✅ Kubernetes Secret-provider to env variables

R

restingphantomOP•1/14/25, 2:51 PM

apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-login-deployment
  namespace: brewingstand
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-login
  template:
    metadata:
      labels:
        app: service-login
    spec:
      containers:
        - name: service-login
          image: ghcr.io/brewing-stand/service-login:master
          ports:
            - containerPort: 8080
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          volumeMounts:
            - name: secrets-store
              mountPath: "/mnt/secrets-store"
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "brewing-secretsprovider"

apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-login-deployment
  namespace: brewingstand
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-login
  template:
    metadata:
      labels:
        app: service-login
    spec:
      containers:
        - name: service-login
          image: ghcr.io/brewing-stand/service-login:master
          ports:
            - containerPort: 8080
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          volumeMounts:
            - name: secrets-store
              mountPath: "/mnt/secrets-store"
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "brewing-secretsprovider"

apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-login-deployment
  namespace: brewingstand
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-login
  template:
    metadata:
      labels:
        app: service-login
    spec:
      containers:
        - name: service-login
          image: ghcr.io/brewing-stand/service-login:master
          ports:
            - containerPort: 8080
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          volumeMounts:
            - name: secrets-store
              mountPath: "/mnt/secrets-store"
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "brewing-secretsprovider"

apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-login-deployment
  namespace: brewingstand
spec:
  replicas: 1
  selector:
    matchLabels:
      app: service-login
  template:
    metadata:
      labels:
        app: service-login
    spec:
      containers:
        - name: service-login
          image: ghcr.io/brewing-stand/service-login:master
          ports:
            - containerPort: 8080
          resources:
            requests:
              memory: "512Mi"
              cpu: "250m"
            limits:
              memory: "1Gi"
              cpu: "500m"
          volumeMounts:
            - name: secrets-store
              mountPath: "/mnt/secrets-store"
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "brewing-secretsprovider"

R

restingphantomOP•1/14/25, 2:51 PM

# This is a SecretProviderClass example using user-assigned identity to access your key vault
# Service Connector sets up the Azure resource connection, users only need create the SecretProviderClass and workload resources
# For the variables to fill in, you may get their values from Service Connector Azure Portal


apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name:  brewing-secretsprovider
  namespace: brewingstand
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"                        # Set to true for using managed identity
    userAssignedIdentityID: MyId   # Set the clientID of the user-assigned managed identity to use
    keyvaultName: brewingKeys               # Set to the name of your key vault
    objects:  |                             # Secrets in Azure Key Vault
      array: 
        - |
          objectName: appsettings-allowedorigins      
          objectType: secret
        - |
          objectName: connectionstrings-azureblobstorage
          objectType: secret
        - |
          objectName: connectionstrings-postgresql-db
          objectType: secret
        - |
          objectName: gitsecrets-client
          objectType: secret
        - |
          objectName: gitsecrets-secret
          objectType: secret
        - |
          objectName: jwtsettings-secretkey
          objectType: secret
        - |
          objectName: logging-loglevel-default
          objectType: secret
        - |
          objectName: logging-loglevel-microsoftaspnetcore
          objectType: secret
    tenantId: myId             # The tenant ID of the key vault

# This is a SecretProviderClass example using user-assigned identity to access your key vault
# Service Connector sets up the Azure resource connection, users only need create the SecretProviderClass and workload resources
# For the variables to fill in, you may get their values from Service Connector Azure Portal


apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name:  brewing-secretsprovider
  namespace: brewingstand
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"                        # Set to true for using managed identity
    userAssignedIdentityID: MyId   # Set the clientID of the user-assigned managed identity to use
    keyvaultName: brewingKeys               # Set to the name of your key vault
    objects:  |                             # Secrets in Azure Key Vault
      array: 
        - |
          objectName: appsettings-allowedorigins      
          objectType: secret
        - |
          objectName: connectionstrings-azureblobstorage
          objectType: secret
        - |
          objectName: connectionstrings-postgresql-db
          objectType: secret
        - |
          objectName: gitsecrets-client
          objectType: secret
        - |
          objectName: gitsecrets-secret
          objectType: secret
        - |
          objectName: jwtsettings-secretkey
          objectType: secret
        - |
          objectName: logging-loglevel-default
          objectType: secret
        - |
          objectName: logging-loglevel-microsoftaspnetcore
          objectType: secret
    tenantId: myId             # The tenant ID of the key vault

