Volume
The primary entry point for applications is by mounting a secret into a Pod
object’s volume
set. This is done by using Kubernetes'
EphemeralVolumeSource
type.
For example:
---
apiVersion: v1
kind: Pod
metadata:
name: example-secret-consumer
spec:
volumes:
- name: secret
ephemeral:
volumeClaimTemplate:
metadata:
annotations:
secrets.stackable.tech/class: secret (1)
secrets.stackable.tech/scope: node (2)
spec:
storageClassName: secrets.stackable.tech (3)
accessModes: (4)
- ReadWriteOnce
resources: (4)
requests:
storage: "1"
containers:
- name: ubuntu
volumeMounts:
- name: tls (5)
mountPath: /tls
1 | This secret is provided by the SecretClass named tls |
2 | This secret should be scoped by the intersection of node , pod , and the service named secret-consumer |
3 | Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume |
4 | Kubernetes requires us to specify some boilerplate settings for a PersistentVolumeClaim to be well-formed |
5 | The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the /tls directory of the container. |
Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone PersistentVolumeClaim objects.
|
Attributes
secrets.stackable.tech/class
Required: true
Backends: All
The name of the SecretClass
that is responsible for providing this secret.
secrets.stackable.tech/scope
Required: false
Default value: no scopes
Backends: All
The scopes used to select or provision the secret. Multiple scopes should be separated by commas (,
), and scope parameters are separated by equals signs (=
) where applicable.
secrets.stackable.tech/kerberos.service.names
Required: false
Default value: HTTP
Backends: secretclass.adoc#backend-kerberoskeytab
The service names to be prepended to the provisioned principals. The provisioned principals will have the form service/scope@realm
. Multiple service names should
be separated by commas (,
).