Marti Jorda Roca
10/27/2023, 11:54 AM
flyte-core chart. We have defined our chart values as follows:
databaseSecret:
  name: db-pass
  volume:
    - name: db-pass
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-db-secrets
  secretManifest:
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: aws-db-secrets
    spec:
      provider: aws
      parameters:
        objects: |
          - objectName: "<our secret arn>"
            jmesPath:
              - path: password
                objectAlias: dbpassword
But the _helpers.tpl overrides the helm template with a volumes value that is not the one required for AWS to work. How can we avoid that? Do we need to change the _helpers.tpl to add this option?
Thank you 🫶
Samhita Alla
Marti Jorda Roca
10/30/2023, 10:05 AM
Warning FailedMount 26m (x371 over 3d) kubelet Unable to attach or mount volumes: unmounted volumes=[db-pass], unattached volumes=[kube-api-access-jgj6s aws-iam-token db-pass config-volume]: timed out waiting for the condition
volumes:
  - name: db-pass
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: aws-db-secrets
volumes:
  - name: db-pass
    secret:
      secretName: db-pass
Samhita Alla
Marti Jorda Roca
10/30/2023, 3:41 PM
databaseSecret:
  name: db-pass
  secretManifest:
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: aws-db-secrets-spc
    spec:
      provider: aws
      parameters:
        objects: |
          - objectName: "{{ .Values.userSettings.db_secret }}"
            objectType: "secretsmanager"
            jmesPath:
              - path: password
                objectAlias: dbpassword
      # Create k8s secret. It requires volume mount first in the pod and then sync.
      secretObjects:
        - secretName: db-pass
          type: Opaque
          data:
            - objectName: dbpassword
              key: dbpassword
With this the aws csi driver creates a base k8s secret and works 🤟
David Espejo (he/him)
10/30/2023, 3:59 PM
dbpassword secret ends up mounted as the db-pass volume on flyteadmin, right?
Marti Jorda Roca
10/30/2023, 4:12 PM
datacatalog:
  # mount another db secret to activate secret-store-csi to create db-pass k8s secret.
  additionalVolumes:
    - name: aws-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-db-secrets-spc
  additionalVolumeMounts:
    - name: aws-secret
      mountPath: "/mnt/aws-secrets"
      readOnly: true
databaseSecret.volume
David Espejo (he/him)
10/30/2023, 9:12 PM
Marti Jorda Roca
10/31/2023, 11:31 AM
David Espejo (he/him)
10/31/2023, 3:28 PM
flyte-core