Volume

The primary entry point for applications is by mounting a secret into a Pod object’s volume set. This is done by using Kubernetes' EphemeralVolumeSource type. For example:

---
apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: secret
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: secret (1)
              secrets.stackable.tech/scope: node (2)
          spec:
            storageClassName: secrets.stackable.tech (3)
            accessModes: (4)
              - ReadWriteOnce
            resources: (4)
              requests:
                storage: "1"
  containers:
    - name: ubuntu
      volumeMounts:
        - name: tls (5)
          mountPath: /tls

1	This secret is provided by the `SecretClass` named `tls`
2	This secret should be scoped by the intersection of `node`, `pod`, and the `service` named `secret-consumer`
3	Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume
4	Kubernetes requires us to specify some boilerplate settings for a `PersistentVolumeClaim` to be well-formed
5	The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the `/tls` directory of the container.

Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone PersistentVolumeClaim objects.

Attributes

`secrets.stackable.tech/class`

Required: true

Backends: All

The name of the SecretClass that is responsible for providing this secret.

`secrets.stackable.tech/scope`

Required: false

Default value: no scopes

Backends: All

The scopes used to select or provision the secret. Multiple scopes should be separated by commas (,), and scope parameters are separated by equals signs (=) where applicable.

`secrets.stackable.tech/format`

Required: false

Default value: default format of backend

Backends: All

The format that the secret should be written as.

This can be either the default output format of the backend, or a format that it defines a conversion into.

`secrets.stackable.tech/backend.autotls.cert.lifetime`

Required: false

Default value: 1d

Backends: secretclass.adoc#backend-autotls

The lifetime of the created certificate. Please note that you can not request a lifetime longer than allowed by maxCertificateLifetime on the SecretClass. If you do so, maxCertificateLifetime will be used as the certificate lifetime, to adhere to the requirements set by the administrator who created the SecretClass.

The format is documented in Duration format.

`secrets.stackable.tech/backend.autotls.cert.restart-buffer`

Required: false

Default value: 6h

Backends: secretclass.adoc#backend-autotls

The amount of time the Pod using the cert gets restarted before the cert expires. Keep in mind that there can be multiple Pods - such as 80 datanodes - trying to shut down at the same time. It can take some hours until all Pods are restarted in a rolling fashion.

The format is documented in Duration format.

`secrets.stackable.tech/kerberos.service.names`

Required: false

Default value: HTTP

Backends: secretclass.adoc#backend-kerberoskeytab

The service names to be prepended to the provisioned principals. The provisioned principals will have the form service/scope@realm. Multiple service names should be separated by commas (,).