curiousgeek

Reputation: 105

How to fetch secret values for K8s environment variables using GCP Secret Store CSI Driver

I have a requirement to fetch secrets stored in GCP Secret Manager and use them in my GKE Kubernetes pods. I am using the GCP Secret Store CSI driver to achieve this. While I am able to successfully establish the connection and retrieve the secrets, I am facing an issue with retrieving specific key values from the secret and assigning them to environment variables in the Kubernetes pods.

I have successfully set up a similar configuration in AWS using the CSI driver, where I can retrieve specific key-value pairs. However, when performing the same setup in GCP, I am unable to retrieve just the key-value pair. Instead, the entire secret JSON is being retrieved.

For example, if my secret is: {"admin_user":"test-admin","admin_password":"password"}

I expect the environment variable ADMIN_USER to have the value test-admin. But currently, it is taking the whole secret JSON value instead: ADMIN_USER={"admin_user":"test-admin","admin_password":"password"}.

How can I configure the GCP Secret Store CSI driver to retrieve specific key values and assign them to environment variables in Kubernetes pods?

Below is the secretProviderClass definition:

---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: test-secret
spec:
  provider: gcp
  parameters:
    secrets: |
      - resourceName: "projects/<project-id>/secrets/testpassword/versions/latest"
        path: admin.txt
    # The 'objects'/'jmesPath' form below is the AWS provider's syntax; the GCP
    # provider reads only the 'secrets' parameter above, so nothing here selects
    # individual keys out of the JSON document.
    objects: |
      - objectName: "testpassword"
        objectType: secretsmanager
        jmesPath:
          - path: "admin_user"
            objectAlias: "admin_user"
          - path: "admin_password"
            objectAlias: "admin_password"
  secretObjects:
  - secretName: testpassword
    type: Opaque
    data:
    # Both keys are populated from the same mounted file, i.e. the whole JSON document.
    - objectName: admin.txt
      key: admin_user
    - objectName: admin.txt
      key: admin_password

Pod definition:

---
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: default
spec:
  serviceAccountName: app-sa
  containers:
  - image: gcr.io/google.com/cloudsdktool/cloud-sdk:slim
    name: mypod
    env:
      - name: "ADMIN_USER"
        valueFrom:
          secretKeyRef:
            name: "testpassword"
            key: admin_user
      - name: "ADMIN_PASSWORD"
        valueFrom:
          secretKeyRef:
            name: "testpassword"
            key: admin_password
    resources:
      requests:
        cpu: 100m
    tty: true
    volumeMounts:
      - mountPath: "/secrets"
        name: vol-secret
        readOnly: true
  volumes:
  - name: vol-secret
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "test-secret"

Upvotes: 0

Views: 132
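Since the GCP provider writes the whole secret to the mounted file, one workaround is to split it inside the pod before the application starts, so that the process environment only ever carries the selected keys. The script below is an added example and is not code from the question or from the secrets-store-csi-driver project. It assumes the mount path /secrets/admin.txt from the SecretProviderClass above, the env-var-to-key mapping from the pod spec, and a hypothetical application entrypoint /app/start; the sample payload is the example secret from the question.

```python
"""Split a whole-JSON secret mounted by the GCP Secret Manager CSI provider into
per-key environment variables before the application starts.

Added example; not code from the question or from the secrets-store-csi-driver
project. It assumes the SecretProviderClass mounts the full secret at
/secrets/admin.txt (the `path:` value from the question) and that the container
command is wrapped by this script, e.g.
    python3 split_secret.py /secrets/admin.txt -- /app/start   (/app/start is hypothetical)
"""
import json
import os
import sys
from pathlib import Path

# ENV_VAR -> JSON key, mirroring the env entries in the question's pod spec.
ENV_MAPPING = {"ADMIN_USER": "admin_user", "ADMIN_PASSWORD": "admin_password"}

# Constructed sample payload, copied from the question's example secret.
SAMPLE_SECRET = '{"admin_user":"test-admin","admin_password":"password"}'


def extract_env(secret_payload: str, mapping: dict) -> dict:
    """Return {ENV_VAR: value} for every mapped key in the JSON secret.

    Fails loudly (ValueError / KeyError) on a malformed payload or a missing key,
    so a misconfigured secret aborts container start instead of exporting the
    whole JSON document as the question describes.
    """
    try:
        doc = json.loads(secret_payload)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret payload is not valid JSON: {exc.msg}") from None
    if not isinstance(doc, dict):
        raise ValueError("secret payload must be a JSON object")
    env = {}
    for env_name, key in mapping.items():
        if key not in doc:
            raise KeyError(f"secret has no key {key!r} required for {env_name}")
        value = doc[key]
        # Nested values are re-serialised; scalars are exported as plain strings.
        env[env_name] = value if isinstance(value, str) else json.dumps(value)
    return env


def write_per_key_files(secret_payload: str, mapping: dict, out_dir) -> list:
    """Write each extracted value to its own 0600 file under out_dir, the per-key
    layout the AWS provider's jmesPath produces. Returns the paths written."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for env_name, value in extract_env(secret_payload, mapping).items():
        target = out / mapping[env_name]
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(value)
        written.append(str(target))
    return written


def main(argv: list) -> int:
    if len(argv) < 4 or argv[2] != "--":
        print("usage: split_secret.py <secret-file> -- <command> [args...]", file=sys.stderr)
        return 2
    secret_file, command = argv[1], argv[3:]
    try:
        extra = extract_env(Path(secret_file).read_text(encoding="utf-8"), ENV_MAPPING)
    except (OSError, ValueError, KeyError) as exc:
        # Report the problem without echoing the secret contents to the log.
        print(f"split_secret: {exc}", file=sys.stderr)
        return 1
    env = dict(os.environ)
    env.update(extra)
    # Replace this process with the real entrypoint; only the selected keys are exported.
    os.execvpe(command[0], command, env)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the wrapper execs the real command, the whole-JSON file stays only on the read-only CSI volume and the application's environment carries just ADMIN_USER and ADMIN_PASSWORD. With this in place the secretObjects sync in the SecretProviderClass is no longer needed, which also avoids keeping a second copy of the secret in a Kubernetes Secret object.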

Answers (1)

miracle

Reputation: 385

I tried to replicate the same configuration as yours and ended up fetching the entire JSON instead of the specific value. Check this existing public feature request and feel free to upvote the feature so it is prioritized accordingly.

For additional reference regarding the issue, you may refer to Extract JSON key-value pairs from secrets.

Upvotes: 1