# This is a SecretProviderClass example using user-assigned identity to access your key vault
# Service Connector sets up the Azure resource connection, users only need create the SecretProviderClass and workload resources
# For the variables to fill in, you may get their values from Service Connector Azure Portal


apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name:  brewing-secretsprovider
  namespace: brewingstand
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"                        # Set to true for using managed identity
    userAssignedIdentityID: MyId   # Set the clientID of the user-assigned managed identity to use
    keyvaultName: brewingKeys               # Set to the name of your key vault
    objects:  |                             # Secrets in Azure Key Vault
      array: 
        - |
          objectName: appsettings-allowedorigins      
          objectType: secret
        - |
          objectName: connectionstrings-azureblobstorage
          objectType: secret
        - |
          objectName: connectionstrings-postgresql-db
          objectType: secret
        - |
          objectName: gitsecrets-client
          objectType: secret
        - |
          objectName: gitsecrets-secret
          objectType: secret
        - |
          objectName: jwtsettings-secretkey
          objectType: secret
        - |
          objectName: logging-loglevel-default
          objectType: secret
        - |
          objectName: logging-loglevel-microsoftaspnetcore
          objectType: secret
    tenantId: myId             # The tenant ID of the key vault

# This is a SecretProviderClass example using user-assigned identity to access your key vault
# Service Connector sets up the Azure resource connection, users only need create the SecretProviderClass and workload resources
# For the variables to fill in, you may get their values from Service Connector Azure Portal


apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name:  brewing-secretsprovider
  namespace: brewingstand
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"                        # Set to true for using managed identity
    userAssignedIdentityID: MyId   # Set the clientID of the user-assigned managed identity to use
    keyvaultName: brewingKeys               # Set to the name of your key vault
    objects:  |                             # Secrets in Azure Key Vault
      array: 
        - |
          objectName: appsettings-allowedorigins      
          objectType: secret
        - |
          objectName: connectionstrings-azureblobstorage
          objectType: secret
        - |
          objectName: connectionstrings-postgresql-db
          objectType: secret
        - |
          objectName: gitsecrets-client
          objectType: secret
        - |
          objectName: gitsecrets-secret
          objectType: secret
        - |
          objectName: jwtsettings-secretkey
          objectType: secret
        - |
          objectName: logging-loglevel-default
          objectType: secret
        - |
          objectName: logging-loglevel-microsoftaspnetcore
          objectType: secret
    tenantId: myId             # The tenant ID of the key vault

R

restingphantomOP•1/14/25, 2:52 PM

im new to kubernetes and azure and I need some direction on what I can use to map my secrets to my C# application

R

restingphantomOP•1/14/25, 2:53 PM

I have already looked a bit at configmaps, but I dont know how they work exactly and how I can implement it while also getting my secrets from my keyvault

Rrestingphantom I have succesfully set my secrets form my secretsprovider class into my service,...

K

Keswiik•1/14/25, 4:07 PM

What do you mean by wrong place? Where should they be instead?

R

restingphantomOP•1/14/25, 4:09 PM

I would preferibly would have all of them in my appsettings.json as a json instead of each having their own separate file

R

restingphantomOP•1/14/25, 4:10 PM

Changing the path is no issue, just getting them from all separate files into one singular appsettings file (or env if that would work as well) is what I'm struggling with

K

Keswiik•1/14/25, 5:18 PM

not sure if you really need the azure key store for something like logging levels

R

restingphantomOP•1/14/25, 5:22 PM

Yeah, I don't need to put those in there, but I do however need my git secrets :/

K

Keswiik•1/14/25, 5:41 PM

well, not sure if there's any good way to transform multiple secrets into an appsettings.json file

✅ Kubernetes Secret-provider to env variables

Similar Threads

Similar Threads

Similar Threads