What steps did you take and what happened:
When I simply mount a secret using AWS as the provider, all works fine:
```console
$ kubectl exec -it secret-test -- cat /mnt/secrets-store/databasecredentials
{"database-name":"sampleapp","database-password":"securedatabasepassword","database-port":"5432","database-username":"sampleappuser"}
```
But if I try to sync the secret as a Kubernetes secret and use it as an environment variable, the container fails with: `Error: secret "database-name" not found`
What did you expect to happen:
Use the secret values as ENV variables.
Anything else you would like to add:
The secret definition:
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: sample-app-secret
spec:
  provider: aws
  secretObjects:
    - data:
        - key: database-name
          objectName: databasecredentials
      secretName: database-name
      type: Opaque
  parameters:
    objects: |
      - objectName: "sample-app"
        objectType: "secretsmanager"
        objectAlias: "databasecredentials"
```
The pod definition when it fails:
```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-test
spec:
  serviceAccountName: sample-app-role
  volumes:
    - name: api-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "sample-app-secret"
  containers:
    - name: application
      image: busybox
      command:
        - "sleep"
        - "3600"
      env:
        - name: API_KEY
          valueFrom:
            secretKeyRef:
              name: database-name
              key: database-name
      volumeMounts:
        - name: api-secret
          mountPath: "/mnt/secrets-store"
          readOnly: true
```
The pod definition that works, but where I don't have the env variable, only the secret file:
```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-test
spec:
  serviceAccountName: sample-app-role
  volumes:
    - name: api-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "sample-app-secret"
  containers:
    - name: application
      image: busybox
      command:
        - "sleep"
        - "3600"
      # env:
      #   - name: API_KEY
      #     valueFrom:
      #       secretKeyRef:
      #         name: database-name
      #         key: database-name
      volumeMounts:
        - name: api-secret
          mountPath: "/mnt/secrets-store"
          readOnly: true
```
Which provider are you using:
AWS Secrets Manager.
The installation was done on EKS 1.20, using Helm (via Terraform) to install the driver:
```hcl
resource "helm_release" "secrets-store-csi-driver" {
  name       = "secrets-store-csi-driver"
  chart      = "secrets-store-csi-driver"
  repository = "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts"
  namespace  = "kube-system"
}
```
and then I installed the AWS provider:
```shell
kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
```
Environment:
- Secrets Store CSI Driver version (image tags):
  - `k8s.gcr.io/csi-secrets-store/driver:v0.0.23`
  - `public.ecr.aws/aws-secrets-manager/secrets-store-csi-driver-provider-aws:1.0.r1-10-g1942553-2021.06.04.00.07-linux-amd64`
- Kubernetes version (`kubectl version`):
```console
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.2", GitCommit:"52c56ce7a8272c798dbc29846288d7cd9fbae032", GitTreeState:"clean", BuildDate:"2020-04-16T11:56:40Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.4-eks-6b7464", GitCommit:"6b746440c04cb81db4426842b4ae65c3f7035e53", GitTreeState:"clean", BuildDate:"2021-03-19T19:33:03Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
```
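A static cross-check of the `SecretProviderClass` and pod wiring shown in the report, as an added example; it is not code from the issue, from the secrets-store-csi-driver project, or from the AWS provider. The two manifests are rebuilt here as Python dicts (constructed from the YAML above, so the script runs without a YAML library), and the rules it encodes are the driver's documented ones: a synced Secret's `data[].objectName` must name a file the provider writes into the mount (the AWS provider names that file after `objectAlias`, falling back to `objectName`), the Secret only exists while a pod actually mounts the CSI volume, and every `secretKeyRef` must match a `secretName`/`key` pair in `secretObjects`. The `make_spc`/`make_pod` knobs are assumptions added to reproduce the ways this wiring can break.

```python
"""Cross-check a SecretProviderClass against the pod that consumes it."""


def make_spc(object_alias="databasecredentials"):
    """SecretProviderClass from the report as a dict (constructed sample)."""
    alias_line = f'  objectAlias: "{object_alias}"\n' if object_alias else ""
    return {
        "kind": "SecretProviderClass",
        "metadata": {"name": "sample-app-secret"},
        "spec": {
            "provider": "aws",
            "secretObjects": [{
                "secretName": "database-name", "type": "Opaque",
                "data": [{"key": "database-name", "objectName": "databasecredentials"}],
            }],
            "parameters": {"objects": '- objectName: "sample-app"\n'
                                      '  objectType: "secretsmanager"\n' + alias_line},
        },
    }


def make_pod(env_key="database-name", mount=True):
    """Pod from the report as a dict (constructed sample); the knobs are
    hypothetical and exist only to exercise the checks below."""
    container = {
        "name": "application", "image": "busybox", "command": ["sleep", "3600"],
        "env": [{"name": "API_KEY", "valueFrom": {
            "secretKeyRef": {"name": "database-name", "key": env_key}}}],
    }
    if mount:
        container["volumeMounts"] = [{"name": "api-secret",
                                      "mountPath": "/mnt/secrets-store", "readOnly": True}]
    return {
        "kind": "Pod", "metadata": {"name": "secret-test"},
        "spec": {
            "serviceAccountName": "sample-app-role",
            "volumes": [{"name": "api-secret", "csi": {
                "driver": "secrets-store.csi.k8s.io", "readOnly": True,
                "volumeAttributes": {"secretProviderClass": "sample-app-secret"}}}],
            "containers": [container],
        },
    }


def parse_aws_objects(objects_yaml):
    """Parse the AWS provider's `objects` string: a YAML list of flat maps.
    Only the `- key: "value"` / `  key: "value"` shape from the report is
    handled; this is deliberately not a general YAML parser."""
    items = []
    for raw in objects_yaml.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("- "):
            items.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        items[-1][key.strip()] = value.strip().strip('"')
    return items


def mounted_file_names(spc):
    """File names the AWS provider writes: objectAlias, else objectName."""
    objs = parse_aws_objects(spc["spec"]["parameters"]["objects"])
    return {o.get("objectAlias") or o["objectName"] for o in objs}


def lint(spc, pod):
    """Return a list of wiring problems; an empty list means consistent."""
    findings = []
    files = mounted_file_names(spc)
    synced = set()  # (secretName, key) pairs the driver will create
    for so in spc["spec"].get("secretObjects", []):
        for d in so["data"]:
            synced.add((so["secretName"], d["key"]))
            if d["objectName"] not in files:
                findings.append(f"secretObjects: objectName {d['objectName']!r} is not a "
                                f"file the provider writes (mount has {sorted(files)})")
    spc_name = spc["metadata"]["name"]
    csi_vols = {v["name"] for v in pod["spec"].get("volumes", [])
                if v.get("csi", {}).get("driver") == "secrets-store.csi.k8s.io"
                and v["csi"].get("volumeAttributes", {}).get("secretProviderClass") == spc_name}
    if not csi_vols:
        findings.append(f"pod: no CSI volume references SecretProviderClass {spc_name!r}")
    mounted = False
    for c in pod["spec"]["containers"]:
        mounted |= any(vm["name"] in csi_vols for vm in c.get("volumeMounts", []))
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref and (ref["name"], ref["key"]) not in synced:
                findings.append(f"container {c['name']}: env {e['name']} reads secret "
                                f"{ref['name']!r} key {ref['key']!r}, not defined in secretObjects")
    if csi_vols and not mounted:
        findings.append("pod: CSI volume declared but not mounted; the synced Secret "
                        "is only created while a pod mounts the volume")
    return findings


if __name__ == "__main__":
    for spc, pod in [(make_spc(), make_pod()), (make_spc(), make_pod(env_key="database-password")),
                     (make_spc(), make_pod(mount=False)), (make_spc(object_alias=None), make_pod())]:
        print(lint(spc, pod) or "consistent")
```

Two things this check cannot see but a practitioner should keep in mind: with the report's `secretObjects`, the key `database-name` receives the entire file contents, i.e. the whole JSON document printed at the top of the issue, not just the `database-name` field; and syncing into a Kubernetes Secret and then injecting it as an environment variable widens exposure from the pod's mounted file to anything that can `get` Secrets in the namespace and to every process that inherits the container's environment.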