Kubernetes lets you mount secrets as files inside your pod. By default, the file name is the same as the secret name. However, a common request is to be able to specify the exact file name, since apps often have this path/name hard-coded. This matters especially when integrating Azure Kubernetes Service (AKS) with Azure Key Vault, because Key Vault secret names are subject to specific naming conventions.
For instance, you can't have a period in a Key Vault secret name, but apps expect to find files with a period in them (the extension).
Luckily, the SecretProviderClass in the secrets-store.csi.x-k8s.io/v1 API provides the objectAlias attribute, which you can use to specify the exact filename you want.
Sync as Kubernetes Secret – Secrets Store CSI Driver (k8s.io)
Key Vault secret
Here is a secret I would like to mount as a file in an AKS pod. Note the name has a dash in it (app-properties).

SecretProviderClass YAML file
Here is an example of aliasing a specific secret with the filename the app expects. Note that the objectAlias provides a filename with a period in it (app.properties), which isn't a valid Key Vault secret name.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: mongo-secret-csi-more
spec:
  provider: azure
  secretObjects:                      # optional: also sync the mounted file into a Kubernetes Secret
  - secretName: app-properties
    type: Opaque
    data:
    - objectName: app.properties      # must match the mounted file name, i.e. the objectAlias below
      key: app.properties             # key inside the Kubernetes Secret (required by the driver)
  parameters:
    keyvaultName: eslz-kv-b5ldjd4hmhvec
    useVMManagedIdentity: "true"
    userAssignedIdentityID: 06c615ea-c360-4556-8a99-f8be73ca4b56
    cloudName: "AzureUSGovernment"
    objects: |
      array:
        - |
          objectName: app-properties      # the Key Vault secret name (no periods allowed)
          objectAlias: "app.properties"   # the file name written into the pod's mount
          objectType: secret
          objectVersion: ""
    tenantId: 40a3c411-b2a7-4f7b-a28e-05bf8dd7ab7b
Kubernetes Pod
If we exec into the pod and look for that file, we can see that it has been renamed to the objectAlias, as the app expects.
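For completeness, here is a minimal pod manifest that mounts the SecretProviderClass above through the Secrets Store CSI driver (an added example, not from the original post; the pod name, container image and mount path are assumptions):

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: app-with-properties            # assumed pod name
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image, replace with your own
    command: ["sleep", "infinity"]
    volumeMounts:
    - name: secrets-store
      mountPath: /mnt/secrets            # assumed path; the app reads /mnt/secrets/app.properties
      readOnly: true
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true                     # the driver only supports read-only mounts
      volumeAttributes:
        secretProviderClass: mongo-secret-csi-more   # the SecretProviderClass defined above
```

Once the pod is running, kubectl exec app-with-properties -- ls /mnt/secrets lists app.properties (the alias) rather than app-properties (the Key Vault name).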
