
Customizing the External Secrets Operator for Red Hat OpenShift

After the External Secrets Operator for Red Hat OpenShift is installed, you can customize its behavior by editing the ExternalSecretsConfig custom resource (CR). This lets you modify components such as the external-secrets controller, the cert-controller, the webhook, and the bitwardenSecretManagerProvider plugin, and it also lets you set environment variables for the Operator pod.

Setting a log level for the External Secrets Operator for Red Hat OpenShift

Set the log level for the External Secrets Operator for Red Hat OpenShift to control the detail of log messages. By adjusting the verbosity, you can troubleshoot issues effectively and manage the volume of log data.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have created the ExternalSecretsConfig custom resource.

Procedure
  • Update the subscription object for the External Secrets Operator for Red Hat OpenShift to provide the verbosity level for the operator logs by running the following command:

    $ oc -n <external_secrets_operator_namespace> patch subscription openshift-external-secrets-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"OPERATOR_LOG_LEVEL","value":"<log_level>"}]}}}'

    where:

    external_secrets_operator_namespace

    Specifies the namespace where the Operator is installed.

    log_level

    Specifies the level of log detail. Valid values are 1 through 5. The default is 2.

Verification
  1. The External Secrets Operator pod is redeployed. Verify that the log level of the External Secrets Operator for Red Hat OpenShift is updated by running the following command:

    $ oc set env deploy/external-secrets-operator-controller-manager -n external-secrets-operator --list | grep -e OPERATOR_LOG_LEVEL -e container

    The following example verifies that the log level of the External Secrets Operator for Red Hat OpenShift is updated.

    # deployments/external-secrets-operator-controller-manager, container manager
    OPERATOR_LOG_LEVEL=2
  2. Verify that the log level of the External Secrets Operator for Red Hat OpenShift is updated by running the oc logs command:

    $ oc logs -n external-secrets-operator -f deployments/external-secrets-operator-controller-manager -c manager

Setting a log level for the External Secrets Operator for Red Hat OpenShift operand

Set the log level for the External Secrets Operator for Red Hat OpenShift operand to control the verbosity of log messages. By doing this task, you can adjust the amount of detail recorded for troubleshooting or monitoring purposes.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have created the ExternalSecretsConfig custom resource.

Procedure
  1. Edit the ExternalSecretsConfig CR by running the following command:

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
  2. Set the log level value by editing the spec.appConfig.logLevel section:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    ...
    spec:
      appConfig:
        logLevel: <log_level>

    where:

    log_level

    Specifies the level of log detail. Supports the value range of 1-5. The log level maps to the following operand log levels:
      • 1 - warnings

      • 2 - error logs

      • 3 - info logs

      • 4 and 5 - debug logs

  3. Save your changes and exit the editor.
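The two procedures above set two different log levels: the Operator's own (the OPERATOR_LOG_LEVEL environment variable on the Subscription) and the operand's (spec.appConfig.logLevel on the ExternalSecretsConfig CR). The following script is an added example, not part of the Red Hat documentation, that applies both in one step, validates the level before anything is sent to the API server, and waits for the Operator rollout before checking the result. It assumes the Operator is installed in the external-secrets-operator namespace (override with OPERATOR_NS); the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the Red Hat documentation: set the Operator log level
# (OPERATOR_LOG_LEVEL on the Subscription) and the operand log level
# (spec.appConfig.logLevel on the ExternalSecretsConfig CR) together.
# Assumption: the Operator namespace is "external-secrets-operator" (override with OPERATOR_NS).
set -eu

OPERATOR_NS="${OPERATOR_NS:-external-secrets-operator}"
SUBSCRIPTION="openshift-external-secrets-operator"
MANAGER_DEPLOY="external-secrets-operator-controller-manager"

# Only the documented range 1-5 is accepted; anything else is rejected locally.
validate_log_level() {
  case "$1" in
    [1-5]) return 0 ;;
    *) echo "invalid log level '$1': must be 1-5" >&2; return 1 ;;
  esac
}

# JSON merge patch for the Subscription; OLM propagates the env var to the manager container.
subscription_patch() {
  validate_log_level "$1" || return 1
  printf '{"spec":{"config":{"env":[{"name":"OPERATOR_LOG_LEVEL","value":"%s"}]}}}' "$1"
}

# JSON merge patch for the cluster-scoped ExternalSecretsConfig CR (logLevel is an integer field).
operand_patch() {
  validate_log_level "$1" || return 1
  printf '{"spec":{"appConfig":{"logLevel":%s}}}' "$1"
}

# Verbosity class the operand uses for each numeric level, as documented above.
operand_level_name() {
  case "$1" in
    1) echo warnings ;;
    2) echo error ;;
    3) echo info ;;
    4|5) echo debug ;;
    *) return 1 ;;
  esac
}

apply_log_levels() {
  local level="$1"
  oc -n "$OPERATOR_NS" patch subscription "$SUBSCRIPTION" --type=merge -p "$(subscription_patch "$level")"
  oc patch externalsecretsconfigs.operator.openshift.io cluster --type=merge -p "$(operand_patch "$level")"
  # The Operator pod is redeployed; wait for the rollout before reading the env var back.
  oc -n "$OPERATOR_NS" rollout status "deploy/$MANAGER_DEPLOY" --timeout=120s
  oc -n "$OPERATOR_NS" set env "deploy/$MANAGER_DEPLOY" --list | grep OPERATOR_LOG_LEVEL
  echo "operand log level $level -> $(operand_level_name "$level") logs"
}

# Usage: ./eso-loglevel.sh <level>
if [ $# -eq 1 ]; then
  apply_log_levels "$1"
fi
```

Keep the Operator level at 2 in normal operation and raise both levels only while troubleshooting: at 4 and 5 the operand logs at debug verbosity, which increases log volume considerably.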

Configuring cert-manager for the external-secrets certificate requirements

Configure cert-manager to handle certificate management for the external-secrets webhook and plugins. This optional configuration automates certificate generation for plugins and eliminates the need for manual configuration.

When cert-manager is not used, external-secrets defaults to its own certificate management. In this mode, it automatically generates the required certificates for the webhook, while you are responsible for manually configuring certificates for the plugins.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have created the ExternalSecretsConfig custom resource.

  • You have installed the cert-manager Operator for Red Hat OpenShift. For more information, see "Installing the cert-manager Operator for Red Hat OpenShift".

Procedure
  1. Edit the ExternalSecretsConfig custom resource by running the following command:

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
  2. Configure cert-manager by editing the spec.controllerConfig.certProvider.certManager section as follows:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    ...
    spec:
      controllerConfig:
        certProvider:
          certManager:
            injectAnnotations: "true"
            issuerRef:
              name: <issuer_name>
              kind: <issuer_kind>
              group: <issuer_group>
            mode: Enabled

    where:

    injectAnnotations

    Must be set to true when enabled.

    name

    Specifies the name of the issuer object referenced in ExternalSecretsConfig.

    kind

    Specifies the API issuer. Can be set to either Issuer or ClusterIssuer.

    group

    Specifies the API issuer group. The group name must be cert-manager.io.

    mode

    Must be set to Enabled. This is an immutable field and cannot be modified once it is configured.

  3. Save your changes.

  4. After you update the cert-manager configuration in the externalsecretsconfig.operator.openshift.io object, you must manually delete the external-secrets-cert-controller deployment by running the following command. This prevents performance degradation of the external-secrets application.

    $ oc delete deployments.apps external-secrets-cert-controller -n external-secrets
  5. Optionally, you can delete other resources created for the cert-controller by running the following commands:

    $ oc delete clusterrolebindings.rbac.authorization.k8s.io external-secrets-cert-controller
    $ oc delete clusterroles.rbac.authorization.k8s.io external-secrets-cert-controller
    $ oc delete serviceaccounts external-secrets-cert-controller -n external-secrets
    $ oc delete secrets external-secrets-webhook -n external-secrets
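Because mode is immutable once set, it is worth checking the issuer before switching the certificate provider. The following script is an added example, not part of the Red Hat documentation: it validates the issuerRef against the constraints listed above, refuses to run if certManager.mode is already set, confirms that the referenced issuer reports a Ready condition of True (the standard cert-manager status condition), applies the patch, and then removes the cert-controller deployment as the procedure requires. It assumes the operand namespace is external-secrets (the namespace the cleanup commands above use) and that a namespaced Issuer lives in that namespace; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the Red Hat documentation: enable the cert-manager
# certificate provider in ExternalSecretsConfig with pre-flight checks, because
# spec.controllerConfig.certProvider.certManager.mode cannot be changed afterwards.
# Assumption: the operand namespace is "external-secrets" (override with OPERAND_NS).
set -eu

OPERAND_NS="${OPERAND_NS:-external-secrets}"

# The CR accepts only Issuer or ClusterIssuer, and only from the cert-manager.io group.
validate_issuer_ref() {
  case "$2" in
    Issuer|ClusterIssuer) ;;
    *) echo "issuer kind must be Issuer or ClusterIssuer, got '$2'" >&2; return 1 ;;
  esac
  if [ "$3" != "cert-manager.io" ]; then
    echo "issuer group must be cert-manager.io, got '$3'" >&2
    return 1
  fi
}

# JSON merge patch for spec.controllerConfig.certProvider.certManager (name kind group).
cert_manager_patch() {
  validate_issuer_ref "$1" "$2" "$3" || return 1
  printf '{"spec":{"controllerConfig":{"certProvider":{"certManager":{"mode":"Enabled","injectAnnotations":"true","issuerRef":{"name":"%s","kind":"%s","group":"%s"}}}}}}' "$1" "$2" "$3"
}

# Only a Ready condition of "True" is acceptable before the immutable switch.
issuer_is_ready() {
  [ "$1" = "True" ]
}

enable_cert_manager() {
  local name="$1" kind="$2" group="${3:-cert-manager.io}" current ready
  # Refuse to run a second time: the field is immutable, so a different value would be rejected anyway.
  current="$(oc get externalsecretsconfigs.operator.openshift.io cluster \
    -o jsonpath='{.spec.controllerConfig.certProvider.certManager.mode}')"
  if [ -n "$current" ]; then
    echo "certManager.mode is already '$current' and cannot be changed" >&2
    return 1
  fi
  # A ClusterIssuer is cluster-scoped; a namespaced Issuer must be in the namespace where
  # the Certificate objects are created, assumed here to be the operand namespace.
  if [ "$kind" = "ClusterIssuer" ]; then
    ready="$(oc get clusterissuer "$name" -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')"
  else
    ready="$(oc -n "$OPERAND_NS" get issuer "$name" -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')"
  fi
  if ! issuer_is_ready "$ready"; then
    echo "issuer $kind/$name is not Ready (status='$ready')" >&2
    return 1
  fi
  oc patch externalsecretsconfigs.operator.openshift.io cluster --type=merge \
    -p "$(cert_manager_patch "$name" "$kind" "$group")"
  # The Operator does not remove the built-in cert-controller; delete it as the procedure requires.
  oc -n "$OPERAND_NS" delete deployment external-secrets-cert-controller --ignore-not-found
}

# Usage: ./eso-certmanager.sh <issuer_name> <Issuer|ClusterIssuer> [group]
if [ $# -ge 2 ]; then
  enable_cert_manager "$@"
fi
```

If the issuer is not Ready, the webhook and plugin certificates will not be issued after the switch, and because mode cannot be reverted through the CR, the check is cheaper than recovering afterwards.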

Configuring the bitwardenSecretManagerProvider plugin

Configure the bitwardenSecretManagerProvider plugin to use Bitwarden Secrets Manager as a source for your secrets. By using this integration, you can sync external secrets to your OpenShift Container Platform cluster.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have created the ExternalSecretsConfig custom resource.

Procedure
  1. Edit the ExternalSecretsConfig custom resource by running the following command:

    $ oc edit externalsecretsconfigs.operator.openshift.io cluster
  2. Edit the spec.plugins.bitwardenSecretManagerProvider section as follows to enable the Bitwarden Secrets Manager:

    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    ...
    spec:
      plugins:
        bitwardenSecretManagerProvider:
          mode: Enabled
          secretRef:
            name: <secret_object_name>

    where:

    name

    The name of the secret that contains the certificate key pair for the plugin. The certificate must be stored under the key tls.crt, the private key under tls.key, and the Certificate Authority (CA) certificate under ca.crt. Configuring the secret is optional when the cert-manager certificate provider is configured.

  3. Save your changes and exit the editor.

  4. If you disable the plugin, you must delete the following resources manually by running the following commands:

    $ oc delete deployments.apps bitwarden-sdk-server -n external-secrets
    $ oc delete certificates.cert-manager.io bitwarden-tls-certs -n external-secrets
    $ oc delete service bitwarden-sdk-server -n external-secrets
    $ oc delete serviceaccounts bitwarden-sdk-server -n external-secrets
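A plugin that starts with a secret missing one of the three keys fails only at runtime, so it pays to check the secret before editing the CR. The following script is an added example, not part of the Red Hat documentation: it lists the data keys of the referenced secret without a jq dependency, reports which of tls.crt, tls.key and ca.crt are missing, enables the plugin only when all three are present, and provides the matching disable step that runs the cleanup commands above. It assumes the secret lives in the operand namespace external-secrets (the namespace used by the cleanup commands) and that mode accepts the value Disabled; the function names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of the Red Hat documentation: validate the TLS secret
# for the bitwardenSecretManagerProvider plugin, then enable or disable the plugin.
# Assumptions: the secret and the plugin resources are in "external-secrets"
# (override with OPERAND_NS), and mode accepts "Disabled" as well as "Enabled".
set -eu

OPERAND_NS="${OPERAND_NS:-external-secrets}"
REQUIRED_KEYS="tls.crt tls.key ca.crt"

# Given the secret's data keys (one per line), print the required keys that are absent.
# An empty result means the secret is complete.
missing_secret_keys() {
  local present="$1" missing="" k
  for k in $REQUIRED_KEYS; do
    if ! printf '%s\n' "$present" | grep -qxF "$k"; then
      missing="${missing:+$missing }$k"
    fi
  done
  printf '%s' "$missing"
}

# Data keys of a secret via go-template, so no jq is needed on the admin host.
secret_keys() {
  oc -n "$OPERAND_NS" get secret "$1" \
    -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# JSON merge patch that enables the plugin and points it at the secret.
bitwarden_enable_patch() {
  printf '{"spec":{"plugins":{"bitwardenSecretManagerProvider":{"mode":"Enabled","secretRef":{"name":"%s"}}}}}' "$1"
}

# JSON merge patch that disables the plugin; its resources are not removed by the Operator.
bitwarden_disable_patch() {
  printf '{"spec":{"plugins":{"bitwardenSecretManagerProvider":{"mode":"Disabled"}}}}'
}

enable_bitwarden() {
  local secret="$1" missing
  missing="$(missing_secret_keys "$(secret_keys "$secret")")"
  if [ -n "$missing" ]; then
    echo "secret $secret is missing required keys: $missing" >&2
    return 1
  fi
  oc patch externalsecretsconfigs.operator.openshift.io cluster --type=merge \
    -p "$(bitwarden_enable_patch "$secret")"
  oc -n "$OPERAND_NS" rollout status deploy/bitwarden-sdk-server --timeout=120s
}

disable_bitwarden() {
  oc patch externalsecretsconfigs.operator.openshift.io cluster --type=merge \
    -p "$(bitwarden_disable_patch)"
  # Manual cleanup required after disabling, as the procedure states.
  oc -n "$OPERAND_NS" delete deployments.apps bitwarden-sdk-server --ignore-not-found
  oc -n "$OPERAND_NS" delete certificates.cert-manager.io bitwarden-tls-certs --ignore-not-found
  oc -n "$OPERAND_NS" delete service bitwarden-sdk-server --ignore-not-found
  oc -n "$OPERAND_NS" delete serviceaccounts bitwarden-sdk-server --ignore-not-found
}

# Usage: ./eso-bitwarden.sh enable <secret_name> | ./eso-bitwarden.sh disable
case "${1:-}" in
  enable) enable_bitwarden "$2" ;;
  disable) disable_bitwarden ;;
esac
```

When the cert-manager certificate provider is configured, the secret check can be skipped, since the plugin's certificate is then issued by cert-manager and secretRef is optional.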