With azure vault and csi driver, able to create secrets and access them as single files in container.
I followed this approach to create basic secrets.
Can accessible the secrets from the container as secret files inside it.
But, when I tried to create a secret from it and use the same for imagePull, it is not working..
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: azure-kvname
namespace: default
spec:
provider: azure
secretObjects:
- secretName: acr-test
type: kubernetes.io/dockerconfigjson
data:
- objectName: martrepo
key: .dockerconfigjson
parameters:
usePodIdentity: "false"
useVMManagedIdentity: "false"
userAssignedIdentityID: ""
keyvaultName: "secret-store-dummy"
objects: |
array:
- |
objectName: secret1
objectType: secret
objectVersion: ""
- |
objectName: martrepo
objectType: secret
objectVersion: ""
tenantId: "f33abe27-86cd-46d6-ae2b-b918362ab160"
---
kind: Pod
apiVersion: v1
metadata:
name: busybox-secrets-store-inline
spec:
containers:
- name: busybox
image: k8s.gcr.io/e2e-test-images/busybox:1.29
command:
- "/bin/sleep"
- "10000"
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "azure-kvname"
nodePublishSecretRef: # Only required when using service principal mode
name: secrets-store-creds
The above acr-test secret, I tried to use in deployment of an app at imagePullSecrets, but it didn't wotk as the events showing issues with pulling the image.
Please guide me if the approach is wrong.
And also, how to use these secrets as a part of existing configmap?
I don't believe that this is achievable. The CSI driver mounts the secret inside the container as a volume, but the image pull secret is needed prior to the container being created and the volume mounted, so the secret will not be available.
You will need to set this up as standard static Kubernetes secret.