Version: Release 26.1

Using Secret References in CR

This topic illustrates how to replace clear-text values in the CR with secret references.

Note: You can use this feature only for custom updates. It is not available through the xl kube installation process.

In the Release operator, the following fields support secret references:

  • spec.auth.adminPassword
  • spec.license
  • spec.external.db.main.username
  • spec.external.db.main.password
  • spec.external.db.report.username
  • spec.external.db.report.password
  • spec.keystore.keystore
  • spec.keystore.passphrase
  • spec.truststore.password
  • spec.oidc.clientId
  • spec.oidc.clientSecret
  • spec.oidc.clientAuthJwt.keyStore.password
  • spec.oidc.clientAuthJwt.key.password
  • spec.oidc.accessToken.secretKey
  • spec.ssl.keystorePassword
  • spec.ssl.keystoreKeypassword

Steps to Replace Clear-text with Secret References in CR

This topic uses the spec.keystore.keystore and spec.keystore.passphrase fields to illustrate how clear-text values are replaced with secret references in the CR.

  1. Run the following command to get the current keystore values:
kubectl get Digitalaireleases dai-xlr -n digitalai -o jsonpath='{.spec.keystore}'
  2. Run the following command to create a new secret with the values from the previous response:
kubectl create secret generic xlr-keystore -n digitalai \
  --from-literal=keystore=<keystore-value-from-step-1> \
  --from-literal=passphrase=hK01yZ2bqVYTLCTq
  3. Create the keystore-secret-patch.yaml file with references to the new secret, and patch the CR with it:
cat << EOF >> keystore-secret-patch.yaml
spec:
  keystore:
    keystore:
      valueFrom:
        secretKeyRef:
          name: xlr-keystore
          key: keystore
    passphrase:
      valueFrom:
        secretKeyRef:
          name: xlr-keystore
          key: passphrase
EOF

kubectl patch -n digitalai digitalaireleases.xlr.digital.ai dai-xlr \
  --type=merge --patch-file keystore-secret-patch.yaml
  4. The pods will now restart with new references to the secrets.
  5. Run the following command to verify that the CR values now reference the secret:
kubectl get Digitalaireleases dai-xlr -n digitalai -o jsonpath='{.spec.keystore}'
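
The final check can be extended from the keystore to every field listed at the top of this topic. The script below is an added example, not part of the Digital.ai documentation or operator: it reads the CR as JSON and reports which of those fields are still clear-text, which hold a complete secretKeyRef, and which hold an incomplete one. It assumes references have the valueFrom.secretKeyRef shape shown in the patch above and that an empty string means the field is not configured; the sample CR and the names lookup, classify and audit are constructed for the example.

```python
import json
import sys

# Fields the page lists as supporting secret references in the Release CR.
FIELDS = """
spec.auth.adminPassword spec.license spec.truststore.password
spec.external.db.main.username spec.external.db.main.password
spec.external.db.report.username spec.external.db.report.password
spec.keystore.keystore spec.keystore.passphrase
spec.oidc.clientId spec.oidc.clientSecret spec.oidc.accessToken.secretKey
spec.oidc.clientAuthJwt.keyStore.password spec.oidc.clientAuthJwt.key.password
spec.ssl.keystorePassword spec.ssl.keystoreKeypassword
""".split()

def lookup(doc, dotted):
    """Walk a dotted path through nested dicts; None if a segment is missing."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def classify(value):
    """Return unset, secret-ref, malformed-ref or clear-text for one field value."""
    if value is None or value == "":  # assumption: empty means not configured
        return "unset"
    if not isinstance(value, dict):
        return "clear-text"
    source = value.get("valueFrom")
    ref = source.get("secretKeyRef") if isinstance(source, dict) else None
    if isinstance(ref, dict) and ref.get("name") and ref.get("key"):
        return "secret-ref"
    return "malformed-ref"

def audit(cr):
    """Return {field: status} for every listed field that is set in the CR."""
    statuses = {f: classify(lookup(cr, f)) for f in FIELDS}
    return {f: s for f, s in statuses.items() if s != "unset"}

# Constructed sample: keystore migrated as in the steps above, admin password not.
REF = {"valueFrom": {"secretKeyRef": {"name": "xlr-keystore", "key": "keystore"}}}
SAMPLE_CR = {"spec": {"auth": {"adminPassword": "constructed-password"},
                      "keystore": {"keystore": REF, "passphrase": {"valueFrom": {}}}}}

if __name__ == "__main__":
    cr = SAMPLE_CR if sys.stdin.isatty() else json.load(sys.stdin)
    findings = audit(cr)
    for field, status in findings.items():
        print(f"{status:14} {field}")  # field names only, never the values
    sys.exit(1 if any(s != "secret-ref" for s in findings.values()) else 0)
```

To run it against a live CR, pipe the output of kubectl get Digitalaireleases dai-xlr -n digitalai -o json into the script; a non-zero exit status means at least one configured field is not a complete secret reference.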