Skip to content

feat: Add annotation to provision public secret data only #676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Techassi wants to merge 4 commits into
base: main
Choose a base branch
from
Open

feat: Add annotation to provision public secret data only #676

Techassi wants to merge 4 commits into from
+386 −244

Conversation

@Techassi
Copy link
Member

@Techassi Techassi commented Feb 6, 2026
edited
Loading

Implements stackabletech/issues#547, based on decision in https://github.com/stackabletech/decisions/issues/78.

This PR introduces a new annotation for secret volumes, called secrets.stackable.tech/tbd which allows users to only request public/non-sensitive data instead of the complete secret material like currently. For backwards compatibility, this defaults to false (potentially different value based on decision).

The following use-cases are now supported:

  • Use the autoTls backend, but only provision the ca.crt/truststore.p12 for the consumer.
  • Use the kerberosKeytab backend, but only provision the krb5.conf for the consumer
  • Use the k8sSearch backend to select Secrets which contain non-sensitive data only and support parsing the partial set of files. Explicitly requesting a format currently fails due to stricter parsing. This strict parsing is disabled when secrets.stackable.tech/tbd is used

The following example details the last use-case mentioned above:

apiVersion: v1
kind: Pod
metadata:
  name: example-just-ca-consumer
spec:
  securityContext:
    fsGroup: 1000
  volumes:
    - name: just-ca
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: just-ca
              # The currently unsupported feature is triggered by explicitly requesting a format
              # and bringing your own ca.crt
              secrets.stackable.tech/format: tls-pkcs12
              # 👇 See here, an actual boolean can not be used here, because of K8s restrictions
              secrets.stackable.tech/tbd: "true"
              # ☝️
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: test
      image: oci.stackable.tech/sdp/testing-tools:0.3.0-stackable0.0.0-dev
      stdin: true
      tty: true
      volumeMounts:
        - name: just-ca
          mountPath: /stackable/tls
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: just-ca
spec:
  backend:
   k8sSearch:
      searchNamespace:
        pod: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: just-ca-secret
  labels:
    secrets.stackable.tech/class: just-ca
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

(Note: The CA was generated by the default tls SecretClass)

@Techassi Techassi self-assigned this Feb 6, 2026
@Techassi Techassi moved this to Development: In Progress in Stackable Engineering Feb 6, 2026
Techassi
Techassi commented Feb 6, 2026
View reviewed changes
Techassi
Techassi commented Feb 12, 2026
View reviewed changes
@Techassi
Copy link
Member Author

Techassi commented Feb 12, 2026

This should basically be ready to go, but is currently blocked on https://github.com/stackabletech/decisions/issues/78.

@Techassi Techassi marked this pull request as ready for review February 12, 2026 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Techassi Techassi

Labels

None yet

Projects

Stackable Engineering
Status: Development: In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Techassi