Volume
The primary entry point for applications is by mounting a secret into a Pod object’s volume set.
This is done by using Kubernetes' EphemeralVolumeSource type.
For example:
---
apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: secret
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: secret (1)
              secrets.stackable.tech/scope: node,pod,service=secret-consumer (2)
          spec:
            storageClassName: secrets.stackable.tech (3)
            accessModes: (4)
              - ReadWriteOnce
            resources: (4)
              requests:
                storage: "1"
  containers:
    - name: ubuntu
      volumeMounts:
        - name: tls (5)
          mountPath: /tls| 1 | This secret is provided by the SecretClass named tls | 
| 2 | This secret should be scoped by the intersection of node,pod, and theservicenamedsecret-consumer | 
| 3 | Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume | 
| 4 | Kubernetes requires us to specify some boilerplate settings for a PersistentVolumeClaimto be well-formed | 
| 5 | The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the /tlsdirectory of the container. | 
| Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone PersistentVolumeClaim objects. | 
Attributes
secrets.stackable.tech/class
Required: true
Backends: All
The name of the SecretClass that is responsible for providing this secret.
secrets.stackable.tech/scope
Required: false
Default value: no scopes
Backends: All
The scopes used to select or provision the secret. Multiple scopes should be separated by commas (,), and scope parameters are separated by equals signs (=) where applicable.
secrets.stackable.tech/format
Required: false
Default value: default format of backend
Backends: All
The format that the secret should be written as.
This can be either the default output format of the backend, or a format that it defines a conversion into.
secrets.stackable.tech/format.tls-pkcs12.keystore-name
Required: false
Default value: keystore.p12
Backends: secretclass.adoc#backend-autotls
An alternative name for the keystore file.
Has no effect if the format is not tls-pkcs12.
secrets.stackable.tech/format.tls-pkcs12.truststore-name
Required: false
Default value: truststore.p12
Backends: secretclass.adoc#backend-autotls
An alternative name for the truststore file.
Has no effect if the format is not tls-pkcs12.
secrets.stackable.tech/format.tls-pem.cert-name
Required: false
Default value: tls.crt
Backends: secretclass.adoc#backend-autotls
An alternative name for TLS PEM certificate.
Has no effect if the format is not tls-pem.
secrets.stackable.tech/format.tls-pem.key-name
Required: false
Default value: tls.key
Backends: secretclass.adoc#backend-autotls
An alternative name for TLS PEM certificate key.
Has no effect if the format is not tls-pem.
secrets.stackable.tech/format.tls-pem.ca-name
Required: false
Default value: ca.crt
Backends: secretclass.adoc#backend-autotls
An alternative name for TLS PEM certificate authority.
Has no effect if the format is not tls-pem.
secrets.stackable.tech/backend.autotls.cert.lifetime
Required: false
Default value: 1d
Backends: secretclass.adoc#backend-autotls
The lifetime of the created certificate.
Please note that you can not request a lifetime longer than allowed by maxCertificateLifetime on the SecretClass.
If you do so, maxCertificateLifetime will be used as the certificate lifetime, to adhere to the requirements set by the administrator who created the SecretClass.
The format is documented in Duration format.
secrets.stackable.tech/backend.autotls.cert.restart-buffer
Required: false
Default value: 6h
Backends: secretclass.adoc#backend-autotls
The amount of time the Pod using the cert gets restarted before the cert expires. Keep in mind that there can be multiple Pods - such as 80 datanodes - trying to shut down at the same time. It can take some hours until all Pods are restarted in a rolling fashion.
The format is documented in Duration format.
secrets.stackable.tech/backend.autotls.cert.jitter-factor
Required: false
Default value: 0.2
Backends: secretclass.adoc#backend-autotls
Up to this part of the Certificate’s lifetime may be removed for jittering.
Must be within 0.0 and 1.0.
For example, given a requested lifetime of 1 day and a jitter factor of 0.2, the certificate’s lifetime would be shortened by a random amount between 0 and 4.8 hours, leaving a certificate that will be valid for between 19.2 and 24 hours.
Jittering may be disabled by setting the jitter factor to 0.
secrets.stackable.tech/backend.cert-manager.cert.lifetime
Required: false
Default value: 1d (configured by the backend)
Backends: secretclass.adoc#backend-autotls
The lifetime of the created certificate.
The format is documented in Duration format.
secrets.stackable.tech/kerberos.service.names
Required: false
Default value: HTTP
Backends: secretclass.adoc#backend-kerberoskeytab
The service names to be prepended to the provisioned principals.
The provisioned principals will have the form service/scope@realm.
Multiple service names should be separated by commas (,).