Available on December 27

Thanks Raza!

There is an additional setting that you need to enable for auto sync. I don't remember exactly which one, but you should be able to find in official docs.

Hi timam, Can please help me explain how you managed to expose the secrets as env variables? I managed to mount and in the path i can see the values from secret manager but env doesn't showthe values. Do we need to create the secret also to expose as environment variables.

it's working now, I missed this step to set the two parameters value to true when running the helm chart. enableSecretRotation=true syncSecret.enabled=true. In this video also i missed the section where Anton explains about the cluster role permission to sync with kubernetes secrets. Thanks for the video Anton

Glad that it helped, were you able to find a way to expose secret value as an environment variable and not as a json object?

welcome, I didn't get a question. Here is the secret name - github.com/antonputra/tutorials/blob/main/lessons/079/nginx/3-deployment.yaml#L31

I know it's not very convenient :) At the time of creating that tutorial, only Azure supported key/value. It's possible that they will improve it soon; as a workaround, you can use init container, fetch the json secret, parse and provide as env for the main container.

Thanks Dilan!

Do you mean you want to create "Kubernetes Secret" using values from Secret Manager? Not sure if it's supported, but why would you want to do it? In that way you just add additional object that you need to maintain (rotate/delete etc)..

you could use helm with crds or something like kubectl terraform provider to apply the whole folder including crds - github.com/antonputra/tutorials/blob/main/lessons/079/secrets-store-csi-driver/0-secretproviderclasses-crd.yaml

I understand, at that time it was impossible. Most likely this feature already implemented.

@@AntonPutra could you please point me to a document on how to do that? I have been stuck on this for longer that I should :)

Thanks Ferat!

I haven't tried it yet with fargate..

Yes, it's safe mount it as a volume or ENV variable. Just have a rotation mechanism in place.

It can, there is another setting for that. This tutorial does not cover it.

Do you mean EKS running on prem, or just k8s?

Did you mean EFS driver? I'm not sure if it works with secrets manager or even has a plugin.

@@AntonPutra yes I'm referring EFS driver only.

To be honest, I don't really remember all the specifics

Should be posible, instead of creating IAM OIDC Provider just attach IAM policies directly to the nodes.

@@AntonPutra, thanks for replying. I tried to create a policy and attach to Ec2 instance profile, was able to access in with AWS cli but not with provider.

you can use irsa or simply add another policy to the worker node instance profile/role

Welcome! :)

Thank you Francis! You can enable auto rotation of mounted contents and synced Kubernetes Secrets by following this tutorial - secrets-store-csi-driver.sigs.k8s.io/topics/secret-auto-rotation.html. I decided not to include this in the lesson since it's still early for it and it's in alpha stage. I wouldn't recommend using in prod.

Thanks for that link, Anton! I'll have a read through that. Also, I just realised that you have to delete the secret so it can recreate itself with a new value as you restart the pod. It's just interesting to notice that the mounted secret file doesn't require this step as a pod restart would suffice. Thanks again for this great video - I'll make sure I go through the other helpful videos in your channel!

I haven't tried it on fargate, let me see if it works.

Thanks, try to find an error in the contoller log

At the current stage, it's not possible.

Welcome, but unfortunately it's been a while since I used it and can help with new annotations

in clouds you can use native IAM or IAM for service accounts. With those tokens generated on demand

@@AntonPutra I am in Iran and do not have access to AWS services. i use akeyless services and get secrets with api in code.What should you do in such cases? ... thanks

Thanks for feedback, no more music lol

Have you tried the latest version of both controllers? Is there a specific error, or did you not find that functionality?

@@AntonPutra Making sure the controllers where up-to-date seems to have done the trick. Restarting my pods is now updating the secret. There was no specific error but the new secret wasn't being grabbed. Many thanks, love your videos, always super helpful.

@@joshualegg3750 I'll release the updated version in about a week. The biggest difference is the ability to parse JSON secrets and mount them as single values, such as 'devops123', instead of {'password': 'devops123'}.

It should be by this time, pls check docs

I have updated version of this tutorial and the source code as well, please take a look - kzbin.info/www/bejne/pqGti2ejadljmKs

@@AntonPutra I did the same thing but still my pod is not able to fetch the secrets as env, it is able to store the secret in specified volume but not working as env to start the application. Any help please ?

@@KishanKushwaha-x4r check the controller logs, most likely it does not have permissions to create secrets and convert them to envs, this must be enabled - github.com/antonputra/tutorials/blob/main/lessons/196/terraform/21-secrets-store-csi-driver.tf#L11-L12 Also, try to create exactlly the same secrets and test using my examples, after you make it work you can update to your requirements - github.com/antonputra/tutorials/tree/main/lessons/196/12-example

noted

check controller log, you'll get more info to debug

sorry for being dumb but how can i get controller log because when trying kubectl logs deployment/nginx -n production getting Error from server (BadRequest): container "nginx" in pod "nginx-6b944c497-xx7t8" is waiting to start: ContainerCreating @@AntonPutra

seems the isuue is when trying to use env variable and for one week i was like

@@aashishnagpal9907 try checking logs gtom pod from this daemonset - github.com/antonputra/tutorials/blob/main/lessons/079/secrets-store-csi-driver/5-daemonset.yaml

Thank you! I'll try it out

@@koushik4531 to be honest, I chose different solution and now I'm using onepassword operator+connect. It works perfectly for me.

Thanks for feedback! I don't use music anymore.

@@AntonPutra would you please share how to encrypt secrets with kms

yeap

Welcome! I'll release the updated version in about a week. The biggest difference is the ability to parse JSON secrets and mount them as single values, such as 'devops123', instead of {'password': 'devops123'}.

😊

😊

Thanks for the feedback. I don't use background music anymore, and as far as I can tell, my new tutorials are slow-paced.

thanks i don't use music anymore

Any suggestions?

@@AntonPutra get a vaction to CA. then ur cover won't be so dark ... even I know u wanna have some hacker style. Or buy some good NFTs, it would help u.

it's been a while, most likely from the lesson dir

Unfortunately, I don't have a lot of experience with ECS(Elastic Container Service) just yet. I may create some tutorials in the future. Are you referring to the AWS auth token to access AWS services or a token that you store in the AWS secrets manager? If the last, I can think of only doing it manually, you can always write the script to synchronize the secret from AWS secrets manager and Jenkins. Or, perhaps you can retry in the Jenkins, and if you get an error such as permissions denied or token is expired, go and get a new one from Secret Manager.

nevermind I fixed it, Thank you for this demo.

Hi Anton, but I am seeing two problems, 1. secrets are passed in as a JSON inside the containe. Is there any way, if we can export environments individually? right now I am using bash & jq to convert json env variables & parse locally using export but i wish if there's a way we can configure in .yml file. 2. auto-rotations - I know clouple of folks mentioned to use auto rotation but do you have a process or step by step video to do?

How did you solve it ?