In the past several days, I’ve been dealing with ASCP (AWS Secrets and Config Provider) on an EKS Kubernetes cluster. This AWS blog post has great detail on the usage.
Here are some gotchas that I ran into:
If you intend to expose secrets from an AWS Secrets Manager item as a Pod’s environment variables, it is essential to set syncSecret.enabled to true when you install secrets-store-csi-driver. I did not turn it on when I tested it for the first time and struggled to sync a SecretProviderClass to a Kubernetes secrets resource. I followed many tutorials, but few of them mentioned it.
Later I found the solution when I read the CSI driver documentation. Afterward I removed the existing Helm chart and reinstalled it with the feature enabled.
2. Kubernetes secret resource not sync’ed
I expected a secret resource to be created when I created a SecretProviderClass resource. However, it was not created, and I tried many different things, including reinstalling the SecretProviderClass resources. None worked. I was thinking that the Kubernetes-native secret resource would be created at the moment the SecretProviderClass is created.
I was so wrong, and later found this issue on the project’s issue page. It turned out that a Pod must mount the volume via the SecretProviderClass; only then does a synced secret resource get created automatically.
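The two gotchas above, put together in one working configuration: a SecretProviderClass whose secretObjects section produces the Kubernetes Secret, and a Pod that both mounts the CSI volume (which is what triggers the sync) and reads the synced Secret as an environment variable. This is an added example, not a manifest from the original post; the names aws-secrets, my-app-secret, my-app-sa and the Secrets Manager item prod/api-token are assumptions, and the driver must already be installed with syncSecret.enabled=true.

```yaml
# Added example, not from the original post; names (aws-secrets, my-app-secret,
# the Secrets Manager item "prod/api-token", my-app-sa) are assumptions.
# The driver must be installed with: --set syncSecret.enabled=true
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-secrets
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "prod/api-token"
        objectType: "secretsmanager"
        objectAlias: "api-token"
  # secretObjects creates the Kubernetes Secret, but only after a Pod mounts this class
  secretObjects:
    - secretName: my-app-secret
      type: Opaque
      data:
        - objectName: api-token
          key: token
---
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  serviceAccountName: my-app-sa   # IRSA role allowed to read prod/api-token
  containers:
    - name: app
      image: public.ecr.aws/docker/library/busybox:stable
      command: ["sh", "-c", "sleep 3600"]
      env:
        - name: API_TOKEN
          valueFrom:
            secretKeyRef:
              name: my-app-secret   # the synced Secret from secretObjects
              key: token
      volumeMounts:                 # this mount is what triggers the sync
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-secrets
```

Until the Pod is scheduled and the volume is mounted, kubectl get secret my-app-secret returns nothing, which is the behaviour described in gotcha 2.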