From f8b05b03353a3c123626c9d33d5eb1ecc4005c3f Mon Sep 17 00:00:00 2001 From: William Gabor Date: Fri, 24 Oct 2025 13:25:52 -0400 Subject: [PATCH] OSDOCS-16038_v1 updated file --- _topic_maps/_topic_map.yml | 2 + ...rnal-secrets-operator-configure-proxy.adoc | 76 +++++++++++++++++++ ...secrets-operator-proxy-considerations.adoc | 15 ++++ .../external-secrets-operator-proxy.adoc | 18 +++++ security/external_secrets_operator/index.adoc | 10 +++ 5 files changed, 121 insertions(+) create mode 100644 modules/external-secrets-operator-configure-proxy.adoc create mode 100644 modules/external-secrets-operator-proxy-considerations.adoc create mode 100644 security/external_secrets_operator/external-secrets-operator-proxy.adoc diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 809a132f6830..ae36e04a0989 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1256,6 +1256,8 @@ Topics: File: external-secrets-operator-release-notes - Name: Installing the External Secrets Operator File: external-secrets-operator-install + - Name: Configuring the egress proxy + File: external-secrets-operator-proxy - Name: Uninstalling the External Secrets Operator File: external-secrets-operator-uninstall - Name: External Secrets Operator APIs diff --git a/modules/external-secrets-operator-configure-proxy.adoc b/modules/external-secrets-operator-configure-proxy.adoc new file mode 100644 index 000000000000..7840e357fdcc --- /dev/null +++ b/modules/external-secrets-operator-configure-proxy.adoc 
@@ -0,0 +1,76 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-proxy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-operator-configure-proxy_{context}"]
+= Configuring the egress proxy for the {external-secrets-operator}
+
+The egress proxy can be configured in the `ExternalSecretsConfig` or the `ExternalSecretsManager` custom resource. The Operator and the operand make use of the {product-title} supported Certificate Authority (CA) bundle for the proxy validations.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have created the `ExternalSecretsConfig` custom resource.
+
+.Procedure
+
+* To set the proxy in the `ExternalSecretsConfig` resource, perform the following steps:
+. Edit the `ExternalSecretsConfig` resource by running the following command:
++
+[source,terminal]
+----
+$ oc edit externalsecretsconfigs.operator.openshift.io cluster
+----
+
+. Edit the `spec.appConfig.proxy` section to set the proxy values as follows:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+...
+spec:
+ appConfig:
+ proxy:
+ httpProxy:
+ httpsProxy:
+ noProxy:
+----
+
+:: Proxy URL for the http requests.
+
+:: Proxy URL for the https requests.
+
+:: Comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.
+
+* To set the proxy in the `ExternalSecretsManager` resource, perform the following steps.
+
+. Edit the `ExternalSecretsManager` resource by running the following command:
++
+[source,terminal]
+----
+$ oc edit externalsecretsmanagers.operator.openshift.io cluster
+----
+
+. Edit the `spec.globalConfig.proxy` section to set the proxy values as follows:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsManager
+...
+spec:
+ globalConfig:
+ proxy:
+ httpProxy:
+ httpsProxy:
+ noProxy:
+----
+
+:: Proxy URL for the http requests.
+
+:: Proxy URL for the https requests.
+
+:: Comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used.
diff --git a/modules/external-secrets-operator-proxy-considerations.adoc b/modules/external-secrets-operator-proxy-considerations.adoc
new file mode 100644
index 000000000000..c0a07e0f2c18
--- /dev/null
+++ b/modules/external-secrets-operator-proxy-considerations.adoc
@@ -0,0 +1,15 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/index.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="external-secrets-operator-proxy-considerations_{context}"]
+= Security considerations
+
+When using the {external-secrets-operator}, there are some security concerns you should consider:
+
+* `external-secrets` operand fetches the secrets from the configured external providers and stores it in a Kubernetes native Secrets resource. This results in a secret zero problem. It is recommended to secure the secret objects using additional encryption. For more information, see link:https://docs.redhat.com/en/documentation/red_hat_openshift_data_foundation/4.9/html/planning_your_deployment/security-considerations_rhodf#data-encryption-options_rhodf[Data encryption options]
+
+* When configuring `SecretStore` and `ClusterSecretStore`, consider using short-term credential-based authorization. This approach enhances security by limiting the window of opportunity for unauthorized access, even if credentials are compromised.
+
+* To enhance the security of the {external-secrets-operator}, it is crucial to implement Role-Based Access Controls (RBACs). These RBACs should define and limit access to the custom resources provided by the {external-secrets-operator-short}.
\ No newline at end of file
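Review bot: The procedure documents `httpProxy`, `httpsProxy` and `noProxy` on both `ExternalSecretsConfig` and `ExternalSecretsManager` but never states how these fields relate to the cluster-wide proxy that the assembly says OLM injects as `HTTP_PROXY`/`HTTPS_PROXY`/`NO_PROXY`, nor which of the two resources wins when both set a proxy; a reader configuring this cannot tell whether the fields replace or merge with the injected values, and that should be stated in the intro paragraph (checked against the operator's behaviour, not assumed). The `noProxy` description, "hostnames and/or CIDRs and/or IPs for which the proxy should not be used", should also say that cluster-internal destinations the operand talks to (the API server and any in-cluster provider endpoints, as listed for the cluster-wide proxy) need to be included, since anything missing from the list is sent to the proxy. A `noProxy` entry that is too broad (a wide CIDR or a bare top-level domain) silently bypasses the proxy for everything under it, so the description could add `Keep entries as specific as possible; an over-broad entry bypasses the proxy for every destination it matches.`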
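Review bot: The first bullet links to the OpenShift Data Foundation 4.9 security-considerations page, while the index.adoc hunk in this same commit links to the 4.19 edition of that page; the module should use the same current version. The concern the bullet describes is provider secrets being written into Kubernetes `Secret` objects, which puts the secret data at rest in etcd, and the linked ODF page appears to cover storage-volume encryption rather than etcd; the recommendation should name etcd encryption for the cluster as the relevant control, and "secret zero problem" (usually the bootstrap credential that unlocks everything else) does not quite describe secrets at rest, so consider `stores them in a Kubernetes native Secret object, so the secret data is at rest in etcd. Encrypt etcd and restrict who can read those Secret objects.` The same sentence also has an agreement error, `stores it` for `the secrets` should be `stores them`.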
diff --git a/security/external_secrets_operator/external-secrets-operator-proxy.adoc b/security/external_secrets_operator/external-secrets-operator-proxy.adoc
new file mode 100644
index 000000000000..7e7eb6ec8704
--- /dev/null
+++ b/security/external_secrets_operator/external-secrets-operator-proxy.adoc
@@ -0,0 +1,18 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="external-secrets-operator-proxy"]
+= About the egress proxy for the {external-secrets-operator}
+include::_attributes/common-attributes.adoc[]
+:context: external-secrets-operator-uninstall
+
+toc::[]
+
+If a cluster-wide egress proxy is configured in {product-title}, Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. OLM automatically updates all of the Operator’s deployments with the `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` environment variables.
+
+// Configure egress proxy
+include::modules/external-secrets-operator-configure-proxy.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="external-resources-operator-proxy_additional-resources"]
+== Additional resources
+
+* xref:../../operators/admin/olm-configuring-proxy-support.adoc#olm-configuring-proxy-support[Configuring proxy support in Operator Lifecycle Manager]
\ No newline at end of file
diff --git a/security/external_secrets_operator/index.adoc b/security/external_secrets_operator/index.adoc
index f9f3c4a9c02c..2d1fafbaae04 100644
--- a/security/external_secrets_operator/index.adoc
+++ b/security/external_secrets_operator/index.adoc
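Review bot: `:context: external-secrets-operator-uninstall` looks copied from the uninstall assembly; in this file it should be `:context: external-secrets-operator-proxy`, otherwise the included module's `[id="external-secrets-operator-configure-proxy_{context}"]` renders as `external-secrets-operator-configure-proxy_external-secrets-operator-uninstall` and every xref to the procedure has to carry that wrong suffix. The additional-resources anchor `[id="external-resources-operator-proxy_additional-resources"]` has `resources` where every other id in the file uses `secrets`; it should read `[id="external-secrets-operator-proxy_additional-resources"]`. Both new .adoc files in the commit also end without a trailing newline (`\ No newline at end of file`), which the repository's other sources do not do as far as the context lines show.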
@@ -31,3 +31,13 @@ include::modules/external-secrets-fips-support.adoc[leveloffset=+1]
 * xref:../../security/container_security/security-compliance.adoc#security-compliance[Understanding compliance]
 * xref:../../installing/overview/installing-fips.adoc#installing-fips-mode_installing-fips[Installing a cluster in FIPS mode]
 * xref:../../installing/overview/installing-preparing.adoc#installing-preparing-security[Do you need extra security for your cluster?]
+
+//egress proxy security considerations
+include::modules/external-secrets-operator-proxy-considerations.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+== Additional resources
+
+* link:https://docs.redhat.com/en/documentation/red_hat_openshift_data_foundation/4.19/html/planning_your_deployment/security-considerations_rhodf[Security considerations]
+
+* link:https://external-secrets.io/latest/guides/security-best-practices/[Security Best Practices]
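Review bot: The comment `//egress proxy security considerations` does not describe the module it includes: external-secrets-operator-proxy-considerations.adoc, as added in this commit, covers secrets materialized as Kubernetes `Secret` objects, short-lived provider credentials and RBAC, and says nothing about the proxy, so the comment and the module's file name both mislead the next editor; change the comment to `// Security considerations` and consider giving the module a name that matches its content (for example `external-secrets-operator-security-considerations.adoc`, a constructed name, with the include path updated to match). The three xrefs in the context lines have the shape of an additional-resources list, and if they already sit under an `== Additional resources` heading (that heading is outside the hunk) the hunk adds a second section with the same title to the assembly; the two new links then belong in the existing list, or the new section needs its own `[id=...]` so the duplicate title does not produce a clashing auto-generated anchor.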