mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
178 lines
5.2 KiB
Plaintext
// Module included in the following assemblies:
//
// * security/external_secrets_operator/external-secrets-operator-migrate-downstream-upstream.adoc

:_mod-docs-content-type: PROCEDURE
[id="external-secrets-operator-create-externalsecretsconfig_{context}"]
= Creating the ExternalSecretsConfig Operator

[role="_abstract"]
Create the `ExternalSecretsConfig` resource to install and configure the core `external-secrets` component. This setup helps ensure that features like Bitwarden and cert-manager support are correctly enabled.

.Prerequisites

* {external-secrets-operator} is installed.

* {cert-manager-operator} is installed.

* You have access to the cluster with `cluster-admin` privileges.

.Procedure

. Create an `externalsecretsconfig.yaml` file with the following content:
+
[source,yml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
metadata:
  labels:
    app.kubernetes.io/name: cluster
  name: cluster
spec:
  appConfig:
    logLevel: 1
  controllerConfig:
    networkPolicies:
    - componentName: ExternalSecretsCoreController
      egress:
      - {}
      name: allow-external-secrets-egress
  plugins: {}
----

. Create the `ExternalSecretsConfig` object by running the following command:
+
[source,terminal]
----
$ oc create -f externalsecretsconfig.yaml
----

.Verification

Verify that all custom resources (CRs) are present and that the APIs are using `v1` instead of `v1beta1`. These CRs are retained and automatically converted by the new Operator.

. To verify that the `external-secrets` pods are in a `Running` state, run the following command:
+
[source,terminal]
----
$ oc get pods -n external-secrets
----
+
The following is example output showing that the `external-secrets` pods are in a `Running` state:
+
[source,terminal]
----
NAME                                        READY   STATUS    RESTARTS   AGE
bitwarden-sdk-server-5b4cf48766-w7zp7       1/1     Running   0          5m
external-secrets-5854b85dd5-m6zf9           1/1     Running   0          5m
external-secrets-webhook-5cb85b8fdb-6jtqb   1/1     Running   0          5m
----

. To verify that the `SecretStore` CR is present, run the following command:
+
[source,terminal]
----
$ oc get secretstores.external-secrets.io -A
----
+
The following is example output showing that the `SecretStore` is present:
+
[source,terminal]
----
NAMESPACE            NAME                       AGE     STATUS   CAPABILITIES   READY
external-secrets-1   gcp-store                  18min   Valid    ReadWrite      True
external-secrets-2   aws-secretstore            11min   Valid    ReadWrite      True
external-secrets     bitwarden-secretsmanager   20min   Valid    ReadWrite      True
----

. To verify that the `ExternalSecret` CR is present, run the following command:
+
[source,terminal]
----
$ oc get externalsecrets.external-secrets.io -A
----
+
The following is example output showing that the `ExternalSecret` is present:
+
[source,terminal]
----
NAMESPACE            NAME                  STORE                      REFRESH INTERVAL   STATUS         READY
external-secrets-1   gcp-externalsecret    gcp-store                  1hr                SecretSynced   True
external-secrets-2   aws-external-secret   aws-secret-store           1hr                SecretSynced   True
external-secrets     bitwarden             bitwarden-secretsmanager   1hr                SecretSynced   True
----

. To verify that the `SecretStore` is `apiVersion: external-secrets.io/v1`, run the following command:
+
[source,terminal]
----
$ oc get secretstores.external-secrets.io -n external-secrets-1 gcp-store -o yaml
----
+
The following is example output showing that the `SecretStore` is `apiVersion: external-secrets.io/v1`:
+
[source,yml]
----
apiVersion: external-secrets.io/v1
kind: SecretStore
metadata:
  creationTimestamp: "2025-10-27T11:38:19Z"
  generation: 1
  name: gcp-store
  namespace: external-secrets-1
  resourceVersion: "104519"
  uid: 7bccb0cc-2557-4f4a-9caa-1577f0108f4b
spec:
  .
  .
  .
status:
  capabilities: ReadWrite
  conditions:
  - lastTransitionTime: "2025-10-27T11:38:19Z"
    message: store validated
    reason: Valid
    status: "True"
    type: Ready
----

. To verify that the `ExternalSecret` is `apiVersion: external-secrets.io/v1`, run the following command:
+
[source,terminal]
----
$ oc get externalsecrets.external-secrets.io -n external-secrets-1 gcp-externalsecret -o yaml
----
+
The following is example output showing that the `ExternalSecret` is `apiVersion: external-secrets.io/v1`:
+
[source,yml]
----
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  creationTimestamp: "2025-10-27T11:39:03Z"
  generation: 1
  name: gcp-externalsecret
  namespace: external-secrets-1
  resourceVersion: "104532"
  uid: 93a3295a-a3ad-4304-90e1-1328d951e5fb
spec:
  .
  .
  .
status:
  binding:
    name: k8s-secret-gcp
  conditions:
  - lastTransitionTime: "2025-10-27T11:39:03Z"
    message: secret synced
    reason: SecretSynced
    status: "True"
    type: Ready
  refreshTime: "2025-10-27T12:13:15Z"
  syncedResourceVersion: 1-f47fe3c0b255b6dd8047cdffa772587bb829efe7a1cb70febeda2eb2
----
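The verification steps above are read by eye from `oc get` output. The following script, added here as an example and not part of the OpenShift documentation or the Operator's own tooling, automates the same two checks over every `SecretStore` and `ExternalSecret` object: the object must be served as `apiVersion: external-secrets.io/v1`, and its `Ready` condition must have `status: "True"`. It consumes the JSON that `oc get <kind>.external-secrets.io -A -o json` prints; the `SAMPLE` objects, the `broken-store` name and its `ValidationFailed` reason are constructed stand-ins so the script runs without a cluster, and the `--cluster` flag is the script's own convention.

```python
"""Audit SecretStore and ExternalSecret objects after the migration.

Added example, not the documentation's or the Operator's own code. Every object
must report apiVersion external-secrets.io/v1 and a Ready condition with
status "True"; anything else is listed as a problem. Input is the JSON List that
`oc get <kind>.external-secrets.io -A -o json` prints; SAMPLE is a constructed
stand-in so the script runs offline.
"""
import json
import subprocess
import sys

EXPECTED_API = "external-secrets.io/v1"
KINDS = ("secretstores", "externalsecrets")


def ready_condition(obj):
    """Return the object's Ready condition, or None if it has none yet."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond
    return None


def audit(items):
    """Return one problem string per failing object; an empty list means all converted and Ready."""
    problems = []
    for obj in items:
        meta = obj.get("metadata", {})
        ident = f"{obj.get('kind')} {meta.get('namespace')}/{meta.get('name')}"
        api = obj.get("apiVersion")
        if api != EXPECTED_API:
            problems.append(f"{ident}: apiVersion is {api}, expected {EXPECTED_API}")
        cond = ready_condition(obj)
        if cond is None or cond.get("status") != "True":
            reason = cond.get("reason", "unknown") if cond else "no Ready condition"
            problems.append(f"{ident}: not Ready ({reason})")
    return problems


def parse_oc_list(text):
    """Extract the items array from an `oc get ... -o json` List document."""
    return json.loads(text).get("items", [])


def fetch_items(kind):
    """Query the cluster for one kind (needs an `oc` login; not used by the sample run)."""
    proc = subprocess.run(
        ["oc", "get", f"{kind}.external-secrets.io", "-A", "-o", "json"],
        check=True, capture_output=True, text=True,
    )
    return parse_oc_list(proc.stdout)


def _obj(kind, api, ns, name, status, reason):
    """Build a constructed sample object carrying a single Ready condition."""
    return {
        "apiVersion": api, "kind": kind,
        "metadata": {"namespace": ns, "name": name},
        "status": {"conditions": [{"type": "Ready", "status": status, "reason": reason}]},
    }


# Constructed sample: one converted and healthy store, one object still served as
# v1beta1, and one store whose validation failed (name and reason are illustrative).
SAMPLE = [
    _obj("SecretStore", "external-secrets.io/v1", "external-secrets-1", "gcp-store", "True", "Valid"),
    _obj("ExternalSecret", "external-secrets.io/v1beta1", "external-secrets-2", "legacy-es", "True", "SecretSynced"),
    _obj("SecretStore", "external-secrets.io/v1", "external-secrets", "broken-store", "False", "ValidationFailed"),
]

if __name__ == "__main__":
    # Pass --cluster to audit the live cluster instead of the constructed sample.
    live = "--cluster" in sys.argv
    items = [o for k in KINDS for o in fetch_items(k)] if live else SAMPLE
    for line in audit(items) or ["all objects are external-secrets.io/v1 and Ready"]:
        print(line)
```

Run it without arguments to see the two constructed failures reported; with `--cluster` it queries both kinds across all namespaces and exits quietly when every object is on `v1` and `Ready`, which is the state the manual steps above are confirming.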