How to use acr secret saved in azure vault for image pull?

azure kubernetes vault

With azure vault and csi driver, able to create secrets and access them as single files in container.

I followed this approach to create basic secrets.

Can accessible the secrets from the container as secret files inside it.

But, when I tried to create a secret from it and use the same for imagePull, it is not working..

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: default
spec:
  provider: azure
  secretObjects:
  - secretName: acr-test
    type: kubernetes.io/dockerconfigjson
    data:
     - objectName: martrepo
       key: .dockerconfigjson
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    userAssignedIdentityID: ""
    keyvaultName: "secret-store-dummy"
    objects: |
      array:
        - |
          objectName: secret1              
          objectType: secret
          objectVersion: ""
        - |
          objectName: martrepo              
          objectType: secret
          objectVersion: ""    
    tenantId: "f33abe27-86cd-46d6-ae2b-b918362ab160"

---
kind: Pod
apiVersion: v1
metadata:
  name: busybox-secrets-store-inline
spec:
  containers:
  - name: busybox
    image: k8s.gcr.io/e2e-test-images/busybox:1.29
    command:
      - "/bin/sleep"
      - "10000"
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kvname"
        nodePublishSecretRef:                       # Only required when using service principal mode
          name: secrets-store-creds

The above acr-test secret, I tried to use in deployment of an app at imagePullSecrets, but it didn't wotk as the events showing issues with pulling the image.

Please guide me if the approach is wrong.

And also, how to use these secrets as a part of existing configmap?


I don't believe that this is achievable. The CSI driver mounts the secret inside the container as a volume, but the image pull secret is needed prior to the container being created and the volume mounted, so the secret will not be available.

You will need to set this up as standard static Kubernetes secret.

Related

Limit number of available archives in syslog rotation
Install Internet explorer on Server 2019 Standard
mysqltuner script to optimize my mysql database
iPXE to iSCSI target - missing parameter and naming confusion
Boot xen server through ipxe
iSCSI read errors during iPXE boot
What exactly is the "Data Sharing service" in Windows Server 2016?
Windows Server 2008 (x64) won't boot past BIOS screen
Reload Apache Using ACME User
css files are reported as text/plain by mimetype on ubuntu machine
$\sigma(n) \equiv 1 \space \pmod{n}$ if and only if $n$ is prime
An interesting algorithm about prime numbers that I thought today