kubernetes-sigs / secrets-store-csi-driver

Secrets Store CSI driver for Kubernetes secrets - Integrates secrets stores with Kubernetes via a CSI volume.
https://secrets-store-csi-driver.sigs.k8s.io/
Apache License 2.0

Don't rely on pod creation to mount to Kubernetes secrets #298

Open djj0809 opened 4 years ago

djj0809 commented 4 years ago

Describe the solution you'd like

Currently, when you choose to sync to Kubernetes secrets, pulling secrets/certs/keys from Key Vault always happens on pod creation, and you also need to mount the SecretProviderClass into a specific pod to make it work.

If we have issues with Key Vault access (managed identity is not working, things are deleted accidentally in Key Vault, or the Key Vault API is unavailable), things will start to fail when a pod gets restarted/recreated. And it's even worse for cronjobs: it will try to retrieve secrets/certs/keys from Key Vault every time a new pod is created under this cronjob, but as Key Vault is down, you can no longer create ANY new pod in production.

I hope this library can simply sync secrets/certs/keys to Kubernetes secrets at deploy time and not rely on any pod to mount them, so I don't have to worry about Key Vault availability after deployment.

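For readers unfamiliar with the mechanism the issue describes, the following is an added illustration (not code from the issue author or from the project's docs) of the current sync-to-Kubernetes-secret shape with the Azure Key Vault provider: a SecretProviderClass whose `secretObjects` asks the driver to mirror a Key Vault certificate into a `kubernetes.io/tls` Secret, and the pod that must mount the CSI volume before that Secret ever appears. The Key Vault name, tenant ID, identity ID, certificate object name and namespace are placeholders.

```yaml
# Added example: SecretProviderClass for the Azure provider.
# The Kubernetes Secret named in secretObjects is only created by the
# driver when a pod mounts the CSI volume that references this class,
# which is the behaviour the issue above asks to change.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-tls          # placeholder
  namespace: istio-system  # placeholder
spec:
  provider: azure
  secretObjects:
    # Synced Kubernetes Secret; both TLS keys come from the same
    # Key Vault certificate object (PEM with key and cert).
    - secretName: gateway-tls  # placeholder
      type: kubernetes.io/tls
      data:
        - objectName: gateway-cert   # placeholder Key Vault object
          key: tls.key
        - objectName: gateway-cert
          key: tls.crt
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<managed-identity-client-id>"  # placeholder
    keyvaultName: "<keyvault-name>"                        # placeholder
    tenantId: "<tenant-id>"                                # placeholder
    objects: |
      array:
        - |
          objectName: gateway-cert
          objectType: secret
---
# Added example: the pod whose only job is to mount the volume so the
# sync happens. Without a running pod that mounts this volume, the
# gateway-tls Secret is not populated, so the pod is a hard dependency
# on Key Vault being reachable at every (re)creation.
apiVersion: v1
kind: Pod
metadata:
  name: tls-sync-pod       # placeholder
  namespace: istio-system  # placeholder
spec:
  containers:
    - name: pause
      image: registry.k8s.io/pause:3.9
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.x-k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-tls
```

A quick way to see the dependency the issue is about is to apply only the SecretProviderClass and check for the Secret: it will not exist until the pod is scheduled and the driver's mount succeeds, and a failed mount (Key Vault unreachable, identity misconfigured) shows up as a pod stuck in ContainerCreating rather than as a missing Secret, so alerting on the Secret's presence alone misses the failure.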

mustaFAB53 commented 2 months ago

+1

maxbeaudoin commented 1 month ago

+1

MostefaKamalLala commented 2 weeks ago

This should be the default behaviour...! +1000

kamimanzoor commented 2 weeks ago

+1 Would be great to have this feature. There are many use cases where one needs a secret without mounts. For instance, we are currently implementing Istio and the gateway requires TLS secrets. Even the official document from MS is showing to have a dummy pod to mount the secret, which does not really make much sense.