secrets-store-csi-driver results in forbidden errors when deployed via Azure ARC onto a K3S cluster #948

Closed
2 tasks done
EliiseS opened this issue Jul 29, 2022 · 11 comments · Fixed by #949
Labels
arc bug Something isn't working

Comments

@EliiseS

EliiseS commented Jul 29, 2022

Have you

What steps did you take and what happened:

  1. Create a new VM with a k3s cluster running
  2. Onboarding k3s within VM as Arc-enabled cluster
  3. Add extension via azure portal (akvsecretsprovider) / add extension via bicep
  4. Arc monitoring pods for akvsecretsprovider are down, also secret sync does not function. Snippet:
    azureuser@device-1:~$ kubectl logs -n kube-system arc-monitoring-85d99f94d5-dvmsr fluentd 
    #<Thread:0x0000564491f875d8 /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-kubernetes_metadata_filter-2.5.3/lib/fluent/plugin/filter_kubernetes_metadata.rb:254 run> terminated with exception (report_on_exception is true):
    /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-kubernetes_metadata_filter-2.5.3/lib/fluent/plugin/kubernetes_metadata_watch_namespaces.rb:86:in `rescue in start_namespace_watch': start_namespace_watch: 
    Exception encountered setting up namespace watch from Kubernetes API v1 endpoint https://10.43.0.1:443/api: namespaces is forbidden: User "system:serviceaccount:kube-system:csi-secrets-store-provider-azure" cannot list resource "namespaces" in API group "" at the cluster scope ({"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"namespaces is forbidden: User \\"system:serviceaccount:kube-system:csi-secrets-store-provider-azure\\" cannot list resource \\"namespaces\\" in API group \\"\\" at the cluster scope","reason":"Forbidden","details":{"kind":"namespaces"},"code":403} (Fluent::ConfigError)

What did you expect to happen:
Secret Storage to work as expected on ARC connected K3S cluster. If there is a better place to post this issue, please let us know :)

Anything else you would like to add:

The bicep template used for deployment, where you can see that the syncSecret is enabled. I've also verified it's enabled through the Azure Arc UI in Azure portal:

resource extension 'Microsoft.KubernetesConfiguration/extensions@2021-09-01' = {
  name: 'akvsecretsprovider'
  scope: cluster
  properties: {
    extensionType: 'Microsoft.AzureKeyVaultSecretsProvider'
    releaseTrain: 'stable'
    version: '1.1.3'
    configurationSettings: {
      enableSecretRotation: 'true'
      rotationPollInterval: '2m'
      'syncSecret.enabled': 'true'
    }
  }
}

Here are all of the logs in no particular order: https://gist.github.com/EliiseS/dab2821dd860e9e0402e7843b71dae82

One key takeaway for me has been that the cluster roles are missing, which is most likely the reason the service account is forbidden from doing anything.

Which access mode did you use to access the Azure Key Vault instance:
[e.g. Service Principal, Pod Identity, User Assigned Managed Identity, System Assigned Managed Identity]

Environment:

  • Secrets Store CSI Driver version: (use the image tag): v2.5.0
  • Azure Key Vault provider version: (use the image tag): 1.1.3
  • Kubernetes version: (use kubectl version and kubectl get nodes -o wide):
$ kubectl version
.
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.3", GitCommit:"aef86a93758dc3cb2c658dd9657ab4ad4afc21cb", GitTreeState:"clean", BuildDate:"2022-07-13T14:30:46Z", GoVersion:"go1.18.3", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.3+k3s1", GitCommit:"990ba0e88c90f8ed8b50e0ccd375937b841b176e", GitTreeState:"clean", BuildDate:"2022-07-19T01:10:03Z", GoVersion:"go1.18.1", Compiler:"gc", Platform:"linux/amd64"}
$ kubectl get nodes -o wide
NAME       STATUS   ROLES                  AGE    VERSION        INTERNAL-IP    EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
device-1   Ready    control-plane,master   4d3h   v1.24.3+k3s1   172.16.128.4   <none>        Ubuntu 18.04.6 LTS   5.4.0-1086-azure   containerd://1.6.6-k3s1

Co-author: @LeonardHd

@EliiseS EliiseS added the bug Something isn't working label Jul 29, 2022
@nilekhc
Contributor

nilekhc commented Jul 29, 2022

@EliiseS Thanks for opening the issue. As you mentioned, the problem is with missing Roles and Role Bindings. Sync secrets and monitoring need them to work correctly. Could you try installing them manually?

