The {external-secrets-operator} is a cluster-wide service that provides lifecycle management for secrets fetched from external secret management systems.
These release notes track the development of {external-secrets-operator-short}.
For more information, see xref:../../security/external_secrets_operator/index.adoc#external-secrets-operator-about[{external-secrets-operator-short} overview].
Version 1.0.0 of the {external-secrets-operator} is based on the upstream external-secrets project, version v0.19.0. For more information, see the link:https://github.com/external-secrets/external-secrets/releases/tag/v0.19.0[external-secrets project release notes for v0.19.0].
* Before this release, many of the APIs listed in the console for the {external-secrets-operator} were missing descriptions. With this release, the API descriptions have been added. (link:https://issues.redhat.com/browse/OCPBUGS-61081[OCPBUGS-61081])
With this release, the Operator API, `externalsecrets.operator.openshift.io` has been renamed to `externalsecretsconfigs.operator.openshift.io` to avoid confusion with the external-secrets provided API that has the same name, but a different purpose. The external-secrets provided API has also been restructured and new features are added.
For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#external-secrets-operator-api[External Secrets Operator for Red Hat OpenShift APIs].
*Support to collect metrics of {external-secrets-operator-short}*
With this release, the {external-secrets-operator} supports collecting metrics for both the Operator and operands. This is optional and must be enabled.
For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#external-secrets-monitoring[Monitoring the External Secrets Operator for Red Hat OpenShift].
For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#external-secrets-operator-proxy[About the egress proxy for the External Secrets Operator for Red Hat OpenShift].
*Root filesystem is read-only for {external-secrets-operator} containers*
With this release, to improve security, the {external-secrets-operator} and all its operands have the `readOnlyRootFilesystem` security context set to true by default. This enhancement hardens the containers and prevents a potential attacker from modifying the contents of the container’s root file system.
*Network policy hardening is now available for {external-secrets-operator-short} components*
With this release, {external-secrets-operator} includes pre-defined `NetworkPolicy` resources designed for enhanced security by governing ingress and egress traffic for operand components. These policies cover essential internal traffic, such as ingress to the metrics and webhook servers, and egress to the OpenShift API server and DNS server. Note that deployment of the `NetworkPolicy` is enabled by default and egress allow policies must be explicitly defined in the `ExternalSecretsConfig` custom resource for the `external-secrets` component to fetch secrets from external providers.
For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#external-secrets-operator-config-net-policy[Configuring network policy for the operand].
Version `0.1.0` of the {external-secrets-operator} is based on the upstream external-secrets version `0.14.3`. For more information, see the link:https://github.com/external-secrets/external-secrets/releases/tag/v0.14.3[external-secrets project release notes for v0.14.3].
