Using Secret References in CR
This topic shows how to replace clear-text values in the custom resource (CR) with secret references.
Note: You can use this feature only for custom updates, and it is not available through the xl kube installation process.
In the Release operator, the following fields support secret references:
spec.auth.adminPassword
spec.license
spec.external.db.main.username
spec.external.db.main.password
spec.external.db.report.username
spec.external.db.report.password
spec.external.mq.username
spec.keystore.keystore
spec.keystore.passphrase
spec.truststore.password
spec.oidc.clientId
spec.oidc.clientSecret
spec.oidc.clientAuthJwt.keyStore.password
spec.oidc.clientAuthJwt.key.password
spec.oidc.accessToken.secretKey
spec.ssl.keystorePassword
spec.ssl.keystoreKeypassword
Steps to Replace Clear-text with Secret References in CR
In this topic, for illustrative purposes, we use the spec.keystore.keystore and spec.keystore.passphrase fields to explain how clear-text is replaced with secret references in the CR.
- Run the following command to get the current keystore values:
kubectl get Digitalaireleases dai-xlr -n digitalai -o jsonpath='{.spec.keystore}'
- Run the following command to create a new secret with the values from the previous response:
kubectl create secret generic xlr-keystore -n digitalai \
--from-literal=keystore=zs7OzgAAAAIAAAABAAAAAwAWZGVwbG95aXQtcGFzc3N3b3JkLWtleQAAAYqzHF0crO0ABXNyADNjb20uc3VuLmNyeXB0by5wcm92aWRlci5TZWFsZWRPYmplY3RGb3JLZXlQcm90ZWN0b3LNV8pZ5zC7UwIAAHhyABlqYXZheC5jcnlwdG8uU2VhbGVkT2JqZWN0PjY9psO3VHACAARbAA1lbmNvZGVkUGFyYW1zdAACW0JbABBlbmNyeXB0ZWRDb250ZW50cQB+AAJMAAlwYXJhbXNBbGd0ABJMamF2YS9sYW5nL1N0cmluZztMAAdzZWFsQWxncQB+AAN4cHVyAAJbQqzzF/gGCFTgAgAAeHAAAAARMA8ECNNyGqIOBMilAgMDDUB1cQB+AAUAAACQi1cIQB/VetbbVwuLvnpkJoAYpIldYJVCPJF8CDhPWUT070Sih/D79VGhgJymi+JrpHGzaSktmEAqjgicsb9QgVa96tLHmMuvOmCBUx2SbVr9bB4L0UQ9g64+qNpmZz5LzlPOj2OUWwcqRrYYoNU2AjmFabWRiS2cuZwS5BnnJUajuGOrk09r41Rz4uCNRrVHdAAWUEJFV2l0aE1ENUFuZFRyaXBsZURFU3QAFlBCRVdpdGhNRDVBbmRUcmlwbGVERVNd8qtG/jgaTQ82zLM9SM15Pkc17w== \
--from-literal=passphrase=hK01yZ2bqVYTLCTq
- Update the CR with references to the new secret, using the keystore-secret-patch.yaml file.
cat << EOF > keystore-secret-patch.yaml
spec:
  keystore:
    keystore:
      valueFrom:
        secretKeyRef:
          name: xlr-keystore
          key: keystore
    passphrase:
      valueFrom:
        secretKeyRef:
          name: xlr-keystore
          key: passphrase
EOF
kubectl patch -n digitalai digitalaireleases.xlr.digital.ai dai-xlr \
--type=merge --patch-file keystore-secret-patch.yaml
- The pods will now restart with new references to the secrets.
- Run the following command to check the CR values; they now contain a reference to the secret:
kubectl get Digitalaireleases dai-xlr -n digitalai -o jsonpath='{.spec.keystore}'
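The same procedure as a script, as an added example that is not part of the product documentation: it copies the values from the CR into the Secret through a private temporary directory instead of --from-literal, so they do not land in shell history or the process list. It uses one JSON patch (--type=json) rather than the merge patch shown above so that several fields change in a single update; the function names are hypothetical, and the namespace, CR and Secret names are the ones used above.

```bash
#!/usr/bin/env bash
# Added example, not from the product documentation. Function names are
# hypothetical; namespace and CR are the ones used on this page.
NS="${NS:-digitalai}"
CR="${CR:-digitalaireleases.xlr.digital.ai/dai-xlr}"

# secret_ref_patch SECRET FIELD_PATH...
# Print one JSON patch that replaces each dotted FIELD_PATH with a
# secretKeyRef to SECRET. The Secret key is the last path segment, so the
# fields passed in one call must end in distinct names.
secret_ref_patch() {
  local secret="$1" path sep=""
  shift
  printf '['
  for path in "$@"; do
    printf '%s{"op":"replace","path":"/%s","value":{"valueFrom":{"secretKeyRef":{"name":"%s","key":"%s"}}}}' \
      "$sep" "$(printf '%s' "$path" | tr . /)" "$secret" "${path##*.}"
    sep=","
  done
  printf ']\n'
}

# migrate_fields SECRET FIELD_PATH...
# Copy each clear-text value from the CR into SECRET, then patch the CR.
# Values travel CR -> private temp dir -> Secret and never appear in argv.
migrate_fields() {
  local secret="$1" dir path key rc
  shift
  dir=$(mktemp -d) || return 1            # mktemp -d creates the dir mode 0700
  for path in "$@"; do
    key="${path##*.}"
    kubectl get "$CR" -n "$NS" -o "jsonpath={.$path}" > "$dir/$key" &&
      [ -s "$dir/$key" ] || { rm -rf "$dir"; return 1; }   # unset field: stop
  done
  # --from-file=DIR stores every file in DIR under its file name as the key
  kubectl create secret generic "$secret" -n "$NS" --from-file="$dir"
  rc=$?
  rm -rf "$dir"                           # remove the clear-text copies
  [ "$rc" -eq 0 ] || return "$rc"
  # The patch holds only references, so it is safe to pass on the command line
  kubectl patch "$CR" -n "$NS" --type=json \
    --patch "$(secret_ref_patch "$secret" "$@")"
}

# Runs only when called with arguments, for example:
#   ./migrate.sh xlr-keystore spec.keystore.keystore spec.keystore.passphrase
if [ "$#" -ge 2 ]; then migrate_fields "$@"; fi
```

Run the final kubectl get command above afterwards to confirm that both fields show a secretKeyRef.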