Connection secrets
Deliver endpoints and passwords to apps.
When Crossplane provisions a database, something has to get the endpoint, username, and password to the app that uses it. Connection secrets are how: a managed or composite resource writes its connection details into a Kubernetes Secret you name, and the application mounts or references that Secret like any other. The developer’s claim asks for the secret; Crossplane fills it once the resource is ready.
apiVersion: acme.io/v1alpha1kind: PostgresInstancemetadata: { name: orders-db, namespace: team-orders }spec:size: smallwriteConnectionSecretToRef:name: orders-db-conn # Crossplane writes host/port/user/pass here
$ kubectl get secret orders-db-conn -n team-orders -o jsonpath='{.data}' | jq keys["endpoint","password","port","username"]# the app references this Secret — it never sees the provisioning details
Keeping them safe
Connection secrets contain live credentials, so they inherit all the Kubernetes secret concerns: encrypt etcd at rest, restrict who can read Secrets in that namespace with RBAC, and consider routing them into an external store (Vault via the External Secrets Operator) rather than leaving database passwords sitting in cluster Secrets. The convenience of auto-delivered credentials is real; so is the responsibility to protect them.