Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

Chapter 12. External Secrets Operator for Red Hat OpenShift

12.1. External Secrets Operator for Red Hat OpenShift overview
Copia collegamento

The External Secrets Operator for Red Hat OpenShift operates as a cluster-wide service to deploy and manage the external-secrets application. The external-secrets application integrates with external secrets management systems and performs secret fetching, refreshing, and provisioning within the cluster.

12.1.1. About the External Secrets Operator for Red Hat OpenShift
Copia collegamento

Use the External Secrets Operator for Red Hat OpenShift to integrate external-secrets application with the OpenShift Container Platform cluster. The external-secrets application fetches secrets stored in the external providers such as AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, Azure Key Vault, IBM Cloud Secrets Manager, AWS Systems Manager Parameter Store and integrates them with Kubernetes in a secure manner.

Using the External Secrets Operator ensures the following:

  • Decouples applications from the secret-lifecycle management.
  • Centralizes secret storage to support compliance requirements.
  • Enables secure and automated secret rotation.
  • Supports multi-cloud secret sourcing with fine-grained access control.
  • Centralizes and audits access control.
Important

Do not attempt to use more than one External Secrets Operator in your cluster. If you have a community External Secrets Operator installed in your cluster, you must uninstall it before installing the External Secrets Operator for Red Hat OpenShift.

For more information about external-secrets application, see external-secrets.

Use the External Secrets Operator to authenticate with the external secrets store, retrieve secrets, and inject the retrieved secrets into a native Kubernetes secret. This method removes the need for applications to directly access or manage external secrets.

The External Secrets Operator for Red Hat OpenShift is tested with the following external secrets provider types:

Note

Red Hat does not test all factors associated with third-party secrets store provider functionality. For more information about third-party support, see the Red Hat third-party support policy.

The External Secrets Operator for Red Hat OpenShift supports FIPS compliance. When running on OpenShift Container Platform in FIPS mode, External Secrets Operator uses the RHEL cryptographic libraries submitted to NIST for FIPS validation on the x86_64, ppc64le, and s390X architectures. For more information about the NIST validation program, see Cryptographic module validation program. For more information about the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance activities and government standards.

To enable FIPS mode, install the External Secrets Operator on an OpenShift Container Platform cluster that runs in FIPS mode. For more information, see "Do you need extra security for your cluster?".

12.1.4. Security considerations
Copia collegamento

When using the External Secrets Operator for Red Hat OpenShift, there are some security concerns you should consider:

  • The external-secrets operand fetches the secrets from the configured external providers and stores it in a Kubernetes native Secrets resource. This results in a secret zero problem. It is recommended to secure the secret objects using additional encryption. For more information, see Data encryption options.
  • When configuring SecretStore and ClusterSecretStore resources, consider using short-term credential-based authorization. This approach enhances security by limiting the window of opportunity for unauthorized access, even if credentials are compromised.
  • To enhance the security of the External Secrets Operator for Red Hat OpenShift, it is crucial to implement role-based access controls (RBACs). These RBACs should define and limit access to the custom resources provided by the External Secrets Operator.

12.2. External Secrets Operator for Red Hat OpenShift release notes
Copia collegamento

The External Secrets Operator for Red Hat OpenShift is a cluster-wide service that provides lifecycle management for secrets fetched from external secret management systems.

These release notes track the development of External Secrets Operator.

For more information, see External Secrets Operator overview.

Issued: 2025-11-03

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 1.0.0:

Version 1.0.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets project, version v0.19.0. For more information, see the external-secrets project release notes for v0.19.0.

12.2.1.1. Bug fixes
Copia collegamento

  • Before this release, many of the APIs listed in the console for the External Secrets Operator for Red Hat OpenShift were missing descriptions. With this release, the API descriptions have been added. (OCPBUGS-61081)

12.2.1.2. New features and enhancements
Copia collegamento

Renaming and improvements on the Operator API

With this release, the Operator API, externalsecrets.operator.openshift.io has been renamed to externalsecretsconfigs.operator.openshift.io to avoid confusion with the external-secrets provided API that has the same name, but a different purpose. The external-secrets provided API has also been restructured and new features are added.

For more information, see External Secrets Operator for Red Hat OpenShift APIs.

Support to collect metrics of External Secrets Operator

With this release, the External Secrets Operator for Red Hat OpenShift supports collecting metrics for both the Operator and operands. This is optional and must be enabled.

For more information, see Monitoring the External Secrets Operator for Red Hat OpenShift.

Support to configure proxy for External Secrets Operator

With this release, the External Secrets Operator for Red Hat OpenShift supports configuring proxy for both the Operator and operand.

For more information, see About the egress proxy for the External Secrets Operator for Red Hat OpenShift.

Root filesystem is read-only for External Secrets Operator for Red Hat OpenShift containers

With this release, to improve security, the External Secrets Operator for Red Hat OpenShift and all its operands have the readOnlyRootFilesystem security context set to true by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container’s root file system.

Network policy hardening is now available for External Secrets Operator components

With this release, External Secrets Operator for Red Hat OpenShift includes pre-defined NetworkPolicy resources designed for enhanced security by governing ingress and egress traffic for operand components. These policies cover essential internal traffic, such as ingress to the metrics and webhook servers, and egress to the OpenShift API server and DNS server. Note that deployment of the NetworkPolicy is enabled by default and egress allow policies must be explicitly defined in the ExternalSecretsConfig custom resource for the external-secrets component to fetch secrets from external providers.

For more information, see Configuring network policy for the operand.

Issued: 2025-06-26

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 0.1.0:

Version 0.1.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets version 0.14.3. For more information, see the external-secrets project release notes for v0.14.3.

12.2.2.1. New features and enhancements
Copia collegamento

  • This is the initial, Technology Preview release of the External Secrets Operator for Red Hat OpenShift.

12.3. Installing the External Secrets Operator for Red Hat OpenShift
Copia collegamento

To manage external secrets on OpenShift Container Platform, install the External Secrets Operator by using the web console or the command-line interface (CLI).

12.3.1. Limitations of External Secrets Operator for Red Hat OpenShift
Copia collegamento

The following are the limitations of External Secrets Operator for Red Hat OpenShift during the installation and uninstallation of the external-secrets application.

  • Uninstalling the External Secrets Operator for Red Hat OpenShift does not delete the resources created for external-secrets application. you must clean up the resources manually.
  • When you add cert-manager Operator configurations in externalsecrets.operator.openshift.io object after creation, delete the external-secrets-cert-controller deployment resource manually to prevent degradation of the external-secrets application.
  • Enable the BitwardenSecretManagerProvider field in externalsecrets.operator.openshift.io object only when installed on OpenShift Cluster running on x86_64 and arm64 architectures .
  • Ensure cert-manager Operator is installed and operational before deploying the External Secrets Operator for Red Hat OpenShift for seamless functioning. If you install the cert-manager Operator later, manually restart the external-secrets-operator pod to apply cert-manager configurations in externalsecrets.operator.openshift.io object.

Install the External Secrets Operator for Red Hat OpenShift by using the web console to add secret management features to your cluster. By doing this task, you can select an update channel and approval strategy to ensure the Operator stays current.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Navigate to Ecosystem Software Catalog.
  3. Enter External Secrets Operator in the search box.
  4. Select the External Secrets Operator for Red Hat OpenShift from the generated list and click Install.

  5. On the Install Operator page:

    1. Update the Update channel, if necessary. The channel defaults to stable-v1, which installs the latest stable release of the External Secrets Operator.
    2. Select the version from Version drop-down list.

    3. Choose the Installed Namespace for the Operator.

      • To use the default Operator namespace, select the Operator recommended Namespace option.
      • To use the namespace that you created, select the Select a Namespace option, and then select the namespace from the drop-down list.
      • If the default external-secrets-operator namespace does not exist, it is created for you by the Operator Lifecycle Manager (OLM).

    4. Select an Update approval strategy.

      • The Automatic strategy enables OLM to automatically update the Operator when a new version is available.
      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.
    5. Click Install.

Verification

  1. Navigate to Ecosystem Installed Operators.
  2. Verify that External Secrets Operator is listed with a Status of Succeeded in the external-secrets-operator namespace.

