openshift
diff --git a/‎_topic_maps/_topic_map.yml
Lines changed: 8 additions & 0 deletions b/‎_topic_maps/_topic_map.yml
Lines changed: 8 additions & 0 deletions
diff --git a/‎modules/external-secrets-about.adoc
Lines changed: 27 additions & 0 deletions b/‎modules/external-secrets-about.adoc
Lines changed: 27 additions & 0 deletions
diff --git a/‎modules/external-secrets-enable-metrics-operand.adoc
Lines changed: 88 additions & 0 deletions b/‎modules/external-secrets-enable-metrics-operand.adoc
Lines changed: 88 additions & 0 deletions
diff --git a/‎modules/external-secrets-enable-metrics.adoc
Lines changed: 89 additions & 0 deletions b/‎modules/external-secrets-enable-metrics.adoc
Lines changed: 89 additions & 0 deletions
diff --git a/‎modules/external-secrets-fips-support.adoc
Lines changed: 11 additions & 0 deletions b/‎modules/external-secrets-fips-support.adoc
Lines changed: 11 additions & 0 deletions
diff --git a/‎modules/external-secrets-operand-install-cli.adoc
Lines changed: 86 additions & 0 deletions b/‎modules/external-secrets-operand-install-cli.adoc
Lines changed: 86 additions & 0 deletions
@@ -1255,6 +1255,14 @@ Topics:
   Topics:
   - Name: External Secrets Operator overview
     File: index
+  - Name: External Secrets Operator release notes
+    File: external-secrets-operator-release-notes
+  - Name: Installing the External Secrets Operator
+    File: external-secrets-operator-install
+  - Name: Monitoring the External Secrets Operator
+    File: external-secrets-operator-monitoring
+  - Name: Uninstalling the External Secrets Operator
+    File: external-secrets-operator-uninstall
 - Name: Viewing audit logs
   File: audit-log-view
 - Name: Configuring the audit log policy
 
@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/index.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="external-secrets-about_{context}"]
+= About the {external-secrets-operator}
+
+Use the {external-secrets-operator} to integrate link:https://external-secrets.io/latest/[external-secrets] application with the {product-title} cluster. The `external-secrets` application fetches secrets stored in the external providers such as link:https://aws.amazon.com/secrets-manager/[AWS Secrets Manager], link:https://developer.hashicorp.com/vault[HashiCorp Vault], link:https://cloud.google.com/security/products/secret-manager[Google Secret Manager], link:https://azure.microsoft.com/en-us/products/key-vault/[Azure Key Vault], link:https://www.ibm.com/products/secrets-manager[{ibm-cloud-title} Secrets Manager], link:https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html[AWS Systems Manager Parameter Store] and integrates them with Kubernetes in a secure manner.
+
+Using the {external-secrets-operator-short} ensures the following:
+
+* Decouples applications from the secret-lifecycle management.
+* Centralizes secret storage to support compliance requirements.
+* Enables secure and automated secret rotation.
+* Supports multi-cloud secret sourcing with fine-grained access control.
+* Centralizes and audits access control.
+
+[IMPORTANT]
+====
+Do not attempt to use more than one {external-secrets-operator-short} in your cluster. If you have a community {external-secrets-operator-short} installed in your cluster, you must uninstall it before installing the {external-secrets-operator}.
+====
+
+For more information about `external-secrets` application, see link:https://external-secrets.io/latest/[external-secrets].
+
+Use the {external-secrets-operator-short} to authenticate with the external secrets store, retrieve secrets, and inject the retrieved secrets into a native Kubernetes secret. This method removes the need for applications to directly access or manage external secrets.
+
@@ -0,0 +1,88 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-enable-metrics-operand_{context}"]
+= Enabling monitoring for the External Secrets operand for Red Hat OpenShift by using a service monitor
+
+Enable monitoring and metrics collection for the External Secrets operand by using a service monitor to perform the custom metrics scraping.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* The External Secrets operand is installed.
+
+.Procedure
+
+. Enable cluster monitoring by labeling the External Secrets operand namespace by running the following command:
++
+[source,terminal]
+----
+$ oc label namespace external-secrets openshift.io/cluster-monitoring=true
+----
+
+. Create a YAML file that defines the `Role`, `RoleBinding`, and `ServiceMonitor` objects:
++
+.Example `monitoring.yaml` file
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: external-secrets
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: external-secrets
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: external-secrets
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app: external-secrets
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/name: external-secrets
+  name: external-secrets
+  namespace: external-secrets
+spec:
+  endpoints:
+  - interval: 30s
+    port: tcp-prometheus-servicemonitor
+    scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: external-secrets
+app.kubernetes.io/name: external-secrets
+----
+
+. Create the `Role`, `RoleBinding`, and `ServiceMonitor` objects by running the following command:
++
+[source,terminal]
+----
+$ oc create -f monitoring.yaml
+----
@@ -0,0 +1,89 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-enable-metrics_{context}"]
+= Enabling monitoring for the {external-secrets-operator} by using a service monitor
+
+Enable monitoring and metrics collection for the {external-secrets-operator} by using a service monitor to perform the custom metrics scraping.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* The {external-secrets-operator-short} is installed.
