Comments (14)
Okay... NM, I think it is working now. @miki79 - not sure if you've since given up on this but the docs I linked above might have been outdated last year? I noticed that earlier this year I upgraded to v0.3.0 and there are newer versions.
- I upgraded my Secrets Store CSI Driver to v1.0.1 (note, they just released v1.1.0 but I'm not on that yet). I don't see a release in the chart yet.
- I upgraded my secret to apiVersion: secrets-store.csi.x-k8s.io/v1
- After updating my pod I'm able to connect. I see the docker secret created and no events logged for an invalid ImagePullSecret.
More info for anyone else trying from scratch:
- AWS SSM - SecureString - contains JSON format of the docker-registry secret
- I have a ServiceAccount annotated with the correct role to the SSM secure string AND KMS key to decrypt the value (if needed)
- My secret looks like the example in the issue, copied here for reference:
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: docker-hub
spec:
  provider: aws
  secretObjects:
  - secretName: docker-hub
    type: kubernetes.io/dockerconfigjson
    data:
    - objectName: "docker-configjson"
      key: ".dockerconfigjson"
  parameters:
    region: us-east-1
    objects: |
      - objectName: "/secret/docker_config"
        objectAlias: docker-configjson
        objectType: "ssmparameter"
- Volume and Mounts like so:
volumes:
- name: secrets-store-inline
  csi:
    driver: secrets-store.csi.k8s.io
    readOnly: true
    volumeAttributes:
      secretProviderClass: "docker-hub"
volumeMounts:
- name: secrets-store-inline
  mountPath: "/mnt/secrets-store"
  readOnly: true
- ServiceAccount attached to pod
- ImagePullSecrets added for secret reference:
imagePullSecrets:
- name: "docker-hub"
from secrets-store-csi-driver-provider-aws.
All along I was missing the --set syncSecret.enabled=true for the driver installation. It just worked after that installation. I'm good now.
helm install -n kube-system csi-secrets-store \
  --set syncSecret.enabled=true \
  secrets-store-csi-driver/secrets-store-csi-driver
Thanks so much for that. You homed right in on the bit I was missing - that the K8s secret is created with the volume creation as opposed to the volume mount.
I was doing a bit of a mix of implementation and research. Yes, I am trying to implement this, but I can't implement things without first trying my best to understand how they work.
No, my implementation was not working. I was trying to understand the process and decided that it did not make sense how it worked, so I was homing in on that problem rather than finding my - ahem - typo :). It works now.
That all said, there is still a bit I don't get. I tried experimenting to include the volumes in my pod spec, but not include the volume mounts. If what you say, (and my current understanding) is correct, then I would expect the volume to still get created in this scenario and then the password could still be synced. But that did not work. No volume mount - no K8s secret.
Maybe the tool is looking to see if a volumeMount exists in the spec before syncing the secret, as opposed to waiting for the mount to become realized. That would make sense, but much as I would like to get a deeper understanding of this, I don't have time to dig through the code right now.
The above test was primarily an exercise in me trying to build my understanding of the process, but in addition to that, it would be nice to not be exposing my private repo credentials inside the container. That seems unnecessarily exposed.
I guess the solution to this, without exposing the registry secret to the running containers, is to have some utility pod/sidecar that mounts the secret that contains said credentials.
Still seems a little hacky :/
Thank you for opening this issue - we are looking into it.
Have a similar issue.
The Secrets are mounted to /mnt/secrets-store as expected, but the secret (no matter the type) that should have been created is not created.
Is there any way I can debug this issue?
same
Facing the same issue. I thought I had incorrect configuration #38
Any updates on this @lasred? According to the secrets store CSI driver docs, the type kubernetes.io/dockerconfigjson is supported.
@JRemitz I trust you, I haven't investigated further as we found a different way so we are not using csi for docker secrets anymore.
@JRemitz for the life of me I can't get this to actually pull the image. I get as far as mounting the secret with the CSI driver, but there must be something off at the parameter store that I'm not doing right I think.
Can you provide an example of this here: 1. AWS SSM - SecureString - contains JSON format of the docker-registry secret
Sure thing, @Luis-DevOps . This is what that SSM secret located at /secret/docker_config would look like:
{
"auths": {
"index.docker.io": {
"username": "docker-user",
"password": "docker-password",
"email": "[email protected]",
"auth": "<base64 of 'username:password' above>"
}
}
}
So the value of auth is the result of echo "username:password" | base64
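Added example (not code from the thread above or from secrets-store-csi-driver-provider-aws): a small Python script that builds the dockerconfigjson value to store in the SSM SecureString, produces the kubernetes.io/dockerconfigjson Secret shape the driver syncs from the mounted objectAlias (JSON under key .dockerconfigjson, matching the secretObjects mapping earlier in the thread), and validates either form. The registry host, user, password and e-mail are constructed sample values. The validator also flags an "auth" token whose decoded value ends in a newline, which is what `echo "username:password" | base64` produces, since echo appends a newline unless given -n; a registry compares the whole decoded string, so such a token is rejected even though the JSON looks correct.

```python
"""Build and check the dockerconfigjson document that, in the thread above, is
stored in an AWS SSM SecureString and synced by the Secrets Store CSI driver
into a kubernetes.io/dockerconfigjson Secret.

Added example; not code from secrets-store-csi-driver-provider-aws. The
registry host, user, password and e-mail used below are constructed sample
values, not real credentials.
"""
import base64
import json
from typing import List, Optional, Union


def build_docker_config(registry: str, username: str, password: str,
                        email: Optional[str] = None) -> dict:
    """Dict form of ~/.docker/config.json for one registry.

    "auth" is base64 of "username:password" with no trailing newline. A
    shell `echo` without -n appends "\n", and that byte ends up inside the
    token, so the registry rejects it.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": token}
    if email:
        entry["email"] = email
    return {"auths": {registry: entry}}


def k8s_image_pull_secret(name: str, docker_config: dict) -> dict:
    """Shape of the Secret the driver syncs from the mounted objectAlias:
    type kubernetes.io/dockerconfigjson, JSON under key .dockerconfigjson."""
    raw = json.dumps(docker_config, separators=(",", ":")).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(raw).decode()},
    }


def validate_docker_config(doc: Union[str, bytes, dict]) -> List[str]:
    """Return the problems found in a dockerconfigjson document.

    Accepts the raw SSM parameter value (JSON string), an already parsed
    dict, or a Kubernetes Secret dict as printed by `kubectl get secret
    -o json`, whose data[".dockerconfigjson"] is base64-decoded first.
    An empty list means every registry entry has a usable "auth" token that
    agrees with its "username" and "password" fields.
    """
    problems: List[str] = []
    if isinstance(doc, dict) and doc.get("kind") == "Secret":
        if doc.get("type") != "kubernetes.io/dockerconfigjson":
            problems.append(f"Secret type is {doc.get('type')!r}")
        try:
            doc = base64.b64decode(doc.get("data", {})[".dockerconfigjson"])
        except (KeyError, ValueError, TypeError):
            return problems + ['Secret has no decodable data[".dockerconfigjson"]']
    if isinstance(doc, (str, bytes)):
        try:
            doc = json.loads(doc)
        except json.JSONDecodeError as exc:
            return problems + [f"not valid JSON: {exc}"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return problems + ['missing or empty top-level "auths" object']
    for registry, entry in auths.items():
        auth = entry.get("auth") if isinstance(entry, dict) else None
        if not isinstance(auth, str):
            problems.append(f'{registry}: missing "auth"')
            continue
        try:
            decoded = base64.b64decode(auth, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f'{registry}: "auth" is not valid base64')
            continue
        if decoded != decoded.strip():
            problems.append(f'{registry}: "auth" decodes with a trailing '
                            'newline/whitespace (echo without -n?)')
        user, sep, pwd = decoded.strip().partition(":")
        if not sep:
            problems.append(f'{registry}: "auth" does not decode to user:password')
            continue
        if entry.get("username", user) != user:
            problems.append(f'{registry}: "auth" user {user!r} != "username" '
                            f'{entry["username"]!r}')
        if entry.get("password", pwd) != pwd:
            problems.append(f'{registry}: "auth" password != "password" field')
    return problems


if __name__ == "__main__":
    cfg = build_docker_config("index.docker.io", "docker-user",
                              "docker-password", "docker-user@example.com")
    print(json.dumps(cfg, indent=2))  # the value to store in the SSM parameter
    print("ssm value:", validate_docker_config(json.dumps(cfg)) or "ok")
    synced = k8s_image_pull_secret("docker-hub", cfg)
    print("synced secret:", validate_docker_config(synced) or "ok")
    # Constructed bad token: what `echo "docker-user:docker-password" | base64` yields
    cfg["auths"]["index.docker.io"]["auth"] = "ZG9ja2VyLXVzZXI6ZG9ja2VyLXBhc3N3b3JkCg=="
    print("echo-made token:", validate_docker_config(cfg))
```

Feed validate_docker_config the raw parameter value from `aws ssm get-parameter --name /secret/docker_config --with-decryption` before the pod ever starts, and again with the output of `kubectl get secret docker-hub -o json` once the driver has synced it; if the first passes and the second is missing, the problem is on the sync side (the syncSecret.enabled setting and the mount), not in the credentials.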
@JRemitz That's interesting. That's actually exactly what I've been doing. So I'm still in the same place. It's very puzzling right now.
This issue confuses me. I don't see how it's possible that this can work.
It's my understanding that in order to sync the secret to a Kubernetes secret, the container needs to come up so that the volumes can be mounted.
But in order for that to happen, it first needs to pull the container. For that to happen, it needs the image pull secret. And for that to happen it needs to sync.
And now we have a circular dependency, unless I am missing something fundamental about how this works.
I guess you could circumvent that problem by having some other pod (or sidecar) running that uses the same service account and an image from a repository that needs no auth. That pod then mounts the AWS Secrets Manager secret and the K8s secrets can then be synced.
That is a lot of extra mucking about and relies on the organisation allowing anonymous image pulling.
Am I missing something here?
Are you trying to get it to work and can't or just researching? I have to assume it is the order of operations on the details of what is happening between the volume creation and the mounting. So likely what you're missing is the volume creation, versus the volume mounting. The secret gets created with the volume not the mount. If it were an environment variable within the container then it would first need to be mounted. Presumably, but I haven't dug through the code to explain with references.