You can use the command-line interface (CLI) to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create a new project named external-secrets-operator by running the following command: 

    $ oc new-project external-secrets-operator

  2. Create an OperatorGroup object by defining a YAML file with the following content: 

    apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-external-secrets-operator
  namespace: external-secrets-operator
spec:
  targetNamespaces: []

  3. Create the OperatorGroup object by running the following command: 

    $ oc create -f operatorGroup.yaml

  4. Create a Subscription object by defining a YAML file with the following content:

    The following is an example of a subscription.yaml file. 

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-external-secrets-operator
  namespace: external-secrets-operator
spec:
  channel: stable-v1
  name: openshift-external-secrets-operator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
  installPlanApproval: Automatic
  startingCSV: external-secrets-operator.v1.0.0

  5. Create the Subscription object by running the following command: 

    $ oc create -f subscription.yaml

Verification

  1. Verify that the OLM subscription is created by running the following command: 

    $ oc get subscription -n external-secrets-operator

    The following is example output verifying the OLM subscription is created. 

    NAME                                  PACKAGE                               SOURCE             CHANNEL
openshift-external-secrets-operator   openshift-external-secrets-operator   redhat-operators   stable-v1

  2. Verify whether the Operator is successfully installed by running the following command: 

    $ oc get csv -n external-secrets-operator

    The following is example output verifying that the Operator is installed. 

    NAME                               DISPLAY                                           VERSION   REPLACES   PHASE
external-secrets-operator.v1.0.0   External Secrets Operator for Red Hat OpenShift   1.0.0                Succeeded

  3. Verify that the status of the External Secrets Operator is Running by entering the following command: 

    $ oc get pods -n external-secrets-operator

    The following is example output verifying the External Secrets Operator is Running. 

    NAME                                                            READY   STATUS    RESTARTS   AGE
external-secrets-operator-controller-manager-5699f4bc54-kbsmn   1/1     Running   0          25h

12.3.5. Installing the External Secrets operand by using the CLI
Copia collegamento

Install the External Secrets operand on OpenShift Container Platform by using the CLI to create the necessary configuration object. By completing this task, you ensure that the External Secrets Operator is properly configured to manage secrets from external APIs on your cluster.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create an externalsecretsconfig.openshift.operator.io object by defining a YAML file with the following content:

    Example externalsecretsconfig.yaml file.

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  labels:
    app: external-secrets-operator
    app.kubernetes.io/name: cluster
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
    - componentName: ExternalSecretsCoreController
      egress:
      - {}
      name: allow-external-secrets-egress

    For more information on spec configuration, see "External Secrets Operator for Red Hat OpenShift APIs".

  2. Create the externalsecretsconfigs.openshift.operator.io object by running the following command: 

    $ oc create -f externalsecretsconfig.yaml

Verification

  1. Verify that the external-secrets pods are running by entering the following command: 

    $ oc get pods -n external-secrets

    Example output

    NAME                                                READY   STATUS    RESTARTS   AGE
external-secrets-75d47cb9c8-6p4n2                   1/1     Running   0          4h5m
external-secrets-cert-controller-676444b897-qb6ft   1/1     Running   0          4h5m
external-secrets-webhook-b566658ff-7m4d5            1/1     Running   0          4h5m

  2. Verify that the external-secrets-operator deployment object reports a successful status by running the following command: 

    $ oc get externalsecretsconfig.operator.openshift.io cluster -n external-secrets-operator -o jsonpath='{.status.conditions}' | jq .

    Example output

    [
  {
    "lastTransitionTime": "2025-06-17T14:57:04Z",
    "message": "",
    "observedGeneration": 2,
    "reason": "Ready",
    "status": "False",
    "type": "Degraded"
  },
  {
    "lastTransitionTime": "2025-11-27T05:58:38Z,
    "message": "reconciliation successful",
    "observedGeneration": 2,
    "reason": "Ready",
    "status": "True",
    "type": "Ready"
  }
]

Next step

  • Configure the network policies of the operand as described in "Configuring network policy for the operand".

Control the version of the External Secrets Operator for Red Hat OpenShift in your cluster by selecting an update channel. By using this mechanism, you can declare a specific version track, ensuring your environment receives only the updates you require for stability.

The External Secrets Operator for Red Hat OpenShift offers the following update channels:

  • stable-v1
  • stable-v1.y

Select the stable-v1 channel to install and update the latest release of the External Secrets Operator for Red Hat OpenShift. By selecting this channel, you can use the most recent stable release for your Operator.

Note

The stable-v1 channel is the default and suggested channel while installing the External Secrets Operator for Red Hat OpenShift.

The stable-v1 channel offers the following update approval strategies:

Automatic
If you choose automatic updates for an installed External Secrets Operator for Red Hat OpenShift, a new version of the External Secrets Operator for Red Hat OpenShift is available in the stable-v1 channel. The Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without human intervention.
Manual
If you select manual updates, when a newer version of the External Secrets Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version.

Select the stable-v1 channel to install and update the latest release of the External Secrets Operator for Red Hat OpenShift. By selecting this channel, you can use the latest stable release and allows you to choose between automatic and manual updates.

The y-stream version of the External Secrets Operator for Red Hat OpenShift installs updates from the stable-v1.y channels such as stable-v1.0, stable-v1.1, and stable-v1.2. Select the stable-v1.y channel if you want to use the y-stream version and stay updated to the z-stream version of the External Secrets Operator for Red Hat OpenShift.

The stable-v1.y channel offers the following update approval strategies:

Automatic
If you choose automatic updates for an installed External Secrets Operator for Red Hat OpenShift, a new z-stream version of the External Secrets Operator for Red Hat OpenShift is available in the stable-v1.y channel. OLM automatically upgrades the running instance of your Operator without human intervention.
Manual
If you select manual updates, when a newer version of the External Secrets Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the External Secrets Operator for Red Hat OpenShift updated to the new version of the z-stream releases.

12.4. Configuring network policy for the operand
Copia collegamento

The External Secrets Operator for Red Hat OpenShift includes pre-defined NetworkPolicies for security, but you must configure additional, custom policies through the ExternalSecretsConfig custom resource to set the external-secrets controller egress allow policies to communicate with external providers. These configurable policies are set via the ExternalSecretsConfig custom resource to establish the egress allow policy.

You must configure custom policies through the ExternalSecretsConfig custom resource to allow all egress to all external providers.

Prerequisites

  • An ExternalSecretsConfig must be predefined.
  • You must be able to define specific egress rules, including destination ports and protocols.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Set the policy by editing the networkPolicies section: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
      - name: allow-external-secrets-egress
        componentName: CoreController
        egress: # Allow all egress traffic

12.4.2. Adding a custom network policy to allow egress to a specific provider
Copia collegamento

You must configure custom policies through the ExternalSecretsConfig custom resource to allow all egress to a specific provider.

Prerequisites

  • An ExternalSecretsConfig must be predefined.
  • You must be able to define specific egress rules, including destination ports and protocols

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Set the policy by editing the networkPolicies section. The following example shows how to allow egress to Amazon Web Services (AWS) endpoints. 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    networkPolicies:
      - componentName: ExternalSecretsCoreController
        egress:
          # Allow egress to Kubernetes API server, AWS endpoints, and DNS
          - ports:
              - port: 443   # HTTPS (AWS Secrets Manager)
                protocol: TCP
      - name: allow-external-secrets-egress

    where:

    componentName
    Specifies the name for the core controller which is ExternalSecretsCoreController. Egress rules must specify the required ports, such as Transmission Control Protocol (TCP) port 443, for services such as the AWS Secrets Manager.

12.4.3. Default ingress and egress rules
Copia collegamento

The following table summarizes the default ingress and egress rules.

Expand
ComponentIngress portsEgress portsDescription

external-secrets

8080

6443

Allows retrieving metrics and interacting with the API server

external-secrets-webhook

8080/10250

6443

Allows retrieving metrics, handling webhook requests, and interacting with the API server

external-secrets-cert-controller

8080

6443

Allows retrieving metrics and interacting with the API server

external-secrets-bitwarden-server

9998

6443

Handles Bitwarden server connections and interacts with the API server

external-secrets-allow-dns

 

5353

Enables DNS lookups to find external secret providers.

