Volume

The primary entry point for applications is by mounting a secret into a Pod object’s volume set. This is done by using Kubernetes' EphemeralVolumeSource type. For example:

---
apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: secret
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: secret (1)
              secrets.stackable.tech/scope: node (2)
          spec:
            storageClassName: secrets.stackable.tech (3)
            accessModes: (4)
              - ReadWriteOnce
            resources: (4)
              requests:
                storage: "1"
  containers:
    - name: ubuntu
      volumeMounts:
        - name: tls (5)
          mountPath: /tls

1	This secret is provided by the `SecretClass` named `tls`
2	This secret should be scoped by the intersection of `node`, `pod`, and the `service` named `secret-consumer`
3	Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume
4	Kubernetes requires us to specify some boilerplate settings for a `PersistentVolumeClaim` to be well-formed
5	The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the `/tls` directory of the container.

Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone PersistentVolumeClaim objects.

Attributes

`secrets.stackable.tech/class`

Required: true

The name of the SecretClass that is responsible for providing this secret.

`secrets.stackable.tech/scope`

Required: false

Default value: no scopes

The scopes used to select or provision the secret. Multiple scopes should be separated by commas (,), and scope parameters are separated by equals signs (=) where applicable.