Share via

Configure Azure Key Vault Provider for Secrets Store CSI Driver volumes as single volume

Timo Holm 71 Reputation points
2023-07-28T12:31:50.8766667+00:00

I am using https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver to configure multiple microservices to each connect KeyVault to fetch secret. Configuring each volume causes following lines to duplicate to each microservice configuration

 volumes:
    - name: secrets-store01-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-sync"

Is it possible to configure volume only once (eg persistentVolumeClaim ?) and refer to that in configuration instead of duplicating volume?

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,260 questions
Accepted answer
  1. mutaz-msft 2,346 Reputation points Microsoft Employee
    2023-07-31T14:28:04.5733333+00:00

    Hi Timo Holm,

    The addon Secrets Store CSI Driver is ephemeral and ephemeral volumes are specified inline in the Pod spec, so I don't think this will work.
    User's image

    Also, you only need to create secretProviderclass once and use it in your deployments.

    But you can try to edit the secret csi driver to persistent ( not recommended and no guarantee to work) and try to create pv and pvc for your secrets, you can refer to these files ( pv-secrets-store-csi.yaml ,pvc-secrets-store-csi-static.yaml , nginx-pod-secrets-store-pvc.yaml ).

    Hope this helps, and please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.