
Failed to get secretproviderclass workspace-workspace-chakri-stre5/app-secrets-1

Open Chakravarti-Baratam opened this issue 3 years ago • 1 comments

Hi,

I am trying to set up the Secrets Store CSI Driver (https://secrets-store-csi-driver.sigs.k8s.io/getting-started/installation.html#install-the-secrets-store-csi-driver) and mount Vault secrets through a Container Storage Interface (CSI) volume in the vcluster.

When a pod with secret mounted in the vcluster is deployed, it is failing by giving this error:

MountVolume.SetUp failed for volume "secret-vol-1" : rpc error: code = Unknown desc = failed to get secretproviderclass workspace-workspace-chakri-stre5/app-secrets-1, error: SecretProviderClass.secrets-store.csi.x-k8s.io "app-secrets-2" not found

workspace-workspace-chakri-stre5 is the host cluster's namespace where vcluster is running.

So the question is: whether we can use CRD in vcluster without deploying the same CRD in the host cluster?

Please share your thoughts here.

Thanks, Chakri.

Chakravarti-Baratam, Sep 09 '22 09:09

@Chakravarti-Baratam to answer your question - whether we can use CRD in vcluster without deploying the same CRD in the host cluster? - it depends. Most of the time CRDs are accessed by controllers deployed in vcluster, and then there is no problem in using them. However, SecretProviderClass is different in that it seems that a component running in the host cluster is trying to get it from the API server, but it is connecting to the host API server, while the CR exists only in the virtual one.

One way you might make this work would be to create the same SecretProviderClass in the host cluster. But this will work only for a limited number of use cases, and any changes to the SecretProviderClasses in the vcluster would effectively be ignored.

An alternative way of fixing this would be to create a vcluster plugin that would sync the SecretProviderClasses from the vcluster to the host cluster, and update them whenever the state in the vcluster changes. Here is documentation about the plugin system - https://www.vcluster.com/docs/plugins/overview and a tutorial for developing a plugin - https://www.vcluster.com/docs/plugins/tutorial . Let me know if you need more pointers on how the plugin should work.

matskiv, Sep 21 '22 15:09
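The host-copy workaround and its drift caveat from the comment above, as an added example that is not code from the thread or from the vcluster project. It assumes the CSI driver looks the object up as `<host namespace>/<name>` with the name unchanged, as the error message in the issue suggests; the sample manifest, its `default` namespace, the Vault address and the role name are constructed.

```python
import copy

# Server-populated metadata that must not be carried into another cluster.
SERVER_FIELDS = ("uid", "resourceVersion", "generation", "creationTimestamp",
                 "managedFields", "ownerReferences", "selfLink")


def to_host_copy(virtual_spc, host_namespace):
    """Return a manifest for the host cluster: same name and spec, host namespace."""
    if virtual_spc.get("kind") != "SecretProviderClass":
        raise ValueError("not a SecretProviderClass")
    host = copy.deepcopy(virtual_spc)
    host.pop("status", None)
    meta = host["metadata"]
    for field in SERVER_FIELDS:
        meta.pop(field, None)
    # Assumption: the driver on the host node resolves <host namespace>/<name>,
    # so the name is kept and only the namespace is retargeted.
    meta["namespace"] = host_namespace
    return host


def has_drifted(virtual_spc, host_spc):
    """True when the host copy no longer matches the spec held in the vcluster."""
    return virtual_spc.get("spec") != host_spc.get("spec")


# Constructed sample, shaped like an object read from the vcluster API server.
VIRTUAL_SPC = {
    "apiVersion": "secrets-store.csi.x-k8s.io/v1",
    "kind": "SecretProviderClass",
    "metadata": {"name": "app-secrets-1", "namespace": "default",
                 "uid": "constructed-uid", "resourceVersion": "1234"},
    "spec": {"provider": "vault",
             "parameters": {"vaultAddress": "https://vault.example.internal:8200",
                            "roleName": "app-role"}},
}

if __name__ == "__main__":
    host = to_host_copy(VIRTUAL_SPC, "workspace-workspace-chakri-stre5")
    print(host["metadata"])
    # Simulate an edit made only inside the vcluster after the copy was taken.
    edited = copy.deepcopy(VIRTUAL_SPC)
    edited["spec"]["parameters"]["roleName"] = "other-role"
    print("drift after edit in vcluster:", has_drifted(edited, host))
```

Running the drift check on a schedule against both API servers shows when a manually created host copy has gone stale, which is the gap a sync plugin closes.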

Now we have another alternative to writing a plugin with the SDK: you can use our "Generic CRD Sync" plugin to sync CRDs declaratively. Docs: https://www.vcluster.com/docs/plugins/generic-crd-sync

Based on the lack of responses I will close this issue, but we can reopen based on new comments.

matskiv, Oct 14 '22 12:10