I am looking into the possibility that this may be an RBAC issue specific to k3s.

@aramase aramase added the arc label Jul 29, 2022
@LeonardHd
Contributor

@nilekhc I did some research on the issue, and I hope this helps to further pinpoint the issue.

I suspect that the helm chart does not install the rolebindings based on the conditions in the charts/csi-secrets-store-provider-azure/templates/rolebinding.yaml given that for Values.Azure.Identity.isEnabled the arc-values.yaml is currently set to false.
I am not sure how I could modify that parameter when I deploy the extension for Arc via ARM.

What I did to come to that conclusion:

  1. Clone this repo and apply the helm chart with Values.Azure.Identity.isEnabled set to true.
  2. Changed arc-monitoring deployment so that higher fluentd resource limits prevent OOMErrors.

Result:

  • The fluent container does not return the same error.

    2022-08-01 14:29:13 +0000 [warn]: #0 failed to flush the buffer. retry_time=0 next_retry_seconds=2022-08-01 14:29:14.773655808 +0000 chunk="5e52ecb83d33d72c8c65769d35902a62" error_class=RuntimeError error="Sending data (tag=akvssd.secrets-store) to mdsd failed"
    2022-08-01 14:29:13 +0000 [warn]: #0 /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-mdsd-0.1.9.pre.build.dev/lib/fluent/plugin/out_mdsd.rb:108:in `handle_record'
    2022-08-01 14:29:13 +0000 [warn]: #0 /opt/td-agent/lib/ruby/gems/2.7.0/gems/fluent-plugin-mdsd-0.1.9.pre.build.dev/lib/fluent/plugin/out_mdsd.rb:88:in `block in write'
    2022-08-01T14:29:13.7741560Z: error SocketClient.cc:137 Connect() SocketException: SocketClient connect(): No such file or directory
    2022-08-01T14:29:13.8955320Z: error SocketClient.cc:137 Connect() SocketException: SocketClient connect(): No such file or directory
    2022-08-01T14:29:14.0838950Z: error SocketClient.cc:137 Connect() SocketException: SocketClient connect(): No such file or directory
    2022-08-01T14:29:14.4874100Z: error SocketClient.cc:137 Connect() SocketException: SocketClient connect(): No such file or directory
    2022-08-01T14:29:15.4202530Z: error SocketClient.cc:137 Connect() SocketException: SocketClient connect(): No such file or directory
    2022-08-01T14:29:16.6483850Z: error SocketClient.cc:137 Connect() SocketException: SocketClient connect(): No such file or directory
    
    
  • The prom-mdm-converter is now failing with:

    {"fileName":"/Users/nilekh/repos/prom-mdm-converter/cmd/converter.go","level":"fatal","lineNumber":63,"msg":"Required variables not set","serviceBuild":"","source":"AcsContextlessTraceLog","time":"2022-08-01T14:27:40Z"}
    

For the prom-mdm-converter, the issue seems to be the missing Values.Azure.Extension.ResourceId due to my local reproduction of the issue.

@nilekhc
Contributor

nilekhc commented Aug 1, 2022

@LeonardHd You are certainly debugging in the right direction. Let me give you some context.

When we release a new Arc extension version, we replace arc-values.yaml into values.yaml to get Arc-specific configuration and then pack the helm chart. Having said that, the Values.Azure section is populated by the Arc Extension Resource Provider when you install the Arc extension. So for the extension to work properly (or test properly) you must install it via cli/portal/arm template and not manually via helm chart. Arc should set Values.Azure.Identity.isEnabled to true. You can check the values set for Values.Azure using helm get values <RELEASE_NAME>.

Also, I see that you are pinning the extension version to 1.1.3. There is a newer version, 1.2.1, available. I would recommend not specifying the version in your ARM template while installing. When the version is not specified, Arc picks the latest version available and also auto-upgrades if any new minor version update is available. You can also remove releaseTrain from the template as it defaults to stable.

