Azure / secrets-store-csi-driver-provider-azure

Azure Key Vault provider for Secret Store CSI driver allows you to get secret contents stored in Azure Key Vault instance and use the Secret Store CSI driver interface to mount them into Kubernetes pods.
https://azure.github.io/secrets-store-csi-driver-provider-azure/
MIT License

Backstage (https://backstage.io/) Application Deployment on AKS: Unable to expose Azure key vault secrets as environment variables #1522

Closed flrajjaladi closed 2 months ago

flrajjaladi commented 3 months ago

Hi Team, I have a Backstage application running on a k8s cluster (AKS) and have config which mounts Azure secrets at location /mnt/secrets, which is working as intended; I am able to verify the secret has been mounted properly. Now the goal is exposing these as env variables so that the Backstage app is able to read and utilize them dynamically.

Having issues with achieving the above goal. Providing my config for SecretProviderClass and part of my deployment.yaml:

SecretProviderClass.yml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass   # kind is case-sensitive; "secretProviderClass" is rejected by the API server
metadata:
  name: azure-kv-name
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    clientID: <redacted>
    keyvaultName: <redacted>
    # objectType must be one of secret, key or cert; the provider does not accept "string"
    objects: |
      array:
        - |
          objectName: AZURE-CLIENT-ID
          objectType: secret
          objectAlias: AZURE_CLIENT_ID
        - |
          objectName: AZURE-CLIENT-SECRET
          objectType: secret
          objectAlias: AZURE_CLIENT_SECRET
        - |
          objectName: EXAMPLESECRET
          objectType: secret
          objectAlias: EXAMPLESECRET
        - |
          objectName: POSTGRES-HOST
          objectType: secret
          objectAlias: POSTGRES_HOST
        - |
          objectName: POSTGRES-PORT
          objectType: secret
          objectAlias: POSTGRES_PORT
        - |
          objectName: POSTGRES-USER
          objectType: secret
          objectAlias: POSTGRES_USER
        - |
          objectName: POSTGRES-PASSWORD
          objectType: secret
          objectAlias: POSTGRES_PASSWORD
    tenantId: <redacted>
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backstage
  namespace: backstage-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: backstage
  template:
    metadata:
      labels:
        app: backstage
    spec:
      imagePullSecrets:
        - name: <redacted>
      containers:
        - name: backstage
          image: <redacted>
          env:
            - name: AZURE_TENANT_ID
              valueFrom:
                secretKeyRef:
                  name: azure-kv-name
                  key: AZURE_TENANT_ID
            - name: AZURE_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: azure-kv-name
                  key: AZURE_CLIENT_ID
            - name: AZURE_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: AZURE_CLIENT_SECRET
                  name: azure-kv-name
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: azure-secrets
              mountPath: "/mnt/secrets"
              readOnly: true
          ports:
            - name: http
              containerPort: 7007
      volumes:
        - name: azure-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "azure-kv-name"

Please let me know if I need to provide any additional information required to debug. Any help is greatly appreciated. Thanks.

csuzw commented 3 months ago

You need to define a Kubernetes Secret that your SecretProviderClass will create, which your deployment can then reference. To do this you need to add a secretObjects section to your SecretProviderClass. For example:

SecretProviderClass.yml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-name
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    clientID: <redacted>
    keyvaultName: <redacted>
    # objectType must be one of secret, key or cert ("string" is not accepted).
    # AZURE-TENANT-ID is listed here so that the AZURE_TENANT_ID entry under
    # secretObjects has a mounted file to sync from.
    objects: |
      array:
        - |
          objectName: AZURE-TENANT-ID
          objectType: secret
          objectAlias: AZURE_TENANT_ID
        - |
          objectName: AZURE-CLIENT-ID
          objectType: secret
          objectAlias: AZURE_CLIENT_ID
        - |
          objectName: AZURE-CLIENT-SECRET
          objectType: secret
          objectAlias: AZURE_CLIENT_SECRET
        - |
          objectName: EXAMPLESECRET
          objectType: secret
          objectAlias: EXAMPLESECRET
        - |
          objectName: POSTGRES-HOST
          objectType: secret
          objectAlias: POSTGRES_HOST
        - |
          objectName: POSTGRES-PORT
          objectType: secret
          objectAlias: POSTGRES_PORT
        - |
          objectName: POSTGRES-USER
          objectType: secret
          objectAlias: POSTGRES_USER
        - |
          objectName: POSTGRES-PASSWORD
          objectType: secret
          objectAlias: POSTGRES_PASSWORD
    tenantId: <redacted>
  secretObjects:
  - secretName: your-secret-name
    type: Opaque
    # key is what the Deployment's secretKeyRef.key refers to;
    # objectName is the mounted file name, i.e. the objectAlias when one is set
    data:
    - key: AZURE_TENANT_ID
      objectName: AZURE_TENANT_ID
    - key: AZURE_CLIENT_ID
      objectName: AZURE_CLIENT_ID
    - key: AZURE_CLIENT_SECRET
      objectName: AZURE_CLIENT_SECRET

Then in your Deployment file, the name value under each secretKeyRef section should be your-secret-name.
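The three things that have to line up for the answer above to work are easy to get wrong by hand: each `objectName` under `secretObjects` must be a file name the provider actually writes into the mount (the `objectAlias` when one is set), each `secretKeyRef` in the Deployment must name the `secretName` from `secretObjects` and one of its keys, and the pod must keep mounting the CSI volume, because the synced Secret is only created when a pod mounts it. The following is an added example, not code from the project or from anyone in this thread: a small consistency checker that takes both manifests as the dicts kubectl sees after YAML decoding (embedded here as constructed input; the Secret name `backstage-kv-secret` is an assumed value) and reports every mismatch. Worth keeping in mind from a defender's side: a synced Secret lives in etcd and is readable by anyone with `get secrets` in the namespace, so sync only the keys the app really needs as environment variables rather than every object in the vault.

```python
"""Cross-check a SecretProviderClass against the Deployment that consumes it.
Constructed example (not project or thread code): manifests are embedded as the
dicts kubectl sees after YAML decoding; backstage-kv-secret is an assumed name."""

# The provider's "objects" parameter is a YAML document nested inside a string.
OBJECTS_ARRAY = """\
array:
  - |
    objectName: AZURE-CLIENT-ID
    objectType: secret
    objectAlias: AZURE_CLIENT_ID
  - |
    objectName: AZURE-CLIENT-SECRET
    objectType: secret
    objectAlias: AZURE_CLIENT_SECRET
  - |
    objectName: POSTGRES-PASSWORD
    objectType: secret
    objectAlias: POSTGRES_PASSWORD
"""

def parse_objects_array(text):
    """Split the nested objects string into one dict per '- |' item."""
    items, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "- |":
            current = {}
            items.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return items

def mounted_file_names(spc_manifest):
    """File names written into the volume: objectAlias when set, else objectName."""
    objects = parse_objects_array(spc_manifest["spec"]["parameters"]["objects"])
    return {o.get("objectAlias") or o["objectName"] for o in objects}

def spc(secret_name, data, name="azure-kv-name"):
    """SecretProviderClass that syncs the given data entries into one Opaque Secret."""
    return {"apiVersion": "secrets-store.csi.x-k8s.io/v1", "kind": "SecretProviderClass",
            "metadata": {"name": name},
            "spec": {"provider": "azure", "parameters": {"objects": OBJECTS_ARRAY},
                     "secretObjects": [{"secretName": secret_name, "type": "Opaque", "data": data}]}}

def deployment(secret_name, env_keys, spc_name="azure-kv-name"):
    """Deployment taking env vars via secretKeyRef and mounting the CSI volume."""
    env = [{"name": k, "valueFrom": {"secretKeyRef": {"name": secret_name, "key": k}}} for k in env_keys]
    volume = {"name": "azure-secrets", "csi": {"driver": "secrets-store.csi.k8s.io",
                                               "volumeAttributes": {"secretProviderClass": spc_name}}}
    return {"apiVersion": "apps/v1", "kind": "Deployment", "spec": {"template": {"spec": {
            "containers": [{"name": "backstage", "env": env}], "volumes": [volume]}}}}

def check(spc_manifest, deploy_manifest):
    """Return a list of mismatches; an empty list means every secretKeyRef will resolve."""
    problems = []
    files = mounted_file_names(spc_manifest)
    secrets = {}  # synced Secret name -> keys it will contain
    for so in spc_manifest["spec"].get("secretObjects", []):
        keys = set()
        for entry in so["data"]:
            # objectName must be a mounted file name, i.e. the alias when one is set
            if entry["objectName"] not in files:
                problems.append(f"secretObjects/{so['secretName']}: objectName "
                                f"{entry['objectName']!r} matches no mounted file {sorted(files)}")
            keys.add(entry["key"])
        secrets[so["secretName"]] = keys
    pod = deploy_manifest["spec"]["template"]["spec"]
    mounted = {v["csi"]["volumeAttributes"]["secretProviderClass"]
               for v in pod.get("volumes", []) if "csi" in v}
    if spc_manifest["metadata"]["name"] not in mounted:
        # the synced Secret is only created when a pod mounts the volume, so the mount must stay
        problems.append("pod does not mount the CSI volume for this SecretProviderClass")
    for container in pod["containers"]:
        for var in container.get("env", []):
            ref = var.get("valueFrom", {}).get("secretKeyRef")
            if ref is None:
                continue
            if ref["name"] not in secrets:
                problems.append(f"env {var['name']}: secretKeyRef.name {ref['name']!r} "
                                "is not a secretName under secretObjects")
            elif ref["key"] not in secrets[ref["name"]]:
                problems.append(f"env {var['name']}: key {ref['key']!r} is not synced into {ref['name']!r}")
    return problems

GOOD_SPC = spc("backstage-kv-secret", [{"key": "AZURE_CLIENT_ID", "objectName": "AZURE_CLIENT_ID"},
                                       {"key": "AZURE_CLIENT_SECRET", "objectName": "AZURE_CLIENT_SECRET"}])
# As posted in the issue: secretKeyRef.name is the SecretProviderClass name rather than a Secret.
AS_POSTED = deployment("azure-kv-name", ["AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"])
FIXED = deployment("backstage-kv-secret", ["AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"])
```

`check(GOOD_SPC, AS_POSTED)` reports one problem per env var (all three point at `azure-kv-name`, which is the SecretProviderClass, not a Secret), while `check(GOOD_SPC, FIXED)` returns an empty list. Passing a `secretObjects` entry whose `objectName` is the Key Vault name (`AZURE-CLIENT-ID`) instead of the alias is flagged as matching no mounted file, which is the silent failure mode when the Secret never appears.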

github-actions[bot] commented 2 months ago

This issue is stale because it has been open 14 days with no activity. Please comment or this will be closed in 7 days.

github-actions[bot] commented 2 months ago

This issue was closed because it has been stalled for 21 days with no activity. Feel free to re-open if you are experiencing the issue again.