How do I enrol already present secret to be managed by secret store

[thulasidassrinivasan]

Hi Team,

I have some kubernetes secrets deployed in AKS cluster. I want to know how do I enroll these secrets so that they are managed by secret store driver without impacting the application

What I tried:

I created a secret provider class that gets the secrets from azure key vault and in the "secretName" I gave the secret name that is already present in the cluster in same namespace where I am deploying the class.

To verify all is good, I deleted the secret and restarted the pod and expect the secret to appear again, but it is not.

I also tried adding the label secrets-store.csi.k8s.io/managed: "true" to the secret and tried deleting and restarting the pod, still not luck. What am I missing ??

What is expected:

The secret should reappear when I am trying to run the pod.

[thulasidassrinivasan]

@aramase - Any advise here please ?

[aramase]

Hello 👋🏻 Here is our quickstart guide - https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/demos/standard-walkthrough/. I would recommend trying it out to see what configuration changes are required.

If you're using the driver to sync as Kubernetes secret in addition to mount, then ensure you have set the required flags during installation - https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/sync-with-k8s-secrets/.

Here is our troubleshooting guide - https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/troubleshooting/

[thulasidassrinivasan]

Thanks for reply and documents however it is not having the information I am after. Here is my scenario

I have application A running in AKS and using secret S . I created secret provider class to sync with k8s secret. (Note: Kubernetes secret is already present in AKS in same namespace at this time) What I expected is once the secret provider class is created the secret object in Kubernetes is automatically enrolled even if it is already present.

What happened:

Secret provider class is created but the secret object is not managed by it.

How I tested it ?
I deleted the secret object in AKS and deleted the pod using kubectl delete -f dep.yml . I then proceeded to create the deployment again using kubectl create -f dep.yml. I was hoping the secret will be created again since it is not there, however it is not the case, my pod got stuck complaining the secret is not there.

[aramase]

I have application A running in AKS and using secret S . I created secret provider class to sync with k8s secret. (Note: Kubernetes secret is already present in AKS in same namespace at this time) What I expected is once the secret provider class is created the secret object in Kubernetes is automatically enrolled even if it is already present.

@thulasidassrinivasan After SecretProviderClass is created, it needs to be referenced in a pod as part of the volume mount. Only then the secret will also be synced as Kubernetes secret. There is no adding existing Kubernetes secret to be managed by Secrets Store CSI Driver. It's just setting up the pod and referencing the SecretProviderClass after which the k8s secret will be created. These details should be part of the docs I shared and the example in quick start.

[thulasidassrinivasan]

That did the trick. Thanks for your help.