CoursesCrossplaneIntermediate

Connection secrets

Deliver endpoints and passwords to apps.

Intermediate10 min · lesson 8 of 12

When Crossplane provisions a database, something has to get the endpoint, username, and password to the app that uses it. Connection secrets are how: a managed or composite resource writes its connection details into a Kubernetes Secret you name, and the application mounts or references that Secret like any other. The developer’s claim asks for the secret; Crossplane fills it once the resource is ready.

claim.yaml
apiVersion: acme.io/v1alpha1
kind: PostgresInstance
metadata: { name: orders-db, namespace: team-orders }
spec:
size: small
writeConnectionSecretToRef:
name: orders-db-conn # Crossplane writes host/port/user/pass here
terminal
$ kubectl get secret orders-db-conn -n team-orders -o jsonpath='{.data}' | jq keys
["endpoint","password","port","username"]
# the app references this Secret — it never sees the provisioning details

Keeping them safe

Connection secrets contain live credentials, so they inherit all the Kubernetes secret concerns: encrypt etcd at rest, restrict who can read Secrets in that namespace with RBAC, and consider routing them into an external store (Vault via the External Secrets Operator) rather than leaving database passwords sitting in cluster Secrets. The convenience of auto-delivered credentials is real; so is the responsibility to protect them.

A connection Secret is a live credential
The Secret Crossplane writes holds a working database password or endpoint token, readable by anyone with get on Secrets in that namespace. Scope that RBAC tightly, encrypt secrets at rest, and do not let connection secrets sprawl into namespaces that do not need them — they are exactly the kind of credential an attacker who lands in the cluster goes looking for.