Deploy pods with mounted secrets

This workshop has been deprecated and archived. The new Amazon EKS Workshop is now available at www.eksworkshop.com.

Create SecretProviderClass

Create SecretProviderClass custom resource with provider:aws . The SecretProviderClass must be in the same namespace as the pod using it later.

cat << EOF > nginx-deployment-spc.yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: nginx-deployment-spc
spec:
  provider: aws
  parameters:
    objects: |
        - objectName: "DBSecret_eksworkshop"
          objectType: "secretsmanager"
EOF

Create custom resource.

kubectl apply -f nginx-deployment-spc.yaml

kubectl get SecretProviderClass

The output indicates the resource created successfully.


NAME                   AGE
nginx-deployment-spc   18s

Create pod and mount secrets

Configure a pod to mount volumes based on the SecretProviderClass nginx-deployment-spc created earlier and to retrieve secrets from the AWS Secrets Manager. The pod is also using a service account nginx-deployment-sa bound to the IAM role.

cat << EOF > nginx-deployment.yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      serviceAccountName: nginx-deployment-sa
      containers:
      - name: nginx-deployment
        image: nginx
        ports:
        - containerPort: 80
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: nginx-deployment-spc
EOF

Create the deployment and verify the creation of pods.

kubectl apply -f nginx-deployment.yaml
sleep 5
kubectl get pods -l "app=nginx"

NAME                                READY   STATUS    RESTARTS   AGE
nginx-deployment-75bfbbcf99-ws4ts   1/1     Running   0          10s

Verify the mounted secret

Finally, verify the secret mounted as a file by executing the command within the pod.

export POD_NAME=$(kubectl get pods -l app=nginx -o jsonpath='{.items[].metadata.name}')
kubectl exec -it ${POD_NAME} -- cat /mnt/secrets/DBSecret_eksworkshop; echo

{"username":"foo", "password":"super-sekret"}

The successful output shows the secret fetched from the Secrets Store and stored as the local file named /mnt/secrets/DBSecret_eksworkshop. It is now available to the pod application.

Notice value of the JSON formatted secret is available as a single string in the file. What if you would like to fetch individual values from the keys of JSON formatted secret and make it available as Kubernetes native secret object. Proceed to the next section for such results.