Volume
The primary entry point for applications is by mounting a secret into a Pod object’s volume set. This is done by using Kubernetes' EphemeralVolumeSource type. For example:
--- apiVersion: v1 kind: Pod metadata: name: example-secret-consumer spec: volumes: - name: secret ephemeral: volumeClaimTemplate: metadata: annotations: secrets.stackable.tech/class: secret (1) secrets.stackable.tech/scope: node (2) spec: storageClassName: secrets.stackable.tech (3) accessModes: (4) - ReadWriteOnce resources: (4) requests: storage: "1" containers: - name: ubuntu volumeMounts: - name: tls (5) mountPath: /tls| 1 | This secret is provided by the SecretClass named tls |
| 2 | This secret should be scoped by the intersection of node, pod, and the service named secret-consumer |
| 3 | Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume |
| 4 | Kubernetes requires us to specify some boilerplate settings for a PersistentVolumeClaim to be well-formed |
| 5 | The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the /tls directory of the container. |
Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone PersistentVolumeClaim objects. |
Attributes
secrets.stackable.tech/class
Required: true
The name of the SecretClass that is responsible for providing this secret.
secrets.stackable.tech/scope
Required: false
Default value: no scopes
The scopes used to select or provision the secret. Multiple scopes should be separated by commas (,), and scope parameters are separated by equals signs (=) where applicable.