SecretProviderClass custom resource
The DuploCloud Portal provides the ability to create the SecretProviderClass custom resource. This capability allows Kubernetes to mount secrets stored in external secret stores into pods as volumes. After the volume is attached, the secret data is mounted into the container's file system.
As a prerequisite, an Administrator needs to set the Infrastructure setting Enable Secrets CSI Driver to True. This setting is available under Admin > Infrastructure > select your infrastructure > Settings. Then navigate to DevOps > Container > EKS/Native > K8s Secret Provider Class.
You can map the AWS Secrets and SSM Parameters configured in the DuploCloud Portal (DevOps > App Integration) under the Parameters section of the configuration. Use the optional Secret Objects field to define the desired state of the synced Kubernetes Secret objects.
The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured.

K8s Secret Provider Class Page
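As an added worked example (not the contents of the page's own screenshot), the following is a complete SecretProviderClass manifest of the kind the portal creates for the AWS provider: the Parameters section becomes the AWS provider's objects list (an AWS Secrets Manager secret plus an SSM parameter), and the Secret Objects section becomes secretObjects, which syncs the mounted file into a Kubernetes Secret. The secret ARN, SSM parameter path, region and account ID are placeholders; the names my-secret-provider-class, secretobject-name and secret-text match the later steps on this page. The objectName/objectType/jmesPath/objectAlias layout is the format of the AWS Secrets Store CSI provider.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-secret-provider-class       # referenced by the pod's CSI volume below
spec:
  provider: aws
  parameters:
    # AWS provider: a YAML string listing the objects to fetch (placeholders below).
    objects: |
      - objectName: "arn:aws:secretsmanager:<REGION>:<ACCOUNT_ID>:secret:<SECRET_NAME>"
        objectType: "secretsmanager"
        jmesPath:
          # Extract the "username" field of a JSON secret and mount it as the
          # file /mnt/secrets/secret-text (the alias is also the sync source name).
          - path: username
            objectAlias: secret-text
      - objectName: "/<PLACEHOLDER>/db/host"
        objectType: "ssmparameter"
        objectAlias: db-host
  # Desired state of the synced Kubernetes Secret. The sync only happens while
  # at least one pod mounts the CSI volume that references this class.
  secretObjects:
    - secretName: secretobject-name
      type: Opaque
      data:
        - objectName: secret-text     # mounted file name (the alias above)
          key: secret-text            # key inside the Kubernetes Secret
```

The Kubernetes Secret secretobject-name is created by the driver, not by you; keep the key name (secret-text) consistent between this manifest and the secretKeyRef used in the container's environment variables.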
To ensure your application uses the Secrets Store CSI driver, configure your deployment to reference the SecretProviderClass resource created in the previous step. The following is an example of how to configure a pod to mount a volume based on the SecretProviderClass created in the prior steps, so that the pod retrieves secrets from Secrets Manager.
- While creating the Service (DevOps > Containers > EKS/Native > Service), select the Cloud Credentials value From Kubernetes.

Select Cloud Credentials

Advance Options Service Page
- Add the following to the Other Pod Config field:
Other Pod Config field
Volumes:
  - Name: secretvolume-name
    Csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      VolumeAttributes:
        secretProviderClass: my-secret-provider-class
- Add the mount details to the Other Container Config field:
Other Container Config field
VolumesMounts:
  - Name: secretvolume-name
    MountPath: /mnt/secrets
    readOnly: true
You can use the optional secretObjects field to define the desired state of your synced Kubernetes Secret objects. The volume mount is required for the sync: the driver only creates and updates the Kubernetes Secret while a pod mounts the CSI volume.
Continuing the example from the prior steps, we have defined SecretObjects in the Secret Objects field (K8s Secret Provider Class). The following is an example SecretProviderClass custom resource that syncs a secret from AWS Secrets Manager to a Kubernetes Secret:

K8s Secret Provider Class Page
In the Other Container Config field, you can specify the mount details together with the synced Secret object name, as in the following example:
Other Container Config field
VolumesMounts:
  - Name: secretvolume-name
    MountPath: /mnt/secrets
    readOnly: true
EnvFrom:
  - SecretRef:
      Name: secretobject-name
Set environment variables in your deployment that refer to your new Kubernetes Secret. Specify the following in the Environment Variables field:
Environment Variables field
- name: SECRET_USERNAME
  valueFrom:
    secretKeyRef:
      name: secretobject-name
      key: secret-text
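As an added example (not from the page or from DuploCloud), here is the standard Kubernetes Pod manifest equivalent to the three portal fields above, on the assumption that the portal translates Other Pod Config, Other Container Config and Environment Variables into the corresponding lower-camel-case pod spec fields. It ties the pieces together: the CSI volume referencing my-secret-provider-class, the read-only mount at /mnt/secrets that triggers the Secret sync, and the environment variable read from the synced Secret. The service account name and image are assumptions; the service account is expected to carry the IAM permissions the CSI provider uses to read the secret.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secrets-demo
spec:
  # Assumption: this service account is bound to an IAM role that may read the secret.
  serviceAccountName: secrets-demo-sa
  containers:
    - name: app
      image: public.ecr.aws/docker/library/busybox:latest   # assumed demo image
      # Only list the mounted file names; never print secret values to logs.
      command: ["sh", "-c", "ls -l /mnt/secrets && sleep 3600"]
      env:
        # Same secretKeyRef as the Environment Variables field above.
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: secretobject-name
              key: secret-text
      # Optional: expose every key of the synced Secret (the EnvFrom entry above).
      envFrom:
        - secretRef:
            name: secretobject-name
      volumeMounts:
        # This mount is what causes the driver to fetch the secret and perform
        # the Secret sync; the env references alone will not create the Secret.
        - name: secretvolume-name
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secretvolume-name
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: my-secret-provider-class
```

If the pod stays in ContainerCreating, the usual causes are the CSI driver not being enabled on the infrastructure, a SecretProviderClass name mismatch, or the pod's identity lacking permission to read the referenced secret; the driver's events on the pod (kubectl describe pod) show which.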