SecretProviderClass custom resource

The DuploCloud Portal provides the ability to create a SecretProviderClass custom resource.

This capability allows Kubernetes to mount secrets stored in external secrets stores into the pods as volumes. After the volumes are attached, the data is mounted into the container’s file system.

Step 1: Enable Secret Provider Class

As a prerequisite, an Administrator needs to set the Infrastructure setting Enable Secrets CSI Driver to True. This setting is available by navigating to Administrator -> Infrastructure, selecting your Infrastructure, and clicking Settings.

Step 2: Create K8s Secret Provider Class

Navigate to Kubernetes -> Sec. Provider Class.

You can map the AWS Secrets and SSM Parameters configured in the DuploCloud Portal (Cloud Services -> App Integration) under the Parameters section of the configuration.

Use the optional Secret Objects field to define the desired state of the synced Kubernetes secret objects.

The following is an example SecretProviderClass configuration where AWS secrets and Kubernetes Secret Objects are configured.

Step 3: Mount Volumes based on the configured secrets

To ensure your application is using the Secrets Store CSI driver, you need to configure your deployment to use the reference of the SecretProviderClass resource created in the previous step.

The following is an example of how to configure a pod to mount a volume based on the SecretProviderClass created in prior steps to retrieve secrets from Secrets Manager.

While creating the Service (Kubernetes -> Service):

  • Set the Cloud Credentials value to From Kubernetes.
  • Add the following to the Other Pod Config field.

Other Pod Config field
Volumes:
  - Name: secretvolume-name
    Csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      VolumeAttributes:
        secretProviderClass: my-secret-provider-class
  • Add the mount details to the Other Container Config field.

Other Container Config field
VolumeMounts:
  - Name: secretvolume-name
    MountPath: /mnt/secrets
    readOnly: true

Using SecretObjects

Configuring Secret Objects

You can use the optional secretObjects field to define the desired state of your synced Kubernetes secret objects. The volume mount is required for the sync.

In the example followed from the prior steps, SecretObjects were defined in the Secret Objects field of the K8s Secret Provider Class.

The following is an example SecretProviderClass custom resource that will sync a secret from AWS Secrets Manager to a Kubernetes secret:

Configuring Secret Objects in deployment

Create the Service with all the configuration specified in Step 3.

In the Other Container Config field, you can specify the mount details together with the synced secret object name, as in the following example.

Other Container Config field
VolumeMounts:
  - Name: secretvolume-name
    MountPath: /mnt/secrets
    readOnly: true
EnvFrom:
  - SecretRef:
      Name: secretobject-name

Configuring Secret Objects in Environment Variables

Set environment variables in your deployment to refer to your new Kubernetes secrets.

Specify the following in the Environment Variables field, as in this example.

Environment Variables field
- name: SECRET_USERNAME
  valueFrom:
    secretKeyRef:
      name: secretobject-name
      key: secret-text
