Volume

The primary entry point for applications is by mounting a secret into a Pod object’s volume set. This is done by using Kubernetes' EphemeralVolumeSource type. For example:

---
apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: secret
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: secret (1)
              secrets.stackable.tech/scope: node (2)
          spec:
            storageClassName: secrets.stackable.tech (3)
            accessModes: (4)
              - ReadWriteOnce
            resources: (4)
              requests:
                storage: "1"
  containers:
    - name: ubuntu
      volumeMounts:
        - name: tls (5)
          mountPath: /tls
1 This secret is provided by the SecretClass named tls
2 This secret should be scoped by the intersection of node, pod, and the service named secret-consumer
3 Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume
4 Kubernetes requires us to specify some boilerplate settings for a PersistentVolumeClaim to be well-formed
5 The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the /tls directory of the container.
Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone PersistentVolumeClaim objects.

Attributes

secrets.stackable.tech/class

Required: true

Backends: All

The name of the SecretClass that is responsible for providing this secret.

secrets.stackable.tech/scope

Required: false

Default value: no scopes

Backends: All

The scopes used to select or provision the secret. Multiple scopes should be separated by commas (,), and scope parameters are separated by equals signs (=) where applicable.

secrets.stackable.tech/format

Required: false

Default value: default format of backend

Backends: All

The format that the secret should be written as.

This can be either the default output format of the backend, or a format that it defines a conversion into.

secrets.stackable.tech/kerberos.service.names

Required: false

Default value: HTTP

Backends: secretclass.adoc#backend-kerberoskeytab

The service names to be prepended to the provisioned principals. The provisioned principals will have the form service/scope@realm. Multiple service names should be separated by commas (,).