OpenShift 4

An installation guide for Operator Lifecycle Manager, Sealed Secrets Operator (Helm), Sealed Secrets and the kubeseal command line interface in OpenShift 4.x (OCP, OKD, CRC).

Note

You must be bound to the cluster-admin ClusterRole to install all prerequisites, the operator and Sealed Secrets.

Prerequisites

OpenShift Container Platform, OKD (The Community Distribution of Kubernetes), or CodeReady Containers

As usual you need to have access to an up and running OpenShift 4.x cluster.

Operator Installation

It’s possible to install the operator using the Operator Lifecycle Manager or manually.

Note

The operator manages a single-namespace installation of Sealed Secrets. Therefore you have to install the operator and Sealed Secrets in the same namespace. For simplicity we recommend creating a namespace named sealed-secrets.

Operator Lifecycle Manager

This installation method installs the operator using an OLM Catalog.

git clone
oc apply -f guides/ocp4/olm/namespace.yaml
oc apply -f guides/ocp4/olm/catalog-source.yaml
oc apply -f guides/ocp4/olm/operator-group.yaml
oc apply -f guides/ocp4/olm/subscription.yaml

oc rollout status -w deployment/sealed-secrets-operator-helm -n sealed-secrets

Manual

You can install the operator from local sources without having to install an OLM Catalog. This can be helpful if your cluster runs in an isolated environment with no direct internet access.

Note

No channel subscription or automatic operator updates are available with this method.

git clone
oc apply -f guides/ocp4/manual/namespace.yaml
oc apply -f guides/ocp4/manual/service-account.yaml
oc apply -f guides/ocp4/manual/role.yaml
oc apply -f guides/ocp4/manual/role-binding.yaml
oc apply -f guides/ocp4/manual/crd.yaml
oc apply -f guides/ocp4/manual/deployment.yaml

oc rollout status -w deployment/sealed-secrets-operator-helm -n sealed-secrets

Sealed Secrets Installation

Install Sealed Secrets Controller and kubeseal command line interface.

Sealed Secrets Controller

Note

This operator shares all configuration values from the Sealed Secrets Helm Chart.

git clone
oc apply -f examples/ocp.yaml -n sealed-secrets

oc get SealedSecretControllers sealed-secret-controller -n sealed-secrets

oc rollout status -w deployment/sealed-secret-controller-sealed-secrets -n sealed-secrets

kubeseal

Install the kubeseal command line interface by downloading the binary from the Sealed Secrets releases, and read about kubeseal usage in the Sealed Secrets docs.
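Sealing a secret against the controller installed above, as an added example that is not part of the original guide or the project's own code. It goes one step beyond the page by adding a check that only sealed manifests reach version control. It assumes the controller Service is named like the deployment (sealed-secret-controller-sealed-secrets); the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the guide. Assumptions: the controller Service has the
# same name as the deployment; secret names, keys and namespaces are constructed.
CONTROLLER_NS="sealed-secrets"
CONTROLLER_NAME="sealed-secret-controller-sealed-secrets"  # assumed Service name

# Fetch the controller's public certificate once so sealing needs no cluster access.
# usage: fetch_cert <out.pem>
fetch_cert() {
  kubeseal --controller-namespace "$CONTROLLER_NS" \
           --controller-name "$CONTROLLER_NAME" --fetch-cert > "$1"
}

# Build the Secret client-side only (it is never applied) and seal it.
# The value is read from stdin, not passed as a command-line argument.
# usage: printf '%s' "$VALUE" | seal_literal <cert.pem> <namespace> <name> <key> <out.yaml>
seal_literal() {
  oc create secret generic "$3" -n "$2" --from-file="$4=/dev/stdin" \
     --dry-run=client -o yaml \
    | kubeseal --cert "$1" --format yaml > "$5"
}

# Gate before committing: accept only SealedSecret manifests that carry
# encryptedData, and reject any file that still contains a plaintext Secret.
# usage: is_safe_to_commit <manifest.yaml>   (exit status 0 = safe)
is_safe_to_commit() {
  grep -Eq '^kind:[[:space:]]*SealedSecret[[:space:]]*$' "$1" || return 1
  grep -Eq '^[[:space:]]+encryptedData:' "$1" || return 1
  ! grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$|^(data|stringData):' "$1"
}
```

Typical flow: run fetch_cert once, pipe each value into seal_literal, and call is_safe_to_commit on every manifest before it is added to the repository.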

Cleanup

Ants are a very clean species too!

Sealed Secrets Controller installation

The uninstallation process will remove the Sealed Secrets installation (CRD) but NOT the CRs. You have to remove them manually:

oc delete SealedSecretController sealed-secret-controller -n sealed-secrets

oc delete crd sealedsecrets.bitnami.com

Operator Marketplace deinstallation

oc delete -f guides/ocp4/olm/subscription.yaml
oc delete csv sealed-secrets-operator-helm.v0.0.1 -n sealed-secrets
oc delete crd sealedsecretcontrollers.bitnami.com
oc delete -f guides/ocp4/olm/catalog-source.yaml
oc delete -f guides/ocp4/olm/operator-group.yaml
oc delete -f guides/ocp4/olm/namespace.yaml

Manual deinstallation

oc delete -f guides/ocp4/manual/deployment.yaml
oc delete -f guides/ocp4/manual/crd.yaml
oc delete -f guides/ocp4/manual/role-binding.yaml
oc delete -f guides/ocp4/manual/role.yaml
oc delete -f guides/ocp4/manual/service-account.yaml
oc delete -f guides/ocp4/manual/namespace.yaml