@@ -0,0 +1,320 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: secret-operator-deployer-manifests
data:
stackable-secret-operator-scc.yaml: |
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: stackable-secret-operator-scc
annotations:
kubernetes.io/description: SCC for Stackable secret operator
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: true # Needed because otherwise we get spec.template.spec.containers[0].volumeMounts.mountPropagation: Forbidden: Bidirectional mount propagation is available only to privileged containers
allowedCapabilities: null
defaultAddCapabilities: null
fsGroup:
type: RunAsAny
groups: []
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- MKNOD
runAsUser:
type: RunAsAny
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
users: []
volumes:
- downwardAPI
- projected
- hostPath
- emptyDir

csidriver.yaml: |
---
# Source: secret-operator/templates/csidriver.yaml
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: secrets.stackable.tech
labels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
app.kubernetes.io/version: "0.0.0-pr648"
spec:
attachRequired: false
podInfoOnMount: true
fsGroupPolicy: File
volumeLifecycleModes:
- Ephemeral
- Persistent

storageclass.yaml: |
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: secrets.stackable.tech
labels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
app.kubernetes.io/version: "0.0.0-pr648"
provisioner: secrets.stackable.tech

service.yaml: |
---
# Source: secret-operator/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: secret-operator
labels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
app.kubernetes.io/version: "0.0.0-pr648"
spec:
selector:
webhook.stackable.tech/conversion: enabled
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
ports:
- name: conversion-webhook
protocol: TCP
port: 8443
targetPort: 8443

daemonset.yaml: |
---
# Source: secret-operator/templates/csi-node-driver-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: secret-operator-csi-node-driver
labels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
app.kubernetes.io/version: "0.0.0-pr648"
spec:
selector:
matchLabels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
template:
metadata:
annotations:
internal.stackable.tech/image: "oci.stackable.tech/sdp/secret-operator:0.0.0-pr648"
labels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
spec:
# NOTE (@Techassi): Does it maybe make sense to have two different service accounts?
serviceAccountName: secret-operator-serviceaccount
securityContext: {}
containers:
- name: csi-node-service
securityContext:
privileged: true
runAsUser: 0
image: "oci.stackable.tech/sdp/secret-operator:0.0.0-pr648"
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
# The arguments passed to the command being run in the container. The final command will
# look like `secret-operator run csi-server [OPTIONS]`. The CSI server needs to run on
# every Kubernetes cluster node and as such is deployed as a DaemonSet.
args:
- run
- csi-node-service
env:
# The following env vars are passed as clap (think CLI) arguments to the operator.
# They are picked up by clap using the structs defied in the operator.
# (which is turn pulls in https://github.com/stackabletech/operator-rs/blob/main/crates/stackable-operator/src/cli.rs)
# You can read there about the expected values and purposes.
- name: CSI_ENDPOINT
value: /csi/csi.sock
- name: PRIVILEGED
value: "true"
# Sometimes products need to know the operator image, e.g. the opa-bundle-builder OPA
# sidecar uses the operator image.
- name: OPERATOR_IMAGE
# Tilt can use annotations as image paths, but not env variables
valueFrom:
fieldRef:
fieldPath: metadata.annotations['internal.stackable.tech/image']
# Namespace the operator Pod is running in, e.g. used to construct the conversion
# webhook endpoint.
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# The name of the Kubernetes Service that point to the operator Pod, e.g. used to
# construct the conversion webhook endpoint.
- name: OPERATOR_SERVICE_NAME
value: secret-operator
# Operators need to know the node name they are running on, to e.g. discover the
# Kubernetes domain name from the kubelet API.
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
# The namespace that the TLS Certificate Authority is installed into.
# Internally defaults to the namespace where secret-operator is installed.
volumeMounts:
- name: csi
mountPath: /csi
- name: mountpoint
mountPath: /var/lib/kubelet/pods
mountPropagation: Bidirectional
- name: tmp
mountPath: /tmp
- name: external-provisioner
image: "oci.stackable.tech/sdp/sig-storage/csi-provisioner:v5.3.0"
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
args:
- --csi-address=/csi/csi.sock
- --feature-gates=Topology=true
- --extra-create-metadata
volumeMounts:
- name: csi
mountPath: /csi
- name: node-driver-registrar
image: "oci.stackable.tech/sdp/sig-storage/csi-node-driver-registrar:v2.15.0"
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
args:
- --csi-address=/csi/csi.sock
- --kubelet-registration-path=/var/lib/kubelet/plugins/secrets.stackable.tech/csi.sock
volumeMounts:
- name: registration-sock
mountPath: /registration
- name: csi
mountPath: /csi
volumes:
- name: registration-sock
hostPath:
# node-driver-registrar appends a driver-unique filename to this path to avoid conflicts
# see https://github.com/stackabletech/secret-operator/issues/229 for why this path should not be too long
path: /var/lib/kubelet/plugins_registry
- name: csi
hostPath:
path: /var/lib/kubelet/plugins/secrets.stackable.tech/
- name: mountpoint
hostPath:
path: /var/lib/kubelet/pods/
- name: tmp
emptyDir: {}
deployment.yaml: |
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: secret-operator
labels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
app.kubernetes.io/version: "0.0.0-pr648"
spec:
selector:
matchLabels:
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
template:
metadata:
annotations:
internal.stackable.tech/image: "oci.stackable.tech/sdp/secret-operator:0.0.0-pr648"
labels:
webhook.stackable.tech/conversion: enabled
app.kubernetes.io/name: secret-operator
app.kubernetes.io/instance: secret-operator
stackable.tech/vendor: Stackable
spec:
# NOTE (@Techassi): Does it maybe make sense to have two different service accounts?
serviceAccountName: secret-operator-serviceaccount
securityContext: {}
containers:
- name: secret-operator
securityContext:
runAsUser: 0
image: "oci.stackable.tech/sdp/secret-operator:0.0.0-pr648"
imagePullPolicy: IfNotPresent
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
# The arguments passed to the command being run in the container. The final command will
# look like `secret-operator run controller [OPTIONS]`. The controller needs to only run
# once in a Kubernetes cluster and as such is deployed as a Deployment with a single
# replica.
args:
- run
- controller
env:
# The following env vars are passed as clap (think CLI) arguments to the operator.
# They are picked up by clap using the structs defied in the operator.
# (which is turn pulls in https://github.com/stackabletech/operator-rs/blob/main/crates/stackable-operator/src/cli.rs)
# You can read there about the expected values and purposes.

# Sometimes products need to know the operator image, e.g. the opa-bundle-builder OPA
# sidecar uses the operator image.
- name: OPERATOR_IMAGE
# Tilt can use annotations as image paths, but not env variables
valueFrom:
fieldRef:
fieldPath: metadata.annotations['internal.stackable.tech/image']
# Namespace the operator Pod is running in, e.g. used to construct the conversion
# webhook endpoint.
- name: OPERATOR_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# The name of the Kubernetes Service that point to the operator Pod, e.g. used to
# construct the conversion webhook endpoint.
- name: OPERATOR_SERVICE_NAME
value: secret-operator
# Operators need to know the node name they are running on, to e.g. discover the
# Kubernetes domain name from the kubelet API.
- name: KUBERNETES_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
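Review bot: The controller Deployment (`deployment.yaml`, container `secret-operator`) reuses `secret-operator-serviceaccount`, the same service account the privileged CSI DaemonSet uses, and runs with `runAsUser: 0` and an otherwise empty security context; if the `stackable-secret-operator-scc` defined at the top of this ConfigMap is granted to that service account (the RBAC binding is not in this hunk), the controller pod is also eligible for `allowPrivilegedContainer`, `allowPrivilegeEscalation` and `hostPath` volumes although only the node driver needs them. The `NOTE (@Techassi)` left at both `serviceAccountName` lines already asks whether two service accounts make sense; from a least-privilege standpoint they do, so the controller could be bound to a restricted SCC while only the DaemonSet's account gets the custom one. Unless the controller genuinely needs root (not evident from this hunk), its container security context could also carry `allowPrivilegeEscalation: false` and `capabilities: { drop: [ALL] }` next to `runAsUser: 0`. Separately, the env-block comments in both workloads read "structs defied" and "which is turn pulls" (should be "defined" and "which in turn pulls"), and the comment about the TLS Certificate Authority namespace in the DaemonSet sits directly above `volumeMounts` with no env var under it, so it should either be removed or the variable it describes restored.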

@@ -0,0 +1,10 @@
---
annotations:
operators.operatorframework.io.bundle.channel.default.v1: "25.11"
operators.operatorframework.io.bundle.channels.v1: "stable,25.11"
operators.operatorframework.io.bundle.manifests.v1: manifests/
operators.operatorframework.io.bundle.mediatype.v1: registry+v1
operators.operatorframework.io.bundle.metadata.v1: metadata/
operators.operatorframework.io.bundle.package.v1: stackable-secret-operator

com.redhat.openshift.versions: v4.11-v4.19