If a cluster-wide egress proxy is configured in OpenShift Container Platform, Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. OLM automatically updates all of the Operator’s deployments with the HTTP_PROXY, HTTPS_PROXY, NO_PROXY environment variables.

The egress proxy can be configured in the ExternalSecretsConfig or the ExternalSecretsManager custom resource (CR). The Operator and the operand make use of the OpenShift Container Platform supported certificate authority (CA) bundle for the proxy validations.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have created the ExternalSecretsConfig custom CR.

Procedure

  • To set the proxy in the ExternalSecretsConfig resource, perform the following steps:

    1. Edit the ExternalSecretsConfig resource by running the following command: 

      $ oc edit externalsecretsconfigs.operator.openshift.io cluster

    2. Edit the spec.appConfig.proxy section to set the proxy values as follows: 

      apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  appConfig:
    proxy:
      httpProxy: <http_proxy>
      httpsProxy: <https_proxy>
      noProxy: <no_proxy>

      where:

      <http_proxy>
      Specifies the proxy URL for the http requests.
      <https_proxy>
      Specifies the proxy URL for the https requests.
      <no_proxy>
      Specifies a comma-separated list of hostnames, CIDRs, IPs or a combination of these, for which the proxy should not be used.

  • To set the proxy in the ExternalSecretsManager CR, perform the following steps.

    1. Edit the ExternalSecretsManager CR by running the following command: 

      $ oc edit externalsecretsmanagers.operator.openshift.io cluster

    2. Edit the spec.globalConfig.proxy section to set the proxy values as follows: 

      apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsManager
...
spec:
  globalConfig:
    proxy:
      httpProxy: <http_proxy>
      httpsProxy: <https_proxy>
      noProxy: <no_proxy>

where:

<http_proxy>
Specifies the proxy URL for the http requests.
<https_proxy>
Proxy URL for the https requests.
<no_proxy>
Comma-separated list of hostnames, CIDRs, IPs or a combination of these for which the proxy should not be used.

12.6. Monitoring the External Secrets Operator for Red Hat OpenShift
Copia collegamento

By default, the External Secrets Operator for Red Hat OpenShift exposes metrics for the Operator and the operands. You can configure OpenShift Monitoring to collect these metrics by using the Prometheus Operator format.

12.6.1. Enabling user workload monitoring
Copia collegamento

To enable metrics collection for user-defined projects, configure user workload monitoring in the OpenShift Container Platform cluster. With this configuration, you can maintain visibility into the performance and status of your specific project workloads.

For more information, see "Setting up metrics collection for user-defined projects".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create the cluster-monitoring-config.yaml YAML file: 

    apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    enableUserWorkload: true

  2. Apply the ConfigMap by running the following command: 

    $ oc apply -f cluster-monitoring-config.yaml

Verification

  • Verify that the monitoring components for user workloads are running in the openshift-user-workload-monitoring namespace by running the following command: 

    $ oc -n openshift-user-workload-monitoring get pod

    Example output

    NAME                                   READY   STATUS    RESTARTS   AGE
prometheus-operator-5f79cff9c9-67pjb   2/2     Running   0          25h
prometheus-user-workload-0             6/6     Running   0          25h
thanos-ruler-user-workload-0           4/4     Running   0          25h

    The status of the pods such as prometheus-operator, prometheus-user-workload, and thanos-ruler-user-workload must be Running.

The External Secrets Operator for Red Hat OpenShift exposes metrics by default on port 8443 at the /metrics service endpoint. You can configure metrics collection for the Operator by creating a ServiceMonitor custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled the user workload monitoring.

Procedure

  1. Configure the Operator to use HTTP for the metrics server. HTTPS is enabled by default.

    1. Update the subscription object for External Secrets Operator for Red Hat OpenShift to configure the HTTP protocol by running the following command: 

      $ oc -n external-secrets-operator patch subscription openshift-external-secrets-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"METRICS_BIND_ADDRESS","value":":8080"}, {"name": "METRICS_SECURE", "value": "false"}]}}}'

    2. To verify that the External Secrets Operator pod is redeployed and that the configured values for METRICS_BIND_ADDRESS and METRICS_SECURE are updated, run the following command: 

      $ oc set env --list deployment/external-secrets-operator-controller-manager -n external-secrets-operator | grep -e METRICS_BIND_ADDRESS -e METRICS_SECURE -e container

      The following example shows that the METRICS_BIND_ADDRESS and METRICS_SECURE have been updated: 

      # deployments/external-secrets-operator-controller-manager, container manager
METRICS_BIND_ADDRESS=:8080
METRICS_SECURE=false

  2. Create the Secret resource with the kubernetes.io/service-account.name annotation to inject the token required for authenticating with the metrics server.

    1. Create the secret-external-secrets-operator.yaml YAML file: 

      apiVersion: v1
kind: Secret
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-operator-metrics-auth
  namespace: external-secrets-operator
  annotations:
    kubernetes.io/service-account.name: external-secrets-operator-controller-manager
type: kubernetes.io/service-account-token

    2. Create the Secret resource by running the following command: 

      $ oc apply -f secret-external-secrets-operator.yaml

  3. Create the ClusterRoleBinding resource required for granting permissions to access metrics:

    1. Create the clusterrolebinding-external-secrets.yaml YAML file:

      The following example shows a clusterrolebinding-external-secrets.yaml file. 

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-allow-metrics-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-secrets-operator-metrics-reader
subjects:
  - kind: ServiceAccount
    name: external-secrets-operator-controller-manager
    namespace: external-secrets-operator

    2. Create the ClusterRoldeBinding custom resource by running the following command: 

      $ oc apply -f clusterrolebinding-external-secrets.yaml

  4. Create the ServiceMonitor CR if using the default HTTPS:

    1. Create the servicemonitor-external-secrets-operator-https.yaml YAML file: 

      apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-operator-metrics-monitor
  namespace: external-secrets-operator
spec:
  endpoints:
    - authorization:
        credentials:
          name: external-secrets-operator-metrics-auth
          key: token
        type: Bearer
      interval: 60s
      path: /metrics
      port: metrics-https
      scheme: https
      scrapeTimeout: 30s
      tlsConfig:
        ca:
          configMap:
            name: openshift-service-ca.crt
            key: service-ca.crt
        serverName: external-secrets-operator-controller-manager-metrics-service.external-secrets-operator.svc.cluster.local
  namespaceSelector:
    matchNames:
      - external-secrets-operator
  selector:
    matchLabels:
      app: external-secrets-operator
      svc: external-secrets-operator-controller-manager-metrics-service

    2. Create the ServiceMonitor CR by running the following command: 

      $ oc apply -f servicemonitor-external-secrets-operator-https.yaml

  5. Create the ServiceMonitor CR if configured to use HTTP:

    1. Create the servicemonitor-external-secrets-operator-http.yaml YAML file: 

      apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: external-secrets-operator
  name: external-secrets-operator-metrics-monitor
  namespace: external-secrets-operator
spec:
  endpoints:
    - authorization:
        credentials:
          name: external-secrets-operator-metrics-auth
          key: token
        type: Bearer
      interval: 60s
      path: /metrics
      port: metrics-http
      scheme: http
      scrapeTimeout: 30s
  namespaceSelector:
    matchNames:
      - external-secrets-operator
  selector:
    matchLabels:
      app: external-secrets-operator
      svc: external-secrets-operator-controller-manager-metrics-service

    2. Create the ServiceMonitor CR by running the following command: 

      $ oc apply -f servicemonitor-external-secrets-operator-http.yaml

      After the ServiceMonitor CR is created, the user workload Prometheus instance begins metrics collection from the Operator. The collected metrics are labeled with job="external-secrets-operator-controller-manager-metrics-service".

Verification

  1. In the OpenShift Container Platform web console, navigate to Observe Targets.

  2. In the Label filter field, enter the following labels to filter the metrics targets for each operand: 

    $ service=external-secrets-operator-controller-manager-metrics-service
  3. Confirm that the Status column shows Up for the external-secrets-operator.

As a cluster administrator, or as a user with view access to all namespaces, you can query the Operator metrics by using the OpenShift Container Platform web console or the command-line interface (CLI). For more information, see "Accessing metrics".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled monitoring and metrics collection by creating a ServiceMonitor object.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Observe Metrics.

