Sync Azure Key Vault Secret with Kubernetes dockerconfigjson Secret

I am trying to sync an Azure Key Vault Secret with a Kubernetes Secret of type dockerconfigjson by applying the following YAML manifest with the four objects Pod, SecretProviderClass, AzureIdentity and AzureIdentityBinding.

All configuration around Key Vault access and managed identity RBAC rules has been done and proven to work, as I have access to the Azure Key Vault secret from within the running Pod.

But when I apply this manifest I expect, according to the documentation here, to see the Kubernetes Secret regcred reflect the Azure Key Vault Secret once I create the Pod with the mounted secret volume, yet the Kubernetes Secret remains unchanged. I have also tried recreating the Pod in an attempt to trigger the sync, but in vain.

Since this is a very declarative way of configuring this functionality, I am also confused about where to look for logs for troubleshooting.

Can someone point me to what I may be doing wrong?

apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    aadpodidbinding: webapp
spec:
  containers:
  - name: demo
    image: mcr.microsoft.com/oss/azure/aad-pod-identity/demo:v1.6.3
    volumeMounts:
      - name: web-app-secret
        mountPath: "/mnt/secrets"
        readOnly: true
  nodeSelector:
    kubernetes.io/os: linux
  volumes:
    - name: web-app-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: web-app-secret-provide
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: web-app-secret-provide
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: <key-vault-name>
    objects: |
      array:
        - |
          objectName: registryPassword
          objectType: secret
    tenantId: <tenant-id>
  secretObjects:
  - data:
    - key: .dockerconfigjson
      objectName: registryPassword
    secretName: regcred
    type: kubernetes.io/dockerconfigjson
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: kv-managed-identity
spec:
  type: 0
  resourceID: <resource-id>
  clientID: <client-id>
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: kv-managed-binding
spec:
  azureIdentity: kv-managed-identity
  selector: web-app
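
As an added example that is not part of the original post (constructed illustration, not code from the Secrets Store CSI driver or aad-pod-identity), the following Python shows what the value synced into the ".dockerconfigjson" key has to look like: a kubernetes.io/dockerconfigjson Secret carries a whole Docker config document with an "auths" map, so the Key Vault secret mapped to that key must hold that JSON rather than only a registry password. It also checks the one thing aad-pod-identity matches on, the Pod's aadpodidbinding label against the binding's spec.selector; the registry name and credentials below are constructed sample values.

```python
import base64
import json

# Constructed sample registry; real credentials would live in Key Vault,
# never in source code.
REGISTRY = "myregistry.example.azurecr.io"


def build_dockerconfigjson(registry: str, username: str, password: str) -> str:
    """Return the JSON a kubernetes.io/dockerconfigjson Secret expects under
    its .dockerconfigjson key. This whole document, not the bare password,
    is what the Key Vault secret mapped to that key must contain."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    return json.dumps({"auths": {registry: entry}})


def validate_dockerconfigjson(value: str) -> list[str]:
    """Return problems found in a candidate .dockerconfigjson value; an empty
    list means the value has the shape kubelet reads as registry credentials."""
    problems = []
    try:
        doc = json.loads(value)
    except json.JSONDecodeError:
        return ["value is not JSON (a bare password was probably stored)"]
    auths = doc.get("auths") if isinstance(doc, dict) else None
    if not isinstance(auths, dict) or not auths:
        return ['missing non-empty "auths" object']
    for registry, entry in auths.items():
        if not isinstance(entry, dict):
            problems.append(f"{registry}: entry is not an object")
        elif "auth" in entry:
            try:
                decoded = base64.b64decode(entry["auth"], validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                problems.append(f"{registry}: auth is not base64")
                continue
            if ":" not in decoded:
                problems.append(f"{registry}: auth must decode to user:password")
        elif not ("username" in entry and "password" in entry):
            problems.append(f"{registry}: needs auth or username+password")
    return problems


def pod_identity_label_matches(pod_labels: dict, binding_selector: str) -> bool:
    """aad-pod-identity applies an AzureIdentityBinding to pods whose
    aadpodidbinding label equals the binding's spec.selector exactly."""
    return pod_labels.get("aadpodidbinding") == binding_selector
```

Running validate_dockerconfigjson over the raw value of the Key Vault secret tells you whether the synced regcred could work as an imagePullSecret even once the sync itself is fixed.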


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow