emqx · keynslug · Apr 24, 2026 · Apr 23, 2026
diff --git a/api/v3beta1/emqx_types_spec.go b/api/v3beta1/emqx_types_spec.go
@@ -43,10 +43,6 @@ type EMQXSpec struct {
 	// More info: https://kubernetes.io/docs/concepts/security/service-accounts
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
-	// Bootstrap API keys to access EMQX API.
-	// Cannot be updated.
-	BootstrapAPIKeys []BootstrapAPIKey `json:"bootstrapAPIKeys,omitempty"`
-
 	// EMQX Configuration.
 	Config Config `json:"config,omitempty"`
 
@@ -79,31 +75,6 @@ type EMQXSpec struct {
 	ListenersServiceTemplate *ServiceTemplate `json:"listenersServiceTemplate,omitempty"`
 }
 
-type BootstrapAPIKey struct {
-	// +kubebuilder:validation:Pattern:=`^[a-zA-Z\d-_]+$`
-	Key string `json:"key,omitempty"`
-	// +kubebuilder:validation:MinLength:=3
-	// +kubebuilder:validation:MaxLength:=128
-	Secret string `json:"secret,omitempty"`
-	// Reference to a Secret entry containing the EMQX API Key.
-	SecretRef *SecretRef `json:"secretRef,omitempty"`
-}
-
-type SecretRef struct {
-	// Reference to a Secret entry containing the EMQX API Key.
-	Key KeyRef `json:"key"`
-	// Reference to a Secret entry containing the EMQX API Key's secret.
-	Secret KeyRef `json:"secret"`
-}
-
-type KeyRef struct {
-	// Name of the Secret object.
-	SecretName string `json:"secretName"`
-	// Entry within the Secret data.
-	// +kubebuilder:validation:Pattern:=`^[a-zA-Z\d-_]+$`
-	SecretKey string `json:"secretKey"`
-}
-
 type Config struct {
 	// Determines how configuration updates are applied.
 	// * `Merge`: Merge the new configuration into the existing configuration.

diff --git a/api/v3beta1/zz_generated.deepcopy.go b/api/v3beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/apps.emqx.io_emqxes.yaml b/config/crd/bases/apps.emqx.io_emqxes.yaml
@@ -48,59 +48,6 @@ spec:
           spec:
             description: Specification of the desired state of the EMQX cluster.
             properties:
-              bootstrapAPIKeys:
-                description: |-
-                  Bootstrap API keys to access EMQX API.
-                  Cannot be updated.
-                items:
-                  properties:
-                    key:
-                      pattern: ^[a-zA-Z\d-_]+$
-                      type: string
-                    secret:
-                      maxLength: 128
-                      minLength: 3
-                      type: string
-                    secretRef:
-                      description: Reference to a Secret entry containing the EMQX
-                        API Key.
-                      properties:
-                        key:
-                          description: Reference to a Secret entry containing the
-                            EMQX API Key.
-                          properties:
-                            secretKey:
-                              description: Entry within the Secret data.
-                              pattern: ^[a-zA-Z\d-_]+$
-                              type: string
-                            secretName:
-                              description: Name of the Secret object.
-                              type: string
-                          required:
-                          - secretKey
-                          - secretName
-                          type: object
-                        secret:
-                          description: Reference to a Secret entry containing the
-                            EMQX API Key's secret.
-                          properties:
-                            secretKey:
-                              description: Entry within the Secret data.
-                              pattern: ^[a-zA-Z\d-_]+$
-                              type: string
-                            secretName:
-                              description: Name of the Secret object.
-                              type: string
-                          required:
-                          - secretKey
-                          - secretName
-                          type: object
-                      required:
-                      - key
-                      - secret
-                      type: object
-                  type: object
-                type: array
               clusterDomain:
                 default: cluster.local
                 description: Kubernetes cluster domain.

diff --git a/docs/en_US/reference/v3beta1-reference.md b/docs/en_US/reference/v3beta1-reference.md
@@ -13,24 +13,6 @@ Package v3beta1 contains API Schema definitions for the apps.emqx.io v3beta1 API
 
 
 
-#### BootstrapAPIKey
-
-
-
-
-
-
-
-_Appears in:_
-- [EMQXSpec](#emqxspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `key` _string_ |  |  | Pattern: `^[a-zA-Z\d-_]+$` <br /> |
-| `secret` _string_ |  |  | MaxLength: 128 <br />MinLength: 3 <br /> |
-| `secretRef` _[SecretRef](#secretref)_ | Reference to a Secret entry containing the EMQX API Key. |  |  |
-
-
 #### Config
 
 
@@ -279,7 +261,6 @@ _Appears in:_
 | `imagePullPolicy` _[PullPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#pullpolicy-v1-core)_ | Container image pull policy.<br />One of `Always`, `Never`, `IfNotPresent`.<br />Defaults to `Always` if `:latest` tag is specified, or `IfNotPresent` otherwise.<br />More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |  |  |
 | `imagePullSecrets` _[LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#localobjectreference-v1-core) array_ | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec.<br />If specified, these secrets will be passed to individual puller implementations for them to use.<br />More info: https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod |  |  |
 | `serviceAccountName` _string_ | ServiceAccount name.<br />Managed ReplicaSets and StatefulSets are associated with the specified ServiceAccount for authentication purposes.<br />More info: https://kubernetes.io/docs/concepts/security/service-accounts |  |  |
-| `bootstrapAPIKeys` _[BootstrapAPIKey](#bootstrapapikey) array_ | Bootstrap API keys to access EMQX API.<br />Cannot be updated. |  |  |
 | `config` _[Config](#config)_ | EMQX Configuration. |  |  |
 | `clusterDomain` _string_ | Kubernetes cluster domain. | cluster.local |  |
 | `revisionHistoryLimit` _integer_ | Number of old ReplicaSets to retain to allow rollback. | 3 |  |
@@ -353,23 +334,6 @@ _Appears in:_
 | `Disabled` |  |
 