  2. In the query field, enter the following PromQL expressions to query the External Secrets Operator for Red Hat OpenShift metric: 

    {job="external-secrets-operator-controller-manager-metrics-service"}

The External Secrets Operator for Red Hat OpenShift operands exposes metrics by default on port 8080 at the /metrics service endpoint for all three components (external-secrets, external-secrets-cert-controll, and external-secrets-webhook). You can configure metrics collection for the external-secrets operands by creating a ServiceMonitor custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled the user workload monitoring.

Procedure

  1. Create the ClusterRoleBinding resource required for granting permissions to access metrics:

    1. Create the clusterrolebinding-external-secrets.yaml YAML file:

      The following example shows a clusterrolebinding-external-secrets.yaml file. 

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app: external-secrets
  name: external-secrets-allow-metrics-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-secrets-operator-metrics-reader
subjects:
  - kind: ServiceAccount
    name: external-secrets
    namespace: external-secrets
  - kind: ServiceAccount
    name: external-secrets-cert-controller
    namespace: external-secrets
  - kind: ServiceAccount
    name: external-secrets-webhook
    namespace: external-secrets

    2. Create the ClusterRoldeBinding custom resource by running the following command: 

      $ oc apply -f clusterrolebinding-external-secrets.yaml

  2. Create the ServiceMonitor CR:

    1. Create the servicemonitor-external-secrets.yaml YAML file: 

      apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app: external-secrets
  name: external-secrets-metrics-monitor
  namespace: external-secrets
spec:
  endpoints:
    - interval: 60s
      path: /metrics
      port: metrics
      scheme: http
      scrapeTimeout: 30s
  namespaceSelector:
    matchNames:
      - external-secrets
  selector:
    matchExpressions:
      - key: app.kubernetes.io/name
        operator: In
        values:
          - external-secrets
          - external-secrets-cert-controller
          - external-secrets-webhook
      - key: app.kubernetes.io/instance
        operator: In
        values:
          - external-secrets
      - key: app.kubernetes.io/managed-by
        operator: In
        values:
          - external-secrets-operator

    2. Create the ServiceMonitor CR by running the following command: 

      $ oc apply -f servicemonitor-external-secrets.yaml

      After the ServiceMonitor CR is created, the user workload Prometheus instance begins metrics collection from the External Secrets Operator for Red Hat OpenShift operands. The collected metrics are labeled with job="external-secrets",job="external-secrets-cainjector", and job="external-secrets-webhook".

Verification

  1. In the OpenShift Container Platform web console, navigate to Observe Targets.

  2. In the Label filter field, enter the following labels to filter the metrics targets for each operand: 

    $ service=external-secrets
     
    $ service=external-secrets-cert-controller-metrics
     
    $ service=external-secrets-webhook
  3. Confirm that the Status column shows Up for the external-secrets, external-secrets-cert-controller and external-secrets-webhook.

12.6.5. Querying metrics for the external-secrets operand
Copia collegamento

As a cluster administrator, or as a user with view access to all namespaces, you can query external-secrets operand metrics by using the OpenShift Container Platform web console or the command-line interface (CLI). For more information, see "Accessing metrics".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the External Secrets Operator for Red Hat OpenShift.
  • You have enabled monitoring and metrics collection by creating a ServiceMonitor object.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Observe Metrics.

  2. In the query field, enter the following PromQL expressions to query the External Secrets Operator for Red Hat OpenShift operands metric for each operand: 

    {job="external-secrets"}
     
    {job="external-secrets-webhook"}
     
    {job="external-secrets-cert-controller-metrics"}

12.7. Customizing the External Secrets Operator for Red Hat OpenShift
Copia collegamento

You can customize the behavior of the External Secrets Operator for Red Hat OpenShift operand components by configuring custom annotations, deployment lifecycle settings, and environment variables through the ExternalSecretsConfig custom resource (CR).

These configurations provide administrators with fine-grained control over the external-secrets deployment.

You can customize the External Secrets Operator for Red Hat OpenShift operand by using the ExternalSecretsConfig custom resource (CR). The CR supports a set of deployment and runtime options, such as custom annotations, revision history limits, environment variables, resource limits, tolerations, and proxy settings—so you can control how the operand is deployed and run without editing the operand resources directly.

All supported options are defined in the ExternalSecretsConfig CR (for example under the spec.controllerConfig for controller-related settings). The Operator reconciles the operand from this CR. Changes made directly to operand resources are overwritten. Use the ExternalSecretsConfig CR as the only supported way to customize the operand.

For the complete list of fields and allowed values, see the ExternalSecretsConfig API reference in the External Secrets Operator for Red Hat OpenShift documentation.

Set the log level for the External Secrets Operator for Red Hat OpenShift to control the detail of log messages. By adjusting the verbosity, you can troubleshoot issues effectively and manage the volume of log data.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  • Update the subscription object for the External Secrets Operator for Red Hat OpenShift to provide the verbosity level for the operator logs by running the following command: 

    $ oc -n <external_secrets_operator_namespace> patch subscription openshift-external-secrets-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"OPERATOR_LOG_LEVEL","value":"<log_level>"}]}}}'

    where:

    external_secrets_operator_namespace
    Specifies the namespace where the Operator is installed.
    log_level
    Specifies the level of log detail. Values range from 1-5. The default is 2.

Verification

  1. The External Secrets Operator pod is redeployed. Verify that the log level of the External Secrets Operator for Red Hat OpenShift is updated by running the following command: 

    $ oc set env deploy/external-secrets-operator-controller-manager -n external-secrets-operator --list | grep -e OPERATOR_LOG_LEVEL -e container

    The following example verifies that the log level of the External Secrets Operator for Red Hat OpenShift is updated. 

    # deployments/external-secrets-operator-controller-manager, container manager
OPERATOR_LOG_LEVEL=2

  2. Verify that the log level of the External Secrets Operator for Red Hat OpenShift is updated by running the oc logs command: 

    $ oc logs -n external-secrets-operator -f deployments/external-secrets-operator-controller-manager -c manager

Set the log level for the External Secrets Operator for Red Hat OpenShift operand to control the verbosity of log messages. By doing this task, you can adjust the amount of detail recorded for troubleshooting or monitoring purposes.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Set the log level value by editing the spec.appConfig.logLevel section: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  appConfig:
    logLevel: <log_level>
    1
    1
    Supports the value range of 1-5. The log level gets mapped to the following operand support levels:
    • 1 - warnings
    • 2 - error logs
    • 3 - info logs
    • 4 and 5 - debug logs
  3. Save your changes and exit the editor.

Configure cert-manager to handle certificate management for the external-secrets webhook and plugins. This optional configuration automates certificate generation for plugins and eliminates the need for manual configuration.

When cert-manager is not used, external-secrets defaults to its own certificate management. In this mode, it automatically generates the required certificates for the webhook, while you are responsible for manually configuring certificates for the plugins.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.
  • You have installed the cert-manager Operator for Red Hat OpenShift. For more information, see "Installing the cert-manager Operator for Red Hat OpenShift"

Procedure

  1. Edit the ExternalSecretsConfig custom resource by running the following command: 

    $  oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Configure cert-manager by editing the spec.controllerConfig.certProvider.certManager section as follows: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  controllerConfig:
    certProvider:
      certManager:
        injectAnnotations: "true"
        issuerRef:
          name: <issuer_name>
          kind: <issuer_kind>
          group: <issuer_group>
        mode: Enabled

    where:

    injectAnnotation
    Must be set to true when enabled.
    name
    Specifies the name of the issuer object referenced in ExternalSecretsConfig.
    kind
    Specifies the API issuer. Can be set to either Issuer or ClusterIssuer.
    group
    Specifies the API issuer group. The group name must be cert-manager.io.
    mode
    Must be set to Enabled. This is an immutable field and cannot be modified once it is configured.
  3. Save your changes.

  4. After you update the cert-manager configurations in the externalsecretsconfig.operator.openshift.io object, you must manually delete external-secrets-cert-controller deployment by running the following command. This prevents performance degradation of the external-secrets application. 

