Creating the SecretProviderClass Custom Resource to mount secrets
Creating K8s SecretProviderClass CRs in the DuploCloud Portal
The DuploCloud Portal provides the ability to create the Custom Resource (CR) SecretProviderClass.
This capability allows Kubernetes (K8s) to mount secrets stored in external secrets stores into the Pods as volumes. After the volumes are attached, the data is mounted into the container’s file system.
Prerequisites
An Administrator must set the Infrastructure setting Enable Secrets CSI Driver to True. This setting is available by navigating to Administrator -> Infrastructure, selecting your Infrastructure, and clicking Settings.
Creating the K8s SecretProviderClass
In the DuploCloud Portal, navigate to Kubernetes -> Secret Provider.
Click Add. The Add Kubernetes Secret Provider Class page displays.
Map the AWS Secrets and SSM Parameters configured in the DuploCloud Portal (Cloud Services -> App Integration) to the Parameters section of the configuration. Optionally, use the Secret Objects field to define the desired state of the synced Kubernetes secret objects.
The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured:
Creating a Kubernetes Service and mounting volumes based on the configured secrets
To ensure your application is using the Secrets Store CSI driver, you need to configure your deployment to reference the SecretProviderClass resource created in the previous step.
The following is an example of configuring a Pod to mount a volume based on the SecretProviderClass created in prior steps to retrieve secrets from Secrets Manager.
It's important to note that SecretProviderClass (SPC) timeouts can occur due to issues related to Secret Auto Rotation, which is enabled by default. This feature checks every two (2) minutes whether the secrets need to be updated from the values in AWS Secrets Manager. During a service deployment, if a secret is deleted because of a redeployment while a rotation check is attempted, the check can time out. This deletion happens because the synced secret is generated from the volume mount in the service Pod, and when the Pod is destroyed, the secret is destroyed along with it.
In the DuploCloud Portal, create a Kubernetes Service by navigating to Kubernetes -> Services and clicking Add.
Complete the required fields and click Next to display the Advanced Options page.
On the Advanced Options page, in the Cloud Credentials list box, select From Kubernetes.
Add code to the Other Pod Config field, as in the example below.
Add code for VolumeMounts in the Other Container Config field, as in the example below.
Click Create to create the Kubernetes service.
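The two fragments described in the steps above, written as plain Kubernetes YAML. This is an added example, not configuration from the DuploCloud documentation or product; the SecretProviderClass name `aws-secrets`, the volume name `secrets-store-inline`, and the mount path `/mnt/secrets-store` are assumed values, and the exact way the Portal splices these fields into the generated Pod spec is an assumption as well.

```yaml
# Added example: Pod-spec fragments for mounting a Secrets Store CSI volume.
# "aws-secrets", "secrets-store-inline" and "/mnt/secrets-store" are assumed
# values; replace them with your own.

# --- Other Pod Config: the Pod-level volume served by the CSI driver ---
volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true                        # the driver only supports read-only volumes
      volumeAttributes:
        secretProviderClass: "aws-secrets"  # must equal metadata.name of the SecretProviderClass

# --- Other Container Config: mount that volume into the container ---
volumeMounts:
  - name: secrets-store-inline              # must match the volume name above
    mountPath: "/mnt/secrets-store"
    readOnly: true
```

Once the Pod is running, each object listed in the SecretProviderClass appears as a file under the mount path, named after its `objectAlias` (or `objectName` when no alias is given). Because the volume is inline and read-only, the secret material never lands in etcd unless you also configure `secretObjects` to sync it into a Kubernetes Secret.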
Configure and use Kubernetes Secret Objects
Before you can sync Kubernetes Secret Objects, you must Create a Kubernetes Service and mount volumes based on the configured secrets.
Optionally, you can define secretObjects in the SecretProviderClass to define the desired state of your synced Kubernetes secret objects.
The following is an example of how to create a SecretProviderClass CR that syncs a secret from AWS Secrets Manager to a Kubernetes secret:
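A complete SecretProviderClass for the AWS provider, serving both the earlier passage (AWS Secrets plus SSM Parameters mapped into the Parameters section) and this one (a `secretObjects` block that syncs values into a Kubernetes Secret). This is an added example and not a manifest taken from the DuploCloud documentation; the resource name `aws-secrets`, the Secrets Manager secret `my-app/db-credentials`, the SSM parameter `/my-app/db-host`, the JSON keys `username` and `password`, and the synced Secret name `my-app-db` are all assumed values.

```yaml
# Added example: SecretProviderClass using the AWS Secrets and Configuration
# Provider. All names below are assumed placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-secrets            # referenced by the Pod's volumeAttributes.secretProviderClass
spec:
  provider: aws
  parameters:
    # "objects" is a string containing YAML, hence the block scalar.
    objects: |
      - objectName: "my-app/db-credentials"   # Secrets Manager secret (name or full ARN)
        objectType: "secretsmanager"
        objectAlias: "db-credentials"         # file name under the mount path
        jmesPath:                             # split a JSON secret into separate files
          - path: username
            objectAlias: db-username
          - path: password
            objectAlias: db-password
      - objectName: "/my-app/db-host"         # SSM Parameter Store parameter
        objectType: "ssmparameter"
        objectAlias: "db-host"
  # Optional: mirror selected mounted objects into a Kubernetes Secret.
  # The Secret exists only while at least one Pod mounts this class.
  secretObjects:
    - secretName: my-app-db
      type: Opaque
      data:
        - objectName: db-username   # matches an objectAlias above
          key: username             # key inside the Kubernetes Secret
        - objectName: db-password
          key: password
        - objectName: db-host
          key: host
```

The `jmesPath` entries let one JSON-formatted secret be exposed as individual files and Secret keys without granting the application the whole document. Because the synced Secret is created during the CSI mount and removed when the last mounting Pod goes away, the rotation timeout described earlier can surface exactly at that boundary during a redeployment.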
Configuring Secret Objects in deployments
In the Other Container Config field, specify mount details with the secretobject-name. Refer to the following example:
Configuring Secret Objects using Environment Variables
Set environment variables in your deployment to refer to your Kubernetes secrets.
Refer to the following example using the Environment Variables field in the Basic Options page when creating a Service.
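The following Pod shows both ways of consuming the synced Secret covered in the two sections above: mounting it by its secret object name in the container config, and referencing its keys from environment variables. This is an added example, not a manifest from the DuploCloud documentation or product; the names `aws-secrets`, `my-app-db`, `secrets-store-inline`, `db-secret`, the image `my-app:1.0`, and the mount paths are assumed values.

```yaml
# Added example: consuming the Kubernetes Secret "my-app-db" that a
# SecretProviderClass named "aws-secrets" syncs. All names are assumed.
# The CSI volume must still be mounted in the same Pod: the driver creates
# (and later deletes) the synced Secret as part of that mount.
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  volumes:
    - name: secrets-store-inline          # Other Pod Config: triggers the sync of "my-app-db"
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "aws-secrets"
    - name: db-secret                     # ordinary Secret volume backed by the synced object
      secret:
        secretName: my-app-db
  containers:
    - name: app
      image: my-app:1.0                   # assumed image
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
        - name: db-secret                 # Other Container Config: mount by secret object name
          mountPath: "/etc/db"            # yields /etc/db/username, /etc/db/password, /etc/db/host
          readOnly: true
      env:
        - name: DB_USERNAME               # Environment Variables: one key per variable
          valueFrom:
            secretKeyRef:
              name: my-app-db
              key: username
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: my-app-db
              key: password
      envFrom:                            # or expose every key of the Secret at once
        - secretRef:
            name: my-app-db
          prefix: DB_
```

Prefer the file mounts where the application can read them: the CSI mount and the Secret volume are refreshed when Secret Auto Rotation picks up a new value, whereas environment variables are fixed at container start and only change on a restart.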
While powerful, integrating secrets into Kubernetes deployments requires careful management to avoid issues such as SPC timeouts. Understanding the underlying mechanisms, such as Secret Auto Rotation and the lifecycle of secrets in Pod deployments, is crucial for smooth operations.