OpenShift 4

A installation guide for Operator Lifecycle Manager, Sealed Secrets Operator (Helm), Sealed Secrets and kubeseal command line interface in OpenShift 4.x (OCP, OKD, CRC).


You have to be in the cluster-admin ClusterRole to install all prerequisites, the operator and Sealed Secrets.


OpenShift Container Platform OKD - The Community Distribution of Kubernetes CodeReady Containers

As usual you need to have access to an up and running OpenShift 4.x cluster.

Operator Installation

It’s possible to install the operator using the Operator Lifecycle Manager or manually.


The operator manages a single namespace installation of Sealed Secrets. Therefore you have to install the operator and Sealed Secrets in the same namespace. For simplicity we recommend creating a namespace sealed-secrets.

Operator Lifecycle Manager

This installation method installs the operator using an OLM Catalog.

git clone
oc apply -f guides/ocp4/olm/namespace.yaml
oc apply -f guides/ocp4/olm/catalog-source.yaml
oc apply -f guides/ocp4/olm/operator-group.yaml
oc apply -f guides/ocp4/olm/subscription.yaml

oc rollout status -w deployment/sealed-secrets-operator-helm -n sealed-secrets


You can install the operator from local sources without having to install an OLM Catalog. This can be helpful if your cluster runs in an isolated environment with no direct internet access.


No channel subscription and automatic operator updates available with this method.

git clone
oc apply -f guides/ocp4/manual/namespace.yaml
oc apply -f guides/ocp4/manual/service-account.yaml
oc apply -f guides/ocp4/manual/role.yaml
oc apply -f guides/ocp4/manual/role-binding.yaml
oc apply -f guides/ocp4/manual/crd.yaml
oc apply -f guides/ocp4/manual/deployment.yaml

oc rollout status -w deployment/sealed-secrets-operator-helm -n sealed-secrets

Sealed Secrets Installation

Install Sealed Secrets Controller and kubeseal command line interface.

Sealed Secrets Controller


This operator shares all configuration values from the Sealed Secrets Helm Chart.

git clone
oc apply -f examples/ocp.yaml -n sealed-secrets

oc get SealedSecretControllers sealed-secret-controller -n sealed-secrets

oc rollout status -w deployment/sealed-secret-controller-sealed-secrets -n sealed-secrets


Install the kubeseal command line interface by downloading the binary from Sealed Secrets releases and read about kubeseal usage on Sealed Secrets docs.


Ants are very clean species too!

Sealed Secrets Controller installation

The uninstallation process will remove the Sealed Secrets installation (CRD) but NOT the CRs. You have to remove them manually:

oc delete SealedSecretController sealed-secret-controller -n sealed-secrets

oc delete crd

Operator Marketplace deinstallation

oc delete -f guides/ocp4/olm/subscription.yaml
oc delete csv sealed-secrets-operator-helm.v0.0.1 -n sealed-secrets
oc delete crd
oc delete -f guides/ocp4/olm/catalog-source.yaml
oc delete -f guides/ocp4/olm/operator-group.yaml
oc delete -f guides/ocp4/olm/namespace.yaml

Manual deinstallation

oc delete -f guides/ocp4/manual/deployment.yaml
oc delete -f guides/ocp4/manual/crd.yaml
oc delete -f guides/ocp4/manual/role-binding.yaml
oc delete -f guides/ocp4/manual/role.yaml
oc delete -f guides/ocp4/manual/service-account.yaml
oc delete -f guides/ocp4/manual/namespace.yaml