    $ oc delete deployments.apps external-secrets-cert-controller -n external-secrets

  5. Optionally, you can delete other resources created for the cert-controller by running the following commands: 

    $ oc delete clusterrolebindings.rbac.authorization.k8s.io external-secrets-cert-controller
     
    $ oc delete clusterroles.rbac.authorization.k8s.io external-secrets-cert-controller
     
    $ oc delete serviceaccounts external-secrets-cert-controller -n external-secrets
     
    $ oc delete secrets external-secrets-webhook -n external-secrets

12.7.4. Configuring the bitwardenSecretManagerProvider plugin
Copia collegamento

Configure the bitwardenSecretManagerProvider plugin to use Bitwarden Secrets Manager as a source for your secrets. By using this integration, you can sync external secrets to your OpenShift Container Platform cluster.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  1. Edit the ExternalSecretsConfig custom resource by running the following command: 

    $  oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Edit the spec.plugins.bitwardenSecretManagerProvider section as follows to enable the Bitwarden Secrets Manager: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  plugins:
    bitwardenSecretManagerProvider:
      mode: Enabled
      secretRef:
        name: <secret_object_name>

    where:

    name
    The name of the secret containing the certificate key pair for the plugin. The key name in the secret for the certificate must be tls.crt. The key name for the private key must be tls.key. The key name for the Certificate Authority (CA) certificate key name must be ca.crt. Configuring the secret is optional when the cert-manager certificate provider is configured.
  3. Save your changes and exit the editor.
  4. If you disable the plugin the following resources must be deleted manually by running the following commands: 
$ oc delete deployments.apps bitwarden-sdk-server -n external-secrets
 
$ oc delete certificates.cert-manager.io bitwarden-tls-certs -n external-secrets
 
$ oc delete service bitwarden-sdk-server -n external-secrets
 
$ oc delete serviceaccounts bitwarden-sdk-server -n external-secrets

12.7.5. Adding custom annotations to external-secrets resources
Copia collegamento

To customize your resources, you can define up to 20 custom annotations in the custom resource (CR). The Operator merges the annotations with the defaults, prioritizes them, and safely preserves annotations set by external systems.

When an annotation is removed from the CR, the Operator automatically removes it from all managed resources during the next reconciliation. Annotations set by external sources, such as Kubernetes system annotations or annotations added by other controllers, are preserved and are not affected by the Operator.

Annotation keys containing the following reserved domain prefixes are not allowed and are rejected by validation if applied:

  • kubernetes.io/ (including subdomains such as *.kubernetes.io/)
  • k8s.io/ (including subdomains such as *.k8s.io/)
  • openshift.io/ (including subdomains such as *.openshift.io/)
  • cert-manager.io/

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Add the annotations field under spec.controllerConfig as follows: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    annotations:
      prometheus.io/scrape: "true"
      example.com/environment: "production"

Verification

  1. Verify that annotations are applied to the external-secrets deployment by running the following command: 

    $ oc get deployment external-secrets -n external-secrets -o jsonpath='{.metadata.annotations}' | jq .

    The output should include the custom annotations you specified.

  2. Verify that annotations are applied to the pod template by running the following command: 

    $ oc get deployment external-secrets -n external-secrets -o jsonpath='{.spec.template.metadata.annotations}' | jq .

    The output should include the custom annotations you specified.

  3. Verify that annotations are applied to other managed resources such as Services by running the following command: 

    $ oc get service external-secrets-webhook -n external-secrets -o jsonpath='{.metadata.annotations}' | jq .

    The output should include the custom annotations you specified.

12.7.6. Configuring the revisionHistoryLimit for external-secrets components
Copia collegamento

Configure the number of old ReplicaSet objects retained for rollback by setting the revisionHistoryLimit parameter for external-secrets components.

The following components can be configured:

Expand
Component nameDescription

ExternalSecretsCoreController

The main external-secrets controller.

Webhook

The external-secrets webhook server.

CertController

The certificate controller for webhook TLS.

BitwardenSDKServer

The Bitwarden SDK server plugin.

Each component can only have one configuration entry. A maximum of 4 component configuration entries are allowed, one per component.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Add the componentConfigs field under spec.controllerConfig as follows: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    componentConfigs:
      - componentName: ExternalSecretsCoreController
        deploymentConfigs:
          revisionHistoryLimit: 5
      - componentName: Webhook
        deploymentConfigs:
          revisionHistoryLimit: 3

    where

    spec.controllerConfig.componentConfigs.componentName.deploymentConfigs.revisionHistoryLimit
    Specifies the number of old ReplicaSet objects to retain for rollback. The value must be at least 1 to ensure rollback capability. The maximum value is 50. If not specified, the default is 10.

Verification

  • Verify that the revisionHistoryLimit parameter is applied to the deployment by running the following command: 

    $ oc get deployment external-secrets -n external-secrets -o jsonpath='{.spec.revisionHistoryLimit}'

    The output should display the value you configured.

12.7.7. Setting custom environment variables for external-secrets components
Copia collegamento

To configure component behavior at runtime or integrate with external services, set custom environment variables for individual external-secrets components.

Custom environment variables are merged with the default environment variables set by the Operator. User-specified variables take precedence in case of conflicts with the Operator defaults. A maximum of 50 custom environment variables can be specified per component.

The environment variable names starting with the following prefixes are reserved:

  • HOSTNAME
  • KUBERNETES_
  • EXTERNAL_SECRETS_

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have created the ExternalSecretsConfig custom resource.

Procedure

  1. Edit the ExternalSecretsConfig CR by running the following command: 

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster

  2. Add the overrideEnv field under the desired component in the spec.controllerConfig.componentConfigs stanza as follows: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  name: cluster
spec:
  controllerConfig:
    componentConfigs:
      - componentName: ExternalSecretsCoreController
        overrideEnv:
          - name: Example
            value: "4"

    where

    spec.controllerConfig.componentConfigs.overrideEnv.name
    Specifies the name of the environment variable. Environment variable names starting with HOSTNAME, KUBERNETES_, or EXTERNAL_SECRETS_ are reserved and are not allowed.
    spec.controllerConfig.componentConfigs.overrideEnv.value
    Specifies the value of the environment variable.

Verification

  • Verify that the environment variable is set on the deployment by running the following command: 

    $ oc set env deployment/external-secrets -n external-secrets --list

    The output should include the custom environment variable you specified.

12.8. Uninstalling the External Secrets Operator for Red Hat OpenShift
Copia collegamento

You can remove the External Secrets Operator for Red Hat OpenShift from OpenShift Container Platform by uninstalling the Operator and removing its related resources.

You can uninstall the External Secrets Operator for Red Hat OpenShift by using the web console.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.
  • The External Secrets Operator is installed.

Procedure

  1. Log in to the OpenShift Container Platform web console.

  2. Uninstall the External Secrets Operator for Red Hat OpenShift using the following steps:

    1. Navigate to Ecosystem Installed Operators.
    2. Click the Options menu kebab next to the External Secrets Operator for Red Hat OpenShift entry and click Uninstall Operator.
    3. In the confirmation dialog, click Uninstall.

To clean up your cluster after uninstalling the External Secrets Operator for Red Hat OpenShift, remove its associated resources. This deletes residual components, such as deployments and custom resource definitions.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.

  2. Remove the deployments of the external-secrets application components in the external-secrets namespace:

    1. Click the Project drop-down menu to see a list of all available projects, and select the external-secrets project.
    2. Navigate to Workloads Deployments.
    3. Select the deployment that you want to delete.
    4. Click the Actions drop-down menu, and select Delete Deployment to see a confirmation dialog box.
    5. Click Delete to delete the deployment.

  3. Remove the custom resource definitions (CRDs) that were installed by the External Secrets Operator using the following steps:

    1. Navigate to Administration CustomResourceDefinitions.
    2. Choose external-secrets.io/component: controller from the suggestions in the Label field to filter the CRDs.

