openshift · joyrex2001 · Jun 20, 2026 · Jun 20, 2026
diff --git a/api/v1alpha1/external_secrets_config_types.go b/api/v1alpha1/external_secrets_config_types.go
@@ -191,6 +191,13 @@ type ComponentConfig struct {
 	// +listMapKey=name
 	// +optional
 	OverrideEnv []corev1.EnvVar `json:"overrideEnv,omitempty"`
+
+	// extraArgs specifies additional command-line arguments for this component's container.
+	// These are appended (de-duped) to the operator's default args for the component.
+	// +kubebuilder:validation:MaxItems:=50
+	// +listType=atomic
+	// +optional
+	ExtraArgs []string `json:"extraArgs,omitempty"`
 }
 
 // DeploymentConfig defines configuration overrides for a Kubernetes Deployment resource.

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml b/bundle/manifests/openshift-external-secrets-operator.clusterserviceversion.yaml
@@ -220,7 +220,7 @@ metadata:
     categories: Security
     console.openshift.io/disable-operand-delete: "true"
     containerImage: openshift.io/external-secrets-operator:latest
-    createdAt: "2026-06-19T12:17:03Z"
+    createdAt: "2026-06-20T09:38:01Z"
     features.operators.openshift.io/cnf: "false"
     features.operators.openshift.io/cni: "false"
     features.operators.openshift.io/csi: "false"

diff --git a/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml b/bundle/manifests/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1330,6 +1330,15 @@ spec:
                               minimum: 1
                               type: integer
                           type: object
+                        extraArgs:
+                          description: |-
+                            extraArgs specifies additional command-line arguments for this component's container.
+                            These are appended (de-duped) to the operator's default args for the component.
+                          items:
+                            type: string
+                          maxItems: 50
+                          type: array
+                          x-kubernetes-list-type: atomic
                         overrideEnv:
                           description: |-
                             overrideEnv specifies custom environment variables for this component's container. These are merged with operator-managed environment variables, with user-defined values taking precedence.

diff --git a/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml b/config/crd/bases/operator.openshift.io_externalsecretsconfigs.yaml
@@ -1330,6 +1330,15 @@ spec:
                               minimum: 1
                               type: integer
                           type: object
+                        extraArgs:
+                          description: |-
+                            extraArgs specifies additional command-line arguments for this component's container.
+                            These are appended (de-duped) to the operator's default args for the component.
+                          items:
+                            type: string
+                          maxItems: 50
+                          type: array
+                          x-kubernetes-list-type: atomic
                         overrideEnv:
                           description: |-
                             overrideEnv specifies custom environment variables for this component's container. These are merged with operator-managed environment variables, with user-defined values taking precedence.

diff --git a/docs/api_reference.md b/docs/api_reference.md
@@ -130,6 +130,7 @@ _Appears in:_
 | `componentName` _[ComponentName](#componentname)_ | componentName identifies which external-secrets component this configuration applies to.<br />Valid component names: ExternalSecretsCoreController, Webhook, CertController, BitwardenSDKServer. |  | Enum: [ExternalSecretsCoreController Webhook CertController BitwardenSDKServer] <br /> |
 | `deploymentConfigs` _[DeploymentConfig](#deploymentconfig)_ | deploymentConfigs specifies overrides for the Kubernetes Deployment resource of this component. |  |  |
 | `overrideEnv` _[EnvVar](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#envvar-v1-core) array_ | overrideEnv specifies custom environment variables for this component's container. These are merged with operator-managed environment variables, with user-defined values taking precedence.<br />Names starting with 'KUBERNETES_' or 'EXTERNAL_SECRETS_' are reserved prefixes and will be rejected.<br />The exact names 'HOSTNAME', 'SSL_CERT_DIR', and 'SSL_CERT_FILE' are also reserved. |  | MaxItems: 50 <br /> |
+| `extraArgs` _string array_ | extraArgs specifies additional command-line arguments for this component's container.<br />These are appended (de-duped) to the operator's default args for the component. |  | MaxItems: 50 <br /> |
 
 
 #### ComponentName

diff --git a/pkg/controller/external_secrets/deployments.go b/pkg/controller/external_secrets/deployments.go
@@ -5,6 +5,7 @@ import (
 	"maps"
 	"os"
 	"slices"
+	"strings"
 	"time"
 	"unsafe"
 
@@ -815,6 +816,16 @@ func (r *Reconciler) applyUserDeploymentConfigs(deployment *appsv1.Deployment, e
 					}
 				}
 			}
+
+			// Apply ExtraArgs only to the target component container.
+			if len(i.ExtraArgs) > 0 {
+				for j := range deployment.Spec.Template.Spec.Containers {
+					if deployment.Spec.Template.Spec.Containers[j].Name == containerName {
+						mergeArgs(&deployment.Spec.Template.Spec.Containers[j], i.ExtraArgs)
+						break
+					}
+				}
+			}
 			break
 		}
 	}
@@ -844,6 +855,29 @@ func mergeUserEnvVars(container *corev1.Container, overrideEnv []corev1.EnvVar)
 	}
 }
 
+// mergeArgs merges user-defined extra arguments into a container, user-defined values take precedence over existing values.
+func mergeArgs(container *corev1.Container, extraArgs []string) {
+	if container.Args == nil {
+		container.Args = []string{}
+	}
+
+	for _, extra := range extraArgs {
+		extraKey, _, _ := strings.Cut(extra, "=")
+		found := false
+		for i, existing := range container.Args {
+			existingKey, _, _ := strings.Cut(existing, "=")
+			if existingKey == extraKey {
+				container.Args[i] = extra // User-defined value takes precedence
+				found = true
+				break
+			}
+		}
+		if !found {
+			container.Args = append(container.Args, extra)
+		}
+	}
+}
+
 // getComponentNameFromAsset maps asset file names to ComponentName enum values and container names.
 func getComponentNameFromAsset(assetName string) (operatorv1alpha1.ComponentName, string, error) {
 	switch assetName {