+
+.Procedure
+
+. Enable cluster monitoring by labeling the {external-secrets-operator-short} namespace by running the following command:
++
+[source,terminal]
+----
+$ oc label namespace external-secrets-operator openshift.io/cluster-monitoring=true
+----
+
+. Create a YAML file that defines the `Role`, `RoleBinding`, and `ServiceMonitor` objects:
++
+.Example `monitoring.yaml` file
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: prometheus-k8s
+  namespace: external-secrets-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: prometheus-k8s
+  namespace: external-secrets-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: prometheus-k8s
+subjects:
+- kind: ServiceAccount
+  name: prometheus-k8s
+  namespace: external-secrets-operator
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app: external-secrets
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: external-secrets
+    app.kubernetes.io/name: external-secrets
+  name: external-secrets
+  namespace: external-secrets-operator
+spec:
+  endpoints:
+  - interval: 30s
+    port: tcp-prometheus-servicemonitor
+    scheme: http
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: controller
+      app.kubernetes.io/instance: external-secrets
+app.kubernetes.io/name: external-secrets
+----
+
+. Create the `Role`, `RoleBinding`, and `ServiceMonitor` objects by running the following command:
++
+[source,terminal]
+----
+$ oc create -f monitoring.yaml
+----
+
@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/index.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="external-secrets-fips-support_{context}"]
+= About FIPS compliance for {external-secrets-operator}
+
+The {external-secrets-operator} supports FIPS compliance. When running on {product-title} in FIPS mode, {external-secrets-operator-short} uses the RHEL cryptographic libraries submitted to NIST for FIPS validation on the x86_64, ppc64le, and s390X architectures. For more information about the NIST validation program, see link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[Cryptographic module validation program]. For more information about the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see link:https://access.redhat.com/articles/2918071#fips-140-2-and-fips-140-3-2[Compliance activities and government standards].
+
+To enable FIPS mode, install the {external-secrets-operator-short} on an {product-title} cluster that runs in FIPS mode. For more information, see "Do you need extra security for your cluster?".
@@ -0,0 +1,86 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-install.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-operand-install-cli_{context}"]
+= Installing the External Secrets operand for Red Hat OpenShift by using the CLI
+
+You can use the command-line interface (CLI) to install the External Secrets operand.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+
+.Procedure
+
+. Create a `externalsecrets.openshift.operator.io` object by defining a YAML file with the following content:
++
+.Example `externalsecrets.yaml` file
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecrets
+metadata:
+  labels:
+    app.kubernetes.io/name: external-secrets-operator
+  name: cluster
+spec: {}
+----
++
+For more information on spec configuration, see "External Secrets Operator for Red Hat OpenShift APIs".
+
+. Create the `externalsecrets.openshift.operator.io` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f externalsecrets.yaml
+----
+
+.Verification
+
+. Verify that the `external-secrets` pods are running by entering the following command:
++
+[source,terminal]
+----
+$ oc get pods -n external-secrets
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                                READY   STATUS    RESTARTS   AGE
+external-secrets-75d47cb9c8-6p4n2                   1/1     Running   0          4h5m
+external-secrets-cert-controller-676444b897-qb6ft   1/1     Running   0          4h5m
+external-secrets-webhook-b566658ff-7m4d5            1/1     Running   0          4h5m
+----
+
+. Verify that the `external-secrets-operator` deployment object reports a successful status by running the following command:
++
+[source,terminal]
+----
+$ oc get externalsecrets.operator.openshift.io cluster -n external-secrets-operator -o jsonpath='{.status.conditions}' | jq .
+----
++
+.Example output
+[source,terminal]
+----
+[
+  {
+    "lastTransitionTime": "2025-06-17T14:57:04Z",
+    "message": "",
+    "observedGeneration": 1,
+    "reason": "Ready",
+    "status": "False",
+    "type": "Degraded"
+  },
+  {
+    "lastTransitionTime": "2025-06-17T14:57:04Z",
+    "message": "reconciliation successful",
+    "observedGeneration": 1,
+    "reason": "Ready",
+    "status": "True",
+    "type": "Ready"
+  }
+]
+----