aws / secrets-store-csi-driver-provider-aws

The AWS provider for the Secrets Store CSI Driver allows you to fetch secrets from AWS Secrets Manager and AWS Systems Manager Parameter Store, and mount them into Kubernetes pods.
Apache License 2.0

Env in pod is not loading as expected #295

Closed ghost closed 6 months ago

ghost commented 11 months ago

I am using the below SecretProviderClass. It creates the secret and loads it as an env in the pod, but the format is not correct.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: pp-dev-pp-webapp
  namespace: pp-dev
spec:
  provider: aws
  secretObjects:
```

volumes:

test_name={"NEW_RELIC_LICENSE_KEY":"xxxxxxxxxxxxxxxx"}

but it should be in the format

NEW_RELIC_LICENSE_KEY":"xxxxxxxxxxxxxxxx

Tried editing secretstoredriver and the deployment by commenting out the test_name reference, but it did not help.

YuvalShAz commented 6 months ago

Hi nihit001raj, I have looked into this issue and have reproduced the behavior you detail in your comment with a few key assumptions:

  1. I assume your secret is JSON in nature (this is because of how your env is currently loading: {"NEW_RELIC_LICENSE_KEY":"xxxxxxxxxxxxxxxx"})
  2. I assume all else equal re: the choice of image, image pull policy, etc. (between your implementation and mine)
  3. I assume that when you "comment[ed] out test_name" you had added it back in somewhere else. This field is needed or the following error is reported: unknown

Given these assumptions, my conclusion is that you most likely need to use the jmesPath parameter when ingesting a secret object (ctrl-f "jmesPath" in README.md). This automatically parses your JSON secret and gives each key path you have specified an alias, which can be used to create a kube secret, which can then be used to create an env variable. (This produces the behavior NEW_RELIC_LICENSE_KEY":"xxxxxxxxxxxxxxxx)

Without using this jmesPath specifier, the secret will indeed be ingested as if it were a raw string (not JSON formatted) and loaded into the env with the name you specify in the deployment file. (This produces the behavior test_name={"NEW_RELIC_LICENSE_KEY":"xxxxxxxxxxxxxxxx"})
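The jmesPath flow described in the reply above, written out end to end as an added example (this is not configuration from the issue reporter or from the project's README). It assumes an AWS Secrets Manager secret named `pp-dev/webapp/newrelic` whose value is the JSON document `{"NEW_RELIC_LICENSE_KEY":"xxxxxxxxxxxxxxxx"}`, a Kubernetes Secret named `pp-webapp-newrelic`, a service account `pp-webapp` with IAM permission to read the AWS secret, and a placeholder image; the SecretProviderClass name and namespace are the ones from the issue. The jmesPath entry extracts the single key and exposes it under an alias; `secretObjects` syncs that alias into a Kubernetes Secret; the Deployment then reads the env var from that Secret, so the container sees `NEW_RELIC_LICENSE_KEY=xxxxxxxxxxxxxxxx` rather than the whole JSON blob.

```yaml
# Added example, not project code. Assumed: AWS secret "pp-dev/webapp/newrelic"
# holding {"NEW_RELIC_LICENSE_KEY":"xxxxxxxxxxxxxxxx"}, Kubernetes Secret
# "pp-webapp-newrelic", service account "pp-webapp", placeholder image.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: pp-dev-pp-webapp
  namespace: pp-dev
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "pp-dev/webapp/newrelic"
        objectType: "secretsmanager"
        jmesPath:
          # Parse the JSON value and expose just this key under an alias.
          - path: NEW_RELIC_LICENSE_KEY
            objectAlias: newrelic-license-key
  # Sync the aliased value into a Kubernetes Secret so it can feed an env var.
  secretObjects:
    - secretName: pp-webapp-newrelic
      type: Opaque
      data:
        # With jmesPath, objectName here must be the objectAlias, not the
        # AWS secret name.
        - objectName: newrelic-license-key
          key: NEW_RELIC_LICENSE_KEY
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pp-webapp
  namespace: pp-dev
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pp-webapp
  template:
    metadata:
      labels:
        app: pp-webapp
    spec:
      # Assumed service account; its IAM role must allow reading the AWS secret.
      serviceAccountName: pp-webapp
      containers:
        - name: webapp
          image: example.invalid/pp-webapp:latest   # placeholder image
          env:
            # Reads the extracted value, not the whole JSON document.
            - name: NEW_RELIC_LICENSE_KEY
              valueFrom:
                secretKeyRef:
                  name: pp-webapp-newrelic
                  key: NEW_RELIC_LICENSE_KEY
          volumeMounts:
            # The CSI volume must actually be mounted in a running pod, or the
            # driver never creates/syncs the Kubernetes Secret.
            - name: secrets-store
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: pp-dev-pp-webapp
```

To check the result after the pod is running: `kubectl -n pp-dev get secret pp-webapp-newrelic -o jsonpath='{.data.NEW_RELIC_LICENSE_KEY}' | base64 -d` should print only the license key, and the file `/mnt/secrets-store/newrelic-license-key` inside the container holds the same raw value. One caveat worth keeping in mind: `secretObjects` copies the value into a Kubernetes Secret, so it now lives in etcd and is readable by anyone with RBAC access to Secrets in that namespace; if the application can read the key from the mounted file instead of an env var, you can drop `secretObjects` and the env entry and avoid that extra copy.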