The primary entry point for applications is by mounting a secret into a
volume set. This is done by using Kubernetes'
--- apiVersion: v1 kind: Pod metadata: name: example-secret-consumer spec: volumes: - name: secret ephemeral: volumeClaimTemplate: metadata: annotations: secrets.stackable.tech/class: secret (1) secrets.stackable.tech/scope: node (2) spec: storageClassName: secrets.stackable.tech (3) accessModes: (4) - ReadWriteOnce resources: (4) requests: storage: "1" containers: - name: ubuntu volumeMounts: - name: tls (5) mountPath: /tls
|1||This secret is provided by the
|2||This secret should be scoped by the intersection of
|3||Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume|
|4||Kubernetes requires us to specify some boilerplate settings for a
|5||The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the
Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone
The name of the
SecretClass that is responsible for providing this secret.
Default value: no scopes
The scopes used to select or provision the secret. Multiple scopes should be separated by commas (
,), and scope parameters are separated by equals signs (
=) where applicable.
Default value: HTTP
The service names to be prepended to the provisioned principals. The provisioned principals will have the form
service/scope@realm. Multiple service names should
be separated by commas (