This repository contains External Secrets Operator for Red Hat OpenShift. The operator runs in external-secrets-operator namespace.
The External Secrets Operator provides the ability to deploy external-secrets using different configurations
The External Secrets Operator for Red Hat OpenShift operates as a cluster-wide service to deploy and manage the external-secrets application. The external-secrets application integrates with external secrets management systems and performs secret fetching, refreshing, and provisioning within the cluster.
Use the External Secrets Operator for Red Hat OpenShift to integrate external-secrets application with the OpenShift Container Platform cluster. The external-secrets application fetches secrets stored in the external providers such as AWS Secrets Manager, HashiCorp Vault, Google Secrets Manager, Azure Key Vault, IBM Cloud Secrets Manager, AWS Systems Manager Parameter Store and integrates them with Kubernetes in a secure manner.
Using the External Secrets Operator ensures the following:
- Decouples applications from the secret-lifecycle management.
- Centralizes secret storage to support compliance requirements.
- Enables secure and automated secret rotation.
- Supports multi-cloud secret sourcing with fine-grained access control.
- Centralizes and audits access control.
The External Secrets Operator for Red Hat OpenShift uses the external-secrets helm charts
to install application. The operator has three controllers to achieve the same:
external_secrets_managercontroller: This is responsible for- reconciling the
externalsecretsmanagers.openshift.operator.ioresource. - providing the status of other controllers.
- reconciling the
external_secretscontroller: This is responsible for- reconciling the
externalsecrets.openshift.operator.ioresource. - installing and managing the
external-secretsapplication based on the user defined configurations inexternalsecrets.openshift.operator.ioresource. - reconciling the
externalsecretsmanagers.openshift.operator.ioresource for the global configurations and updates theexternal-sceretsdeployment accordingly.
- reconciling the
crd_annotatorcontroller:- This is responsible for adding
cert-manager.io/inject-ca-fromannotation in theexternal-secretsprovided CRDs. - This is an optional controller, which will be activated only when
cert-manageris installed. - When
cert-manageris installed after External Secrets Operator installation,external-secrets-operator-controller-managerdeployment must be restarted to activate the controller.
- This is responsible for adding
The operator automatically creates a cluster-scoped externalsecretsmanagers.openshift.operator.io object named cluster.
For more information about
external-secrets-operator for Red Hat OpenShift, refer to the linkexternal-secretsapplication, refer to the link.cert-manager Operator for Red Hat OpenShift, refer to the link
- go version 1.23.6+
- docker version 17.03+.
- kubectl version v1.32.1+.
- Access to a Kubernetes v1.32.1+ cluster.
Build and push your image to the location specified by IMG:
make docker-build docker-push IMG=<some-registry>/external-secrets-operator:<tag>NOTE: This image ought to be published in the personal registry you specified. And it is required to have access to pull the image from the working environment. Make sure you have the proper permission to the registry if the above commands don’t work.
Install the CRDs into the cluster:
make installDeploy the Manager to the cluster with the image specified by IMG:
make deploy IMG=<some-registry>/external-secrets-operator:<tag>NOTE: If you encounter RBAC errors, you may need to grant yourself cluster-admin privileges or be logged in as admin.
Create instances of your solution You can apply the samples (examples) from the config/sample:
kubectl apply -k config/samples/NOTE: Ensure that the samples has default values to test it out.
Delete the instances (CRs) from the cluster:
kubectl delete -k config/samples/Delete the APIs(CRDs) from the cluster:
make uninstallUnDeploy the controller from the cluster:
make undeployFollowing are the steps to build the installer and distribute this project to users.
- Build the installer for the image built and published in the registry:
make build-installer IMG=<some-registry>/external-secrets-operator:tagNOTE: The makefile target mentioned above generates an 'install.yaml' file in the dist directory. This file contains all the resources built with Kustomize, which are necessary to install this project without its dependencies.
- Using the installer
Users can just run kubectl apply -f to install the project, i.e.:
kubectl apply -f https://raw.githubusercontent.com/<org>/external-secrets-operator/<tag or branch>/dist/install.yamlNOTE: Run
make helpfor more information on all potentialmaketargets
More information can be found via the Kubebuilder Documentation
We welcome contributions from the community! To contribute:
- Fork this repository and create a new branch.
- Make your changes and test them thoroughly.
- Run make targets to verify the behavior.
- Submit a Pull Request describing your changes and the motivation behind them.
- Run make help to view all available development targets.
We appreciate issues, bug reports, feature requests, and feedback!
Copyright 2025.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.