Kubernetes Secret References
Fuzzball CRD fields that accept credentials — passwords, API keys, TLS certificates, and image pull secrets — support references to Kubernetes Secrets as an alternative to inline plaintext values. Using Secret references keeps credentials out of the CRD and is recommended for production deployments.
Automatic Migration
When the operator reconciles a FuzzballOrchestrate or FuzzballFederate CR that contains
inline plaintext credentials, it automatically migrates them to Secret references:
- The operator detects inline credential fields that do not already have a corresponding
*Refset. - It creates (or updates) a Kubernetes Secret named
fuzzball-credentials-{cr-name}in thefuzzball-systemnamespace containing all the plaintext values. - It patches the CR to replace each inline value with a
*Refpointing to that Secret and clears the plaintext value from the CR.
Existing deployments with inline credentials are migrated automatically on the next reconcile after upgrading — no manual action is required.
Some SecretKeyReference (*Ref) fields are auto-migrated. TLS secrets (secretName) and image
pull secrets (credentialsSecretName) are never auto-migrated because they require a specific
Secret type — see the per-field table below for per-field behavior.
Reference Patterns
SecretKeyReference (*Ref fields)
Used for individual credential values: passwords, API keys, SSH keys. Points to a specific key within a generic Kubernetes Secret.
keycloak:
create:
passwordRef:
name: my-secret
key: keycloak-password
namespace: fuzzball-system # optional — defaults to fuzzball-system
Create the Secret:
$ kubectl create secret generic my-secret \
--from-literal=keycloak-password=my-secure-password \
-n fuzzball-system
TLS Secret (secretName fields)
Used for TLS certificate/key pairs. Points to a kubernetes.io/tls Secret containing tls.crt
and tls.key.
keycloak:
create:
ingress:
tls:
secretName: keycloak-tls
Create the Secret:
$ kubectl create secret tls keycloak-tls \
--cert=path/to/tls.crt \
--key=path/to/tls.key \
-n fuzzball-system
Image Pull Secret (credentialsSecretName fields)
Used for container registry credentials. Points to a kubernetes.io/dockerconfigjson Secret.
image:
credentialsSecretName: depot-pull-secret
Create the Secret:
$ kubectl create secret docker-registry depot-pull-secret \
--docker-server=depot.ciq.com \
--docker-username=my-depot-user \
--docker-password=my-depot-token \
-n fuzzball-system
Fields That Support Secret References
Image
| Field | Pattern | Replaces | Auto-migrated |
|---|---|---|---|
image.credentialsSecretName | Image pull secret | image.username + image.password | No |
Database
| Field | Pattern | Replaces | Auto-migrated |
|---|---|---|---|
database.external.credentials.passwordRef | SecretKeyReference | credentials.password | Yes |
database.external.certificate.caCertRef | SecretKeyReference | certificate.caCert | No |
database.external.certificate.clientCertRef | SecretKeyReference | certificate.clientCert | No |
database.external.certificate.clientKeyRef | SecretKeyReference | certificate.clientKey | No |
Keycloak
| Field | Pattern | Replaces | Auto-migrated |
|---|---|---|---|
keycloak.create.passwordRef | SecretKeyReference | keycloak.create.password | Yes |
keycloak.create.defaultUserPasswordRef | SecretKeyReference | keycloak.create.defaultUserPassword | Yes |
keycloak.create.ldap.bindPasswordRef | SecretKeyReference | keycloak.create.ldap.bindPassword | Yes |
keycloak.create.ingress.tls.secretName | TLS secret | ingress.tls.cert + ingress.tls.key | No |
keycloak.external.passwordRef | SecretKeyReference | keycloak.external.password | Yes |
Slurm / PBS Provisioner
| Field | Pattern | Replaces | Auto-migrated |
|---|---|---|---|
fuzzball.orchestrator.provisioner.slurm.passwordRef | SecretKeyReference | slurm.password | Yes |
fuzzball.orchestrator.provisioner.slurm.sshPrivateKeyPemRef | SecretKeyReference | slurm.sshPrivateKeyPem | Yes |
fuzzball.orchestrator.provisioner.slurm.sshPrivateKeyPassPhraseRef | SecretKeyReference | slurm.sshPrivateKeyPassPhrase | Yes |
fuzzball.orchestrator.provisioner.pbs.passwordRef | SecretKeyReference | pbs.password | Yes |
fuzzball.orchestrator.provisioner.pbs.sshPrivateKeyPemRef | SecretKeyReference | pbs.sshPrivateKeyPem | Yes |
fuzzball.orchestrator.provisioner.pbs.sshPrivateKeyPassPhraseRef | SecretKeyReference | pbs.sshPrivateKeyPassPhrase | Yes |
AWS Provisioner
| Field | Pattern | Replaces | Auto-migrated |
|---|---|---|---|
fuzzball.orchestrator.provisioner.aws.sshPrivateKeyPemRef | SecretKeyReference | aws.sshPrivateKeyPem | Yes |
fuzzball.orchestrator.provisioner.aws.depotAccessTokenRef | SecretKeyReference | aws.depotAccessToken | Yes |
Other
| Field | Pattern | Replaces | Auto-migrated |
|---|---|---|---|
fuzzball.config.jwtKeyRef | SecretKeyReference | fuzzball.config.jwtKey | Yes |
fuzzball.agent.workflowGenerate.fuzzAIKeyRef | SecretKeyReference | fuzzball.agent.workflowGenerate.fuzzAIKey | Yes |
fuzzball.clusterAdmin.setup.storageDriverCredentialsContentRef | SecretKeyReference | storageDriverCredentialsContent | Yes |
fuzzball.clusterAdmin.setup.storageDriverAccessKeyIdRef | SecretKeyReference | storageDriverAccessKeyId | Yes |
fuzzball.clusterAdmin.setup.storageDriverSecretAccessKeyRef | SecretKeyReference | storageDriverSecretAccessKey | Yes |
Cross-Namespace References
By default the operator looks for Secrets in fuzzball-system. To use a Secret from another
namespace, set the optional namespace field:
keycloak:
create:
passwordRef:
name: my-secret
key: keycloak-password
namespace: my-secrets-namespace
Why Use Secret References
Storing credentials inline in a CRD means they appear in:
kubectl get/kubectl describeoutput- Kubernetes audit logs
- Any etcd backup
Keeping credentials in Secrets limits their exposure to workloads and users that have explicit RBAC access to those Secrets. The operator's auto-migration ensures that even deployments that started with inline credentials are moved to this safer pattern automatically.