AKS with Azure Key Vault - env variables don't load

dywan666

12/20/22, 9:18 AM

I'm trying to use secrets from Azure Key Vault in my Kubernetes deployment as env variables and I'm struggling to do so. I'm using Azure pod identity and the secrets get mounted to the file and that works, however I want them to be accessible as env variables.

Here is my secrets.yml file:

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  secretObjects:
  - secretName: test-secret
    type: Opaque
    data:
    - objectName: test-db-user
      key: dbuser
    - objectName: test-db-pass
      key: dbpassword
  parameters:
    usePodIdentity: "true"
    keyvaultName: "test-keyvault"      
    cloudName: ""               
    objects:  |
      array:
        - |
          objectName: test-db-user
          objectType: secret
          objectVersion: ""
        - |
          objectName: test-db-pass
          objectType: secret
          objectVersion: ""
    tenantId: "<tenantID>"

And my deployment.yml:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-secrets-store-inline
  labels:
    aadpodidbinding: aadpodidbinding
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: test-secret
              key: dbuser
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: test-secret
              key: dbpassword
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kvname

I've been following the examples provided by Azure: secret, deployment

When I apply both files, I get the CreateContainerConfigError: Error: secret "test-secret" not found

640

1 + 0

azure

kubernetes

aks

Score:0

Server

dywan666

12/20/22, 2:34 PM

Turns out, I did not have the proper RBAC roles enabled:

https://azure.github.io/secrets-store-csi-driver-provider-azure/troubleshooting/#failed-to-create-kubernetes-secret-errsecrets-is-forbidden-user-systemserviceaccountdefaultsecrets-store-csi-driver-cannot-create-resource-secrets-in-api-group--in-the-namespace-default

After adding them to my cluster, everything works perfectly.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: AKS with Azure Key Vault - env variables don't load

TH: AKS พร้อม Azure Key Vault - ตัวแปร env ไม่โหลด

RO: AKS cu Azure Key Vault - variabilele env nu se încarcă

RU: AKS с Azure Key Vault — переменные env не загружаются

VI: AKS với Azure Key Vault - biến env không tải

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.