    3. Click the Options menu kebab next to each of the following CRDs, and select Delete Custom Resource Definition:

      • ACRAccessToken
      • ClusterExternalSecret
      • ClusterGenerator
      • ClusterPushSecret
      • ClusterSecretStore
      • ECRAuthorizationToken
      • ExternalSecret
      • GCRAccessToken
      • GeneratorState
      • GithubAccessToken
      • Grafana
      • MFA
      • Password
      • PushSecret
      • QuayAccessToken
      • SecretStore
      • SSHKey
      • STSSessionToken
      • UUID
      • VaultDynamicSecret
      • Webhook

  4. Remove the external-secrets-operator namespace using the following steps:

    1. Navigate to Administration Namespaces.
    2. Click the Options menu kebab next to the External Secrets Operator and select Delete Namespace.
    3. In the confirmation dialog, enter external-secrets-operator in the field and click Delete.

After you have uninstalled the External Secrets Operator for Red Hat OpenShift, you can optionally eliminate its associated resources from your cluster by using the command-line interface (CLI).

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Delete the deployments of the external-secrets application components in the external-secrets namespace by running the following command: 

    $ oc delete deployment -n external-secrets -l app=external-secrets

  2. Delete the custom resource definitions (CRDs) that were installed by the External Secrets Operator by running the following command: 

    $ oc delete customresourcedefinitions.apiextensions.k8s.io -l external-secrets.io/component=controller

  3. Delete the external-secrets-operator namespace by running the following command: 

    $ oc delete project external-secrets-operator

12.9. External Secrets Operator for Red Hat OpenShift APIs
Copia collegamento

External Secrets Operator for Red Hat OpenShift uses the following two APIs to configure the external-secrets application deployment.

Expand
GroupVersionKind

operator.openshift.io

v1alpha1

externalsecretsConfig

operator.openshift.io

v1alpha1

externalsecretsmanager

The following list contains the External Secrets Operator for Red Hat OpenShift APIs:

  • ExternalSecretsConfig
  • ExternalSecretsManager

12.9.1. externalSecretsManagerList
Copia collegamento

The externalSecretsManagerList object fetches the list of externalSecretsManager objects.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

  

kind

string

kind specifies the type of the object, which is externalSecretsManagerList for this API.

  

metadata

ListMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

items

array

   

12.9.2. externalSecretsManager
Copia collegamento

The externalSecretsManager object defines the configuration and information of deployments managed by the External Secrets Operator. Set the name to cluster as this allows only one instance of externalSecretsManager per cluster.

You can configure global options by using externalSecretsManager. This serves as a centralized configuration for managing multiple controllers of the Operator. The Operator automatically creates the externalSecretsManager object during installation.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

  

kind

string

kind specifies the type of the object, which is externalSecretsManager for this Object.

  

metadata

ObjectMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

spec

object

spec contains specifications of the desired behavior.

  

status

object

status displays the most recently observed state of the controllers in the External Secrets Operator.

  

12.9.3. externalSecretsConfigList
Copia collegamento

The externalSecretsConfigList object fetches the list of externalSecretsConfig objects.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1

  

kind

string

kind specifies the type of the object, which is externalSecretsList for this API.

  

metadata

ListMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

items

array

Items contains a list of externalSecrets objects.

  

12.9.4. externalSecretsConfig
Copia collegamento

The externalSecretsConfig object defines the configuration and information for the managed external-secrets operand deployment. Set the name to cluster as externalSecretsConfig object allows only one instance per cluster.

Creating an externalSecretsConfig object triggers the deployment of the external-secrets operand and maintains the desired state.

Expand
FieldTypeDescriptionDefaultValidation

apiVersion

string

The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1.

  

kind

string

kind specifies the type of the object, which is externalSecrets for this object.

  

metadata

ObjectMeta

Refer to Kubernetes API documentation for details about the metadata fields.

  

spec

object

spec contains the specifications of the desired behavior of the externalSecrets object.

  

status

object

status displays the most recently observed status of the externalSecrets object.

  

12.9.5. Listing fields in External Secrets Operator for Red Hat OpenShift APIs
Copia collegamento

The following fields apply to the External Secrets Operator for Red Hat OpenShift APIs.

12.9.6. externalSecretsManagerSpec
Copia collegamento

The externalSecretsManagerSpec field defines the desired behavior of the externalSecretsManager object.

Expand
FieldtypeDescriptionDefaultValidation

globalConfig

object

globalConfig configures the behavior of deployments that External Secrets Operator manages.

 

Optional

12.9.7. externalSecretsManagerStatus
Copia collegamento

The externalSecretsManagerStatus field shows the most recently observed status of the externalSecretsManager object.

Expand
FieldTypeDescriptionDefaultValidation

controllerStatuses

array

controllerStatuses holds the observed conditions of the controllers used by the Operator.

  

lastTransitionTime

Time

lastTransitionTime records the most recent time the status of the condition changed.

 

Format: date-time

Type: string

12.9.8. externalSecretsConfigSpec
Copia collegamento

The externalSecretsConfigSpec field defines the desired behavior of the externalSecrets object.

Expand
FieldTypeDescriptionDefaultValidation

appConfig

object

appConfig configures the behavior of the external-secrets operand.

 

Optional

plugins

object

plugins configures the optional provider plugins.

 

Optional

controllerConfig

object

controllerConfig configures the controller to set up defaults that enable external-secrets operand.

 

Optional

12.9.9. externalSecretsConfigStatus
Copia collegamento

The externalSecretsConfigStatus field shows the most recently observed status of the externalSecretsConfig Object.

Expand
FieldTypeDescriptionDefaultValidation

conditions

Condition array

conditions contains information about the current state of deployment.

  

externalSecretsImage

string

externalSecretsImage specifies the image name and tag used for deploy external-secrets operand.

  

bitwardenSDKServerImage

string

bitwardenSDKServerImage specifies the name of the image and tag used for deploying the bitwarden-sdk-server.

  

12.9.10. globalConfig
Copia collegamento

The globalConfig field configures the behavior of the External Secrets Operator.

Expand
FieldTypeDescriptionDefaultValidation

labels

integer

labels applies to all resources created by the Operator. This field can have a maximum of 20 entries

1

The maximum number of properties is 20

The minimum number of properties is 0

Optional

logLevel

integer

logLevel supports a range of values as defined in the kubernetes logging guidelines.

1

The maximum range value is 5

The minimum range value is 1

Optional

resources

ResourceRequirements

resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

 

Optional

affinity

Affinity

affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

 

Optional

tolerations

Toleration array

tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

 

The maximum number of items is 50

The minimum number of items is 0

Optional

nodeSelector

object (keys:string, values:string)

nodeSelector defines the scheduling criteria by using the node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

 

The maximum number of properties is 50

The minimum number of properties is 0

Optional

proxy

object

proxy sets the proxy configurations available in the operand containers managed by the Operator as environment variables.

 

Optional

12.9.11. controllerConfig
Copia collegamento

The controllerConfig specifies the configurations used by the controller when installing the external-secrets operand and the plugins.

Expand
FieldTypeDescriptionDefaultValidation

certProvider

string

certProvider defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.

 

Optional

labels

object (keys:string, values:string)

labels field applies labels to all resources created for the external-secrets operand deployment.

 

The maximum number of properties is 20.

The minimum number of properties is 0.

Optional

annotations

object (keys:string, values:string)

annotations add custom annotations to all the resources created for the external-secrets deployment. The annotations are merged with any default annotations set by the Operator. User-specified annotations take precedence over defaults in case of conflicts. Annotation keys containing the reserved domains kubernetes.io/, openshift.io/, k8s.io/, or cert-manager.io/ (including subdomains like *.kubernetes.io/) are not allowed.

 

The maximum number of properties is 20.

The minimum number of properties is 0.

Optional

12.9.12. controllerStatus
Copia collegamento

The controllerStatus field contains the observed conditions of the controllers used by the Operator.

Expand
FieldTypeDescriptionDefaultValidation

name

string

name specifies the name of the controller for which the observed condition is recorded.

 

Required

conditions

array

conditions contains information about the current state of the External Secrets Operator controllers.

  

observedGeneration

integer

observedGeneration represents the .metadata.generation on the observed resource.

 

The minimum number of observed resources is 0.

12.9.13. applicationConfig
Copia collegamento

The applicationConfig specifies the configurations for the external-secrets operand.

Expand
FieldTypeDescriptionDefaultValidation

logLevel

integer

logLevel supports a range of values as defined in the kubernetes logging guidelines.

