How to use acr secret saved in azure vault for image pull?

With azure vault and csi driver, able to create secrets and access them as single files in container.

I followed this approach to create basic secrets.

Can accessible the secrets from the container as secret files inside it.

But, when I tried to create a secret from it and use the same for imagePull, it is not working..

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: default
spec:
  provider: azure
  secretObjects:
  - secretName: acr-test
    type: kubernetes.io/dockerconfigjson
    data:
     - objectName: martrepo
       key: .dockerconfigjson
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    userAssignedIdentityID: ""
    keyvaultName: "secret-store-dummy"
    objects: |
      array:
        - |
          objectName: secret1              
          objectType: secret
          objectVersion: ""
        - |
          objectName: martrepo              
          objectType: secret
          objectVersion: ""    
    tenantId: "f33abe27-86cd-46d6-ae2b-b918362ab160"

---
kind: Pod
apiVersion: v1
metadata:
  name: busybox-secrets-store-inline
spec:
  containers:
  - name: busybox
    image: k8s.gcr.io/e2e-test-images/busybox:1.29
    command:
      - "/bin/sleep"
      - "10000"
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-kvname"
        nodePublishSecretRef:                       # Only required when using service principal mode
          name: secrets-store-creds 

The above acr-test secret, I tried to use in deployment of an app at imagePullSecrets, but it didn't wotk as the events showing issues with pulling the image.

Please guide me if the approach is wrong.

And also, how to use these secrets as a part of existing configmap?


I don't believe that this is achievable. The CSI driver mounts the secret inside the container as a volume, but the image pull secret is needed prior to the container being created and the volume mounted, so the secret will not be available.

You will need to set this up as standard static Kubernetes secret.