Overview
Search
⌃K
Links

SecretProviderClass custom resource

DuploCloud Portal provides the ability to create Custom Resource SecretProvider Class.
This capability allows Kubernetes to mount secrets stored in external secrets stores into the pods as volumes. After the volumes are attached, the data is mounted into the container’s file system.

Step1: Enable Secret Provider Class

As a pre-requisite, Administrator needs to set the Infrastructure setting for Enable Secrets CSI Driver as True. This setting is available (Admin > Infrastructure > select your infrastructure > Settings).

Step2: Create K8s Secret Provider Class

Navigate to DevOps > Container > EKS/Native > K8s Secret Provider Class.
You can map the AWS Secrets and SSM Parameters configured in DuploCloud Portal (DevOps > App Integration ) under the Parameters section of the configuration.
Use the optional Secret Objects field to define the desired state of the synced Kubernetes secret objects.
The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured.
K8s Secret Provider Class Page

Step3: Mount Volumes based on the configured secrets

To ensure your application is using the Secrets Store CSI driver, you need to configure your deployment to use the reference of the SecretProviderClass resource created in the previous step.
The following is an example of how to configure a pod to mount a volume based on the SecretProviderClass created in prior steps to retrieve secrets from Secrets Manager.
While creating Service (DevOps > Containers > EKS/Native > Service),
Select Cloud Credentials value as From Kubernetes
Select Cloud Credentials
Advance Options Service Page
  • Add Other Pod Config field as the following example.
Other Pod Config field
Volumes:
- Name: secretvolume-name
Csi:
driver: secrets-store.csi.k8s.io
readOnly: true
VolumeAttributes:
secretProviderClass: my-secret-provider-class
  • Add mount details in Other Container Config field
Other Container Config field
VolumesMounts:
- Name: secretvolume-name
MountPath: /mnt/secrets
readOnly: true

Using SecretObjects

Configuring Secret Objects

You can use the optional secretObjects field to define the desired state of your synced Kubernetes secret objects. The volume mount is required for the sync.
Referring to the example which we are following from prior steps, we have defined SecretObjects in Secret Object field (K8s Secret Provider Class).
The following is an example SecretProviderClass custom resource that will sync a secret from AWS Secrets Manager to a Kubernetes secret:
K8s Secret Provider Class Page

Configuring Secret Objects in deployment

Create Service with all the configurations specified in Step3
In Other Container Config field, you can specify mount details with the object name. Refer following example.
Other Container Config field
VolumesMounts:
- Name: secretvolume-name
MountPath: /mnt/secrets
readOnly: true
EnvFrom:
- SecretRef:
Name: secretobject-name

Configuring Secret Objects in Environment Variables

Set environment variables in your deployment to refer your new Kubernetes secrets.
Refer following example. Specify below in Environment Variables field
Environment Variables field
- name: SECRET_USERNAME
valueFrom:
secretKeyRef:
name: secretobject-name
key: secret-text
Last modified 1mo ago