
With Azure Key Vault and the CSI driver, I am able to create secrets and access them as single files in the container.

I followed this approach to create basic secrets.

I can access the secrets from the container as secret files inside it.

But when I tried to create a secret from it and use the same for imagePull, it is not working.

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: default
spec:
  provider: azure
  # secretObjects asks the driver to sync the mounted content into a Kubernetes Secret;
  # that Secret is created only after a pod has mounted this volume
  secretObjects:
  - secretName: acr-test
    type: kubernetes.io/dockerconfigjson
    data:
    - objectName: martrepo
      key: .dockerconfigjson
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    userAssignedIdentityID: ""
    keyvaultName: "secret-store-dummy"
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret
          objectVersion: ""
        - |
          objectName: martrepo
          objectType: secret
          objectVersion: ""
    tenantId: "f33abe27-86cd-46d6-ae2b-b918362ab160"

---
kind: Pod
apiVersion: v1
metadata:
  name: busybox-secrets-store-inline
spec:
  containers:
  - name: busybox
    image: k8s.gcr.io/e2e-test-images/busybox:1.29
    command:
      - "/bin/sleep"
      - "10000"
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kvname"
        nodePublishSecretRef:                       # Only required when using service principal mode
          name: secrets-store-creds

I tried to use the above acr-test secret in the deployment of an app at imagePullSecrets, but it didn't work, as the events showed issues with pulling the image.

Please guide me if the approach is wrong.

And also, how can these secrets be used as part of an existing ConfigMap?

uday

1 Answer

I don't believe that this is achievable. The CSI driver mounts the secret inside the container as a volume, but the image pull secret is needed prior to the container being created and the volume mounted, so the secret will not be available.

You will need to set this up as a standard static Kubernetes secret.

Sam Cogan
  • Is it possible to create a init container and link from there? – uday Jul 28 '21 at 15:21
  • Only if you have the init container create a kubernetes secret based on the KV secret that is then accessible to the main container. – Sam Cogan Jul 28 '21 at 15:51
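One way to do what the answer recommends: build the static kubernetes.io/dockerconfigjson Secret from a value pulled out of Key Vault before the deployment is created, so it already exists when the kubelet needs it for the image pull. This is an added example, not code from the question or the answer; the registry hostname, username, vault and secret names are constructed placeholders, and it assumes az and kubectl are installed and already authenticated.

```shell
#!/bin/sh
# Build the .dockerconfigjson content that a kubernetes.io/dockerconfigjson Secret carries.
# Assumes the username and password contain no characters that need JSON escaping.
make_dockerconfigjson() {
  registry=$1; user=$2; password=$3
  # "auth" is base64(user:password); tr strips the newline some base64 implementations add
  auth=$(printf '%s:%s' "$user" "$password" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$password" "$auth"
}

# Render a static Secret manifest; the whole JSON document is base64-encoded under data.
make_pull_secret_manifest() {
  name=$1; namespace=$2; registry=$3; user=$4; password=$5
  cfg=$(make_dockerconfigjson "$registry" "$user" "$password" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $cfg
EOF
}

# Read the registry password from Key Vault (assumed: az login already done) and apply the
# Secret so it exists before any Pod that lists it under imagePullSecrets is created.
sync_pull_secret_from_keyvault() {
  vault=$1; kv_secret=$2; registry=$3; user=$4; k8s_name=$5; ns=$6
  pw=$(az keyvault secret show --vault-name "$vault" --name "$kv_secret" \
         --query value -o tsv) || return 1
  make_pull_secret_manifest "$k8s_name" "$ns" "$registry" "$user" "$pw" | kubectl apply -f -
}

# Example invocation with constructed placeholder names (runs only where az/kubectl exist):
# sync_pull_secret_from_keyvault secret-store-dummy martrepo myregistry.azurecr.io acr-user acr-test default
```

Run the sync step from the same pipeline that applies the Deployment, ahead of it, so the Secret is never the thing the pod is waiting on.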