How to mount specific fields in secretmanager using secretstore csi driver

Thread starter: user9163519 (Guest)
Trying to mount only specific keys from the AWS Secrets Manager secret as files into the pods, using the specs below.

Value of AWS secret mytestsecret:

Code:
{"key1": "value1", "key2": "value2"}

SecretProviderClass spec

Code:
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: secretstore-test
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "mytestsecret"
        objectType: "secretsmanager"
    jmesPath:
      # each entry must carry both keys in one list item: path is the JMESPath
      # expression, objectAlias the file name it is written to
      - path: "key1"
        objectAlias: "key1"

Deployment spec, removed other fields for brevity

Code:
apiVersion: apps/v1
kind: Deployment
spec:
  ...
  template:
    spec:
      containers:
      # containers is a list, so each container starts with "- "
      - image: <>
        name: test
        volumeMounts:
        - mountPath: /mnt/secrets
          name: secrets-store-inline
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: secretstore-test

With this spec, I'm getting two files mounted:

  • one file named mytestsecret with the full secret content, including all fields
  • a second file named key1, with only the value value2

Is there a way I can avoid the full secret file mount and only have file/s for the keys mentioned in jmespath?
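An added check, not code from the post or from the AWS provider: it flags jmesPath entries that are missing `path` or `objectAlias` (the posted spec splits them into two list items), predicts the mount layout under the behaviour the post describes (the whole object file plus one file per alias, with a plain key lookup standing in for JMESPath as a simplifying assumption), and audits a mount for files that still hold the full multi-key secret.

```python
import json
from typing import Dict, List

# Constructed sample: the secret value and `objects` parameter from the post, the
# latter as already-parsed YAML (a list of dicts) rather than the raw text.
SECRET_VALUE = {"key1": "value1", "key2": "value2"}
OBJECTS_AS_POSTED = [{
    "objectName": "mytestsecret", "objectType": "secretsmanager",
    # two separate list items: one holds only `path`, the other only `objectAlias`
    "jmesPath": [{"path": "key1"}, {"objectAlias": "key1"}],
}]
OBJECTS_FIXED = [{
    "objectName": "mytestsecret", "objectType": "secretsmanager",
    "jmesPath": [{"path": "key1", "objectAlias": "key1"}],
}]

def validate_objects(objects: List[dict]) -> List[str]:
    """Problems in the spec: every jmesPath entry needs both `path` and `objectAlias`."""
    problems = []
    for obj in objects:
        for entry in obj.get("jmesPath", []):
            missing = sorted({"path", "objectAlias"} - set(entry))
            if missing:
                problems.append(f"{obj['objectName']}: entry {entry} is missing {missing}")
    return problems

def expected_files(objects: List[dict], secret: dict) -> Dict[str, str]:
    """Files written per the post: the full object file plus one file per alias.
    A plain key lookup stands in for the provider's JMESPath engine (assumption)."""
    files = {}
    for obj in objects:
        files[obj["objectName"]] = json.dumps(secret)
        for entry in obj.get("jmesPath", []):
            if "path" in entry and "objectAlias" in entry:
                files[entry["objectAlias"]] = str(secret[entry["path"]])
    return files

def full_secret_files(mount: Dict[str, str], aliases: List[str]) -> List[str]:
    """Audit a mount (file name -> content): names of files holding a JSON object
    with keys beyond the aliased ones, i.e. the whole secret landed on disk."""
    leaked = []
    for name, content in mount.items():
        try:
            parsed = json.loads(content)
        except ValueError:
            continue  # a plain alias value such as "value1" is not JSON
        if isinstance(parsed, dict) and not set(parsed) <= set(aliases):
            leaked.append(name)
    return leaked
```

To audit a real pod, read each file under the mount path (/mnt/secrets in the post) into a name-to-content dict and pass it to `full_secret_files` with the aliases you intended to expose.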