Secret fails to mount if objectName contains file path separator (`/`)

jcogilvie commented 1 year ago

What steps did you take and what happened: Created a secret in AWS with a valid ARN, of the form "arn:aws:secretsmanager:us-east-1:...:secret:api-key/foobar"

Like so:

Broken:

spec:
  parameters:
    objects: >
      - objectName:
      "arn:aws:secretsmanager:us-east-1:...:secret:api-key/foobar"
  provider: aws
  secretObjects:
    - data:
        - key: authsharedkeylocal-key
          objectName:"arn:aws:secretsmanager:us-east-1:...:secret:api-key/foobar"
      secretName: authsharedkeylocal
      type: Opaque

Working:

spec:
  parameters:
    objects: >
      - objectName:
      "arn:aws:secretsmanager:us-east-1:...:secret:api-key/foobar"
        objectAlias: myAlias
  provider: aws
  secretObjects:
    - data:
        - key: authsharedkeylocal-key
          objectName:"myAlias"
      secretName: authsharedkeylocal
      type: Opaque

Received errors:

file matching objectName arn:aws:secretsmanager:us-east-1:...:secret:api-key/foobar not found in the pod

What did you expect to happen: Secret is mounted successfully.

Anything else you would like to add: This works if the secret is renamed to not include a / or if an objectAlias is used.

Which provider are you using: AWS

Environment: EKS 1.26

Secrets Store CSI Driver version: (use the image tag): registry.k8s.io/csi-secrets-store/driver:v1.3.4
Kubernetes version: (use kubectl version): Server Version: version.Info{Major:"1", Minor:"26+", GitVersion:"v1.26.6-eks-a5565ad", GitCommit:"895ed80e0cdcca657e88e56c6ad64d4998118590", GitTreeState:"clean", BuildDate:"2023-06-16T17:34:03Z", GoVersion:"go1.19.10", Compiler:"gc", Platform:"linux/amd64"}

k8s-triage-robot commented 8 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

jcogilvie commented 8 months ago

/remove-lifecycle stale

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue as fresh with /remove-lifecycle stale
Close this issue with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

aramase commented 5 months ago

/remove-lifecycle stale /lifecycle frozen

kubernetes-sigs / secrets-store-csi-driver

Secret fails to mount if objectName contains file path separator (`/`) #1329