Installing the External Secrets Operator for Red Hat OpenShift

To manage external secrets on OpenShift Container Platform, install the External Secrets Operator by using the web console or the command-line interface (CLI).

Limitations of External Secrets Operator for Red Hat OpenShift

The following are the limitations of External Secrets Operator for Red Hat OpenShift during the installation and uninstallation of the external-secrets application.

  • Uninstalling the External Secrets Operator for Red Hat OpenShift does not delete the resources created for the external-secrets application. You must clean up the resources manually.

  • When you add cert-manager Operator configurations in the externalsecrets.operator.openshift.io object after creation, delete the external-secrets-cert-controller deployment resource manually to prevent degradation of the external-secrets application.

  • Enable the BitwardenSecretManagerProvider field in the externalsecrets.operator.openshift.io object only when the Operator is installed on an OpenShift cluster running on x86_64 and arm64 architectures.

  • Ensure cert-manager Operator is installed and operational before deploying the External Secrets Operator for Red Hat OpenShift for seamless functioning. If you install the cert-manager Operator later, manually restart the external-secrets-operator pod to apply cert-manager configurations in externalsecrets.operator.openshift.io object.

Installing the External Secrets Operator for Red Hat OpenShift by using the web console

Install the External Secrets Operator for Red Hat OpenShift by using the web console to add secret management features to your cluster. By doing this task, you can select an update channel and approval strategy to ensure the Operator stays current.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have access to the OpenShift Container Platform web console.

Procedure
  1. Log in to the OpenShift Container Platform web console.

  2. Navigate to Ecosystem → Software Catalog.

  3. Enter External Secrets Operator in the search box.

  4. Select the External Secrets Operator for Red Hat OpenShift from the generated list and click Install.

  5. On the Install Operator page:

    1. Update the Update channel, if necessary. The channel defaults to stable-v1, which installs the latest stable release of the External Secrets Operator.

    2. Select the version from Version drop-down list.

    3. Choose the Installed Namespace for the Operator.

      • To use the default Operator namespace, select the Operator recommended Namespace option.

      • To use the namespace that you created, select the Select a Namespace option, and then select the namespace from the drop-down list.

      • If the default external-secrets-operator namespace does not exist, it is created for you by the Operator Lifecycle Manager (OLM).

    4. Select an Update approval strategy.

      • The Automatic strategy enables OLM to automatically update the Operator when a new version is available.

      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.

    5. Click Install.

Verification
  1. Navigate to Ecosystem → Installed Operators.

  2. Verify that External Secrets Operator is listed with a Status of Succeeded in the external-secrets-operator namespace.

Installing the External Secrets Operator for Red Hat OpenShift by using the CLI

You can use the command-line interface (CLI) to install the External Secrets Operator for Red Hat OpenShift.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

Procedure
  1. Create a new project named external-secrets-operator by running the following command:

    $ oc new-project external-secrets-operator
  2. Create an OperatorGroup object by defining a YAML file with the following content:

    apiVersion: operators.coreos.com/v1
    kind: OperatorGroup
    metadata:
      name: openshift-external-secrets-operator
      namespace: external-secrets-operator
    spec:
      targetNamespaces: []
  3. Create the OperatorGroup object by running the following command:

    $ oc create -f operatorGroup.yaml
  4. Create a Subscription object by defining a YAML file with the following content:

    The following is an example of a subscription.yaml file.

    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      name: openshift-external-secrets-operator
      namespace: external-secrets-operator
    spec:
      channel: stable-v1
      name: openshift-external-secrets-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      installPlanApproval: Automatic
      startingCSV: external-secrets-operator.v1.0.0
  5. Create the Subscription object by running the following command:

    $ oc create -f subscription.yaml
Verification
  1. Verify that the OLM subscription is created by running the following command:

    $ oc get subscription -n external-secrets-operator

    The following is example output verifying the OLM subscription is created.

    NAME                                  PACKAGE                               SOURCE             CHANNEL
    openshift-external-secrets-operator   openshift-external-secrets-operator   redhat-operators   stable-v1
  2. Verify whether the Operator is successfully installed by running the following command:

    $ oc get csv -n external-secrets-operator

    The following is example output verifying that the Operator is installed.

    NAME                               DISPLAY                                           VERSION   REPLACES   PHASE
    external-secrets-operator.v1.0.0   External Secrets Operator for Red Hat OpenShift   1.0.0                Succeeded
  3. Verify that the status of the External Secrets Operator is Running by entering the following command:

    $ oc get pods -n external-secrets-operator

    The following is example output verifying the External Secrets Operator is Running.

    NAME                                                            READY   STATUS    RESTARTS   AGE
    external-secrets-operator-controller-manager-5699f4bc54-kbsmn   1/1     Running   0          25h

Installing the External Secrets operand by using the CLI

Install the External Secrets operand on OpenShift Container Platform by using the CLI to create the necessary configuration object. By completing this task, you ensure that the External Secrets Operator is properly configured to manage secrets from external APIs on your cluster.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

Procedure
  1. Create an externalsecretsconfig.operator.openshift.io object by defining a YAML file with the following content:

    Example externalsecretsconfig.yaml file.
    apiVersion: operator.openshift.io/v1alpha1
    kind: ExternalSecretsConfig
    metadata:
      labels:
        app: external-secrets-operator
        app.kubernetes.io/name: cluster
      name: cluster
    spec:
      controllerConfig:
        networkPolicies:
        - componentName: ExternalSecretsCoreController
          egress:
          - {}
          name: allow-external-secrets-egress

    For more information on spec configuration, see "External Secrets Operator for Red Hat OpenShift APIs".

  2. Create the externalsecretsconfig.operator.openshift.io object by running the following command:

    $ oc create -f externalsecretsconfig.yaml
Verification
  1. Verify that the external-secrets pods are running by entering the following command:

    $ oc get pods -n external-secrets
    Example output
    NAME                                                READY   STATUS    RESTARTS   AGE
    external-secrets-75d47cb9c8-6p4n2                   1/1     Running   0          4h5m
    external-secrets-cert-controller-676444b897-qb6ft   1/1     Running   0          4h5m
    external-secrets-webhook-b566658ff-7m4d5            1/1     Running   0          4h5m
  2. Verify that the external-secrets-operator deployment object reports a successful status by running the following command:

    $ oc get externalsecretsconfig.operator.openshift.io cluster -n external-secrets-operator -o jsonpath='{.status.conditions}' | jq .
    Example output
    [
      {
        "lastTransitionTime": "2025-06-17T14:57:04Z",
        "message": "",
        "observedGeneration": 2,
        "reason": "Ready",
        "status": "False",
        "type": "Degraded"
      },
      {
        "lastTransitionTime": "2025-11-27T05:58:38Z",
        "message": "reconciliation successful",
        "observedGeneration": 2,
        "reason": "Ready",
        "status": "True",
        "type": "Ready"
      }
    ]
Next step
  • Configure the network policies of the operand as described in "Configuring network policy for the operand".
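
The following added example (not part of the original documentation or the Operator's code) checks an ExternalSecretsConfig object for the two things the steps above touch: whether the Ready and Degraded conditions describe the current spec, and whether a network policy still contains the allow-all `egress: - {}` rule from the sample file. It assumes the egress entries follow standard Kubernetes NetworkPolicy rule semantics; `review`, `SAMPLE`, and the `metadata.generation` value are hypothetical names and data constructed for illustration.

```python
import json
import sys
from pathlib import Path

# Constructed sample: the spec and status.conditions shown on this page, merged
# into the shape `oc get ... -o json` returns. metadata.generation is an assumed
# value chosen to match the observedGeneration in the example output.
SAMPLE = {
    "metadata": {"name": "cluster", "generation": 2},
    "spec": {"controllerConfig": {"networkPolicies": [
        {"componentName": "ExternalSecretsCoreController",
         "name": "allow-external-secrets-egress", "egress": [{}]},
    ]}},
    "status": {"conditions": [
        {"type": "Degraded", "status": "False", "reason": "Ready",
         "observedGeneration": 2, "message": ""},
        {"type": "Ready", "status": "True", "reason": "Ready",
         "observedGeneration": 2, "message": "reconciliation successful"},
    ]},
}


def review(obj):
    """Return a list of findings; an empty list means healthy and scoped."""
    findings = []
    generation = obj.get("metadata", {}).get("generation")
    conds = {c.get("type"): c for c in obj.get("status", {}).get("conditions", [])}
    for ctype, want in (("Ready", "True"), ("Degraded", "False")):
        cond = conds.get(ctype)
        if cond is None:
            findings.append(f"{ctype}: condition missing")
            continue
        if cond.get("status") != want:
            findings.append(f"{ctype}: status={cond.get('status')} ({cond.get('message', '')})")
        # A condition computed for an older spec says nothing about the current one.
        if generation is not None and cond.get("observedGeneration") != generation:
            findings.append(f"{ctype}: stale, observedGeneration != {generation}")
    policies = obj.get("spec", {}).get("controllerConfig", {}).get("networkPolicies", [])
    for pol in policies:
        # An empty rule has no 'to' and no 'ports', so it matches every destination.
        if any(not rule for rule in pol.get("egress", [])):
            findings.append(f"{pol.get('name')}: allow-all egress for {pol.get('componentName')}")
    return findings


if __name__ == "__main__":
    obj = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(review(obj)) or "ok")
```

To run it against a live cluster, save the output of the `oc get externalsecretsconfig.operator.openshift.io cluster -o json` command to a file and pass the file path as the first argument.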

Understanding update channels of the External Secrets Operator for Red Hat OpenShift

Control the version of the External Secrets Operator for Red Hat OpenShift in your cluster by selecting an update channel. By using this mechanism, you can declare a specific version track, ensuring your environment receives only the updates you require for stability.

The External Secrets Operator for Red Hat OpenShift offers the following update channels:

  • stable-v1

  • stable-v1.y

About the External Secrets Operator for Red Hat OpenShift stable-v1 channel

Select the stable-v1 channel to install and update the latest release of the External Secrets Operator for Red Hat OpenShift. By selecting this channel, you can use the most recent stable release for your Operator.

Note

The stable-v1 channel is the default and suggested channel while installing the External Secrets Operator for Red Hat OpenShift.

The stable-v1 channel offers the following update approval strategies:

Automatic

If you choose automatic updates for an installed External Secrets Operator for Red Hat OpenShift, when a new version of the External Secrets Operator for Red Hat OpenShift is available in the stable-v1 channel, the Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without human intervention.

Manual

If you select manual updates, when a newer version of the External Secrets Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version.

About the External Secrets Operator for Red Hat OpenShift stable-v1.y channel

Select the stable-v1 channel to install and update the latest release of the External Secrets Operator for Red Hat OpenShift. By selecting this channel, you can use the latest stable release and choose between automatic and manual updates.

The y-stream version of the External Secrets Operator for Red Hat OpenShift installs updates from the stable-v1.y channels such as stable-v1.0, stable-v1.1, and stable-v1.2. Select the stable-v1.y channel if you want to use the y-stream version and stay updated to the z-stream version of the External Secrets Operator for Red Hat OpenShift.

The stable-v1.y channel offers the following update approval strategies:

Automatic

If you choose automatic updates for an installed External Secrets Operator for Red Hat OpenShift, when a new z-stream version of the External Secrets Operator for Red Hat OpenShift is available in the stable-v1.y channel, OLM automatically upgrades the running instance of your Operator without human intervention.

Manual

If you select manual updates, when a newer version of the External Secrets Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the External Secrets Operator for Red Hat OpenShift updated to the new version of the z-stream releases.