Hello 👋, I'm trying to use the following class to sync a Key Vault password with my k8s cluster. The pod is not starting because it cannot find the key username inside the secret mycreds. When I fetch the secret on my k8s cluster, inside the mycreds secret I only have the password key in the data object. How can I have the two keys username and password in the data object of my mycreds secret?
```yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: "myclass"
spec:
  provider: azure
  secretObjects:
    - secretName: mycreds
      type: Opaque
      data:
        - objectName: my-pass
          key: password
    - secretName: mycreds
      type: Opaque
      data:
        - objectName: my-user
          key: username
  parameters:
    keyvaultName: "vault-name" # The name of the Azure Key Vault
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "my_identity" # The clientId of the addon-created managed identity
    cloudName: "" # [OPTIONAL for Azure] if not provided, Azure environment will default to AzurePublicCloud
    objects: |
      array:
        - |
          objectName: my-pass
          objectType: secret
        - |
          objectName: my-user
          objectType: secret
    tenantId: "mytenant_id" # the tenant ID containing the Azure Key Vault instance
---
kind: Pod
apiVersion: v1
metadata:
  name: busybox-secrets-store-inline
spec:
  containers:
    - image: k8s.gcr.io/e2e-test-images/busybox:1.29
      name: busybox
      command:
        - "/bin/sleep"
        - "10000"
      volumeMounts:
        - name: secrets-store01-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      env:
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: mycreds
              key: username
        - name: PASS
          valueFrom:
            secretKeyRef:
              name: mycreds
              key: password
  volumes:
    - name: secrets-store01-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "myclass"
```
Answered by Antse, Oct 26, 2021
I found the trick, just need to replace this:

```yaml
- secretName: mycreds
  type: Opaque
  data:
    - objectName: my-pass
      key: password
- secretName: mycreds
  type: Opaque
  data:
    - objectName: my-user
      key: username
```

by this:

```yaml
- secretName: mycreds
  type: Opaque
  data:
    - objectName: my-pass
      key: password
    - objectName: my-user
      key: username
```
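A pre-deploy check for the mistake resolved in this thread, as an added example that is not part of the original discussion: it flags a `secretName` repeated across `secretObjects` entries and any `secretKeyRef` key the class never declares. The function name and the dict inputs (manifests already parsed, for example by a YAML loader) are assumptions; the sample data is constructed from the manifests above.

```python
from collections import Counter

def check_secret_sync(spc, pod):
    """Return findings for one SecretProviderClass / Pod pair (parsed manifests)."""
    findings = []
    entries = spc["spec"].get("secretObjects", [])
    # The same secretName listed in several entries: the mistake in the question.
    for name, n in sorted(Counter(e["secretName"] for e in entries).items()):
        if n > 1:
            findings.append(f"secretName '{name}' appears in {n} secretObjects "
                            "entries; merge their data lists into one entry")
    # Keys declared for each synced Secret, across all of its entries.
    declared = {}
    for e in entries:
        declared.setdefault(e["secretName"], set()).update(
            d["key"] for d in e.get("data", []))
    # Every secretKeyRef that targets a synced Secret must name a declared key.
    for c in pod["spec"]["containers"]:
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref and ref["name"] in declared and ref["key"] not in declared[ref["name"]]:
                findings.append(f"container '{c['name']}' env {env['name']}: key "
                                f"'{ref['key']}' is not declared for '{ref['name']}'")
    return findings

# Constructed sample data: the thread's manifests, reduced to the fields read above.
def entry(*pairs):
    return {"secretName": "mycreds", "type": "Opaque",
            "data": [{"objectName": o, "key": k} for o, k in pairs]}

BROKEN = {"spec": {"secretObjects": [entry(("my-pass", "password")),
                                     entry(("my-user", "username"))]}}
FIXED = {"spec": {"secretObjects": [entry(("my-pass", "password"),
                                          ("my-user", "username"))]}}
POD = {"spec": {"containers": [{"name": "busybox", "env": [
    {"name": "USERNAME",
     "valueFrom": {"secretKeyRef": {"name": "mycreds", "key": "username"}}},
    {"name": "PASS",
     "valueFrom": {"secretKeyRef": {"name": "mycreds", "key": "password"}}},
]}]}}

if __name__ == "__main__":
    for label, spc in (("question", BROKEN), ("answer", FIXED)):
        print(label, check_secret_sync(spc, POD) or "ok")
```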