@nilekhc
Contributor

nilekhc commented Aug 1, 2022

Here is a sample output of helm get values after installing the extension.

~ $ helm get values -n kube-system sscsi
USER-SUPPLIED VALUES:
Azure:
  Cluster:
    Cloud: AZUREPUBLICCLOUD
    Distribution: kind
    Infrastructure: generic
    Region: eastus2euap
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/akv-arc/providers/Microsoft.Kubernetes/ConnectedClusters/ext-test
  Extension:
    Name: sscsi
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/akv-arc/providers/Microsoft.Kubernetes/ConnectedClusters/ext-test/providers/Microsoft.KubernetesConfiguration/extensions/sscsi
  Identity:
    MSIAdapterYaml: |
      <REDACTED>
    Type: SystemAssigned
    isEnabled: true
  proxySettings:
    isCustomCert: false
    isProxyEnabled: false
IdentityPrincipalId: <REDACTED>
IdentityType: SystemAssigned
scope: cluster
secrets-store-csi-driver:
  enableSecretRotation: true
  rotationPollInterval: 30s
  syncSecret:
    enabled: true

@LeonardHd
Contributor

LeonardHd commented Aug 1, 2022

@nilekhc I have installed the extension as follows (on a new Arc-enabled k3s cluster just to be sure 🤓). I kept the version and namespace pinned for now - thanks a lot for the recommendation to not pin it / omit the release train.

helm get values returns the output as below. It seems that Values.Azure.Identity.isEnabled is false, which causes the rolebindings not to be created.

azureuser@device-1:~$ helm get values akvsecretsprovider -n kube-system
USER-SUPPLIED VALUES:
Azure:
  Cluster:
    Cloud: AZUREPUBLICCLOUD
    Distribution: k3s
    Infrastructure: generic
    Region: westeurope
    ResourceId: /subscriptions/<omitted>/resourceGroups/aksplhf-poc-rg/providers/Microsoft.Kubernetes/ConnectedClusters/device-1
  Extension:
    Name: akvsecretsprovider
    ResourceId: /subscriptions/<omitted>/resourceGroups/aksplhf-poc-rg/providers/Microsoft.Kubernetes/ConnectedClusters/device-1/providers/Microsoft.KubernetesConfiguration/extensions/akvsecretsprovider
  Identity:
    isEnabled: false
  proxySettings:
    isCustomCert: false
    isProxyEnabled: false
enableSecretRotation: true
rotationPollInterval: 2m
scope: cluster
syncSecret:
  enabled: true

I used the following bicep to deploy the extension:

param clusterName string

resource cluster 'Microsoft.Kubernetes/connectedClusters@2022-05-01-preview' existing = {
  name: clusterName
}

resource extension 'Microsoft.KubernetesConfiguration/extensions@2021-09-01' = {
  name: 'akvsecretsprovider'
  scope: cluster
  properties: {
    extensionType: 'Microsoft.AzureKeyVaultSecretsProvider'
    releaseTrain: 'stable'
    version: '1.2.1'
    scope: {
      cluster: {
        releaseNamespace: 'kube-system'
      }
    }
    configurationSettings: {
      enableSecretRotation: 'true'
      rotationPollInterval: '2m'
      'syncSecret.enabled': 'true'
    }
  }
}

@nilekhc
Contributor

nilekhc commented Aug 1, 2022

@LeonardHd Could you provide me the output of kubectl get pods -n azure-arc?

@LeonardHd
Contributor

Sure, no problem:

azureuser@device-1:~$ kubectl get pods -n azure-arc
NAME                                         READY   STATUS    RESTARTS   AGE
flux-logs-agent-68bc745586-2tcx4             1/1     Running   0          23m
cluster-metadata-operator-855c68dcf8-jdrnr   2/2     Running   0          23m
extension-manager-54559794d6-p5bjw           2/2     Running   0          23m
clusteridentityoperator-bd4f4f4c6-288wh      2/2     Running   0          23m
controller-manager-7fcbd6585d-r7chw          2/2     Running   0          23m
metrics-agent-7d6844cd4c-wjp9n               2/2     Running   0          23m
resource-sync-agent-5d755f9d6f-2wtqx         2/2     Running   0          23m
clusterconnect-agent-77496f7c5c-4hn22        3/3     Running   0          23m
config-agent-6f776c77b9-9g9v5                2/2     Running   0          23m
kube-aad-proxy-6cdcc5c95d-wdk54              2/2     Running   0          23m

@nilekhc
Contributor

nilekhc commented Aug 1, 2022

Thanks for providing access to your test env @LeonardHd. I tried it out and it works as expected. Here are some of the outputs.

