
Below is my app definition that uses the Azure CSI store provider. Unfortunately, this definition throws Error: secret 'my-kv-secrets' not found. Why is that?

SecretProviderClass

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: my-app-dev-spc
spec:
  provider: azure
  secretObjects:
  - secretName: my-kv-secrets
    type: Opaque
    data: 
    - objectName: DB-HOST
      key: DB-HOST
  parameters:
    keyvaultName: my-kv-name
    objects: |
      array:
        - |
          objectName: DB-HOST
          objectType: secret
    tenantId: "xxxxx-yyyy-zzzz-rrrr-vvvvvvvv"

Pod

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: debug
  name: debug
spec:
  containers:
  - args:
    - sleep
    - 1d
    name: debug
    image: alpine
    env:
    - name: DB_HOST
      valueFrom:
        secretKeyRef:
          name: my-kv-secrets
          key: DB-HOST
  volumes:
  - name: kv-secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: my-app-dev-spc
      nodePublishSecretRef:
        name: my-sp-secrets
Lukasz Dynowski

1 Answer


It turned out that Secrets Store CSI works only with volumeMounts. So if you forget to specify it in your YAML definition, it will not work! Below is the fix.

Pod

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: debug
  name: debug
spec:
  containers:
  - args:
    - sleep
    - 1d
    name: debug
    image: alpine
    env:
    - name: DB_HOST
      valueFrom:
        secretKeyRef:
          name: my-kv-secrets
          key: DB-HOST
    volumeMounts:
    - name: kv-secrets
      mountPath: /mnt/kv_secrets
      readOnly: true
  volumes:
  - name: kv-secrets
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: my-app-dev-spc
      nodePublishSecretRef:
        name: my-sp-secrets
Lukasz Dynowski
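The cause described in the answer is easy to reintroduce: the Secrets Store CSI driver only creates the Kubernetes Secret declared under secretObjects once a container actually mounts the CSI volume, so a secretKeyRef that points at that Secret fails until a volumeMounts entry exists. The following manifest check is an added example, not code from the question, the answer, or the CSI driver project. It rebuilds the page's SecretProviderClass and both pod variants as constructed Python dicts (no cluster or PyYAML needed) and flags secrets-store CSI volumes that no container mounts, together with the env vars that depend on the Secret that volume would have synced.

```python
# Added validation helper (not from the original post): detects the misconfiguration
# discussed above, where a secrets-store CSI volume is declared under spec.volumes but
# never referenced in any container's volumeMounts, so the driver never mounts it and
# never syncs the Kubernetes Secret that secretKeyRef expects to exist.
SECRETS_STORE_DRIVER = "secrets-store.csi.k8s.io"

# Constructed sample mirroring the SecretProviderClass from the question.
SPC = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1alpha1",
    "kind": "SecretProviderClass",
    "metadata": {"name": "my-app-dev-spc"},
    "spec": {
        "provider": "azure",
        "secretObjects": [
            {"secretName": "my-kv-secrets", "type": "Opaque",
             "data": [{"objectName": "DB-HOST", "key": "DB-HOST"}]}
        ],
    },
}


def make_pod(with_mount: bool) -> dict:
    """Constructed copy of the page's debug pod; with_mount=False is the broken version."""
    container = {
        "name": "debug", "image": "alpine", "args": ["sleep", "1d"],
        "env": [{"name": "DB_HOST",
                 "valueFrom": {"secretKeyRef": {"name": "my-kv-secrets", "key": "DB-HOST"}}}],
    }
    if with_mount:
        container["volumeMounts"] = [
            {"name": "kv-secrets", "mountPath": "/mnt/kv_secrets", "readOnly": True}]
    return {
        "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
        "spec": {
            "containers": [container],
            "volumes": [{"name": "kv-secrets",
                         "csi": {"driver": SECRETS_STORE_DRIVER, "readOnly": True,
                                 "volumeAttributes": {"secretProviderClass": "my-app-dev-spc"},
                                 "nodePublishSecretRef": {"name": "my-sp-secrets"}}}],
        },
    }


def unmounted_csi_volumes(pod: dict) -> list:
    """Names of secrets-store CSI volumes that no container or initContainer mounts."""
    spec = pod.get("spec", {})
    mounted = {m["name"]
               for c in spec.get("containers", []) + spec.get("initContainers", [])
               for m in c.get("volumeMounts", [])}
    return [v["name"] for v in spec.get("volumes", [])
            if v.get("csi", {}).get("driver") == SECRETS_STORE_DRIVER
            and v["name"] not in mounted]


def find_problems(pod: dict, spc: dict) -> list:
    """Human-readable findings: env vars whose secretKeyRef names a Secret that the given
    SecretProviderClass syncs, while the CSI volume for that class is never mounted."""
    spec = pod.get("spec", {})
    spc_name = spc["metadata"]["name"]
    synced = {o["secretName"] for o in spc["spec"].get("secretObjects", [])}
    unmounted = sorted(
        v["name"] for v in spec.get("volumes", [])
        if v["name"] in unmounted_csi_volumes(pod)
        and v["csi"].get("volumeAttributes", {}).get("secretProviderClass") == spc_name)
    problems = []
    if not unmounted:
        return problems
    for c in spec.get("containers", []):
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref and ref["name"] in synced:
                problems.append(
                    f"container '{c['name']}' env '{e['name']}': secret '{ref['name']}' is "
                    f"only created by SecretProviderClass '{spc_name}' once volume(s) "
                    f"{unmounted} are mounted; add a volumeMounts entry")
    return problems


if __name__ == "__main__":
    for label, pod in (("broken", make_pod(False)), ("fixed", make_pod(True))):
        print(label, find_problems(pod, SPC) or "no problems found")
```

Run as a script it reports one finding for the broken pod and none for the fixed one. The check deliberately ignores volumes for other CSI drivers and Secrets the class does not sync, so it only fires on the exact failure mode of the post.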