The primary entry point for applications is by mounting a secret into a Pod object’s volume set. This is done by using Kubernetes' EphemeralVolumeSource type. For example:

apiVersion: v1
kind: Pod
  name: example-secret-consumer
    - name: secret
              secrets.stackable.tech/class: secret (1)
              secrets.stackable.tech/scope: node (2)
            storageClassName: secrets.stackable.tech (3)
            accessModes: (4)
              - ReadWriteOnce
            resources: (4)
                storage: "1"
    - name: ubuntu
        - name: tls (5)
          mountPath: /tls
1 This secret is provided by the SecretClass named tls
2 This secret should be scoped by the intersection of node, pod, and the service named secret-consumer
3 Tells Kubernetes that the Stackable Secret Operator is responsible for mounting this volume
4 Kubernetes requires us to specify some boilerplate settings for a PersistentVolumeClaim to be well-formed
5 The injected volume can then be mounted into a container, just like any other volume. In this example, the secrets are provided in the /tls directory of the container.
Only ephemeral volumes are supported, the Secret Operator does not support declaring standalone PersistentVolumeClaim objects.



Required: true

Backends: All

The name of the SecretClass that is responsible for providing this secret.


Required: false

Default value: no scopes

Backends: All

The scopes used to select or provision the secret. Multiple scopes should be separated by commas (,), and scope parameters are separated by equals signs (=) where applicable.


Required: false

Default value: default format of backend

Backends: All

The format that the secret should be written as.

This can be either the default output format of the backend, or a format that it defines a conversion into.


Required: false

Default value: 1d

The lifetime of the created certificate. Please note that you can not request a lifetime longer than allowed by maxCertificateLifetime on the SecretClass. If you do so, maxCertificateLifetime will be used as the certificate lifetime, to adhere to the requirements set by the administrator who created the SecretClass.

The format is documented in Duration format.


Required: false

Default value: 6h

The amount of time the Pod using the cert gets restarted before the cert expires. Keep in mind that there can be multiple Pods - such as 80 datanodes - trying to shut down at the same time. It can take some hours until all Pods are restarted in a rolling fashion.

The format is documented in Duration format.


Required: false

Default value: 0.2

Up to this part of the Certificate’s lifetime may be removed for jittering.

Must be within 0.0 and 1.0.

For example, given a requested lifetime of 1 day and a jitter factor of 0.2, the certificate’s lifetime would be shortened by a random amount between 0 and 4.8 hours, leaving a certificate that will be valid for between 19.2 and 24 hours.

Jittering may be disabled by setting the jitter factor to 0.


Required: false

Default value: HTTP

The service names to be prepended to the provisioned principals. The provisioned principals will have the form service/scope@realm. Multiple service names should be separated by commas (,).