~$ az connectedk8s connect -n k3s-test -g arc-ext
This operation might take a while...

Downloading helm client for first time. This can take few minutes...

{
  "agentPublicKeyCertificate": "<REDACTED>",
  "agentVersion": null,
  "connectivityStatus": "Connecting",
  "distribution": "k3s",
  "id": "/subscriptions/<REDACTED>/resourceGroups/arc-ext/providers/Microsoft.Kubernetes/connectedClusters/k3s-test",
  "identity": {
    "principalId": "<REDACTED>",
    "tenantId": "<REDACTED>",
    "type": "SystemAssigned"
  },
  "infrastructure": "generic",
  "kubernetesVersion": null,
  "lastConnectivityTime": null,
  "location": "eastus2euap",
  "managedIdentityCertificateExpirationTime": null,
  "name": "k3s-test",
  "offering": null,
  "provisioningState": "Succeeded",
  "resourceGroup": "arc-ext",
  "systemData": {
    "createdAt": "2022-08-01T22:17:13.260943+00:00",
    "createdBy": "<REDACTED>",
    "createdByType": "User",
    "lastModifiedAt": "2022-08-01T22:17:13.260943+00:00",
    "lastModifiedBy": "<REDACTED>",
    "lastModifiedByType": "User"
  },
  "tags": {},
  "totalCoreCount": null,
  "totalNodeCount": null,
  "type": "microsoft.kubernetes/connectedclusters"
}
~$ az k8s-extension create \
        --name k3stest \
       --extension-type Microsoft.AzureKeyVaultSecretsProvider \
       --scope cluster \
       --cluster-name k3s-test \
       --resource-group arc-ext \
       --cluster-type connectedClusters \
       --release-namespace kube-system \
       --configuration-settings 'secrets-store-csi-driver.enableSecretRotation=true' \
         'secrets-store-csi-driver.rotationPollInterval=30s' \
         'secrets-store-csi-driver.syncSecret.enabled=true'
{
  "aksAssignedIdentity": null,
  "autoUpgradeMinorVersion": true,
  "configurationProtectedSettings": {},
  "configurationSettings": {
    "secrets-store-csi-driver.enableSecretRotation": "true",
    "secrets-store-csi-driver.rotationPollInterval": "30s",
    "secrets-store-csi-driver.syncSecret.enabled": "true"
  },
  "customLocationSettings": null,
  "errorInfo": null,
  "extensionType": "microsoft.azurekeyvaultsecretsprovider",
  "id": "/subscriptions/<REDACTED>/resourceGroups/arc-ext/providers/Microsoft.Kubernetes/connectedClusters/k3s-test/providers/Microsoft.KubernetesConfiguration/extensions/k3stest",
  "identity": {
    "principalId": "<REDACTED>",
    "tenantId": null,
    "type": "SystemAssigned"
  },
  "name": "k3stest",
  "packageUri": null,
  "provisioningState": "Succeeded",
  "releaseTrain": "Stable",
  "resourceGroup": "arc-ext",
  "scope": {
    "cluster": {
      "releaseNamespace": "kube-system"
    },
    "namespace": null
  },
  "statuses": [],
  "systemData": {
    "createdAt": "2022-08-01T22:25:02.943164+00:00",
    "createdBy": null,
    "createdByType": null,
    "lastModifiedAt": "2022-08-01T22:25:02.943164+00:00",
    "lastModifiedBy": null,
    "lastModifiedByType": null
  },
  "type": "Microsoft.KubernetesConfiguration/extensions",
  "version": "1.2.1"
}

Output of helm get values k3stest -n kube-system does show that Identity.isEnabled is set to true.

