Install External Secrets Operator in Tanzu Application Platform
This topic tells you how to install the External Secrets Operator from the Tanzu Application Platform (commonly known as TAP) package repository.
ImportantExternal Secrets Operator is not included or installed with any Tanzu Application Platform profile.
Prerequisites
Before installing External Secrets Operator:
- Complete all prerequisites to install the Tanzu Application Platform. For more information, see Prerequisites.
Install
To install External Secrets Operator:
-
List version information for the package by running:
tanzu package available list external-secrets.apps.tanzu.vmware.com -n tap-installFor example:
NAME VERSION RELEASED-AT external-secrets.apps.tanzu.vmware.com 0.9.4+tanzu.2 2023-11-10 00:00:00 -0500 EST -
(Optional) For Tanzu Application Platform v1.7.1 and later, you can create a YAML values file to specify optional configuration for the External Secrets Operator. In this release, there is only one setting:
kubernetes_distribution, which you can set to"openshift"or"".-
To run External Secrets Operator on an OpenShift cluster, set the
kubernetes_distributionvalue toopenshift. This setting removes some of the default security settings in External Secrets Operator so that OpenShift can replace the security settings with its own. -
If you are running the External Secrets Operator on any other platform, leave
kubernetes_distributionas an empty string or omit the value entirely.
Note
The
kubernetes_distributionsetting is available as of External Secrets Operator v0.9.4+tanzu.2, which is available in Tanzu Application Platform v1.7.1. External Secrets Operator v0.9.4+tanzu.1 and earlier might not be able to run on OpenShift clusters.If you try to run older releases of the External Secrets Operator on OpenShift clusters, you might see the following error status in any of the
ReplicaSetresources:message: 'pods "external-secrets-6888645d7f-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, spec.containers[0].securityContext.runAsUser: Invalid value: 1000: must be in the ranges: [1001220000, 1001229999], provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]' -
-
Install the package by running:
tanzu package install external-secrets \ --package external-secrets.apps.tanzu.vmware.com \ --version VERSION-NUMBER \ --values-file VALUES-FILE.yaml \ # The use of this file is optional --namespace tap-installWhere:
VERSION-NUMBERis the package version you retrieved earlier.- (Optional)
VALUES-FILEis the YAML file you created earlier containing the values used to configure External Secrets Operator.
For example:
$ tanzu package install external-secrets \ --package external-secrets.apps.tanzu.vmware.com \ --version 0.6.1+tap.6 \ --values-file external-secrets-values.yaml \ --namespace tap-install \ Installing package 'external-secrets.apps.tanzu.vmware.com' | Getting package metadata for 'external-secrets.apps.tanzu.vmware.com' | Creating service account 'external-secrets-tap-install-sa' / Creating cluster admin role 'external-secrets-tap-install-cluster-role' | Creating cluster role binding 'external-secrets-tap-install-cluster-rolebindin / Creating cluster role binding 'external-secrets-tap-install-cluster-rolebindin \ Creating cluster role binding 'external-secrets-tap-install-cluster-rolebindin | Creating cluster role binding 'external-secrets-tap-install-cluster-rolebinding' \ Creating package resource Waiting for 'PackageInstall' reconciliation for 'external-secrets' 'PackageInstall' resource install status: Reconciling 'PackageInstall' resource install status: ReconcileSucceeded Added installed package 'external-secrets' -
Verify the package installation by running:
tanzu package installed get external-secrets --namespace tap-installFor example:
tanzu package installed get external-secrets -n tap-install NAME: external-secrets PACKAGE-NAME: external-secrets.apps.tanzu.vmware.com PACKAGE-VERSION: 0.9.4+tanzu.2 STATUS: Reconcile succeeded CONDITIONS: [{ReconcileSucceeded True }] USEFUL-ERROR-MESSAGE:
