Usage
The operator injects secret data into Volume mounts that declare a CSI volume with driver: secrets.stackable.tech.
A minimal secret-consuming Pod looks like this:
---
apiVersion: v1
kind: Pod
metadata:
  name: example-secret-consumer
spec:
  volumes:
    - name: tls
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: secret
              secrets.stackable.tech/scope: node,pod,service=secret-consumer-nginx
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: ubuntu
      image: ubuntu
      stdin: true
      tty: true
      volumeMounts:
        - name: tls
          mountPath: /tls
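As an added example (not code from the secret-operator project), a small pre-deployment check that walks a Pod spec and flags secret-operator volumes that lack the class annotation, carry a scope item outside the grammar shown above, or are declared but never mounted. The scope grammar (node, pod, service=<name>, comma-separated) is assumed from the annotation in the manifest, and the manifest is embedded as a dict so the check runs without a YAML parser.

```python
STORAGE_CLASS = "secrets.stackable.tech"
CLASS_ANNOTATION = "secrets.stackable.tech/class"
SCOPE_ANNOTATION = "secrets.stackable.tech/scope"


def parse_scope(scope: str) -> list:
    """Split 'node,pod,service=foo' into [('node', None), ('pod', None), ('service', 'foo')].
    Scope kinds are assumed from the page's example; anything else is rejected."""
    parsed = []
    for item in scope.split(","):
        kind, sep, value = item.strip().partition("=")
        if kind in ("node", "pod") and not sep:
            parsed.append((kind, None))
        elif kind == "service" and value:
            parsed.append((kind, value))
        else:
            raise ValueError(f"malformed scope item {item!r}")
    return parsed


def lint_pod(pod: dict) -> list:
    """Return one finding per problem on secret-operator volumes; [] means the Pod passes."""
    findings = []
    spec = pod.get("spec", {})
    mounted = {m["name"] for c in spec.get("containers", []) for m in c.get("volumeMounts", [])}
    for vol in spec.get("volumes", []):
        tmpl = vol.get("ephemeral", {}).get("volumeClaimTemplate", {})
        if tmpl.get("spec", {}).get("storageClassName") != STORAGE_CLASS:
            continue  # not provisioned by the secret-operator, nothing to check
        ann = tmpl.get("metadata", {}).get("annotations", {})
        if CLASS_ANNOTATION not in ann:
            findings.append(f"{vol['name']}: missing {CLASS_ANNOTATION} annotation")
        if SCOPE_ANNOTATION in ann:
            try:
                parse_scope(ann[SCOPE_ANNOTATION])
            except ValueError as e:
                findings.append(f"{vol['name']}: {e}")
        if vol["name"] not in mounted:
            findings.append(f"{vol['name']}: declared but not mounted by any container")
    return findings


# The page's Pod manifest as a dict (constructed here; accessModes/resources omitted as irrelevant).
EXAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example-secret-consumer"},
    "spec": {
        "volumes": [{"name": "tls", "ephemeral": {"volumeClaimTemplate": {
            "metadata": {"annotations": {CLASS_ANNOTATION: "secret",
                                         SCOPE_ANNOTATION: "node,pod,service=secret-consumer-nginx"}},
            "spec": {"storageClassName": STORAGE_CLASS}}}}],
        "containers": [{"name": "ubuntu", "image": "ubuntu",
                        "volumeMounts": [{"name": "tls", "mountPath": "/tls"}]}]}}
```

Running `lint_pod(EXAMPLE_POD)` on the manifest above returns an empty list; dropping the volumeMount or writing `service` without a name produces a finding.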
A SecretClass defines where the secrets come from. For example, the following SecretClass issues TLS certificates, storing its CA certificate in the Kubernetes Secret object named secret-provisioner-tls-ca:
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-tls-ca
          namespace: default
        autoGenerate: true
      maxCertificateLifetime: 15d
The default CA lifetime is 365 days. This will be reduced over time.