In the past several days, I’ve been dealing with ASCP (AWS Secrets and Config Provider) on an EKS Kubernetes cluster. This AWS blog post has great detail on the usage.
Here are some gotchas that I went through.
1. Enabling syncSecret
If you intend to expose secrets from an AWS Secrets Manager item as a Pod’s environment variables, it’s super important to set syncSecret.enabled to true when you install secrets-store-csi-driver. I did not turn it on when I tested it for the first time and struggled to sync a SecretProviderClass to a Kubernetes secret resource. I followed many tutorials, but not many mentioned it.
Later I found the solution when I read the CSI driver documentation. Afterward I removed the existing Helm chart and then reinstalled it with the feature enabled.
2. Kubernetes secret resource not synced
I expected a secret resource to be created when I created a SecretProviderClass resource. However, it was not created, and I tried so many different things: reinstalled secrets-store-csi-driver, recreated SecretProviderClass resources. None worked. I was thinking that the Kubernetes native secret resource would be created at the moment the SecretProviderClass is created.
I was so wrong, and later found this issue on the project issue page. It turned out that a Pod must mount the volume via the SecretProviderClass; only then does a synced secret resource get created automatically.
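Both gotchas above come down to three pieces that have to line up: the driver installed with syncSecret.enabled=true, a SecretProviderClass that carries a secretObjects section, and a Pod that actually mounts the CSI volume. The script below is an added example (not code from the original post or from the ASCP project) that puts all three together. The namespace "demo", the Secrets Manager secret "demo/db" (assumed to hold JSON with username and password fields), the service account "demo-sa" (assumed to already have an IAM role permitting secretsmanager:GetSecretValue on that secret), and the resource names demo-db-spc and demo-db-secret are all assumptions chosen for the example. Run it with no arguments to print the manifests, "install" to install the driver and provider, or "apply" to create the resources and wait for the synced Secret.

```shell
#!/bin/sh
# Added example, not from the original post or the ASCP project.
# Assumed names (change for your cluster): namespace "demo", Secrets Manager
# secret "demo/db" with JSON {"username": ..., "password": ...}, service
# account "demo-sa" whose IAM role may call secretsmanager:GetSecretValue.
NAMESPACE="${NAMESPACE:-demo}"
SECRET_ID="${SECRET_ID:-demo/db}"
SPC_NAME="demo-db-spc"
K8S_SECRET="demo-db-secret"

# Gotcha 1: without syncSecret.enabled=true the driver mounts files into the
# Pod but never creates a native Secret, so env vars cannot reference one.
DRIVER_HELM_FLAGS="--set syncSecret.enabled=true"

install_driver() {
  helm repo add secrets-store-csi-driver \
    https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  helm upgrade --install csi-secrets-store \
    secrets-store-csi-driver/secrets-store-csi-driver \
    --namespace kube-system $DRIVER_HELM_FLAGS
  # The AWS provider (ASCP) that fetches from Secrets Manager for the driver.
  kubectl apply -f \
    https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
}

# "objects" is what ASCP fetches; "secretObjects" is what makes the driver
# mirror the mounted files into a Kubernetes Secret.
spc_manifest() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: $SPC_NAME
  namespace: $NAMESPACE
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "$SECRET_ID"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: db-username
          - path: password
            objectAlias: db-password
  secretObjects:
    - secretName: $K8S_SECRET
      type: Opaque
      data:
        - objectName: db-username
          key: username
        - objectName: db-password
          key: password
EOF
}

# Gotcha 2: the Secret appears only after a Pod mounts the CSI volume that
# names the SecretProviderClass, so the Pod needs the volume and the env ref.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
  namespace: $NAMESPACE
spec:
  serviceAccountName: demo-sa
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "echo db user is \$DB_USER; sleep 3600"]
      env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: $K8S_SECRET
              key: username
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: $SPC_NAME
EOF
}

# Poll for the synced Secret; if it never shows up, the Pod's mount failed.
wait_for_synced_secret() {
  i=0
  while [ "$i" -lt 30 ]; do
    kubectl -n "$NAMESPACE" get secret "$K8S_SECRET" >/dev/null 2>&1 && return 0
    i=$((i + 1)); sleep 2
  done
  echo "Secret $K8S_SECRET not synced; run: kubectl -n $NAMESPACE describe pod demo-app" >&2
  return 1
}

case "${1:-}" in
  install) install_driver ;;
  apply) { spc_manifest; echo '---'; pod_manifest; } | kubectl apply -f - && wait_for_synced_secret ;;
  *) spc_manifest; echo '---'; pod_manifest ;;
esac
```

Two things worth knowing when debugging with this: the Pod can reference demo-db-secret in secretKeyRef before that Secret exists, because the kubelet mounts the CSI volume before it starts the containers, and the driver creates the Secret as part of that mount. Conversely, the driver removes the synced Secret again once no Pod mounts the SecretProviderClass, so a Secret that "disappeared" usually means the last consuming Pod was deleted, not that the sync broke.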