1

The maximum range value is 5

The minimum range value is 1

Optional

operatingNamespace

string

operatingNamespace restricts the external-secrets operand operations to the provided namespace. Enabling this field disables ClusterSecretStore and ClusterExternalSecret.

 

The maximum length is 63

The minimum length is 1

Optional

webhookConfig

object

webhookConfig configures webhook specifics of the external-secrets operand.

  

resources

ResourceRequirements

resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/

 

Optional

affinity

Affinity

affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

 

Optional

tolerations

Toleration array

tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/

 

The maximum number of items is 50

The minimum number of items is 0

Optional

nodeSelector

object (keys:string, values:string)

nodeSelector defines the scheduling criteria by using node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/

 

The maximum number of properties is 50

The minimum number of properties is 0

Optional

proxy

object (keys:string, values:string)

proxy sets the proxy configurations available in operand containers managed by the Operator as environment variables.

 

Optional

12.9.14. bitwardenSecretManagerProvider
Copia collegamento

The bitwardenSecretManagerProvider field enables the Bitwarden secrets manager provider and sets up the additional service required to connect to the Bitwarden server.

Expand
FieldTypeDescriptionDefaultValidation

mode

string

mode field enables the bitwardenSecretManagerProvider provider state, which can be set to Enabled or Disabled. If set to Enabled, the Operator ensures the plugin is deployed and synchronized. If set to Disabled, the Bitwarden provider plugin reconciliation is disabled. The plugin and resources remain in their current state, and are not managed by the Operator.

Disabled

enum: [Enabled Disabled]

Optional

secretRef

SecretReference

SecretRef specifies the Kubernetes secret that contains the TLS key pair for the Bitwarden server. If this reference is not provided and the certManagerConfig field is configured, the issuer defined in certManagerConfig generates the required certificate. The secret must use tls.crt for certificate, tls.key for the private key, and ca.crt for CA certificate.

 

Optional

12.9.15. webhookConfig
Copia collegamento

The webhookConfig field configures the specifics of the external-secrets application webhook.

Expand
FieldTypeDescriptionDefaultValidation

certificateCheckInterval

Duration

certificateCheckInterval configures the polling interval to check certificate validity.

5m

Optional

12.9.16. certManagerConfig
Copia collegamento

The certManagerConfig field configures the cert-manager Operator settings.

Expand
FieldTypeDescriptionDefaultValidation

mode

string

mode specifies whether to use cert-manager for certificate management instead of the built-in cert-controller which can be indicated by setting either Enabled or Disabled. If set to Enabled, uses cert-manager for obtaining the certificates for the webhook server and other components. If set to Disabled, uses the cert-controller for obtaining the certificates for the webhook server. Disabled is the default behavior.

false

enum: [true false]

Required

injectAnnotations

string

injectAnnotations adds the cert-manager.io/inject-ca-from annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the cert-manager Operator certificate authority (CA). This requires CA Injector to be enabled in cert-manager Operator. Set this field to true or false. When set, this field cannot be changed.

false

enum: [true false]

Optional

issuerRef

ObjectReference

issuerRef contains details of the referenced object used for obtaining certificates. The object must exist in the external-secrets namespace unless a cluster-scoped cert-manager Operator issuer is used.

 

Required

certificateDuration

Duration

certificateDuration sets the validity period of the webhook certificate.

8760h

Optional

certificateRenewBefore

Duration

certificateRenewBefore sets the ahead time to renew the webhook certificate before expiry.

30m

Optional

12.9.17. certProvidersConfig
Copia collegamento

The certProvidersConfig defines the configuration for the certificate providers used to manage TLS certificates for webhook and plugins.

Expand
FieldTypeDescriptionDefaultValidation

certManager

object

certManager defines the configuration for cert-manager provider specifics.

 

Optional

12.9.18. objectReference
Copia collegamento

The ObjectReference field refers to an object by its name, kind, and group.

Expand
FieldTypeDescriptionDefaultValidation

name

string

name specifies the name of the resource being referred to.

 

The maximum length is 253 characters.

The minimum length is 1 character.

Required

kind

string

kind specifies the kind of the resource being referred to.

 

The maximum length is 253 characters.

The minimum length is 1 character.

Optional

group

string

group specifies the group of the resource being referred to.

 

The maximum length is 253 characters.

The minimum length is 1 character.

Optional

12.9.19. secretReference
Copia collegamento

The secretReference field refers to a secret with the given name in the same namespace where it used.

Expand
FieldTypeDescriptionDefaultValidation

name

string

name specifies the name of the secret resource being referred to.

 

The maximum length is 253.

The minimum length is 1.

Required

12.9.20. condition
Copia collegamento

The condition field holds information about the condition of the external-secrets deployment.

Expand
FieldTypeDescriptionDefaultValidation

type

string

type contains the condition of the deployment.

 

Required

status

ConditionStatus

status contains the status of the condition of the deployment

  

message

string

message provides details on the state of the deployment

  

12.9.21. conditionalStatus
Copia collegamento

The conditionalStatus field holds information about the current state of the external-secrets deployment.

Expand
FieldTypeDescriptionDefaultValidation

conditions

array

conditions contains information on the current state of the deployment.

  

12.9.22. mode
Copia collegamento

The mode field indicates the operational state of the optional features.

Expand
FieldTypeDescriptionDefaultValidation

Enabled

 

Enabled indicates the optional configuration is enabled.

  

Disabled

 

Disabled indicates the optional configuration is disabled.

  

12.9.23. pluginsConfig
Copia collegamento

The pluginsConfig configures the optional plugins.

Expand
FieldTypeDescriptionDefaultValidation

bitwardenSecretManagerProvider

object

bitwardenSecretManagerProvider enables the bitwarden-secrets-manager provider plugin for connecting with the 'bitwarden-secrets-manager'.

 

Optional

12.9.24. proxyConfig
Copia collegamento

The proxyConfig holds the proxy configurations which are made available in the operand containers and managed by the Operator as environment variables.

Expand
FieldTypeDescriptionDefaultValidation

httpProxy

string

The httpProxy field contains the URL of the proxy for HTTP requests. This field can have a maximum of 2048 characters.

 

The maximum length is 2048 characters.

The minimum length is 0 characters.

Optional

httpsProxy

string

The httpsProxy field contains the URL of the proxy for HTTPS requests. This field can have a maximum of 2048 characters.

 

The maximum length is 2048 characters.

The minimum length is 0 characters.

Optional

noProxy

string

The noProxy field is a comma-separated list of hostnames, classless inter-domain routings (CIDRs), and IP addresses or a combination of the three for which the proxy should not be used. This field can have a maximum of 4096 characters.

 

The maximum length is 4096 characters.

The minimum length is 0 characters.

Optional

12.9.25. componentConfig
Copia collegamento

The componentConfig field defines configuration overrides for a specific external-secrets component.

Expand
FieldTypeDescriptionDefaultValidation

componentName

string

componentName identifies which external-secrets component this configuration applies to. Valid values are ExternalSecretsCoreController, Webhook, CertController, and BitwardenSDKServer.

 

Enum: [ExternalSecretsCoreController, Webhook, CertController, BitwardenSDKServer]

Required

deploymentConfigs

object

deploymentConfigs specifies overrides for the Kubernetes Deployment resource of this component.

 

Optional

overrideEnv

EnvVar

array

overrideEnv specifies custom environment variables for this component’s container. These are merged with operator-managed environment variables, with user-defined values taking precedence. Environment variable names starting with HOSTNAME, KUBERNETES_ or EXTERNAL_SECRETS_ are reserved and are not allowed.

 

The maximum number of items is 50.

Optional

12.9.26. deploymentConfig
Copia collegamento

The deploymentConfig field defines configuration overrides for a Kubernetes Deployment resource.

Expand
FieldTypeDescriptionDefaultValidation

revisionHistoryLimit

integer

revisionHistoryLimit specifies the number of old ReplicaSets to retain for rollback purposes. This allows rolling back to previous deployment versions using the command oc rollout undo. Must be at least 1 to ensure rollback capability.

10

The minimum value is 1.

The maximum value is 50.

