Usage

The operator injects secret data into Volume mounts that declare a CSI volume with driver: secrets.stackable.tech.

A minimal secret-consuming Pod looks like this:

---
apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: secret
              secrets.stackable.tech/scope: node,pod,service=secret-consumer-nginx
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: ubuntu
      image: ubuntu
      stdin: true
      tty: true
      volumeMounts:
        - name: tls
          mountPath: /tls

A SecretClass defines where the secrets come from. For example, the following SecretClass issues TLS certificates, storing its CA certificate in the Kubernetes Secret object named secret-provisioner-tls-ca:

---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-tls-ca
          namespace: default
        autoGenerate: true
      maxCertificateLifetime: 15d
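
An added example, not part of the Stackable documentation or the operator's code: a small Python check that finds the secret volumes in a Pod manifest by the storage class and annotations shown above, parses the scope list, and reports volumes whose class is not among the SecretClass names supplied or that no container mounts. The function names, the finding messages and the POD sample (constructed from the Pod above) are assumptions made for illustration.

```python
STORAGE_CLASS = "secrets.stackable.tech"
CLASS_KEY = "secrets.stackable.tech/class"
SCOPE_KEY = "secrets.stackable.tech/scope"

def secret_volumes(pod):
    """Yield (volume name, class, [(scope kind, parameter)]) per secret volume."""
    for vol in pod.get("spec", {}).get("volumes", []):
        tpl = vol.get("ephemeral", {}).get("volumeClaimTemplate", {})
        if tpl.get("spec", {}).get("storageClassName") != STORAGE_CLASS:
            continue  # not provisioned by the secret operator
        ann = tpl.get("metadata", {}).get("annotations", {})
        scopes = []
        for item in ann.get(SCOPE_KEY, "").split(","):
            if item.strip():
                kind, _, param = item.strip().partition("=")
                scopes.append((kind, param or None))
        yield vol["name"], ann.get(CLASS_KEY), scopes

def lint(pod, known_classes):
    """Return findings for secret volumes that cannot resolve or are unused."""
    mounted = {m["name"] for c in pod["spec"].get("containers", [])
               for m in c.get("volumeMounts", [])}
    findings = []
    for name, cls, _scopes in secret_volumes(pod):
        if cls is None:
            findings.append(f"{name}: missing {CLASS_KEY} annotation")
        elif cls not in known_classes:
            findings.append(f"{name}: SecretClass {cls!r} not in known classes")
        if name not in mounted:
            findings.append(f"{name}: declared but not mounted by any container")
    return findings

# Constructed sample: the Pod manifest from this page as a Python dict.
POD = {"spec": {
    "volumes": [{"name": "tls", "ephemeral": {"volumeClaimTemplate": {
        "metadata": {"annotations": {
            CLASS_KEY: "secret",
            SCOPE_KEY: "node,pod,service=secret-consumer-nginx"}},
        "spec": {"storageClassName": STORAGE_CLASS}}}}],
    "containers": [{"name": "ubuntu",
                    "volumeMounts": [{"name": "tls", "mountPath": "/tls"}]}]}}

if __name__ == "__main__":
    for finding in lint(POD, known_classes={"tls"}):
        print(finding)
```

Given only the SecretClass shown above (named tls), the sample Pod's class annotation secret is reported as not among the known classes.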