Using Secret References in CR
This topic shows how to replace clear-text values in the CR with secret references.
Note: You can use this feature only for custom updates; it is not available through the xl kube installation process.
In the Deploy operator, the following fields support secret references:
- spec.auth.adminPassword
- spec.license
- spec.external.db.main.username
- spec.external.db.main.password
- spec.external.db.report.username
- spec.external.db.report.password
- spec.external.mq.username
- spec.external.mq.username
- spec.keystore.keystore
- spec.keystore.passphrase
- spec.truststore.password
- spec.oidc.clientId
- spec.oidc.clientSecret
- spec.oidc.clientAuthJwt.keyStore.password
- spec.oidc.clientAuthJwt.key.password
- spec.oidc.accessToken.secretKey
- spec.ssl.keystorePassword
- spec.ssl.keystoreKeypassword
Steps to Replace Clear-text with Secret References in CR
This topic uses the spec.keystore.keystore and spec.keystore.passphrase fields to illustrate how clear-text values are replaced with secret references in the CR.
- Run the following command to get the current keystore values:
kubectl get Digitalaideploys dai-xld -n digitalai -o jsonpath='{.spec.keystore}'
- Run the following command to create a new secret with the values from the previous response:
kubectl create secret generic xld-keystore -n digitalai \
--from-literal=keystore=zs7OzgAAAAIAAAABAAAAAwAWZGVwbG95aXQtcGFzc3N3b3JkLWtleQAAAYqzHF0crO0ABXNyADNjb20uc3VuLmNyeXB0by5wcm92aWRlci5TZWFsZWRPYmplY3RGb3JLZXlQcm90ZWN0b3LNV8pZ5zC7UwIAAHhyABlqYXZheC5jcnlwdG8uU2VhbGVkT2JqZWN0PjY9psO3VHACAARbAA1lbmNvZGVkUGFyYW1zdAACW0JbABBlbmNyeXB0ZWRDb250ZW50cQB+AAJMAAlwYXJhbXNBbGd0ABJMamF2YS9sYW5nL1N0cmluZztMAAdzZWFsQWxncQB+AAN4cHVyAAJbQqzzF/gGCFTgAgAAeHAAAAARMA8ECNNyGqIOBMilAgMDDUB1cQB+AAUAAACQi1cIQB/VetbbVwuLvnpkJoAYpIldYJVCPJF8CDhPWUT070Sih/D79VGhgJymi+JrpHGzaSktmEAqjgicsb9QgVa96tLHmMuvOmCBUx2SbVr9bB4L0UQ9g64+qNpmZz5LzlPOj2OUWwcqRrYYoNU2AjmFabWRiS2cuZwS5BnnJUajuGOrk09r41Rz4uCNRrVHdAAWUEJFV2l0aE1ENUFuZFRyaXBsZURFU3QAFlBCRVdpdGhNRDVBbmRUcmlwbGVERVNd8qtG/jgaTQ82zLM9SM15Pkc17w== \
--from-literal=passphrase=hK01yZ2bqVYTLCTq
- Update the CR with references to the new secret in the keystore-secret-patch.yaml file.
# Write the merge patch; ">" overwrites any earlier copy of the file
cat << EOF > keystore-secret-patch.yaml
spec:
  keystore:
    keystore:
      valueFrom:
        secretKeyRef:
          name: xld-keystore
          key: keystore
    passphrase:
      valueFrom:
        secretKeyRef:
          name: xld-keystore
          key: passphrase
EOF
kubectl patch -n digitalai digitalaideploys.xld.digital.ai dai-xld \
  --type=merge --patch-file keystore-secret-patch.yaml
- Restart the Deploy pods.
kubectl delete sts dai-xld-digitalai-deploy-master -n digitalai
kubectl delete sts dai-xld-digitalai-deploy-worker -n digitalai
- Run the following command to check the CR values, which now contain a reference to the secret:
kubectl get Digitalaideploys dai-xld -n digitalai -o jsonpath='{.spec.keystore}'
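To extend the final check from the keystore to every field listed above, the following added example (not Digital.ai code) classifies each secret-capable field in a CR as a secret reference, a malformed reference, or clear text. The field list and the valueFrom/secretKeyRef shape are taken from this page; the function names and SAMPLE_CR are constructed for illustration.

```python
import json
import sys

# Fields this page lists as supporting secret references.
SECRET_CAPABLE_FIELDS = (
    "spec.auth.adminPassword", "spec.license",
    "spec.external.db.main.username", "spec.external.db.main.password",
    "spec.external.db.report.username", "spec.external.db.report.password",
    "spec.external.mq.username",
    "spec.keystore.keystore", "spec.keystore.passphrase",
    "spec.truststore.password", "spec.oidc.clientId", "spec.oidc.clientSecret",
    "spec.oidc.clientAuthJwt.keyStore.password",
    "spec.oidc.clientAuthJwt.key.password", "spec.oidc.accessToken.secretKey",
    "spec.ssl.keystorePassword", "spec.ssl.keystoreKeypassword",
)

def lookup(doc, dotted_path):
    """Walk a dotted path through nested dicts; None if a segment is missing."""
    node = doc
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def classify(value):
    """Return 'unset', 'secret-ref', 'malformed-ref' or 'clear-text'."""
    if value is None or value == "":
        return "unset"
    if isinstance(value, dict):
        value_from = value.get("valueFrom")
        ref = value_from.get("secretKeyRef") if isinstance(value_from, dict) else None
        complete = isinstance(ref, dict) and bool(ref.get("name")) and bool(ref.get("key"))
        return "secret-ref" if complete else "malformed-ref"
    return "clear-text"

def audit_cr(cr):
    """Map every secret-capable field that is set to its classification."""
    states = {f: classify(lookup(cr, f)) for f in SECRET_CAPABLE_FIELDS}
    return {f: s for f, s in states.items() if s != "unset"}

# Constructed sample: keystore migrated, passphrase reference missing its key,
# admin password still inline.
SAMPLE_CR = {"spec": {"auth": {"adminPassword": "example-only"}, "keystore": {
    "keystore": {"valueFrom": {"secretKeyRef": {"name": "xld-keystore", "key": "keystore"}}},
    "passphrase": {"valueFrom": {"secretKeyRef": {"name": "xld-keystore"}}}}}}

if __name__ == "__main__":
    # Pass a path to `kubectl get ... -o json` output (or /dev/stdin when piping);
    # with no argument the constructed sample is audited.
    cr = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CR
    report = audit_cr(cr)
    for field, state in report.items():
        print(f"{state:14} {field}")
    sys.exit(0 if all(s == "secret-ref" for s in report.values()) else 1)
```

The script prints only field paths and their state, never the values, so its output is safe to keep in CI logs.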