Azure:
  Cluster:
    Cloud: AZUREPUBLICCLOUD
    Distribution: k3s
    Infrastructure: generic
    Region: eastus2euap
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/arc-ext/providers/Microsoft.Kubernetes/ConnectedClusters/k3s-test
  Extension:
    Name: k3stest
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/arc-ext/providers/Microsoft.Kubernetes/ConnectedClusters/k3s-test/providers/Microsoft.KubernetesConfiguration/extensions/k3stest
  Identity:
    Type: SystemAssigned
    isEnabled: true
  proxySettings:
    isCustomCert: false
    isProxyEnabled: false
IdentityPrincipalId: <REDACTED>
IdentityType: SystemAssigned
scope: cluster
secrets-store-csi-driver:
  enableSecretRotation: true
  rotationPollInterval: 30s
  syncSecret:
    enabled: true

After creating the workload pod, it was able to mount the secret on the volume.

~$ kubectl exec -it busybox-secrets-store-inline -- cat /mnt/secrets-store/secret1
test

@LeonardHd
Contributor

@nilekhc I have managed to dig further, and I believe I have found the issue.
Possible findings in short

Details
Installing via the az CLI indeed works as expected; however, the issue persisted when deploying the extension via the Azure Portal and ARM/Bicep.

In fact, when deploying via the Arc Extension Tab the Values.Azure.Identity.isEnabled is false (see Azure Portal Deployment Helm Values below). This currently does not cause an error in the installation process.

The difference I noticed between CLI and Portal/ARM is that the az CLI always creates an identity (as per your output; I also tracked down the corresponding code in the az CLI here: DefaultExtension.py line 52).

This made me add a SystemAssigned identity to my bicep template (see Bicep template below), and this seems to resolve the issue with Values.Azure.Identity.isEnabled being false. The helm get values also returns a more 'reasonable' output.

ARM/Bicep deployment with SystemAssigned identity

param clusterName string

resource cluster 'Microsoft.Kubernetes/connectedClusters@2022-05-01-preview' existing = {
  name: clusterName
}

resource extension 'Microsoft.KubernetesConfiguration/extensions@2021-09-01' = {
  name: 'akvsecretsprovider'
  scope: cluster
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    extensionType: 'Microsoft.AzureKeyVaultSecretsProvider'
    releaseTrain: 'stable'
    version: '1.2.1'
    scope: {
      cluster: {
        releaseNamespace: 'kube-system'
      }
    }
    configurationSettings: {
      enableSecretRotation: 'true'
      rotationPollInterval: '2m'
      'syncSecret.enabled': 'true'
    }
  }
}

helm get values for ARM/Bicep deployment with SystemAssigned identity

azureuser@device-1:~$ helm get values akvsecretsprovider -n kube-system
USER-SUPPLIED VALUES:
Azure:
  Cluster:
    Cloud: AZUREPUBLICCLOUD
    Distribution: k3s
    Infrastructure: generic
    Region: westeurope
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/aksplhf-poc-rg/providers/Microsoft.Kubernetes/ConnectedClusters/device-1
  Extension:
    Name: akvsecretsprovider
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/aksplhf-poc-rg/providers/Microsoft.Kubernetes/ConnectedClusters/device-1/providers/Microsoft.KubernetesConfiguration/extensions/akvsecretsprovider
  Identity:
    MSIAdapterYaml: |
      - name: EXTENSION_ARMID
        value: /subscriptions/<REDACTED>/resourceGroups/aksplhf-poc-rg/providers/Microsoft.Kubernetes/ConnectedClusters/device-1/providers/Microsoft.KubernetesConfiguration/extensions/akvsecretsprovider
      - name: EXTENSION_NAME
        value: akvsecretsprovider
      - name: CLUSTER_IDENTITY
        value: "false"
      - name: CLUSTER_TYPE
        value: ConnectedClusters
      - name: MANAGED_IDENTITY_AUTH
        value: "true"
      - name: TEST_MODE
        value: "false"
      - name: TEST_FILE
        value: "/data/token"
      image: mcr.microsoft.com/azurearck8s/msi-adapter:1.0.0
      securityContext:
        capabilities:
          add:
            - NET_ADMIN
            - NET_RAW
      livenessProbe:
        httpGet:
          path: /healthz
          port: 9090
          scheme: "HTTP"
        initialDelaySeconds: 10
        periodSeconds: 15
      resources:
        limits:
          cpu: 50m
          memory: 100Mi
        requests:
          cpu: 20m
          memory: 50Mi
    Type: SystemAssigned
    isEnabled: true
  proxySettings:
    isCustomCert: false
    isProxyEnabled: false
IdentityPrincipalId: <REDACTED>
IdentityType: SystemAssigned
enableSecretRotation: true
rotationPollInterval: 2m
scope: cluster
syncSecret:
  enabled: true

