External Secrets Operator for Red Hat OpenShift release notes

The External Secrets Operator for Red Hat OpenShift is a cluster-wide service that provides lifecycle management for secrets fetched from external secret management systems.

These release notes track the development of External Secrets Operator.

For more information, see External Secrets Operator overview.

Release notes for External Secrets Operator for Red Hat OpenShift 1.0.0 (General Availability)

Issued: 2025-11-03

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 1.0.0:

Version 1.0.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets project, version v0.19.0. For more information, see the external-secrets project release notes for v0.19.0.

Bug fixes

  • Before this release, many of the APIs listed in the console for the External Secrets Operator for Red Hat OpenShift were missing descriptions. With this release, the API descriptions have been added. (OCPBUGS-61081)

New features and enhancements

Renaming and improvements on the Operator API

With this release, the Operator API externalsecrets.operator.openshift.io has been renamed to externalsecretsconfigs.operator.openshift.io to avoid confusion with the API provided by external-secrets, which has the same name but a different purpose. The API provided by external-secrets has also been restructured, and new features have been added.

Support to collect metrics of External Secrets Operator

With this release, the External Secrets Operator for Red Hat OpenShift supports collecting metrics for both the Operator and operands. This is optional and must be enabled.

Support to configure proxy for External Secrets Operator

With this release, the External Secrets Operator for Red Hat OpenShift supports configuring a proxy for both the Operator and operand.

Root filesystem is read-only for External Secrets Operator for Red Hat OpenShift containers

With this release, to improve security, the External Secrets Operator for Red Hat OpenShift and all its operands have the readOnlyRootFilesystem security context set to true by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container’s root file system.

Network policy hardening is now available for External Secrets Operator components

With this release, the External Secrets Operator for Red Hat OpenShift includes pre-defined NetworkPolicy resources that enhance security by governing ingress and egress traffic for operand components. These policies cover essential internal traffic, such as ingress to the metrics and webhook servers, and egress to the OpenShift API server and DNS server. Note that deployment of the NetworkPolicy is enabled by default, and that egress allow policies must be explicitly defined in the ExternalSecretsConfig custom resource for the external-secrets component to fetch secrets from external providers.

For more information, see Configuring network policy for the operand.

Release notes for External Secrets Operator for Red Hat OpenShift 0.1.0 (Technology Preview)

Issued: 2025-06-26

The following advisories are available for the External Secrets Operator for Red Hat OpenShift 0.1.0:

Version 0.1.0 of the External Secrets Operator for Red Hat OpenShift is based on the upstream external-secrets version 0.14.3. For more information, see the external-secrets project release notes for v0.14.3.

New features and enhancements

  • This is the initial, Technology Preview release of the External Secrets Operator for Red Hat OpenShift.