Optional

Migrate from the community External Secrets Operator to the External Secrets Operator for Red Hat OpenShift supported version. This conversion provides you with enterprise-grade support and seamless integration for managing external secrets.

The following migration versions have been fully tested.

Expand
Upstream versionInstallation methodDownstream version

0.11.0

OLM

v1.0.0 GA

0.19.0

Helm

v1.0.0 GA

Note

The migration does not support rollbacks.

Note

External Secrets Operator for Red Hat OpenShift is based on the upstream version 0.19.0. Do not try to migrate from a higher version of the External Secrets Operator.

12.10.1. Deleting the community External Secrets Operator
Copia collegamento

Delete the configuration resource for the community Operator so that the legacy application is fully removed. This action prevents conflicts before installing the External Secrets Operator for Red Hat OpenShift.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have the oc command-line tool installed and configured.

Procedure

  1. Find your community Operator’s namespace by running the following command: 

    $ oc get operatorconfigs.operator.external-secrets.io -A

    The following is an example of finding the namespace: 

    NAMESPACE             NAME        AGE
external-secrets      cluster     9m18s

  2. Delete the operatorconfig custom resrouce (CR) by running the following command: 

    $ oc delete operatorconfig <config_name> -n <operator_namespace>

Verification

  1. To verify that the operatorconfig CR is deleted, run the following command: 

    $ oc get operatorconfig -n <operator_namespace>

    The command must return no resource found.

  2. To verify that the old webhooks are deleted, run the following commands: 

    $ oc get validatingwebhookconfigurations | grep external-secrets
     
    $ oc get mutatingwebhookconfigurations | grep external-secrets

    The commands must return no results.

12.10.2. Uninstalling the community External Secrets Operator
Copia collegamento

Uninstall the community External Secrets Operator to prevent conflicts or accidental recreation after you migrate to External Secrets Operator for Red Hat OpenShift.

You must uninstall the community External Secrets Operator to prevent it from being recreated or conflicting with the new one. The steps to uninstall are different based on how the community External Secrets Operator was installed but the prerequisites are the same for each.

12.10.2.1. Uninstalling a helm installed community External Secrets Operator
Copia collegamento

Remove the community External Secrets Operator that was installed using Helm. This helps you free up resources and maintain a clean environment for your cluster.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have deleted the operatorconfig custom resource (CR).

Procedure

  1. Install the External Secrets Operator for Red Hat OpenShift. The external-secrets-operator namespace must be null.

  2. Delete the External Secrets Operator by running the following command: 

    $ oc helm delete <release_name> -n <operator_namespace>
    Note

    Using helm delete might delete all Custom Resource Definitions (CRDs) and CRs. It is recommended to installl the downstream Operator first if the namespace external-secrets-operator is empty.

Remove the community External Secrets Operator that was installed by an Operator Lifecycle Manager (OLM) subscription. This helps you free up resources and maintain a clean environment for your cluster.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have deleted the operatorconfig CR.

Procedure

  1. Find the subscription name by running the following command: 

    $ oc get subscription -n <operator_namespace> | grep external-secrets

  2. Delete the subscription by running the following command: 

    $ oc delete subscription <subscription_name> -n <operator_namespace>

  3. Delete the ClusterServiceVersion by running the following command: 

    $ oc delete csv <csv_name> -n <operator_namespace>

Remove the community External Secrets Operator that was installed by raw manifests. This helps you free up resources and maintain a clean environment for your cluster.

Prerequisites

  • You must be logged in as a user with the cluster-admin role.
  • You must have deleted the operatorconfig CR.

Procedure

  • To remove the communiity External Secrets Operator that was installed by raw manifests, run the following command: 

    $ oc delete -f /path/to/your/old/manifests.yaml -n <operator_namespace>

12.10.3. Installing the External Secrets Operator for Red Hat OpenShift
Copia collegamento

Install the External Secrets Operator for Red Hat OpenShift after cleaning up the community version. This establishes the officially supported service for managing secrets in your cluster. For more information, see Installing the External Secrets Operator for Red Hat OpenShift.

12.10.4. Creating the ExternalSecretsConfig Operator
Copia collegamento

Create the ExternalSecretsConfig resource to install and configure the core external-secrets component. This setup helps ensure that features like Bitwarden and cert-manager support are correctly enabled.

Prerequisites

  • External Secrets Operator for Red Hat OpenShift is installed.
  • cert-manager Operator for Red Hat OpenShift is installed.
  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create an externalsecretsconfig file by defining a YAML file with the following content: 

    apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  labels:
    app.kubernetes.io/name: cluster
  name: cluster
spec:
  appConfig:
    logLevel: 1
  controllerConfig:
    networkPolicies:
      - componentName: ExternalSecretsCoreController
        egress:
          - {}
        name: allow-external-secrets-egress
  plugins: {}

  2. Create the ExternalSecretsConfig object by running the following command: 

    $ oc create -f externalsecretsconfig.yaml

Verification

Verify that all custom resources (CRs) are present and that the APIs are using v1 instead of v1beta1. There CRs are retained and automatically converted by the new Operator.

  1. To verify that the external-secrets pods are in a running state, run the following command: 

    $ oc get pods -n external-secret

    The following is example output that the external-secrets pods are in a running state. 

    NAME                                          READY        STATUS        RESTARTS     AGE
bitwarden-sdk-server-5b4cf48766-w7zp7         1/1          Running       0            5m
external-secrets-5854b85dd5-m6zf9             1/1          Running       0            5m
external-secrets-webhook-5cb85b8fdb-6jtqb     1/1          Running       0            5m

  2. To verify that the SecretStore CR is present, run the following command: 

    $ oc get secretstores.external-secrets.io -A

    The following is example output from validating that the SecretStore is present: 

    NAMESPACE               NAME                         AGE         STATUS      CAPABILITIES    READY
external-secrets-1      gcp-store                    18min       Valid       ReadWrite       True
external-secrets-2      aws-secretstore              11min       Valid       ReadWrite       True
external-secrets        bitwarden-secretsmanager     20min       Valid       Readwrite       True

  3. To verify that the ExternalSecret CR is present, run the following command: 

    $ oc get externalsecrets.external-secrets.io -A

    The following is example output from validating that the SecretStore is present: 

    NAMESPACE             NAME                    STORE                      REFRESH INTERVAL    STATUS          READY
external-secrets-1    gcp-externalsecret      gcp-store                  1hr                 SecretSynced    True
external-secrets-2    aws-external-secret     aws-secret-store           1hr                 SecretSynced    True
external-secrets      bitwarden               bitwarden-secretsmanager   1hr                 SecretSynced    True

  4. To verify that the SecretStore is apiVersion: external-secrets.io/v1, run the following command: 

    $ oc get secretstores.external-secrets.io -n external-secrets-1 gcp-store -o yaml

    The following is example output that the SecretStore is apiVersion: external-secrets.io/v1. 

    apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  creationTimestamp: "2025-10-27T11:38:19Z"
  generation: 1
  name: gcp-store
  namespace: external-secrets-1
  resourceVersion: "104519"
  uid: 7bccb0cc-2557-4f4a-9caa-1577f0108f4b
spec:
.
.
.
status:
  capabilities: ReadWrite
  conditions:
  - lastTransitionTime: "2025-10-27T11:38:19Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready

  5. To verify that the ExternalSecret is apiVersion: external-secrets.io/v1, run the following command: 

    $ oc get externalsecrets.external-secrets.io -n external-secrets-1 gcp-externalsecret -o yaml

    The following is example output that the ExternalSecret is apiVersion: external-secrets.io/v1. 

    apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  creationTimestamp: "2025-10-27T11:39:03Z"
  generation: 1
  name: gcp-externalsecret
  namespace: external-secrets-1
  resourceVersion: "104532"
  uid: 93a3295a-a3ad-4304-90e1-1328d951e5fb
spec:
.
.
.
status:
  binding:
    name: k8s-secret-gcp
  conditions:
  - lastTransitionTime: "2025-10-27T11:39:03Z"
    message: secret synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2025-10-27T12:13:15Z"
  syncedResourceVersion: 1-f47fe3c0b255b6dd8047cdffa772587bb829efe7a1cb70febeda2eb2
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2026 Red HatTorna in cima