How to mount secrets in SecretProviderClass as Env Vars in a Pod #157
Comments
#37 (comment) has an example that should work. The
For this This would create a K8s secret named

Thanks, that helped! I think an example of how to do this and some documentation would really help (also, maybe the key
Hi, Installed via Helm with sync enabled and verified the Secret:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: <secret-name>
  namespace: <namespace>
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/.../secrets/<secret-name-in-secret-manager>/versions/latest"
        fileName: "secret.data"
  # secretObjects asks the driver to sync the mounted file into a Kubernetes Secret
  secretObjects:
  - secretName: <k8s-secret-name>
    type: Opaque
    data:
    - objectName: secret.data   # must match fileName above
      key: <key in k8s object>
```

Pod:

```yaml
# container env entry reading the synced Kubernetes Secret
env:
- name: SECRET
  valueFrom:
    secretKeyRef:
      name: <k8s-secret-name>
      key: <key in k8s object>
```
@idanya: I am facing the exact same issue as yours. No logs in the driver pods. Is your issue resolved?

It was a long time ago, but if I remember correctly, you have to mount it to the file system in order to trigger the driver, and only then it will work.

Any update? I am currently facing the exact same issue, no logs that can help me to understand why a k8s secret is not created. Any detail you forgot to mention @tam7t?

hey @idanya did you add the volume part as well? SecretProviderClass will not create a secret itself.

Here's a good example that may help: https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/blob/main/test/e2e/templates/test-sync.yaml.tmpl (please replace Also, please ensure that the "Sync as Kubernetes Secret" feature is enabled on the driver: https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html#optional-values

As per @idanya's suggestion, you need to
You need the mount, even though the pod may not use it, without this the driver won't provision the secret. In theory, secrets-store-csi-driver /could/ note which secrets are used by which provider classes, and then check if they are in use by new pods, rather than just check the volumes.
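The following is a complete pairing of the two objects the thread keeps referring to, written here as an added example; it is not from the issue, the GCP provider repository, or the driver's own docs. The SecretProviderClass mirrors the fetched secret into a Kubernetes Secret via `secretObjects`, and the Pod both mounts the CSI volume (the step that actually triggers the driver, as the comments above explain) and reads the synced Secret as an environment variable. The namespace `demo`, the names `app-secrets-spc`, `app-secrets`, `db-password`, `app-ksa`, and the `projects/my-gcp-project/...` resource path are placeholders of mine; the driver must be installed with the "Sync as Kubernetes Secret" feature turned on (the `syncSecret.enabled=true` Helm value from the driver's installation docs), and `app-ksa` is assumed to be bound to a GCP identity allowed to read the secret.

```yaml
# Added example (not from the issue). Placeholders: namespace "demo",
# GCP project "my-gcp-project", Secret Manager secret "db-password",
# Kubernetes service account "app-ksa" with read access to that secret.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: app-secrets-spc
  namespace: demo
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/my-gcp-project/secrets/db-password/versions/latest"
        fileName: "db-password.txt"
  # secretObjects tells the driver to mirror the mounted file into a regular
  # Kubernetes Secret. Nothing is created until a pod mounts the volume below;
  # the SecretProviderClass on its own produces no Secret.
  secretObjects:
  - secretName: app-secrets
    type: Opaque
    data:
    - objectName: db-password.txt   # must match fileName above
      key: db-password              # key inside the synced Kubernetes Secret
---
apiVersion: v1
kind: Pod
metadata:
  name: secret-env-demo
  namespace: demo
spec:
  serviceAccountName: app-ksa
  containers:
  - name: app
    image: busybox:1.36
    # Report only the secret's length; never echo the value into container logs.
    command: ["sh", "-c", "printf '%s' \"$DB_PASSWORD\" | wc -c; sleep 3600"]
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-secrets        # the Secret synced by secretObjects
          key: db-password
    # The mount is required even if the container never opens the file:
    # the CSI driver only runs (and only syncs the Secret) on volume mount.
    volumeMounts:
    - name: secrets-store
      mountPath: /mnt/secrets-store
      readOnly: true
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: app-secrets-spc
```

Two points worth checking after `kubectl apply`: the synced `app-secrets` Secret is an ordinary Secret in the namespace, so it is readable by any principal with `get` on secrets there and should be covered by etcd encryption at rest like any other Secret; and an environment variable is resolved once at container start, so a rotated value in Secret Manager reaches the file under `/mnt/secrets-store` on the driver's next refresh but not the running container's `DB_PASSWORD` until the pod is restarted.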
Thanks for reporting this issue! There does not seem to be any further action item on this issue and hence we are closing it. Please feel free to reopen this issue or file a new one if you need further assistance.
Question
Hi! We're trying to use the gcp provider for secret store to mount some secrets as environment variables in a pod. Checking the example provided in the repo, it only shows how to mount them as volumes.

We've been following this example to try and set them as environment variables but it seems like the "parameters" option changes depending on the provider: is there a way of achieving this with the `gcp` provider currently?