external-secrets-operator by running the following command:

    $ oc new-project external-secrets-operator
  2. Create an OperatorGroup object by defining a YAML file with the following content:

    Example operatorGroup.yaml file

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: openshift-external-secrets-operator
      namespace: external-secrets-operator
    spec:
      targetNamespaces: []

  3. Create the OperatorGroup object by running the following command:

    $ oc create -f operatorGroup.yaml
  4. Create a Subscription object by defining a YAML file with the following content:

    Example subscription.yaml file

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: openshift-external-secrets-operator
      namespace: external-secrets-operator
    spec:
      channel: tech-preview-v0.1
      name: openshift-external-secrets-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      installPlanApproval: Automatic

  5. Create the Subscription object by running the following command:

    $ oc create -f subscription.yaml

Verification

  1. Verify that the OLM subscription is created by running the following command:

    $ oc get subscription -n external-secrets-operator

    Example output

    NAME                                  PACKAGE                               SOURCE          CHANNEL
    openshift-external-secrets-operator   openshift-external-secrets-operator   eso-010-index   tech-preview-v0.1

  2. Verify whether the Operator is successfully installed by running the following command:

    $ oc get csv -n external-secrets-operator

    Example output

    NAME                               DISPLAY                                           VERSION   REPLACES   PHASE
    external-secrets-operator.v0.1.0   External Secrets Operator for Red Hat OpenShift   0.1.0                Succeeded

  3. Verify that the status of the External Secrets Operator is Running by entering the following command:

    $ oc get pods -n external-secrets-operator

    Example output

    NAME                                                            READY   STATUS    RESTARTS   AGE
    external-secrets-operator-controller-manager-5699f4bc54-kbsmn   1/1     Running   0          25h

You can use the command-line interface (CLI) to install the External Secrets operand.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create an externalsecrets.operator.openshift.io object by defining a YAML file with the following content:

    Example externalsecrets.yaml file

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecrets
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets-operator
      name: cluster
    spec: {}

    For more information on spec configuration, see "External Secrets Operator for Red Hat OpenShift APIs".

  2. Create the externalsecrets.operator.openshift.io object by running the following command:

    $ oc create -f externalsecrets.yaml

Verification

  1. Verify that the external-secrets pods are running by entering the following command:

    $ oc get pods -n external-secrets

    Example output

    NAME                                                READY   STATUS    RESTARTS   AGE
    external-secrets-75d47cb9c8-6p4n2                   1/1     Running   0          4h5m
    external-secrets-cert-controller-676444b897-qb6ft   1/1     Running   0          4h5m
    external-secrets-webhook-b566658ff-7m4d5            1/1     Running   0          4h5m

  2. Verify that the externalsecrets.operator.openshift.io object named cluster reports a successful status by running the following command:

    $ oc get externalsecrets.operator.openshift.io cluster -n external-secrets-operator -o jsonpath='{.status.conditions}' | jq .

    Example output

    [
      {
        "lastTransitionTime": "2025-06-17T14:57:04Z",
        "message": "",
        "observedGeneration": 1,
        "reason": "Ready",
        "status": "False",
        "type": "Degraded"
      },
      {
        "lastTransitionTime": "2025-06-17T14:57:04Z",
        "message": "reconciliation successful",
        "observedGeneration": 1,
        "reason": "Ready",
        "status": "True",
        "type": "Ready"
      }
    ]
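The status check above, as an added example that is not part of the Red Hat documentation or the operator project: a small Python script that reads the whole object from `oc get externalsecrets.operator.openshift.io cluster -n external-secrets-operator -o json` and reports whether the operand is healthy. Beyond the Ready and Degraded conditions the page prints, it compares each condition's observedGeneration with metadata.generation, which the jsonpath above omits, so a status left over from an earlier spec is not mistaken for a current one. The metadata.generation value in the constructed sample is an assumption; the conditions mirror the example output.

```python
"""Decide whether the external-secrets operand is healthy from `oc get ... -o json` output."""
import json
import sys

# Constructed sample modelled on the conditions printed in the documentation. The page shows
# only status.conditions; the metadata.generation value here is an assumption.
SAMPLE_OBJECT = """
{
  "apiVersion": "operator.openshift.io/v1alpha1",
  "kind": "ExternalSecrets",
  "metadata": {"name": "cluster", "generation": 1},
  "status": {
    "conditions": [
      {"lastTransitionTime": "2025-06-17T14:57:04Z", "message": "",
       "observedGeneration": 1, "reason": "Ready", "status": "False", "type": "Degraded"},
      {"lastTransitionTime": "2025-06-17T14:57:04Z", "message": "reconciliation successful",
       "observedGeneration": 1, "reason": "Ready", "status": "True", "type": "Ready"}
    ]
  }
}
"""


def evaluate(obj):
    """Return (healthy, problems). healthy is True only when Ready is True, Degraded is
    not True, and every condition was observed for the current metadata.generation."""
    problems = []
    generation = obj.get("metadata", {}).get("generation")
    conditions = {c.get("type"): c for c in obj.get("status", {}).get("conditions") or []}

    ready = conditions.get("Ready")
    if ready is None:
        problems.append("no Ready condition reported yet")
    elif ready.get("status") != "True":
        problems.append(f"Ready={ready.get('status')}: {ready.get('message') or ready.get('reason')}")

    degraded = conditions.get("Degraded")
    if degraded is not None and degraded.get("status") == "True":
        problems.append(f"Degraded=True: {degraded.get('message') or degraded.get('reason')}")

    # A condition observed for an older generation describes a spec that no longer exists.
    if generation is not None:
        for ctype, cond in conditions.items():
            observed = cond.get("observedGeneration")
            if observed != generation:
                problems.append(
                    f"{ctype} condition is stale (observedGeneration {observed}, generation {generation})")
    return (not problems, problems)


def evaluate_json(text):
    """Convenience wrapper for raw `oc get ... -o json` output."""
    return evaluate(json.loads(text))


if __name__ == "__main__":
    # Read the object from stdin when piped in; otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OBJECT
    healthy, problems = evaluate_json(text)
    print("healthy" if healthy else "NOT healthy")
    for problem in problems:
        print(" -", problem)
    sys.exit(0 if healthy else 1)
```

The non-zero exit status makes the script usable as a gate in a pipeline that applies the ExternalSecrets object and waits for reconciliation.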

11.4. Configuring network policy for the operand

The External Secrets Operator for Red Hat OpenShift includes pre-defined NetworkPolicies for security, but the egress allow policies that let the external-secrets controller communicate with external providers are not among them. You must configure these additional, custom policies through the ExternalSecretsConfig custom resource.

You must configure custom policies through the ExternalSecretsConfig custom resource to allow all egress to all external providers.

Prerequisites

  • An ExternalSecretsConfig must be predefined.
  • You must be able to define specific egress rules, including destination ports and protocols.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command:

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
  2. Set the policy by editing the networkPolicies section:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    metadata:
      name: cluster
    spec:
      controllerConfig:
        networkPolicies:
          - name: allow-external-secrets-egress
            componentName: ExternalSecretsCoreController
            egress:
              - {}   # An empty rule matches every destination and port: allow all egress traffic

You must configure custom policies through the ExternalSecretsConfig custom resource to allow all egress to a specific provider.

Prerequisites

  • An ExternalSecretsConfig must be predefined.
  • You must be able to define specific egress rules, including destination ports and protocols.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command:

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
  2. Set the policy by editing the networkPolicies section. The following example shows how to allow egress to Amazon Web Services (AWS) endpoints.

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    metadata:
      name: cluster
    spec:
      controllerConfig:
        networkPolicies:
          - name: allow-external-secrets-egress
            componentName: ExternalSecretsCoreController
            egress:
              # Allow HTTPS egress to AWS endpoints; the default rules already cover
              # the Kubernetes API server (6443) and DNS (5353)
              - ports:
                  - port: 443   # HTTPS (AWS Secrets Manager)
                    protocol: TCP

    where:

    componentName
    Specifies the core controller; set this to ExternalSecretsCoreController.

Egress rules must include the necessary ports, such as Transmission Control Protocol (TCP) port 443 for services like the AWS Secrets Manager.
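Both of the procedures above (allow all egress, allow a specific provider) are served by the following added example, which is not part of the Red Hat documentation or the operator project: a linter that checks the networkPolicies section of an ExternalSecretsConfig before it is applied. It flags rules that allow all egress so they get a review, ports with no explicit protocol, and componentName values other than the documented ExternalSecretsCoreController. It assumes each entry carries name, componentName and egress, and that egress entries have the Kubernetes NetworkPolicyEgressRule shape (ports / to), as the port-and-protocol example suggests. The sample configuration is constructed and written as JSON (a YAML subset) so the Python standard library can parse it offline.

```python
"""Lint the networkPolicies section of an ExternalSecretsConfig before applying it."""
import json

# Constructed sample. The first two entries mirror the allow-all and AWS-only policies from
# the procedures; the third is a deliberately sloppy entry the linter should flag.
SAMPLE_CONFIG = """
{
  "apiVersion": "operator.openshift.io/v1alpha1",
  "kind": "ExternalSecretsConfig",
  "metadata": {"name": "cluster"},
  "spec": {
    "controllerConfig": {
      "networkPolicies": [
        {"name": "allow-all-egress",
         "componentName": "ExternalSecretsCoreController",
         "egress": [{}]},
        {"name": "allow-aws-egress",
         "componentName": "ExternalSecretsCoreController",
         "egress": [{"ports": [{"port": 443, "protocol": "TCP"}]}]},
        {"name": "sloppy-rule",
         "componentName": "core-controller",
         "egress": [{"ports": [{"port": 443}]}]}
      ]
    }
  }
}
"""

# componentName value documented for the core controller (assumed to be the only valid one here).
KNOWN_COMPONENTS = {"ExternalSecretsCoreController"}
VALID_PROTOCOLS = {"TCP", "UDP", "SCTP"}


def lint_network_policies(config):
    """Return a list of (policy, severity, message) findings; an empty list means clean."""
    findings = []
    policies = (config.get("spec", {})
                      .get("controllerConfig", {})
                      .get("networkPolicies") or [])
    seen_names = set()
    for index, policy in enumerate(policies):
        name = policy.get("name")
        label = name or f"policy[{index}]"
        if not name:
            findings.append((label, "ERROR", "policy has no name"))
        elif name in seen_names:
            findings.append((label, "ERROR", "duplicate policy name"))
        seen_names.add(name)

        component = policy.get("componentName")
        if component not in KNOWN_COMPONENTS:
            findings.append((label, "ERROR", f"unknown componentName {component!r}"))

        egress = policy.get("egress")
        if not egress:
            findings.append((label, "ERROR", "no egress rules: the controller cannot reach any provider"))
            continue
        for rule_index, rule in enumerate(egress):
            # A rule with neither 'ports' nor 'to' matches everything. That is the documented
            # allow-all form, but it deserves a review even when it is intentional.
            if not rule.get("ports") and not rule.get("to"):
                findings.append((label, "WARN", f"egress rule {rule_index} allows all destinations and ports"))
                continue
            for port in rule.get("ports") or []:
                if "port" not in port:
                    findings.append((label, "ERROR", f"egress rule {rule_index} has a port entry without a port number"))
                protocol = port.get("protocol")
                if protocol is None:
                    findings.append((label, "WARN", f"egress rule {rule_index} port {port.get('port')} has no explicit protocol"))
                elif protocol not in VALID_PROTOCOLS:
                    findings.append((label, "ERROR", f"egress rule {rule_index} has invalid protocol {protocol!r}"))
    return findings


def lint_sample():
    """Lint the constructed sample; used by the stand-alone run and the checks."""
    return lint_network_policies(json.loads(SAMPLE_CONFIG))


if __name__ == "__main__":
    for policy, severity, message in lint_sample():
        print(f"{severity:5} {policy}: {message}")
```

Run it against `oc get externalsecretsconfigs.operator.openshift.io cluster -o json` output by passing the parsed object to lint_network_policies(); treat any ERROR as a reason not to apply, and review each WARN against the provider's documented endpoints.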

11.4.3. Default ingress and egress rules

The following table summarizes the default ingress and egress rules.

Component                           Ingress ports   Egress ports   Description
external-secrets                    8080            6443           Allows retrieving metrics and interacting with the API server
external-secrets-webhook            8080/10250      6443           Allows retrieving metrics, handling webhook requests, and interacting with the API server
external-secrets-cert-controller    8080            6443           Allows retrieving metrics and interacting with the API server
external-secrets-bitwarden-server   9998            6443           Handles Bitwarden server connections and interacts with the API server
external-secrets-allow-dns          (none)          5353           Enables DNS lookups to find external secret providers.

If a cluster-wide egress proxy is configured in OpenShift Container Platform, Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. OLM automatically updates all of the Operator’s deployments with the HTTP_PROXY, HTTPS_PROXY, NO_PROXY environment variables.

The egress proxy can be configured in the ExternalSecretsConfig or the ExternalSecretsManager custom resource (CR). The Operator and the operand make use of the OpenShift Container Platform supported certificate authority (CA) bundle for the proxy validations.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have created the ExternalSecretsConfig custom CR.

Procedure

  • To set the proxy in the ExternalSecretsConfig resource, perform the following steps:

    1. Edit the ExternalSecretsConfig resource by running the following command:

      $ oc edit externalsecretsconfigs.operator.openshift.io cluster
    2. Edit the spec.appConfig.proxy section to set the proxy values as follows:

      apiVersion: operator.openshift.io/v1alpha1
      kind: ExternalSecretsConfig
      ...
      spec:
        appConfig:
          proxy:
            httpProxy: <http_proxy>
            httpsProxy: <https_proxy>
            noProxy: <no_proxy>

where:

<http_proxy>
Specifies the proxy URL for the http requests.
<https_proxy>
Proxy URL for the https requests.
<no_proxy>
Comma-separated list of hostnames, CIDRs, IPs or a combination of these, for which the proxy should not be used.

  • To set the proxy in the ExternalSecretsManager CR, perform the following steps.

    1. Edit the ExternalSecretsManager CR by running the following command:

      $ oc edit externalsecretsmanagers.operator.openshift.io cluster
    2. Edit the spec.globalConfig.proxy section to set the proxy values as follows:

      apiVersion: operator.openshift.io/v1alpha1
      kind: ExternalSecretsManager
      ...
      spec:
        globalConfig:
          proxy:
            httpProxy: <http_proxy>
            httpsProxy: <https_proxy>
            noProxy: <no_proxy>

where:

<http_proxy>
Specifies the proxy URL for the http requests.
<https_proxy>
Proxy URL for the https requests.
<no_proxy>
Comma-separated list of hostnames, CIDRs, IPs or a combination of these for which the proxy should not be used.

You can remove the External Secrets Operator for Red Hat OpenShift from OpenShift Container Platform by uninstalling the Operator and removing its related resources.

You can uninstall the External Secrets Operator for Red Hat OpenShift by using the web console.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.
  • The External Secrets Operator is installed.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Uninstall the External Secrets Operator for Red Hat OpenShift using the following steps:

    1. Navigate to Ecosystem → Installed Operators.
    2. Click the Options menu (kebab) next to the External Secrets Operator for Red Hat OpenShift entry and click Uninstall Operator.
    3. In the confirmation dialog, click Uninstall.

After you have uninstalled the External Secrets Operator for Red Hat OpenShift, you can optionally eliminate its associated resources from your cluster.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Remove the deployments of the external-secrets application components in the external-secrets namespace:

    1. Click the Project drop-down menu to see a list of all available projects, and select the external-secrets project.
    2. Navigate to Workloads → Deployments.
    3. Select the deployment that you want to delete.
    4. Click the Actions drop-down menu, and select Delete Deployment to see a confirmation dialog box.
    5. Click Delete to delete the deployment.
  3. Remove the custom resource definitions (CRDs) that were installed by the External Secrets Operator using the following steps:

    1. Navigate to Administration → CustomResourceDefinitions.
    2. Choose external-secrets.io/component: controller from the suggestions in the Label field to filter the CRDs.
    3. Click the Options menu (kebab) next to each of the following CRDs, and select Delete Custom Resource Definition:

      • ACRAccessToken
      • ClusterExternalSecret
      • ClusterGenerator
      • ClusterSecretStore
      • ECRAuthorizationToken
      • ExternalSecret
      • GCRAccessToken
      • GeneratorState
      • GithubAccessToken
      • Grafana
      • Password
      • PushSecret
      • QuayAccessToken
      • SecretStore
      • STSSessionToken
      • UUID
      • VaultDynamicSecret
      • Webhook
  4. Remove the external-secrets-operator namespace using the following steps:

    1. Navigate to Administration → Namespaces.
    2. Click the Options menu (kebab) next to the external-secrets-operator namespace and select Delete Namespace.
    3. In the confirmation dialog, enter external-secrets-operator in the field and click Delete.

After you have uninstalled the External Secrets Operator for Red Hat OpenShift, you can optionally eliminate its associated resources from your cluster by using the command-line interface (CLI).

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Delete the deployments of the external-secrets application components in the external-secrets namespace by running the following command:

    $ oc delete deployment -n external-secrets -l app=external-secrets
  2. Delete the custom resource definitions (CRDs) that were installed by the External Secrets Operator by running the following command:

    $ oc delete customresourcedefinitions.apiextensions.k8s.io -l external-secrets.io/component=controller
  3. Delete the external-secrets-operator namespace by running the following command:

    $ oc delete project external-secrets-operator

External Secrets Operator for Red Hat OpenShift uses the following two APIs to configure the external-secrets application deployment.

Group                   Version    Kind
operator.openshift.io   v1alpha1   ExternalSecretsConfig
operator.openshift.io   v1alpha1   ExternalSecretsManager

The following list contains the External Secrets Operator for Red Hat OpenShift APIs:

  • ExternalSecretsConfig
  • ExternalSecretsManager

11.7.1. externalSecretsManagerList

The externalSecretsManagerList object fetches the list of externalSecretsManager objects.

apiVersion
  Type: string
  The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

kind
  Type: string
  kind specifies the type of the object, which is externalSecretsManagerList for this API.

metadata
  Type: ListMeta
  Refer to Kubernetes API documentation for details about the metadata fields.

items
  Type: array

11.7.2. externalSecretsManager

The externalSecretsManager object defines the configuration and information of deployments managed by the External Secrets Operator. Set the name to cluster as this allows only one instance of externalSecretsManager per cluster.

You can configure global options by using externalSecretsManager. This serves as a centralized configuration for managing multiple controllers of the Operator. The Operator automatically creates the externalSecretsManager object during installation.

apiVersion
  Type: string
  The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

kind
  Type: string
  kind specifies the type of the object, which is externalSecretsManager for this object.

metadata
  Type: ObjectMeta
  Refer to Kubernetes API documentation for details about the metadata fields.

spec
  Type: object
  spec contains specifications of the desired behavior.

status
  Type: object
  status displays the most recently observed state of the controllers in the External Secrets Operator.

11.7.3. externalSecretsConfigList

The externalSecretsConfigList object fetches the list of externalSecretsConfig objects.

apiVersion
  Type: string
  The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

kind
  Type: string
  kind specifies the type of the object, which is externalSecretsList for this API.

metadata
  Type: ListMeta
  Refer to Kubernetes API documentation for details about the metadata fields.

items
  Type: array
  Items contains a list of externalSecrets objects.

11.7.4. externalSecretsConfig

The externalSecretsConfig object defines the configuration and information for the managed external-secrets operand deployment. Set the name to cluster as externalSecretsConfig object allows only one instance per cluster.

Creating an externalSecretsConfig object triggers the deployment of the external-secrets operand and maintains the desired state.

apiVersion
  Type: string
  The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

kind
  Type: string
  kind specifies the type of the object, which is externalSecrets for this object.

metadata
  Type: ObjectMeta
  Refer to Kubernetes API documentation for details about the metadata fields.

spec
  Type: object
  spec contains the specifications of the desired behavior of the externalSecrets object.

status
  Type: object
  status displays the most recently observed status of the externalSecrets object.

The following fields apply to the External Secrets Operator for Red Hat OpenShift APIs.

11.7.6. externalSecretsManagerSpec

The externalSecretsManagerSpec field defines the desired behavior of the externalSecretsManager object.

globalConfig
  Type: object
  globalConfig configures the behavior of deployments that the External Secrets Operator manages.
  Validation: Optional.

11.7.7. externalSecretsManagerStatus

The externalSecretsManagerStatus field shows the most recently observed status of the externalSecretsManager object.

controllerStatuses
  Type: array
  controllerStatuses holds the observed conditions of the controllers used by the Operator.

lastTransitionTime
  Type: Time
  lastTransitionTime records the most recent time the status of the condition changed.
  Validation: Format: date-time; Type: string.

11.7.8. externalSecretsConfigSpec

The externalSecretsConfigSpec field defines the desired behavior of the externalSecrets object.

appConfig
  Type: object
  appConfig configures the behavior of the external-secrets operand.
  Validation: Optional.

plugins
  Type: object
  plugins configures the optional provider plugins.
  Validation: Optional.

controllerConfig
  Type: object
  controllerConfig configures the controller to set up defaults that enable the external-secrets operand.
  Validation: Optional.

11.7.9. externalSecretsConfigStatus

The externalSecretsConfigStatus field shows the most recently observed status of the externalSecretsConfig Object.

conditions
  Type: Condition array
  conditions contains information about the current state of the deployment.

externalSecretsImage
  Type: string
  externalSecretsImage specifies the image name and tag used to deploy the external-secrets operand.

bitwardenSDKServerImage
  Type: string
  bitwardenSDKServerImage specifies the name of the image and tag used for deploying the bitwarden-sdk-server.

11.7.10. globalConfig

The globalConfig field configures the behavior of the External Secrets Operator.

labels
  Type: object (keys:string, values:string)
  labels applies to all resources created by the Operator. This field can have a maximum of 20 entries.
  Validation: the maximum number of properties is 20; the minimum number of properties is 0. Optional.

logLevel
  Type: integer
  logLevel supports a range of values as defined in the Kubernetes logging guidelines.
  Default: 1
  Validation: the maximum range value is 5; the minimum range value is 1. Optional.

resources
  Type: ResourceRequirements
  resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  Validation: Optional.

affinity
  Type: Affinity
  affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  Validation: Optional.

tolerations
  Type: Toleration array
  tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  Validation: the maximum number of items is 50; the minimum number of items is 0. Optional.

nodeSelector
  Type: object (keys:string, values:string)
  nodeSelector defines the scheduling criteria by using the node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  Validation: the maximum number of properties is 50; the minimum number of properties is 0. Optional.

proxy
  Type: object
  proxy sets the proxy configurations available in the operand containers managed by the Operator as environment variables.
  Validation: Optional.

11.7.11. controllerConfig

The controllerConfig specifies the configurations used by the controller when installing the external-secrets operand and the plugins.

certProvider
  Type: string
  certProvider defines the configuration for the certificate providers used to manage TLS certificates for the webhook and plugins.
  Validation: Optional.

labels
  Type: object (keys:string, values:string)
  labels applies labels to all resources created for the external-secrets operand deployment.
  Validation: the maximum number of properties is 20; the minimum number of properties is 0. Optional.

11.7.12. controllerStatus

The controllerStatus field contains the observed conditions of the controllers used by the Operator.

name
  Type: string
  name specifies the name of the controller for which the observed condition is recorded.
  Validation: Required.

conditions
  Type: array
  conditions contains information about the current state of the External Secrets Operator controllers.

observedGeneration
  Type: integer
  observedGeneration represents the .metadata.generation on the observed resource.
  Validation: the minimum value is 0.

11.7.13. applicationConfig

The applicationConfig specifies the configurations for the external-secrets operand.

logLevel
  Type: integer
  logLevel supports a range of values as defined in the Kubernetes logging guidelines.
  Default: 1
  Validation: the maximum range value is 5; the minimum range value is 1. Optional.

operatingNamespace
  Type: string
  operatingNamespace restricts the external-secrets operand operations to the provided namespace. Enabling this field disables ClusterSecretStore and ClusterExternalSecret.
  Validation: the maximum length is 63; the minimum length is 1. Optional.

webhookConfig
  Type: object
  webhookConfig configures webhook specifics of the external-secrets operand.

resources
  Type: ResourceRequirements
  resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  Validation: Optional.

affinity
  Type: Affinity
  affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  Validation: Optional.

tolerations
  Type: Toleration array
  tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  Validation: the maximum number of items is 50; the minimum number of items is 0. Optional.

nodeSelector
  Type: object (keys:string, values:string)
  nodeSelector defines the scheduling criteria by using node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  Validation: the maximum number of properties is 50; the minimum number of properties is 0. Optional.

proxy
  Type: object (keys:string, values:string)
  proxy sets the proxy configurations available in operand containers managed by the Operator as environment variables.
  Validation: Optional.

11.7.14. bitwardenSecretManagerProvider

The bitwardenSecretManagerProvider field enables the Bitwarden secrets manager provider and sets up the additional service required to connect to the Bitwarden server.

mode
  Type: string
  Description: The mode field sets the state of the bitwardenSecretManagerProvider provider, which can be Enabled or Disabled. If set to Enabled, the Operator ensures the plugin is deployed and synchronized. If set to Disabled, reconciliation of the Bitwarden provider plugin is disabled; the plugin and its resources remain in their current state and are not managed by the Operator.
  Default: Disabled
  Validation: enum: [Enabled Disabled]. Optional.

secretRef
  Type: SecretReference
  Description: secretRef specifies the Kubernetes secret that contains the TLS key pair for the Bitwarden server. If this reference is not provided and the certManagerConfig field is configured, the issuer defined in certManagerConfig generates the required certificate. The secret must use tls.crt for the certificate, tls.key for the private key, and ca.crt for the CA certificate.
  Validation: Optional.

11.7.15. webhookConfig

The webhookConfig field configures the specifics of the external-secrets application webhook.

certificateCheckInterval
  Type: Duration
  Description: certificateCheckInterval configures the polling interval to check certificate validity.
  Default: 5m
  Validation: Optional.

11.7.16. certManagerConfig

The certManagerConfig field configures the cert-manager Operator settings.

mode
  Type: string
  Description: mode specifies whether to use cert-manager for certificate management instead of the built-in cert-controller; set it to Enabled or Disabled. If set to Enabled, cert-manager obtains the certificates for the webhook server and other components. If set to Disabled, the cert-controller obtains the certificates for the webhook server. Disabled is the default behavior.
  Default: false
  Validation: enum: [true false]. Required.

injectAnnotations
  Type: string
  Description: injectAnnotations adds the cert-manager.io/inject-ca-from annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the cert-manager Operator certificate authority (CA). This requires the CA Injector to be enabled in the cert-manager Operator. Set this field to true or false. When set, this field cannot be changed.
  Default: false
  Validation: enum: [true false]. Optional.

issuerRef
  Type: ObjectReference
  Description: issuerRef contains details of the referenced object used for obtaining certificates. The object must exist in the external-secrets namespace unless a cluster-scoped cert-manager Operator issuer is used.
  Validation: Required.

certificateDuration
  Type: Duration
  Description: certificateDuration sets the validity period of the webhook certificate.
  Default: 8760h
  Validation: Optional.

certificateRenewBefore
  Type: Duration
  Description: certificateRenewBefore sets the lead time for renewing the webhook certificate before it expires.
  Default: 30m
  Validation: Optional.

11.7.17. certProvidersConfig

The certProvidersConfig defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.

certManager
  Type: object
  Description: certManager defines the configuration for cert-manager provider specifics.
  Validation: Optional.

11.7.18. objectReference

The ObjectReference field refers to an object by its name, kind, and group.

name
  Type: string
  Description: name specifies the name of the resource being referred to.
  Validation: The maximum length is 253 characters. The minimum length is 1 character. Required.

kind
  Type: string
  Description: kind specifies the kind of the resource being referred to.
  Validation: The maximum length is 253 characters. The minimum length is 1 character. Optional.

group
  Type: string
  Description: group specifies the group of the resource being referred to.
  Validation: The maximum length is 253 characters. The minimum length is 1 character. Optional.

11.7.19. secretReference

The secretReference field refers to a secret with the given name in the same namespace where it is used.

name
  Type: string
  Description: name specifies the name of the secret resource being referred to.
  Validation: The maximum length is 253. The minimum length is 1. Required.

11.7.20. condition

The condition field holds information about the condition of the external-secrets deployment.

type
  Type: string
  Description: type contains the condition of the deployment.
  Validation: Required.

status
  Type: ConditionStatus
  Description: status contains the status of the condition of the deployment.

message
  Type: string
  Description: message provides details on the state of the deployment.

11.7.21. conditionalStatus

The conditionalStatus field holds information about the current state of the external-secrets deployment.

conditions
  Type: array
  Description: conditions contains information on the current state of the deployment.

11.7.22. mode

The mode field indicates the operational state of the optional features.

Enabled
  Description: Enabled indicates the optional configuration is enabled.

Disabled
  Description: Disabled indicates the optional configuration is disabled.

11.7.23. pluginsConfig

The pluginsConfig configures the optional plugins.

bitwardenSecretManagerProvider
  Type: object
  Description: bitwardenSecretManagerProvider enables the bitwarden-secrets-manager provider plugin for connecting with the 'bitwarden-secrets-manager'.
  Validation: Optional.

11.7.24. proxyConfig

The proxyConfig holds the proxy configurations that are made available as environment variables in the operand containers managed by the Operator.

httpProxy
  Type: string
  Description: The httpProxy field contains the URL of the proxy for HTTP requests. This field can have a maximum of 2048 characters.
  Validation: The maximum length is 2048 characters. The minimum length is 0 characters. Optional.

httpsProxy
  Type: string
  Description: The httpsProxy field contains the URL of the proxy for HTTPS requests. This field can have a maximum of 2048 characters.
  Validation: The maximum length is 2048 characters. The minimum length is 0 characters. Optional.

noProxy
  Type: string
  Description: The noProxy field is a comma-separated list of hostnames, Classless Inter-Domain Routing (CIDR) ranges, and IP addresses, or a combination of the three, for which the proxy should not be used. This field can have a maximum of 4096 characters.
  Validation: The maximum length is 4096 characters. The minimum length is 0 characters. Optional.
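Pulling the constraints from the reference above together, the following is an added example (not part of the Operator or this documentation) that lints an ExternalSecretsConfig spec before it is applied. It assumes the manifest has already been parsed into a dict (for example with PyYAML) and uses the field paths of the sample manifest later in this chapter; the issuer name and the failing spec are constructed.

```python
# Added example, not part of the Operator or this documentation: a pre-flight lint for an
# ExternalSecretsConfig spec (already parsed into a dict, e.g. with PyYAML) against the field
# constraints in the reference above; paths follow the sample manifest later in this chapter.

def _check_len(problems, path, value, lo, hi):
    # Record a violation when a string's length is outside lo..hi; None means the field is unset.
    if value is not None and not lo <= len(value) <= hi:
        problems.append(f"{path}: length {len(value)} not in {lo}..{hi}")

def lint_external_secrets_config(spec: dict) -> list:
    """Return the list of constraint violations; an empty list means the spec passes."""
    problems = []
    app = spec.get("appConfig", {})
    level = app.get("logLevel", 1)                  # default 1, allowed range 1..5
    if not 1 <= level <= 5:
        problems.append(f"appConfig.logLevel: {level} not in 1..5")
    _check_len(problems, "appConfig.operatingNamespace", app.get("operatingNamespace"), 1, 63)
    if len(app.get("nodeSelector", {})) > 50:
        problems.append("appConfig.nodeSelector: more than 50 properties")
    proxy = app.get("proxy", {})
    for key, cap in (("httpProxy", 2048), ("httpsProxy", 2048), ("noProxy", 4096)):
        _check_len(problems, f"appConfig.proxy.{key}", proxy.get(key), 0, cap)
    ctrl = spec.get("controllerConfig", {})
    if len(ctrl.get("labels", {})) > 20:
        problems.append("controllerConfig.labels: more than 20 properties")
    cm = ctrl.get("certProvider", {}).get("certManager")
    if cm is not None:
        issuer = cm.get("issuerRef")                # Required once cert-manager is configured
        if not issuer:
            problems.append("controllerConfig.certProvider.certManager.issuerRef: required")
        else:
            _check_len(problems, "certManager.issuerRef.name", issuer.get("name", ""), 1, 253)
        inject = cm.get("injectAnnotations")
        # String enum: the manifest must quote the value ("true"); a bare YAML true parses as bool.
        if inject is not None and inject not in ("true", "false"):
            problems.append('certManager.injectAnnotations: must be the string "true" or "false"')
    bw = spec.get("plugins", {}).get("bitwardenSecretManagerProvider")
    if bw is not None:
        if bw.get("mode", "Disabled") not in ("Enabled", "Disabled"):
            problems.append("plugins.bitwardenSecretManagerProvider.mode: must be Enabled or Disabled")
        if bw.get("secretRef") is not None:
            _check_len(problems, "bitwarden secretRef.name", bw["secretRef"].get("name", ""), 1, 253)
    return problems

# Constructed inputs: the spec of the sample manifest in this chapter (issuer name made up),
# and one that breaks several limits at once.
GOOD_SPEC = {
    "appConfig": {"logLevel": 3}, "webhookConfig": {"certificateCheckInterval": "5m0s"},
    "controllerConfig": {"certProvider": {"certManager": {
        "certificateDuration": "8760h0m0s", "certificateRenewBefore": "30m0s", "injectAnnotations": "true",
        "issuerRef": {"group": "cert-manager.io", "kind": "Issuer", "name": "example-issuer"}}}},
    "plugins": {"bitwardenSecretManagerProvider": {"mode": "Enabled"}},
}
BAD_SPEC = {
    "appConfig": {"logLevel": 7, "operatingNamespace": "x" * 70},
    "controllerConfig": {"certProvider": {"certManager": {"injectAnnotations": True}}},
    "plugins": {"bitwardenSecretManagerProvider": {"mode": "on"}},
}
```

Running the lint on GOOD_SPEC returns an empty list, while BAD_SPEC yields five findings, including the unquoted injectAnnotations boolean that the API server would also reject.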

You can migrate from the community version of the External Secrets Operator. Migrating to the External Secrets Operator for Red Hat OpenShift gives you an officially supported product with access to enterprise-grade support, and seamless integration from installation through upgrades.

The following migration versions have been fully tested.

Upstream version    Installation method    Downstream version
0.11.0              OLM                    v1.0.0 GA
0.19.0              Helm                   v1.0.0 GA

Note

The migration does not support rollbacks.

Note

External Secrets Operator for Red Hat OpenShift is based on the upstream version 0.19.0. Do not attempt to migrate from a higher version of the External Secrets Operator.

You must delete the operatorconfigs.operator.external-secrets.io custom resource (CR) for the community External Secrets Operator to delete the external-secrets application installed by the community External Secrets Operator.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have the oc command-line tool installed and configured.

Procedure

  1. Find your community Operator’s namespace by running the following command:

    $ oc get operatorconfigs.operator.external-secrets.io -A

    The following is an example of finding the namespace:

    NAMESPACE             NAME        AGE
    external-secrets      cluster     9m18s
  2. Delete the operatorconfig by running the following command:

    $ oc delete operatorconfig <config_name> -n <operator_namespace>

Verification

  1. To verify that the operatorconfig was deleted, run the following command:

    $ oc get operatorconfig -n <operator_namespace>

    The command must report that no resources were found.

  2. To verify that the old webhooks are deleted, run the following commands:

    $ oc get validatingwebhookconfigurations | grep external-secrets
    $ oc get mutatingwebhookconfigurations | grep external-secrets

    The commands must return no results.

You must uninstall the community External Secrets Operator to prevent it from being recreated or conflicting with the new one.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have deleted the operatorconfig.

Procedure

  1. If you installed the community External Secrets Operator by an Operator Lifecycle Manager (OLM) subscription, delete the Operator by performing the following steps:

    1. Find the subscription name by running the following command:

      $ oc get subscription -n <operator_namespace> | grep external-secrets
    2. Delete the subscription by running the following command:

      $ oc delete subscription <subscription_name> -n <operator_namespace>
    3. Delete the ClusterServiceVersion by running the following command:

      $ oc delete csv <csv_name> -n <operator_namespace>
  2. If you installed the community External Secrets Operator by Helm, delete the Operator by running the following command:

    $ helm uninstall <release_name> -n <operator_namespace>
  3. If you installed the community External Secrets Operator by raw manifests, delete the Operator by running the following command:

    $ oc delete -f /path/to/your/old/manifests.yaml -n <operator_namespace>

After the operatorconfig and the community External Secrets Operator have both been deleted, you can install the External Secrets Operator for Red Hat OpenShift. For more information, see Installing the External Secrets Operator for Red Hat OpenShift.

Creating the ExternalSecretsConfig object installs and configures the external-secrets application. The following configuration enables cert-manager and Bitwarden support.

Prerequisites

  • External Secrets Operator for Red Hat OpenShift is installed.
  • cert-manager Operator for Red Hat OpenShift is installed.
  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create a file named externalsecretsconfig.yaml with the following content:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    metadata:
      labels:
        app.kubernetes.io/name: cluster
      name: cluster
    spec:
      appConfig:
        logLevel: 3
      webhookConfig:
        certificateCheckInterval: 5m0s
      controllerConfig:
        certProvider:
          certManager:
            certificateDuration: 8760h0m0s
            certificateRenewBefore: 30m0s
            injectAnnotations: "true"
            issuerRef:
              group: cert-manager.io
              kind: Issuer
              name: <created_issuer_name>
        mode: Enabled
        networkPolicies:
        - componentName: ExternalSecretsCoreController
          egress:
          - ports:
            - port: 443
              protocol: TCP
            - port: 9998
              protocol: TCP
            name: allow-external-secrets-egress
        plugins:
          bitwardenSecretManagerProvider:
            mode: Enabled
  2. Create the ExternalSecretsConfig object by running the following command:

    $ oc create -f externalsecretsconfig.yaml

Verification

Verify that all custom resources (CRs) are present and that the APIs are using v1 instead of v1beta1. These CRs are retained and automatically converted by the new Operator.

  1. To verify that the external-secrets pods are in a running state, run the following command:

    $ oc get pods -n external-secret

    The following is example output showing that the external-secrets pods are in a running state:

    NAME                                          READY        STATUS        RESTARTS     AGE
    bitwarden-sdk-server-5b4cf48766-w7zp7         1/1          Running       0            5m
    external-secrets-5854b85dd5-m6zf9             1/1          Running       0            5m
    external-secrets-webhook-5cb85b8fdb-6jtqb     1/1          Running       0            5m
  2. To verify that the SecretStore CR is present, run the following command:

    $ oc get secretstores.external-secrets.io -A

    The following is example output from validating that the SecretStore is present:

    NAMESPACE               NAME                         AGE         STATUS      CAPABILITIES    READY
    external-secrets-1      gcp-store                    18min       Valid       ReadWrite       True
    external-secrets-2      aws-secretstore              11min       Valid       ReadWrite       True
    external-secrets        bitwarden-secretsmanager     20min       Valid       Readwrite       True
  3. To verify that the ExternalSecret CR is present, run the following command:

    $ oc get externalsecrets.external-secrets.io -A

    The following is example output from validating that the ExternalSecret is present:

    NAMESPACE             NAME                    STORE                      REFRESH INTERVAL    STATUS          READY
    external-secrets-1    gcp-externalsecret      gcp-store                  1hr                 SecretSynced    True
    external-secrets-2    aws-external-secret     aws-secret-store           1hr                 SecretSynced    True
    external-secrets      bitwarden               bitwarden-secretsmanager   1hr                 SecretSynced    True
  4. To verify that the SecretStore is apiVersion: external-secrets.io/v1, run the following command:

    $ oc get secretstores.external-secrets.io -n external-secrets-1 gcp-store -o yaml

    The following is example output showing that the SecretStore is apiVersion: external-secrets.io/v1:

    apiVersion: external-secrets.io/v1
    kind: SecretStore
    metadata:
      creationTimestamp: "2025-10-27T11:38:19Z"
      generation: 1
      name: gcp-store
      namespace: external-secrets-1
      resourceVersion: "104519"
      uid: 7bccb0cc-2557-4f4a-9caa-1577f0108f4b
    spec:
    .
    .
    .
    status:
      capabilities: ReadWrite
      conditions:
      - lastTransitionTime: "2025-10-27T11:38:19Z"
        message: store validated
        reason: Valid
        status: "True"
        type: Ready
  5. To verify that the ExternalSecret is apiVersion: external-secrets.io/v1, run the following command:

    $ oc get externalsecrets.external-secrets.io -n external-secrets-1 gcp-externalsecret -o yaml

    The following is example output showing that the ExternalSecret is apiVersion: external-secrets.io/v1:

    apiVersion: external-secrets.io/v1
    kind: ExternalSecret
    metadata:
      creationTimestamp: "2025-10-27T11:39:03Z"
      generation: 1
      name: gcp-externalsecret
      namespace: external-secrets-1
      resourceVersion: "104532"
      uid: 93a3295a-a3ad-4304-90e1-1328d951e5fb
    spec:
    .
    .
    .
    status:
      binding:
        name: k8s-secret-gcp
      conditions:
      - lastTransitionTime: "2025-10-27T11:39:03Z"
        message: secret synced
        reason: SecretSynced
        status: "True"
        type: Ready
      refreshTime: "2025-10-27T12:13:15Z"
      syncedResourceVersion: 1-f47fe3c0b255b6dd8047cdffa772587bb829efe7a1cb70febeda2eb2
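The verification steps above check each SecretStore and ExternalSecret by hand. The following added example (not part of the Red Hat documentation or the Operator) automates those checks over the JSON that `oc get secretstores.external-secrets.io,externalsecrets.external-secrets.io -A -o json` returns; the sample output embedded below is constructed, with the gcp-store entry taken from the verification output above and a made-up ExternalSecret that was left on v1beta1.

```python
# Added example, not part of the Red Hat documentation or the Operator: a post-migration check over
# the JSON that `oc get secretstores.external-secrets.io,externalsecrets.external-secrets.io -A -o json`
# returns, flagging resources still on another apiVersion or whose Ready condition is not satisfied.
import json

EXPECTED_API_VERSION = "external-secrets.io/v1"
# Reason that accompanies Ready=True for each kind, as in the verification outputs above.
READY_REASON = {"SecretStore": "Valid", "ExternalSecret": "SecretSynced"}

def check_migrated_resources(resource_list: dict) -> list:
    """Return one finding per problem; an empty list means every resource is on v1 and Ready."""
    findings = []
    for item in resource_list.get("items", []):
        meta = item.get("metadata", {})
        ident = f"{meta.get('namespace')}/{item.get('kind')}/{meta.get('name')}"
        if item.get("apiVersion") != EXPECTED_API_VERSION:
            findings.append(f"{ident}: apiVersion {item.get('apiVersion')}, expected {EXPECTED_API_VERSION}")
        ready = [c for c in item.get("status", {}).get("conditions", []) if c.get("type") == "Ready"]
        if not ready:
            findings.append(f"{ident}: no Ready condition reported")
            continue
        cond = ready[-1]
        want = READY_REASON.get(item.get("kind"))
        if cond.get("status") != "True" or (want and cond.get("reason") != want):
            findings.append(f"{ident}: Ready={cond.get('status')} reason={cond.get('reason')} ({cond.get('message')})")
    return findings

# Constructed sample output: the gcp-store SecretStore from the verification above, plus a
# made-up ExternalSecret that was left on v1beta1 and is failing to sync.
SAMPLE_LIST = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"apiVersion": "external-secrets.io/v1", "kind": "SecretStore",
   "metadata": {"name": "gcp-store", "namespace": "external-secrets-1"},
   "status": {"capabilities": "ReadWrite", "conditions": [
     {"type": "Ready", "status": "True", "reason": "Valid", "message": "store validated"}]}},
  {"apiVersion": "external-secrets.io/v1beta1", "kind": "ExternalSecret",
   "metadata": {"name": "legacy-secret", "namespace": "external-secrets-2"},
   "status": {"conditions": [
     {"type": "Ready", "status": "False", "reason": "SecretSyncedError",
      "message": "could not get secret data from provider"}]}}
]}
""")

if __name__ == "__main__":
    for finding in check_migrated_resources(SAMPLE_LIST):
        print("FAIL", finding)
```

On a live cluster, pipe the `oc get ... -o json` output into `json.load` in place of SAMPLE_LIST; a non-empty result means a CR was not converted or is not syncing.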