Azure Portal ARM Deployment

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "releaseTrain": {
            "defaultValue": "stable",
            "type": "String"
        },
        "releaseNamespace": {
            "defaultValue": "kube-system",
            "type": "String"
        },
        "extensionName": {
            "defaultValue": "akvsecretsprovider",
            "type": "String"
        },
        "connectedClusterName": {
            "type": "String"
        },
        "enableSecretRotation": {
            "defaultValue": "false",
            "type": "String"
        },
        "rotationPollInterval": {
            "defaultValue": "2m",
            "type": "String"
        },
        "enableSyncSecret": {
            "defaultValue": "false",
            "type": "String"
        },
        "tagsByResource": {
            "defaultValue": {},
            "type": "Object"
        }
    },
    "variables": {},
    "functions": [],
    "resources": [
        {
            "type": "Microsoft.KubernetesConfiguration/extensions",
            "apiVersion": "2021-09-01",
            "name": "[parameters('extensionName')]",
            "tags": "[ if(contains(parameters('tagsByResource'), 'Microsoft.KubernetesConfiguration/extensions'), parameters('tagsByResource')['Microsoft.KubernetesConfiguration/extensions'], json('{}')) ]",
            "properties": {
                "extensionType": "Microsoft.AzureKeyVaultSecretsProvider",
                "releaseTrain": "[parameters('releaseTrain')]",
                "scope": {
                    "cluster": {
                        "releaseNamespace": "[parameters('releaseNamespace')]"
                    }
                },
                "configurationSettings": {
                    "secrets-store-csi-driver.enableSecretRotation": "[parameters('enableSecretRotation')]",
                    "secrets-store-csi-driver.rotationPollInterval": "[parameters('rotationPollInterval')]",
                    "secrets-store-csi-driver.syncSecret.enabled": "[parameters('enableSyncSecret')]"
                }
            },
            "scope": "[concat('Microsoft.Kubernetes/connectedClusters/', parameters('connectedClusterName'))]"
        }
    ]
}

Azure Portal Deployment Helm Values:

azureuser@device-1:~$ helm get values akvsecretsprovider -n kube-system
USER-SUPPLIED VALUES:
Azure:
  Cluster:
    Cloud: AZUREPUBLICCLOUD
    Distribution: k3s
    Infrastructure: generic
    Region: westeurope
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/akspport-poc-rg/providers/Microsoft.Kubernetes/ConnectedClusters/device-1
  Extension:
    Name: akvsecretsprovider
    ResourceId: /subscriptions/<REDACTED>/resourceGroups/akspport-poc-rg/providers/Microsoft.Kubernetes/ConnectedClusters/device-1/providers/Microsoft.KubernetesConfiguration/extensions/akvsecretsprovider
  Identity:
    isEnabled: false
  proxySettings:
    isCustomCert: false
    isProxyEnabled: false
scope: cluster
secrets-store-csi-driver:
  enableSecretRotation: true
  rotationPollInterval: 2m
  syncSecret:
    enabled: true

LeonardHd added a commit to LeonardHd/secrets-store-csi-driver-provider-azure that referenced this issue Aug 2, 2022
LeonardHd added a commit to LeonardHd/secrets-store-csi-driver-provider-azure that referenced this issue Aug 2, 2022
@nilekhc
Contributor

nilekhc commented Aug 2, 2022

Thanks @LeonardHd for debugging and a PR. I'll review the same.

@nilekhc
Contributor

nilekhc commented Aug 3, 2022

@LeonardHd I have also released these changes in portal.
