I am working in Azure cloud and wanted to add a simple SecretProviderClass using the doc from Azure/secrets-store-csi-driver-provider-azure, replacing the secret, keyvaultName and tenantId:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"       # [OPTIONAL] if not provided, will default to "false"
    keyvaultName: "kvname"        # the name of the KeyVault
    cloudName: ""                 # [OPTIONAL for Azure] if not provided, azure environment will default to AzurePublicCloud
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret      # object types: secret, key or cert
          objectVersion: ""       # [OPTIONAL] object versions, default to latest if empty
    tenantId: "tid"               # the tenant ID of the KeyVault
And when I try to apply it to my cluster using the Azure Cloud Bash:
hacker@Azure:~$ kubectl apply -f secrets-provider.yaml
error: unable to recognize "secrets-provider.yaml.yaml": no matches for kind "SecretProviderClass" in version "secrets-store.csi.k8s.io/v1alpha1"
It seems that kind and version are incompatible, even though they are everywhere in the doc.
The problem is actually really simple: the secrets-store-csi-driver was not yet installed, thus it was not recognized. Basically, make sure you follow the prerequisites.
From the Azure Cloud Terminal you can use Helm to install the driver:
helm repo add secrets-store-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
There is an ongoing issue with the driver (secrets-store-csi-driver-provider-azure#259); for Azure you need to explicitly specify
--grpc-supported-providers=azure
And now it works:
hacker@Azure:~$ kubectl apply -f secrets-provider.yaml
secretproviderclass.secrets-store.csi.x-k8s.io/azure-kvname created
hacker@Azure:~$ kubectl get SecretProviderClass
NAME           AGE
azure-kvname   39s
Hopefully that will help.
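The root cause above (a CRD that the cluster does not serve yet) can be caught before `kubectl apply`. The following preflight check is an added example, not code from the question, the answer or the driver project: it reads the apiVersion/kind from a manifest and looks for that pair in a saved `kubectl api-resources` listing (assumed to be the default five-column output), using constructed sample files so it runs without a cluster.

```shell
#!/bin/sh
# Preflight check: does the cluster serve the apiVersion/kind of a manifest?
# "no matches for kind ..." means the CRD is absent, here because the
# Secrets Store CSI driver had not been installed yet.
# Assumption: the check reads a saved `kubectl api-resources` listing
# (default 5-column layout) instead of contacting a cluster, so it runs offline.

# Print "apiVersion Kind" of the first document in a manifest file.
manifest_gvk() {
  av=$(sed -n 's/^apiVersion:[[:space:]]*//p' "$1" | head -n 1)
  kind=$(sed -n 's/^kind:[[:space:]]*//p' "$1" | head -n 1)
  printf '%s %s\n' "$av" "$kind"
}

# crd_served MANIFEST LISTING -> exit 0 if LISTING has a row whose
# APIVERSION and KIND match the manifest. KIND is the last column and
# APIVERSION the third from last, so an empty SHORTNAMES cell is harmless.
crd_served() {
  gvk=$(manifest_gvk "$1")
  awk -v av="${gvk%% *}" -v kind="${gvk#* }" '
    NR > 1 && $NF == kind && $(NF-2) == av { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$2"
}

# Constructed inputs: the SecretProviderClass from the question and two
# api-resources listings, before and after installing the driver.
MANIFEST=$(mktemp); BEFORE=$(mktemp); AFTER=$(mktemp)
cat > "$MANIFEST" <<'EOF'
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
EOF
cat > "$BEFORE" <<'EOF'
NAME         SHORTNAMES   APIVERSION   NAMESPACED   KIND
secrets                   v1           true         Secret
EOF
{ cat "$BEFORE"; printf '%s\n' \
  'secretproviderclasses      secrets-store.csi.x-k8s.io/v1alpha1   true   SecretProviderClass'; } > "$AFTER"

for listing in "$BEFORE" "$AFTER"; do
  if crd_served "$MANIFEST" "$listing"; then
    echo "$listing: CRD present, safe to kubectl apply"
  else
    echo "$listing: CRD missing, install the Secrets Store CSI driver first"
  fi
done
```

Against a real cluster, feed it `kubectl api-resources > listing.txt` and gate the apply on the exit status.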