AWS Secrets and Configuration Provider (ASCP)
The `prepare-environment` script we ran in the previous step has already installed the AWS Secrets and Configuration Provider (ASCP) for the Kubernetes Secrets Store CSI Driver required for this lab.
Let's validate that the addons were deployed correctly.
First, check the Secrets Store CSI driver DaemonSet and its Pods:

```text
NAME                                                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/csi-secrets-store-secrets-store-csi-driver   3         3         3       3            3           kubernetes.io/os=linux   3m57s

NAME                                                   READY   STATUS    RESTARTS   AGE
pod/csi-secrets-store-secrets-store-csi-driver-bzddm   3/3     Running   0          3m57s
pod/csi-secrets-store-secrets-store-csi-driver-k7m6c   3/3     Running   0          3m57s
pod/csi-secrets-store-secrets-store-csi-driver-x2rs4   3/3     Running   0          3m57s
```
Next, check the CSI Secrets Store Provider for AWS DaemonSet and its Pods:

```text
NAME                                                   DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
daemonset.apps/secrets-store-csi-driver-provider-aws   3         3         3       3            3           kubernetes.io/os=linux   2m3s

NAME                                              READY   STATUS    RESTARTS   AGE
pod/secrets-store-csi-driver-provider-aws-4jf8f   1/1     Running   0          2m2s
pod/secrets-store-csi-driver-provider-aws-djtf5   1/1     Running   0          2m2s
pod/secrets-store-csi-driver-provider-aws-dzg9r   1/1     Running   0          2m2s
```
To provide access to secrets stored in AWS Secrets Manager via the CSI driver, you'll need a `SecretProviderClass`, a namespaced custom resource that provides driver configuration and parameters matching the information in AWS Secrets Manager.
```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: catalog-spc
  namespace: catalog
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "$SECRET_NAME"
        objectType: "secretsmanager"
        jmesPath:
          - path: username
            objectAlias: username
          - path: password
            objectAlias: password
  secretObjects:
    - secretName: catalog-secret
      type: Opaque
      data:
        - objectName: username
          key: username
        - objectName: password
          key: password
```
Let's create this resource and examine its two main configuration sections:
First, the `objects` parameter points to a secret named `$SECRET_NAME` that we created in AWS Secrets Manager in the previous step. Note that we're using `jmesPath` to extract specific key-value pairs from the JSON-formatted secret:

```yaml
- objectName: "eks-workshop-catalog-secret-WDD8yS"
  objectType: "secretsmanager"
  jmesPath:
    - path: username
      objectAlias: username
    - path: password
      objectAlias: password
```
Second, the `secretObjects` section defines how to create and sync a Kubernetes Secret with data from the AWS Secrets Manager secret. When mounted to a Pod, the SecretProviderClass will create a Kubernetes Secret (if it doesn't exist) named `catalog-secret` and sync the values from AWS Secrets Manager:

```yaml
- data:
    - key: username
      objectName: username
    - key: password
      objectName: password
  secretName: catalog-secret
  type: Opaque
```
The Secret Store CSI Driver acts as an intermediary between Kubernetes and external secrets providers like AWS Secrets Manager. When configured with a SecretProviderClass, it can both mount secrets as files in Pod volumes and create synchronized Kubernetes Secret objects, providing flexibility in how applications consume these secrets.
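As an added example (not part of the workshop or the driver's own code), the following Python script models what the driver does with the `SecretProviderClass` above: it applies the `jmesPath` entries to a constructed JSON secret value to produce the mounted files, then builds the base64-encoded `catalog-secret` data that `secretObjects` would sync. The secret value is constructed, only the dotted-identifier subset of JMESPath is implemented, and the script raises an error when a `secretObjects` entry references an `objectName` that the `objects` parameter does not produce (a common cause of mount failures).

```python
import base64
import json

# Constructed stand-in for the JSON value stored in AWS Secrets Manager;
# the real secret value is not shown on this page.
SECRET_VALUE = json.dumps({"username": "catalog_user", "password": "s3cr3t"})
SECRETS_MANAGER = {"eks-workshop-catalog-secret-WDD8yS": SECRET_VALUE}

# Python-dict form of the `objects` and `secretObjects` sections shown above.
SPC_OBJECTS = [{
    "objectName": "eks-workshop-catalog-secret-WDD8yS",
    "objectType": "secretsmanager",
    "jmesPath": [
        {"path": "username", "objectAlias": "username"},
        {"path": "password", "objectAlias": "password"},
    ],
}]
SPC_SECRET_OBJECTS = [{
    "secretName": "catalog-secret",
    "type": "Opaque",
    "data": [
        {"objectName": "username", "key": "username"},
        {"objectName": "password", "key": "password"},
    ],
}]


def mounted_files(objects, fetch):
    """Return {alias-or-objectName: content} as the provider writes into the volume.
    Only dotted identifiers (e.g. 'db.username') are supported as jmesPath here."""
    files = {}
    for obj in objects:
        raw = fetch(obj["objectName"])
        if "jmesPath" not in obj:          # no extraction: whole value becomes one file
            files[obj["objectName"]] = raw
            continue
        doc = json.loads(raw)
        for entry in obj["jmesPath"]:
            value = doc
            for part in entry["path"].split("."):
                value = value[part]        # KeyError: path does not exist in the secret
            files[entry["objectAlias"]] = value if isinstance(value, str) else json.dumps(value)
    return files


def synced_secret(secret_objects, files):
    """Build the Kubernetes Secret(s) the driver syncs, base64-encoded as kubectl shows them."""
    out = {}
    for so in secret_objects:
        data = {}
        for item in so["data"]:
            if item["objectName"] not in files:
                raise KeyError(f"secretObjects references unknown objectName {item['objectName']!r}")
            data[item["key"]] = base64.b64encode(files[item["objectName"]].encode()).decode()
        out[so["secretName"]] = {"type": so["type"], "data": data}
    return out
```

Run `synced_secret(SPC_SECRET_OBJECTS, mounted_files(SPC_OBJECTS, SECRETS_MANAGER.__getitem__))` to see the `catalog-secret` contents the driver would create.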