Skip to content

feat: Add annotation to provision public secret data only#676

Open
Techassi wants to merge 4 commits intomainfrom
feat/provision-public-secret-data-only
Open

feat: Add annotation to provision public secret data only#676
Techassi wants to merge 4 commits intomainfrom
feat/provision-public-secret-data-only

Conversation

@Techassi
Copy link
Member

@Techassi Techassi commented Feb 6, 2026
edited
Loading

Implements stackabletech/issues#547, based on decision in https://github.com/stackabletech/decisions/issues/78.

This PR introduces a new annotation for secret volumes, called secrets.stackable.tech/tbd which allows users to only request public/non-sensitive data instead of the complete secret material like currently. For backwards compatibility, this defaults to false (potentially different value based on decision).

The following use-cases are now supported:

  • Use the autoTls backend, but only provision the ca.crt/truststore.p12 for the consumer.
  • Use the kerberosKeytab backend, but only provision the krb5.conf for the consumer
  • Use the k8sSearch backend to select Secrets which contain non-sensitive data only and support parsing the partial set of files. Explicitly requesting a format currently fails due to stricter parsing. This strict parsing is disabled when secrets.stackable.tech/tbd is used

The following example details the last use-case mentioned above:

apiVersion: v1
kind: Pod
metadata:
  name: example-just-ca-consumer
spec:
  securityContext:
    fsGroup: 1000
  volumes:
    - name: just-ca
      ephemeral:
        volumeClaimTemplate:
          metadata:
            annotations:
              secrets.stackable.tech/class: just-ca
              # The currently unsupported feature is triggered by explicitly requesting a format
              # and bringing your own ca.crt
              secrets.stackable.tech/format: tls-pkcs12
              # 👇 See here, an actual boolean can not be used here, because of K8s restrictions
              secrets.stackable.tech/tbd: "true"
              # ☝️
          spec:
            storageClassName: secrets.stackable.tech
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "1"
  containers:
    - name: test
      image: oci.stackable.tech/sdp/testing-tools:0.3.0-stackable0.0.0-dev
      stdin: true
      tty: true
      volumeMounts:
        - name: just-ca
          mountPath: /stackable/tls
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: just-ca
spec:
  backend:
   k8sSearch:
      searchNamespace:
        pod: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: just-ca-secret
  labels:
    secrets.stackable.tech/class: just-ca
stringData:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

(Note: The CA was generated by the default tls SecretClass)

@Techassi Techassi self-assigned this Feb 6, 2026
@Techassi Techassi moved this to Development: In Progress in Stackable Engineering Feb 6, 2026
Techassi
Techassi commented Feb 6, 2026
View reviewed changes
Techassi
Techassi commented Feb 12, 2026
View reviewed changes
@Techassi
Copy link
Member Author

Techassi commented Feb 12, 2026

This should basically be ready to go, but is currently blocked on https://github.com/stackabletech/decisions/issues/78.

@Techassi Techassi marked this pull request as ready for review February 12, 2026 14:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@Techassi Techassi

Labels

None yet

Projects

Stackable Engineering
Status: Development: In Progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Techassi