Score:0

How to use an ACR secret saved in Azure Key Vault for image pull?


With Azure Key Vault and the CSI driver, I am able to create secrets and access them as single files in the container.

I followed this approach to create basic secrets.

I can access the secrets from the container as secret files inside it.

But when I tried to create a secret from it and use the same for imagePull, it is not working.

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: default
spec:
  provider: azure
  # Sync the Key Vault secret "martrepo" into a Kubernetes Secret named acr-test
  # of type kubernetes.io/dockerconfigjson (created only once a pod mounts the volume)
  secretObjects:
  - secretName: acr-test
    type: kubernetes.io/dockerconfigjson
    data:
    - objectName: martrepo
      key: .dockerconfigjson
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    userAssignedIdentityID: ""
    keyvaultName: "secret-store-dummy"
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret
          objectVersion: ""
        - |
          objectName: martrepo
          objectType: secret
          objectVersion: ""
    tenantId: "f33abe27-86cd-46d6-ae2b-b918362ab160"

---
kind: Pod
apiVersion: v1
metadata:
  name: busybox-secrets-store-inline
spec:
  containers:
  - name: busybox
    image: k8s.gcr.io/e2e-test-images/busybox:1.29
    command:
      - "/bin/sleep"
      - "10000"
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"   # Key Vault objects appear here as files
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kvname"
        nodePublishSecretRef:                       # Only required when using service principal mode
          name: secrets-store-creds

I tried to use the above acr-test secret in the deployment of an app under imagePullSecrets, but it didn't work, as the events show issues with pulling the image.

Please guide me if the approach is wrong.

And also, how to use these secrets as a part of existing configmap?

Are you using AKS for your kubernetes cluster? If so then I would suggest not using a secret for ACR pulling, just grant the AKS service principal or managed identity access
The ACR is in a different account and a completely different subscription, so I am using it as a secret.
Different Tenant?
Yes all are different, not linked at all.
Score:1

I don't believe that this is achievable. The CSI driver mounts the secret inside the container as a volume, but the image pull secret is needed prior to the container being created and the volume mounted, so the secret will not be available.

You will need to set this up as a standard static Kubernetes secret.

Is it possible to create an init container and link from there?
Only if you have the init container create a kubernetes secret based on the KV secret that is then accessible to the main container.
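Since the answer says the pull secret must already exist when the pod is created, here is an added example (not from the original question or answers) of building that static kubernetes.io/dockerconfigjson Secret from the registry login server, username and password. The registry, secret name and credentials below are constructed placeholders; in practice the password value would be fetched from Key Vault with `az keyvault secret show` and the manifest piped to `kubectl apply -f -`.

```shell
#!/bin/sh
# Added example: generate the static image pull Secret that imagePullSecrets
# can reference. All names and credentials used here are placeholders.
set -eu

# Base64-encode a string onto a single line (GNU base64 wraps at 76 columns).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Minimal JSON string escaping for backslash and double quote.
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Build the .dockerconfigjson document for one registry.
# The "auth" field is base64("username:password"), which is what kubelet uses.
docker_config_json() {
  registry=$1 user=$2 password=$3
  auth=$(b64 "$user:$password")
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$(json_escape "$registry")" "$(json_escape "$user")" \
    "$(json_escape "$password")" "$auth"
}

# Emit a Secret manifest of type kubernetes.io/dockerconfigjson.
# The config document itself must be base64-encoded under data.
pull_secret_manifest() {
  name=$1 namespace=$2 registry=$3 user=$4 password=$5
  cfg=$(docker_config_json "$registry" "$user" "$password")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$cfg")
EOF
}

# Demo with constructed placeholder values; pipe the output to kubectl apply.
if [ "${1:-}" = "--demo" ]; then
  pull_secret_manifest acr-test default myregistry.azurecr.io pull-user 'p@ss"word'
fi
```

Reference the resulting Secret from `imagePullSecets` in the Deployment, and keep the Key Vault CSI mount for secrets the application reads at runtime.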