azureazure-securityazure-secrets

Azure Cloud no matches for kind "SecretProviderClass" in version "secrets-store.csi.k8s.io/v1alpha1"


I am working in azure cloud and wanted to add a simple ServiceProviderClass using the doc from Azure Azure / secrets-store-csi-driver-provider-azure replacing the secret, keyvaultName and tenantId

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"         # [OPTIONAL] if not provided, will default to "false"
    keyvaultName: "kvname"          # the name of the KeyVault
    cloudName: ""          # [OPTIONAL for Azure] if not provided, azure environment will default to AzurePublicCloud 
    objects:  |
      array:
        - |
          objectName: secret1
          objectType: secret        # object types: secret, key or cert
          objectVersion: ""         # [OPTIONAL] object versions, default to latest if empty
    tenantId: "tid"                    # the tenant ID of the KeyVault  

And when I try to apply it to my cluser using the Azure Cloud Bash:

hacker@Azure:~$ kubectl apply -f secrets-provider.yaml
error: unable to recognize "secrets-provider.yaml.yaml": no matches for kind "SecretProviderClass" in version "secrets-store.csi.k8s.io/v1alpha1"

It seems to be that kind and version are incompatible eventhough they are everywhere on the doc.


Solution

  • The problem is actually really simple, the secret-store-csi-driver was not yet install. Thus it was not recognized. Basically make sure you follow the pre-requisistes.

    From the Azure Cloud Terminal you can use Helm to install the driver:

    helm repo add secrets-store-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
    helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
    

    There is an ongoing issue with the driver secrets-store-csi-driver-provider-azure#259, for azure you need to explicitly specify --grpc-supported-providers=azure

    And now it works:

    hacker@Azure:~$ kubectl apply -f secrets-provider.yaml
    secretproviderclass.secrets-store.csi.x-k8s.io/azure-kvname created
    hacker@Azure:~$ kubectl get SecretProviderClass
    NAME           AGE
    azure-kvname   39s
    

    Hopefully that will help.