Stackable Secret Operator

This is an operator for Kubernetes that provisions and injects credentials (such as TLS certificates and Kerberos keytabs) into Kubernetes Pods, so that they can authenticate each others' identities.

Kubernetes Secrets contain sensitive payloads such as passwords, tokens or keys. These objects are usually self-contained and static in the sense that their contents remain unchanged as long as their owners do not update them. Kubernetes also has little-to-no built-in support for dealing with Secrets that have to vary depending on details of the target Pod, such as its assigned Node or the individual Pod identity (when created from a template controller, such as a Deployment or StatefulSet).

The Stackable Secret Operator introduces a new mechanism to mount secrets depending on different aspects of the target Pod. It also allows administrators to dictate cluster-wide policies for how these credentials are provisioned. For example, TLS certificates can be provisioned manually (but with the ability to select the correct certificate automatically), by a built-in certificate authority, or by delegating to cert-manager.