
External Secrets Operator for Red Hat OpenShift APIs

External Secrets Operator for Red Hat OpenShift uses the following two APIs to configure the external-secrets application deployment.

| Group | Version | Kind |
|---|---|---|
| operator.openshift.io | v1alpha1 | externalsecretsConfig |
| operator.openshift.io | v1alpha1 | externalsecretsmanager |

The following list contains the External Secrets Operator for Red Hat OpenShift APIs:

  • ExternalSecretsConfig

  • ExternalSecretsManager

externalSecretsManagerList

The externalSecretsManagerList object fetches the list of externalSecretsManager objects.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | | |
| kind | string | kind specifies the type of the object, which is externalSecretsManagerList for this API. | | |
| metadata | ListMeta | Refer to Kubernetes API documentation for details about the metadata fields. | | |
| items | array | Items contains a list of externalSecretsManager objects. | | |

externalSecretsManager

The externalSecretsManager object defines the configuration and information of deployments managed by the External Secrets Operator. Set the name to cluster, because only one instance of externalSecretsManager is allowed per cluster.

You can configure global options by using externalSecretsManager. This serves as a centralized configuration for managing multiple controllers of the Operator. The Operator automatically creates the externalSecretsManager object during installation.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | | |
| kind | string | kind specifies the type of the object, which is externalSecretsManager for this object. | | |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for details about the metadata fields. | | |
| spec | object | spec contains specifications of the desired behavior. | | |
| status | object | status displays the most recently observed state of the controllers in the External Secrets Operator. | | |

externalSecretsConfigList

The externalSecretsConfigList object fetches the list of externalSecretsConfig objects.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | | |
| kind | string | kind specifies the type of the object, which is externalSecretsList for this API. | | |
| metadata | ListMeta | Refer to Kubernetes API documentation for details about the metadata fields. | | |
| items | array | Items contains a list of externalSecrets objects. | | |

externalSecretsConfig

The externalSecretsConfig object defines the configuration and information for the managed external-secrets operand deployment. Set the name to cluster, because the externalSecretsConfig object allows only one instance per cluster.

Creating an externalSecretsConfig object triggers the deployment of the external-secrets operand and maintains the desired state.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| apiVersion | string | The apiVersion specifies the version of the schema in use, which is operator.openshift.io/v1alpha1. | | |
| kind | string | kind specifies the type of the object, which is externalSecrets for this object. | | |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for details about the metadata fields. | | |
| spec | object | spec contains the specifications of the desired behavior of the externalSecrets object. | | |
| status | object | status displays the most recently observed status of the externalSecrets object. | | |

Listing fields in External Secrets Operator for Red Hat OpenShift APIs

The following fields apply to the External Secrets Operator for Red Hat OpenShift APIs.

externalSecretsManagerSpec

The externalSecretsManagerSpec field defines the desired behavior of the externalSecretsManager object.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| globalConfig | object | globalConfig configures the behavior of deployments that External Secrets Operator manages. | | Optional |

externalSecretsManagerStatus

The externalSecretsManagerStatus field shows the most recently observed status of the externalSecretsManager object.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| controllerStatuses | array | controllerStatuses holds the observed conditions of the controllers used by the Operator. | | |
| lastTransitionTime | Time | lastTransitionTime records the most recent time the status of the condition changed. | | Format: date-time. Type: string. |

externalSecretsConfigSpec

The externalSecretsConfigSpec field defines the desired behavior of the externalSecrets object.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| appConfig | object | appConfig configures the behavior of the external-secrets operand. | | Optional |
| plugins | object | plugins configures the optional provider plugins. | | Optional |
| controllerConfig | object | controllerConfig configures the controller to set up defaults that enable the external-secrets operand. | | Optional |

externalSecretsConfigStatus

The externalSecretsConfigStatus field shows the most recently observed status of the externalSecretsConfig Object.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| conditions | Condition array | conditions contains information about the current state of the deployment. | | |
| externalSecretsImage | string | externalSecretsImage specifies the image name and tag used to deploy the external-secrets operand. | | |
| bitwardenSDKServerImage | string | bitwardenSDKServerImage specifies the name of the image and tag used for deploying the bitwarden-sdk-server. | | |

globalConfig

The globalConfig field configures the behavior of the External Secrets Operator.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| labels | object (keys:string, values:string) | labels applies to all resources created by the Operator. This field can have a maximum of 20 entries. | | The maximum number of properties is 20. The minimum number of properties is 0. Optional |
| logLevel | integer | logLevel supports a range of values as defined in the Kubernetes logging guidelines. | 1 | The maximum value is 5. The minimum value is 1. Optional |
| resources | ResourceRequirements | resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | Optional |
| affinity | Affinity | affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | | Optional |
| tolerations | Toleration array | tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | The maximum number of items is 50. The minimum number of items is 0. Optional |
| nodeSelector | object (keys:string, values:string) | nodeSelector defines the scheduling criteria by using the node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | | The maximum number of properties is 50. The minimum number of properties is 0. Optional |
| proxy | object | proxy sets the proxy configurations available in the operand containers managed by the Operator as environment variables. | | Optional |

controllerConfig

The controllerConfig specifies the configurations used by the controller when installing the external-secrets operand and the plugins.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| certProvider | object | certProvider defines the configuration for the certificate providers used to manage TLS certificates for the webhook and plugins. | | Optional |
| labels | object (keys:string, values:string) | labels applies labels to all resources created for the external-secrets operand deployment. | | The maximum number of properties is 20. The minimum number of properties is 0. Optional |

controllerStatus

The controllerStatus field contains the observed conditions of the controllers used by the Operator.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| name | string | name specifies the name of the controller for which the observed condition is recorded. | | Required |
| conditions | array | conditions contains information about the current state of the External Secrets Operator controllers. | | |
| observedGeneration | integer | observedGeneration represents the .metadata.generation on the observed resource. | | The minimum value is 0. |

applicationConfig

The applicationConfig specifies the configurations for the external-secrets operand.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| logLevel | integer | logLevel supports a range of values as defined in the Kubernetes logging guidelines. | 1 | The maximum value is 5. The minimum value is 1. Optional |
| operatingNamespace | string | operatingNamespace restricts the external-secrets operand operations to the provided namespace. Enabling this field disables ClusterSecretStore and ClusterExternalSecret. | | The maximum length is 63. The minimum length is 1. Optional |
| webhookConfig | object | webhookConfig configures webhook specifics of the external-secrets operand. | | |
| resources | ResourceRequirements | resources defines the resource requirements. You cannot change the value of this field after setting it initially. For more information, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | | Optional |
| affinity | Affinity | affinity sets the scheduling affinity rules. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ | | Optional |
| tolerations | Toleration array | tolerations sets the pod tolerations. For more information, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ | | The maximum number of items is 50. The minimum number of items is 0. Optional |
| nodeSelector | object (keys:string, values:string) | nodeSelector defines the scheduling criteria by using node labels. For more information, see https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ | | The maximum number of properties is 50. The minimum number of properties is 0. Optional |
| proxy | object (keys:string, values:string) | proxy sets the proxy configurations available in operand containers managed by the Operator as environment variables. | | Optional |

bitwardenSecretManagerProvider

The bitwardenSecretManagerProvider field enables the Bitwarden secrets manager provider and sets up the additional service required to connect to the Bitwarden server.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| mode | string | mode sets the state of the bitwardenSecretManagerProvider provider, which can be Enabled or Disabled. If set to Enabled, the Operator ensures the plugin is deployed and synchronized. If set to Disabled, reconciliation of the Bitwarden provider plugin is disabled: the plugin and its resources remain in their current state and are not managed by the Operator. | Disabled | enum: [Enabled Disabled]. Optional |
| secretRef | SecretReference | secretRef specifies the Kubernetes secret that contains the TLS key pair for the Bitwarden server. If this reference is not provided and the certManagerConfig field is configured, the issuer defined in certManagerConfig generates the required certificate. The secret must use tls.crt for the certificate, tls.key for the private key, and ca.crt for the CA certificate. | | Optional |

webhookConfig

The webhookConfig field configures the specifics of the external-secrets application webhook.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| certificateCheckInterval | Duration | certificateCheckInterval configures the polling interval to check certificate validity. | 5m | Optional |

certManagerConfig

The certManagerConfig field configures the cert-manager Operator settings.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| mode | string | mode specifies whether to use cert-manager for certificate management instead of the built-in cert-controller; set it to Enabled or Disabled. If set to Enabled, cert-manager obtains the certificates for the webhook server and other components. If set to Disabled, the cert-controller obtains the certificates for the webhook server. Disabled is the default behavior. | Disabled | enum: [Enabled Disabled]. Required |
| injectAnnotations | string | injectAnnotations adds the cert-manager.io/inject-ca-from annotation to the webhooks and custom resource definitions (CRDs) to automatically configure the webhook with the cert-manager Operator certificate authority (CA). This requires CA Injector to be enabled in the cert-manager Operator. Set this field to true or false. When set, this field cannot be changed. | false | enum: [true false]. Optional |
| issuerRef | ObjectReference | issuerRef contains details of the referenced object used for obtaining certificates. The object must exist in the external-secrets namespace unless a cluster-scoped cert-manager Operator issuer is used. | | Required |
| certificateDuration | Duration | certificateDuration sets the validity period of the webhook certificate. | 8760h | Optional |
| certificateRenewBefore | Duration | certificateRenewBefore sets how long before expiry the webhook certificate is renewed. | 30m | Optional |

certProvidersConfig

The certProvidersConfig field defines the configuration for the certificate providers used to manage TLS certificates for the webhook and plugins.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| certManager | object | certManager defines the configuration for cert-manager provider specifics. | | Optional |

objectReference

The ObjectReference field refers to an object by its name, kind, and group.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| name | string | name specifies the name of the resource being referred to. | | The maximum length is 253 characters. The minimum length is 1 character. Required |
| kind | string | kind specifies the kind of the resource being referred to. | | The maximum length is 253 characters. The minimum length is 1 character. Optional |
| group | string | group specifies the group of the resource being referred to. | | The maximum length is 253 characters. The minimum length is 1 character. Optional |

secretReference

The secretReference field refers to a secret with the given name in the same namespace where it is used.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| name | string | name specifies the name of the secret resource being referred to. | | The maximum length is 253 characters. The minimum length is 1 character. Required |

condition

The condition field holds information about the condition of the external-secrets deployment.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| type | string | type contains the condition of the deployment. | | Required |
| status | ConditionStatus | status contains the status of the condition of the deployment. | | |
| message | string | message provides details on the state of the deployment. | | |

conditionalStatus

The conditionalStatus field holds information about the current state of the external-secrets deployment.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| conditions | array | conditions contains information on the current state of the deployment. | | |
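The externalSecretsManagerStatus, controllerStatus, condition and conditionalStatus tables above describe what the Operator reports; the point a practitioner needs is that a condition is only meaningful when the controller's observedGeneration has caught up with the object's metadata.generation. The following is an added example (not the Operator's own code) that reads that status shape from a Python dict, as produced by parsing the object from the API server, and flags both stale controllers and unhealthy conditions. The condition type names ("Ready", "Degraded") and the HEALTHY_STATUS polarity table are constructed for this example; the reference does not enumerate condition types.

```python
"""Interpret an ExternalSecretsManager status (added example, not the Operator's code).

Status shape per the API reference: status.controllerStatuses is a list of
controllerStatus entries, each with name, conditions and observedGeneration.
"""

# Constructed polarity table: the status each condition type carries when healthy.
# The reference does not list condition types, so these two names are assumptions.
HEALTHY_STATUS = {"Ready": "True", "Degraded": "False"}


def controller_health(manifest):
    """Map controller name -> (is_current, problems).

    is_current is False when observedGeneration lags metadata.generation: the
    conditions then describe an older spec and must not be read as the current state.
    """
    generation = manifest.get("metadata", {}).get("generation", 0)
    result = {}
    for ctrl in manifest.get("status", {}).get("controllerStatuses", []):
        is_current = ctrl.get("observedGeneration", 0) >= generation
        problems = []
        for cond in ctrl.get("conditions", []):
            expected = HEALTHY_STATUS.get(cond.get("type"))
            if expected is not None and cond.get("status") != expected:
                problems.append(
                    f"{cond['type']}={cond.get('status')}: {cond.get('message', '')}"
                )
        result[ctrl["name"]] = (is_current, problems)
    return result


def is_healthy(manifest):
    """True only when every controller reconciled the latest generation without problems."""
    health = controller_health(manifest)
    return bool(health) and all(
        current and not problems for current, problems in health.values()
    )


# Constructed sample object; generation 3 has only been observed by the first controller.
SAMPLE_MANAGER = {
    "apiVersion": "operator.openshift.io/v1alpha1",
    "kind": "ExternalSecretsManager",
    "metadata": {"name": "cluster", "generation": 3},
    "status": {
        "controllerStatuses": [
            {
                "name": "external-secrets-config",
                "observedGeneration": 3,
                "conditions": [
                    {"type": "Ready", "status": "True", "message": "operand deployed"}
                ],
            },
            {
                "name": "bitwarden-sdk-server",
                "observedGeneration": 2,
                "conditions": [
                    {"type": "Degraded", "status": "True",
                     "message": "TLS secret bitwarden-tls not found"}
                ],
            },
        ]
    },
}

if __name__ == "__main__":
    for name, (current, problems) in controller_health(SAMPLE_MANAGER).items():
        print(name, "current" if current else "STALE", problems or "ok")
    print("healthy:", is_healthy(SAMPLE_MANAGER))
```

Run it as a script to see one current, healthy controller and one stale, degraded one; a monitoring check that ignores the generation comparison would report the second controller against a spec that has already changed.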

mode

The mode field indicates the operational state of the optional features.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| Enabled | | Enabled indicates the optional configuration is enabled. | | |
| Disabled | | Disabled indicates the optional configuration is disabled. | | |

pluginsConfig

The pluginsConfig configures the optional plugins.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| bitwardenSecretManagerProvider | object | bitwardenSecretManagerProvider enables the bitwarden-secrets-manager provider plugin for connecting with the 'bitwarden-secrets-manager'. | | Optional |

proxyConfig

The proxyConfig holds the proxy configurations which are made available in the operand containers and managed by the Operator as environment variables.

| Field | Type | Description | Default | Validation |
|---|---|---|---|---|
| httpProxy | string | The httpProxy field contains the URL of the proxy for HTTP requests. This field can have a maximum of 2048 characters. | | The maximum length is 2048 characters. The minimum length is 0 characters. Optional |
| httpsProxy | string | The httpsProxy field contains the URL of the proxy for HTTPS requests. This field can have a maximum of 2048 characters. | | The maximum length is 2048 characters. The minimum length is 0 characters. Optional |
| noProxy | string | The noProxy field is a comma-separated list of hostnames, Classless Inter-Domain Routing (CIDR) ranges, and IP addresses, or a combination of the three, for which the proxy should not be used. This field can have a maximum of 4096 characters. | | The maximum length is 4096 characters. The minimum length is 0 characters. Optional |
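The Validation column of the externalSecretsConfigSpec, applicationConfig, controllerConfig, certManagerConfig, bitwardenSecretManagerProvider, objectReference and proxyConfig tables is enforced by the API server at admission time, but catching a violation before `oc apply` (in CI, or in a GitOps pre-commit hook) gives a clearer message than an admission error. The following is an added example, not the Operator's own code: it lints an ExternalSecretsConfig manifest, held as a Python dict in the shape a YAML loader would produce, against those rules. The nesting of the fields under spec (appConfig, plugins, controllerConfig, and controllerConfig.certProvider.certManager) is assumed from the field tables above; the function names and both sample manifests are constructed for this example, and the rule that an Enabled Bitwarden plugin needs either secretRef or an Enabled cert-manager provider is this example's reading of the secretRef description.

```python
"""Pre-apply lint for an ExternalSecretsConfig manifest (added example).

Field nesting under spec is assumed from the API reference tables; function
names and the sample manifests below are constructed for this example.
"""

API_VERSION = "operator.openshift.io/v1alpha1"
MODE_VALUES = {"Enabled", "Disabled"}


def _check_len(v, path, value, lo, hi):
    """Record a violation when len(value) falls outside [lo, hi]; None means unset."""
    if value is not None and not lo <= len(value) <= hi:
        v.append(f"{path}: length {len(value)} outside [{lo}, {hi}]")


def _check_object_reference(v, path, ref):
    # objectReference: name is required; name, kind and group are 1..253 characters.
    if not ref.get("name"):
        v.append(f"{path}.name: required")
    for key in ("name", "kind", "group"):
        _check_len(v, f"{path}.{key}", ref.get(key), 1, 253)


def validate_external_secrets_config(manifest):
    """Return the list of rule violations; an empty list means the manifest passes."""
    v = []
    if manifest.get("apiVersion") != API_VERSION:
        v.append(f"apiVersion: must be {API_VERSION}")
    # Only one instance per cluster: the reference requires the name 'cluster'.
    if manifest.get("metadata", {}).get("name") != "cluster":
        v.append("metadata.name: must be 'cluster'")
    spec = manifest.get("spec", {})

    app = spec.get("appConfig", {})
    level = app.get("logLevel")
    if level is not None and not 1 <= level <= 5:
        v.append(f"spec.appConfig.logLevel: {level} outside [1, 5]")
    _check_len(v, "spec.appConfig.operatingNamespace", app.get("operatingNamespace"), 1, 63)
    _check_len(v, "spec.appConfig.tolerations", app.get("tolerations"), 0, 50)
    _check_len(v, "spec.appConfig.nodeSelector", app.get("nodeSelector"), 0, 50)
    proxy = app.get("proxy", {})
    _check_len(v, "spec.appConfig.proxy.httpProxy", proxy.get("httpProxy"), 0, 2048)
    _check_len(v, "spec.appConfig.proxy.httpsProxy", proxy.get("httpsProxy"), 0, 2048)
    _check_len(v, "spec.appConfig.proxy.noProxy", proxy.get("noProxy"), 0, 4096)

    ctrl = spec.get("controllerConfig", {})
    _check_len(v, "spec.controllerConfig.labels", ctrl.get("labels"), 0, 20)
    cm_path = "spec.controllerConfig.certProvider.certManager"
    cm = ctrl.get("certProvider", {}).get("certManager")
    cert_manager_enabled = False
    if cm is not None:
        # Inside certManager, both mode and issuerRef are required fields.
        if cm.get("mode") not in MODE_VALUES:
            v.append(f"{cm_path}.mode: must be one of {sorted(MODE_VALUES)}")
        if "issuerRef" not in cm:
            v.append(f"{cm_path}.issuerRef: required")
        else:
            _check_object_reference(v, f"{cm_path}.issuerRef", cm["issuerRef"])
        cert_manager_enabled = cm.get("mode") == "Enabled"

    bw_path = "spec.plugins.bitwardenSecretManagerProvider"
    bw = spec.get("plugins", {}).get("bitwardenSecretManagerProvider", {})
    bw_mode = bw.get("mode")
    if bw_mode is not None and bw_mode not in MODE_VALUES:
        v.append(f"{bw_path}.mode: must be one of {sorted(MODE_VALUES)}")
    if "secretRef" in bw:
        _check_len(v, f"{bw_path}.secretRef.name", bw["secretRef"].get("name"), 1, 253)
    elif bw_mode == "Enabled" and not cert_manager_enabled:
        # The plugin's TLS key pair comes from secretRef, or from the cert-manager issuer
        # when that provider is enabled; with neither there is no certificate source.
        v.append(f"{bw_path}: Enabled requires secretRef or certManager mode Enabled")
    return v


# Constructed sample that satisfies every rule above.
GOOD_MANIFEST = {
    "apiVersion": API_VERSION, "kind": "ExternalSecretsConfig", "metadata": {"name": "cluster"},
    "spec": {
        "appConfig": {"logLevel": 1, "operatingNamespace": "payments",
                      "webhookConfig": {"certificateCheckInterval": "5m"},
                      "proxy": {"httpsProxy": "https://proxy.example.internal:3128",
                                "noProxy": ".cluster.local,10.0.0.0/8"}},
        "controllerConfig": {"labels": {"team": "platform"}, "certProvider": {"certManager": {
            "mode": "Enabled", "injectAnnotations": "true", "certificateDuration": "8760h",
            "certificateRenewBefore": "30m",
            "issuerRef": {"name": "internal-ca", "kind": "ClusterIssuer", "group": "cert-manager.io"}}}},
        "plugins": {"bitwardenSecretManagerProvider": {"mode": "Enabled",
                                                       "secretRef": {"name": "bitwarden-tls"}}},
    },
}

# Constructed sample that breaks seven rules (name, logLevel, namespace, noProxy,
# certManager mode and issuerRef, Bitwarden plugin without a certificate source).
BAD_MANIFEST = {
    "apiVersion": API_VERSION, "kind": "ExternalSecretsConfig", "metadata": {"name": "default"},
    "spec": {
        "appConfig": {"logLevel": 7, "operatingNamespace": "", "proxy": {"noProxy": "x" * 4097}},
        "controllerConfig": {"certProvider": {"certManager": {"mode": "true"}}},
        "plugins": {"bitwardenSecretManagerProvider": {"mode": "Enabled"}},
    },
}

if __name__ == "__main__":
    for label, m in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, validate_external_secrets_config(m) or "passes")
```

The checks deliberately treat an absent optional field as valid and only measure what is present, which matches how the Validation column reads: bounds apply to a value once it is set, while Required entries (certManager.mode, certManager.issuerRef, objectReference.name) are reported whenever their parent object exists.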