Usage

The operator injects secret data into Volume mounts that declare a CSI volume with driver: secrets.stackable.tech.

A minimal secret-consuming Pod looks like this:

---
apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: tls
      # An ephemeral claim on the secrets.stackable.tech StorageClass is provisioned for this Pod
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              # Must name an existing SecretClass (the "tls" class defined below)
              secrets.stackable.tech/class: tls
              # Scopes the issued secret to this node, this Pod and the named Service
              secrets.stackable.tech/scope: node,pod,service=secret-consumer-nginx
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"   # nominal value; the PVC API requires a storage request
  containers:
    - name: ubuntu
      image: ubuntu
      stdin: true
      tty: true
      volumeMounts:
        - name: tls
          mountPath: /tls   # the secret files are written into this directory

A SecretClass defines where the secrets come from. For example, the following SecretClass issues TLS certificates, storing its CA certificate in the Kubernetes Secret object named secret-provisioner-tls-ca:

---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: tls   # referenced by the secrets.stackable.tech/class annotation on the Pod
spec:
  backend:
    autoTls:
      ca:
        secret:
          # Kubernetes Secret that holds the CA certificate
          name: secret-provisioner-tls-ca
          namespace: default
        autoGenerate: true   # generate the CA if the Secret does not exist yet
      maxCertificateLifetime: 15d   # issued certificates are valid for at most 15 days

The default CA lifetime is 365 days. This will be reduced over time.
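As an added example (not the secret-operator's own code), the following Python script checks a Pod manifest like the one above against the SecretClass it names before deployment: the class annotation must refer to a defined SecretClass, the scope list must be well-formed, and maxCertificateLifetime must not exceed the CA lifetime. It assumes only the scopes and the 365-day CA lifetime stated on this page, and embeds both manifests as constructed dicts so it runs without a cluster.

```python
# Added example, not the secret-operator's own code: offline consistency check of a Pod's secrets.stackable.tech claim.
import re
from datetime import timedelta

STORAGE_CLASS = "secrets.stackable.tech"
CLASS_ANN, SCOPE_ANN = "secrets.stackable.tech/class", "secrets.stackable.tech/scope"
CA_LIFETIME = timedelta(days=365)  # assumption: the default CA lifetime stated in the docs
UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
def parse_lifetime(value):
    """'15d' or '12h30m' -> timedelta; anything that is not <int><unit>... is rejected."""
    parts = re.findall(r"(\d+)([dhms])", value)
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"bad duration {value!r}")
    return sum((timedelta(**{UNITS[u]: int(n)}) for n, u in parts), timedelta())

def parse_scope(value):
    """'node,pod,service=x' -> [('node', None), ('pod', None), ('service', 'x')]."""
    scopes = []
    for item in value.split(","):
        kind, _, arg = item.partition("=")
        if kind not in ("node", "pod", "service"):  # assumption: the scopes shown on this page
            raise ValueError(f"unknown scope {kind!r}")
        if (kind == "service") != bool(arg):  # only service takes, and needs, a name
            raise ValueError(f"scope {item!r} is malformed")
        scopes.append((kind, arg or None))
    return scopes

def check_pod(pod, secret_classes):
    problems = []  # an empty result means the Pod's claim is consistent
    for vol in pod["spec"].get("volumes", []):
        claim = vol.get("ephemeral", {}).get("volumeClaimTemplate", {})
        if claim.get("spec", {}).get("storageClassName") != STORAGE_CLASS:
            continue  # not a secret-operator volume
        ann = claim.get("metadata", {}).get("annotations", {})
        cls = secret_classes.get(ann.get(CLASS_ANN))
        if cls is None:
            problems.append(f"{vol['name']}: SecretClass {ann.get(CLASS_ANN)!r} does not exist")
            continue
        try:
            parse_scope(ann.get(SCOPE_ANN, ""))
        except ValueError as e:
            problems.append(f"{vol['name']}: {e}")
        lifetime = cls["spec"]["backend"].get("autoTls", {}).get("maxCertificateLifetime")
        if lifetime and parse_lifetime(lifetime) > CA_LIFETIME:
            problems.append(f"{vol['name']}: maxCertificateLifetime {lifetime} exceeds the CA lifetime")
    return problems
SECRET_CLASSES = {"tls": {"spec": {"backend": {"autoTls": {"maxCertificateLifetime": "15d"}}}}}  # constructed, mirrors the manifests above
POD = {"spec": {"volumes": [{"name": "tls", "ephemeral": {"volumeClaimTemplate": {
    "metadata": {"annotations": {CLASS_ANN: "tls", SCOPE_ANN: "node,pod,service=secret-consumer-nginx"}},
    "spec": {"storageClassName": STORAGE_CLASS}}}}]}}
```

Running `check_pod(POD, SECRET_CLASSES)` on the embedded manifests returns an empty list; a claim that names an undefined class, a malformed scope, or a lifetime longer than the CA's is reported by volume name.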