authzed
diff --git a/‎config/crds/authzed.com_spicedbclusters.yaml‎
Lines changed: 66 additions & 0 deletions b/‎config/crds/authzed.com_spicedbclusters.yaml‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎e2e/cluster_test.go‎
Lines changed: 1 addition & 1 deletion b/‎e2e/cluster_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pkg/apis/authzed/v1alpha1/types.go‎
Lines changed: 39 additions & 0 deletions b/‎pkg/apis/authzed/v1alpha1/types.go‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎pkg/apis/authzed/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 50 additions & 0 deletions b/‎pkg/apis/authzed/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 50 additions & 0 deletions
@@ -91,6 +91,72 @@ spec:
                 description: Config values to be passed to the cluster
                 type: object
                 x-kubernetes-preserve-unknown-fields: true
+              credentials:
+                description: |-
+                  Credentials configures per-field secret references for sensitive config.
+                  Mutually exclusive with SecretRef.
+                properties:
+                  datastoreURI:
+                    description: DatastoreURI configures the source for the datastore
+                      connection string.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key within the Secret. Defaults to the standard SpiceDB key
+                          name for this credential (datastore_uri or preshared_key) if omitted.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of the Kubernetes Secret
+                          in the same namespace.
+                        type: string
+                      skip:
+                        description: |-
+                          Skip instructs the operator not to validate or inject this credential.
+                          Use when the credential is provided externally (CSI driver, workload
+                          identity, sidecar proxy). When true, SecretName and Key are ignored.
+                        type: boolean
+                    type: object
+                  migrationSecrets:
+                    description: MigrationSecrets configures the source for the migration
+                      secrets.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key within the Secret. Defaults to the standard SpiceDB key
+                          name for this credential (datastore_uri or preshared_key) if omitted.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of the Kubernetes Secret
+                          in the same namespace.
+                        type: string
+                      skip:
+                        description: |-
+                          Skip instructs the operator not to validate or inject this credential.
+                          Use when the credential is provided externally (CSI driver, workload
+                          identity, sidecar proxy). When true, SecretName and Key are ignored.
+                        type: boolean
+                    type: object
+                  presharedKey:
+                    description: PresharedKey configures the source for the gRPC preshared
+                      key.
+                    properties:
+                      key:
+                        description: |-
+                          Key is the key within the Secret. Defaults to the standard SpiceDB key
+                          name for this credential (datastore_uri or preshared_key) if omitted.
+                        type: string
+                      secretName:
+                        description: SecretName is the name of the Kubernetes Secret
+                          in the same namespace.
+                        type: string
+                      skip:
+                        description: |-
+                          Skip instructs the operator not to validate or inject this credential.
+                          Use when the credential is provided externally (CSI driver, workload
+                          identity, sidecar proxy). When true, SecretName and Key are ignored.
+                        type: boolean
+                    type: object
+                type: object
               patches:
                 description: |-
                   Patches is a list of patches to apply to generated resources.
 
@@ -167,7 +167,7 @@ var _ = Describe("SpiceDBClusters", func() {
 				logr.FromContextOrDiscard(ctx).Info("watch event", "status", c.Status)
 				return condition == nil
 			})
-			Expect(condition).To(EqualCondition(v1alpha1.NewInvalidConfigCondition("", fmt.Errorf("[datastoreEngine is a required field, couldn't find channel for datastore \"\": no channel found for datastore \"\", no update found in channel, secret must be provided]"))))
+			Expect(condition).To(EqualCondition(v1alpha1.NewInvalidConfigCondition("", fmt.Errorf("[datastoreEngine is a required field, couldn't find channel for datastore \"\": no channel found for datastore \"\", no update found in channel, credentials or secretName must be provided]"))))
 		})
 	})
 
 
@@ -93,6 +93,11 @@ type ClusterSpec struct {
 	// +optional
 	SecretRef string `json:"secretName,omitempty"`
 
+	// Credentials configures per-field secret references for sensitive config.
+	// Mutually exclusive with SecretRef.
+	// +optional
+	Credentials *ClusterCredentials `json:"credentials,omitempty"`
+
 	// Patches is a list of patches to apply to generated resources.
 	// If multiple patches apply to the same object and field, later patches
 	// in the list take precedence over earlier ones.
@@ -106,6 +111,40 @@ type ClusterSpec struct {
 	BaseImage string `json:"baseImage,omitempty"`
 }
 
+// ClusterCredentials configures where the operator reads sensitive credentials.
+type ClusterCredentials struct {
+	// DatastoreURI configures the source for the datastore connection string.
+	// +optional
+	DatastoreURI *CredentialRef `json:"datastoreURI,omitempty"`
+
+	// PresharedKey configures the source for the gRPC preshared key.
+	// +optional
+	PresharedKey *CredentialRef `json:"presharedKey,omitempty"`
+
+	// MigrationSecrets configures the source for the migration secrets.
+	// +optional
+	MigrationSecrets *CredentialRef `json:"migrationSecrets,omitempty"`
+}
+
+// CredentialRef describes where to read a single credential value.
+// Either SecretName must be set, or Skip must be true.
+type CredentialRef struct {
+	// SecretName is the name of the Kubernetes Secret in the same namespace.
+	// +optional
+	SecretName string `json:"secretName,omitempty"`
+
+	// Key is the key within the Secret. Defaults to the standard SpiceDB key
+	// name for this credential (datastore_uri or preshared_key) if omitted.
+	// +optional
+	Key string `json:"key,omitempty"`
+
+	// Skip instructs the operator not to validate or inject this credential.
+	// Use when the credential is provided externally (CSI driver, workload
+	// identity, sidecar proxy). When true, SecretName and Key are ignored.
+	// +optional
+	Skip bool `json:"skip,omitempty"`
+}
+
 // Patch represents a single change to apply to generated manifests
 type Patch struct {
 	// Kind targets an object by its kubernetes Kind name.