 
-#### KeyRef
-
-
-
-
-
-
-
-_Appears in:_
-- [SecretRef](#secretref)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `secretName` _string_ | Name of the Secret object. |  |  |
-| `secretKey` _string_ | Entry within the Secret data. |  | Pattern: `^[a-zA-Z\d-_]+$` <br /> |
-
-
 #### NodeEvacuationStatus
 
 
@@ -432,23 +396,6 @@ _Appears in:_
 | `maxSurge` _[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.32/#intorstring-intstr-util)_ | MaxSurge is the number of extra replicant pods allowed above the desired replica count on the<br />new ReplicaSet during a template rollout. Integers are absolute; strings are percentages of desired replicas.<br />Defaults to 0. |  | XIntOrString: \{\} <br /> |
 
 
-#### SecretRef
-
-
-
-
-
-
-
-_Appears in:_
-- [BootstrapAPIKey](#bootstrapapikey)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `key` _[KeyRef](#keyref)_ | Reference to a Secret entry containing the EMQX API Key. |  |  |
-| `secret` _[KeyRef](#keyref)_ | Reference to a Secret entry containing the EMQX API Key's secret. |  |  |
-
-
 #### ServiceTemplate
 
 

diff --git a/internal/controller/add_bootstrap_resource.go b/internal/controller/add_bootstrap_resource.go
@@ -1,8 +1,6 @@
 package controller
 
 import (
-	"context"
-
 	emperror "emperror.dev/errors"
 	corev1 "k8s.io/api/core/v1"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
@@ -20,67 +18,27 @@ type addBootstrap struct {
 }
 
 func (a *addBootstrap) reconcile(r *reconcileRound, instance *crd.EMQX) subResult {
-	bootstrapAPIKeys, err := a.getAPIKeyString(r.ctx, instance)
-	if err != nil {
-		return subResult{err: emperror.Wrap(err, "failed to get bootstrap api keys")}
-	}
-
 	for _, resource := range []client.Object{
 		generateNodeCookieSecret(instance, r.conf),
-		generateBootstrapAPIKeySecret(instance, bootstrapAPIKeys),
+		generateBootstrapAPIKeySecret(instance),
 	} {
 		if err := ctrl.SetControllerReference(instance, resource, a.Scheme); err != nil {
 			return subResult{err: emperror.Wrap(err, "failed to set controller reference")}
 		}
 		if err := a.Create(r.ctx, resource); err != nil {
 			if !k8sErrors.IsAlreadyExists(err) {
-				return subResult{err: emperror.Wrap(err, "failed to create bootstrap configMap")}
+				return subResult{err: emperror.Wrap(err, "failed to create bootstrap secret")}
 			}
 		}
 	}
 
 	return subResult{}
 }
 
-func (a *addBootstrap) getAPIKeyString(ctx context.Context, instance *crd.EMQX) (string, error) {
-	var bootstrapAPIKeys string
-
-	for _, apiKey := range instance.Spec.BootstrapAPIKeys {
-		if apiKey.SecretRef != nil {
-			keyValue, err := a.readSecret(ctx, instance, apiKey.SecretRef.Key.SecretName, apiKey.SecretRef.Key.SecretKey)
-			if err != nil {
-				return "", err
-			}
-			secretValue, err := a.readSecret(ctx, instance, apiKey.SecretRef.Secret.SecretName, apiKey.SecretRef.Secret.SecretKey)
-			if err != nil {
-				return "", err
-			}
-			bootstrapAPIKeys += keyValue + ":" + secretValue + "\n"
-		} else {
-			bootstrapAPIKeys += apiKey.Key + ":" + apiKey.Secret + "\n"
-		}
-	}
-
-	return bootstrapAPIKeys, nil
-}
-
-func (a *addBootstrap) readSecret(ctx context.Context, instance *crd.EMQX, name string, key string) (string, error) {
-	secret := &corev1.Secret{}
-	if err := a.Client.Get(ctx, instance.NamespacedName(name), secret); err != nil {
-		return "", emperror.Wrap(err, "failed to get secret")
-	}
-
-	if _, ok := secret.Data[key]; !ok {
-		return "", emperror.NewWithDetails("secret does not contain the key", "secret", secret.Name, "key", key)
-	}
-
-	return string(secret.Data[key]), nil
-}
-
-func generateBootstrapAPIKeySecret(instance *crd.EMQX, bootstrapAPIKeys string) *corev1.Secret {
-	defPassword, _ := password.Generate(64, 10, 0, true, true)
-	bootstrapAPIKeys += resources.DefaultBootstrapAPIKey + ":" + defPassword
-	return resources.BootstrapAPIKey(instance).Secret(bootstrapAPIKeys)
+func generateBootstrapAPIKeySecret(instance *crd.EMQX) *corev1.Secret {
+	password, _ := password.Generate(64, 10, 0, true, true)
+	content := resources.DefaultBootstrapAPIKey + ":" + password
+	return resources.BootstrapAPIKey(instance).Secret(content)
 }
 
 func generateNodeCookieSecret(instance *crd.EMQX, conf *config.EMQX) *corev1.Secret {