diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8425db614..e3200f74f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+### Added
+
+- Secrets can now be requested in a custom format ([#610]).
+
+[#610]: https://github.com/stackabletech/operator-rs/pull/610
+
 ## [0.42.2] - 2023-06-27
 ### Fixed
diff --git a/src/builder/pod/volume.rs b/src/builder/pod/volume.rs
index e56c570a9..d565ddc33 100644
--- a/src/builder/pod/volume.rs
+++ b/src/builder/pod/volume.rs
@@ -265,6 +265,7 @@ impl VolumeMountBuilder {
 pub struct SecretOperatorVolumeSourceBuilder {
 secret_class: String,
 scopes: Vec,
+ format: Option,
 kerberos_service_names: Vec,
 }
@@ -273,6 +274,7 @@ impl SecretOperatorVolumeSourceBuilder {
 Self {
 secret_class: secret_class.into(),
 scopes: Vec::new(),
+ format: None,
 kerberos_service_names: Vec::new(),
 }
 }
@@ -293,6 +295,11 @@ impl SecretOperatorVolumeSourceBuilder {
 self
 }
+ pub fn with_format(&mut self, format: SecretFormat) -> &mut Self {
+ self.format = Some(format);
+ self
+ }
+
 pub fn with_kerberos_service_name(&mut self, name: impl Into) -> &mut Self {
 self.kerberos_service_names.push(name.into());
 self
@@ -322,6 +329,13 @@ impl SecretOperatorVolumeSourceBuilder {
 attrs.insert("secrets.stackable.tech/scope".to_string(), scopes);
 }
+ if let Some(format) = &self.format {
+ attrs.insert(
+ "secrets.stackable.tech/format".to_string(),
+ format.as_ref().to_string(),
+ );
+ }
+
 if !self.kerberos_service_names.is_empty() {
 attrs.insert(
 "secrets.stackable.tech/kerberos.service.names".to_string(),
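Review bot: `with_format` in the `-293,6 +295,11` hunk of src/builder/pod/volume.rs is a public builder method with no doc comment, and the one constraint a caller needs is stated only on the `SecretFormat` enum. I would add `/// Requests the secret in the given format; calling this again replaces the previous choice.` followed by `/// The format must match, or be convertible from, the one the secret class provides, or provisioning the volume will fail.` The replace-on-repeat behaviour follows from `self.format = Some(format);`, which differs from the neighbouring `with_kerberos_service_name`, which appends. The enclosing `impl SecretOperatorVolumeSourceBuilder` block starts and ends outside the hunk.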
@@ -346,6 +360,20 @@ impl SecretOperatorVolumeSourceBuilder {
 }
 }
+/// A [secret format](https://docs.stackable.tech/home/stable/secret-operator/secretclass.html#format) known by secret-operator.
+///
+/// This must either match or be convertible from the corresponding secret class, or provisioning the volume will fail.
+#[derive(Clone, strum::AsRefStr)]
+#[strum(serialize_all = "kebab-case")]
+pub enum SecretFormat {
+ /// A TLS certificate formatted as a PEM triple (`ca.crt`, `tls.crt`, `tls.key`) according to Kubernetes conventions.
+ TlsPem,
+ /// A TLS certificate formatted as a PKCS#12 store.
+ TlsPkcs12,
+ /// A Kerberos keytab.
+ Kerberos,
+}
+
 #[derive(Clone)]
 enum SecretOperatorVolumeScope {
 Node,
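Review bot: The strings written to the `secrets.stackable.tech/format` annotation appear nowhere in `SecretFormat`; they are derived from the variant names by `#[strum(serialize_all = "kebab-case")]`. Renaming a variant, or a change in how the digits in `TlsPkcs12` are split, would therefore silently change the value handed to secret-operator, and per the enum's own doc comment a mismatch makes volume provisioning fail. Pin the values with a unit test such as `assert_eq!(SecretFormat::TlsPkcs12.as_ref(), "tls-pkcs12");` plus the equivalents for `TlsPem` and `Kerberos`, with the expected strings confirmed against the linked secret-operator documentation. Separately, the enum derives only `Clone`; `#[derive(Clone, Copy, Debug, PartialEq, Eq, strum::AsRefStr)]` would let callers log and compare the chosen format.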