mounting secrets without mounting pod
The documentation states: "The example here demonstrates access to a secret through env variables and through volume/volumeMount. This is for illustrative purposes. These two methods can exist independently from the other."
This does not work for us. I am using AKS with Windows pods, with the add-on enabled (tried it with or without sync-enabled), and if I do not mount volumes I receive the message 'Error: secret "xxxx" not found', as stated in this issue: https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/714. But as I understand the documentation, this should work independently of the volume mounting. Thanks.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 409a3be9-4831-9401-0bb3-c65209bb3f42
- Version Independent ID: 4cf81213-5989-f36c-7456-70accfe452c2
- Content: Use the Azure Key Vault Provider for Secrets Store CSI Driver for Azure Kubernetes Service secrets - Azure Kubernetes Service
- Content Source: articles/aks/csi-secrets-store-driver.md
- Service: container-service
- GitHub Login: @Nickomang
- Microsoft Alias: nickoman
@kaza
Thanks for your feedback! We will investigate and update as appropriate.
@Nickomang
Can you please check and add your comments on this doc update request as applicable?
I concur that the content is misleading where the document says "The example here demonstrates access to a secret through env variables and through volume/volumeMount. This is for illustrative purposes. These two methods can exist independently from the other."
In order to access a secret through an env variable, it first needs to be mounted as a volume on at least one pod. Additionally, the SecretProviderClass must have a SecretObject definition (which syncs the content with a Kubernetes secret). Once these two conditions are met, the Kubernetes secret can be referenced via an env variable. See 1) https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/sync-with-k8s-secrets/ and 2) https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/set-env-var/
Notice where it says "The secrets will only sync once you start a pod mounting the secrets. Solely relying on the syncing with Kubernetes secrets feature thus does not work" on this page https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/sync-with-k8s-secrets/
I'm pushing a clarification to this note. Should be visible shortly.
Edit: The note now says: "The example here demonstrates access to a secret through env variables and through volume/volumeMount. This is for illustrative purposes; a typical application would use one method or the other. However, be aware that in order for a secret to be available through env variables, it first must be mounted by at least one pod."
Thank you @kaza for the feedback!
We've added an item to our backlog and will prioritize accordingly.
#please-close
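The two conditions described in this thread, as an added example that is not taken from the thread or from the Microsoft documentation: a SecretProviderClass with a `secretObjects` entry, and a pod that mounts the CSI volume and reads the synced Kubernetes secret through an env variable. All resource names and the `<...>` values are placeholders, and the identity parameters assume a user-assigned managed identity.

```yaml
# Added example; names and <...> values are placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kv-sync-example
spec:
  provider: azure
  secretObjects:                    # sync mounted content into a Kubernetes Secret
  - secretName: app-synced-secret
    type: Opaque
    data:
    - objectName: db-password       # must match an objectName listed under parameters.objects
      key: password
  parameters:
    keyvaultName: "<key-vault-name>"
    tenantId: "<tenant-id>"
    useVMManagedIdentity: "true"    # assumption: user-assigned managed identity
    userAssignedIdentityID: "<identity-client-id>"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: app-example
spec:
  containers:
  - name: app
    image: "<application-image>"
    env:
    - name: DB_PASSWORD
      valueFrom:
        secretKeyRef:
          name: app-synced-secret   # created only once a pod has mounted the volume
          key: password
    volumeMounts:                   # if no pod mounts this volume, the Secret above never syncs
    - name: secrets-store
      mountPath: /mnt/secrets-store
      readOnly: true
  volumes:
  - name: secrets-store
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: kv-sync-example
```

Once synced, the value is an ordinary Kubernetes Secret in the namespace, so RBAC on `secrets` in that namespace governs who can read it in addition to the Key Vault access policy.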