Creating the SecretProviderClass Custom Resource to mount secrets

Creating K8s SecretProviderClass CRs in the DuploCloud Portal

DuploCloud Portal provides the ability to create Custom Resource (CR) SecretProviderClass.

This capability allows Kubernetes (K8s) to mount secrets stored in external secrets stores into the Pods as volumes. After the volumes are attached, the data is mounted into the container’s file system.

Prerequisites

An Administrator must set the Infrastructure setting Enable Secrets CSI Driver to True. This setting is available by navigating to Administrator -> Infrastructure, selecting your Infrastructure, and clicking Settings.

Creating the K8s SecretProviderClass

  1. In the DuploCloud Portal, navigate to Kubernetes -> Secret Provider.

  2. Click Add. The Add Kubernetes Secret Provider Class page displays.

  3. Map the AWS Secrets and SSM Parameters configured in DuploCloud Portal (Cloud Services -> App Integration) to the Parameters section of the configuration.

  4. Optionally, use the Secret Objects field to define the desired state of the synced Kubernetes secret objects.

The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured:

Kubernetes Secret Provider Class Page

Creating a Kubernetes Service and mounting volumes based on the configured secrets

To ensure your application is using the Secrets Store CSI driver, you need to configure your deployment to reference the SecretProviderClass resource created in the previous step.

The following is an example of configuring a Pod to mount a volume based on the SecretProviderClass created in prior steps to retrieve secrets from Secrets Manager.

  1. In the DuploCloud Portal, create a Kubernetes Service by navigating to Kubernetes -> Services and clicking Add.

  2. Complete the required fields and click Next to display the Advanced Options page.

    Advanced Options Service Page

  3. On the Advanced Options page, in the Cloud Credentials list box, select From Kubernetes.

    K8s Secret Provider Class Page

  4. Add code to the Other Pod Config field, as in the example below.

  5. Add code for VolumeMounts in the Other Container Config field, as in the example below.

  6. Click Create to create the Kubernetes service.

Other Pod Config field

Volumes:
  - Name: secretvolume-name
    Csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      VolumeAttributes:
        secretProviderClass: my-secret-provider-class

Other Container Config field

VolumeMounts:
  - Name: secretvolume-name
    MountPath: /mnt/secrets
    readOnly: true

Cloud Credentials list box with From Kubernetes selected

Configure and use Kubernetes Secret Objects

Before you can sync Kubernetes Secret Objects, you must create a Kubernetes Service and mount volumes based on the configured secrets, as described in the previous section.

Optionally, you can define secretObjects in the SecretProviderClass to define the desired state of your synced Kubernetes secret objects.

The following is an example of how to create a SecretProviderClass CR that syncs a secret from AWS Secrets Manager to a Kubernetes secret:
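The following SecretProviderClass manifest is an added example, not the configuration from the original page. The names my-secret-provider-class, secretobject-name and secret-text match the Pod, container and environment-variable snippets on this page; the secret ARN, SSM parameter path, region and account ID are constructed placeholders.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  # Referenced by the Pod's csi volume via secretProviderClass: my-secret-provider-class
  name: my-secret-provider-class
spec:
  provider: aws
  parameters:
    # Each object is fetched by the AWS provider and written as a file under the
    # mount path (/mnt/secrets in the container config above), named by objectAlias.
    # The identity the Pod runs as needs read access to exactly these objects and
    # nothing broader (secretsmanager:GetSecretValue / ssm:GetParameter).
    objects: |
      - objectName: "arn:aws:secretsmanager:us-east-1:123456789012:secret:app/db-creds-AbCdEf"  # constructed placeholder
        objectType: "secretsmanager"
        objectAlias: "secret-text"
      - objectName: "/app/api-key"   # constructed placeholder SSM parameter path
        objectType: "ssmparameter"
        objectAlias: "api-key"
  # secretObjects syncs selected mounted files into a Kubernetes Secret so they can
  # be consumed through envFrom/secretKeyRef. The Secret exists only while at least
  # one Pod mounts this volume and is removed when the last such Pod is deleted.
  secretObjects:
    - secretName: secretobject-name   # referenced by SecretRef / secretKeyRef
      type: Opaque
      data:
        - objectName: secret-text     # must equal the objectAlias of the mounted file
          key: secret-text            # key read by the SECRET_USERNAME example below
```

Only the objects listed under secretObjects are copied into etcd-backed Secrets; the api-key entry above stays file-only on the volume, which is the lower-exposure option when an application can read it from disk.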

Configuring Secret Objects in deployments

In the Other Container Config field, specify the volume mount details and reference the synced Kubernetes Secret by its secretobject-name. Refer to the following example:

Other Container Config field

VolumeMounts:
  - Name: secretvolume-name
    MountPath: /mnt/secrets
    readOnly: true
EnvFrom:
  - SecretRef:
      Name: secretobject-name

Configuring Secret Objects using Environment Variables

Set environment variables in your deployment to refer to your Kubernetes secrets.

Refer to the following example using the Environment Variables field in the Basic Options page when creating a Service.

Environment Variables field

- name: SECRET_USERNAME
  valueFrom:
    secretKeyRef:
      name: secretobject-name
      key: secret-text
