Compatibility with Secret Store CSI Driver? #11069

Closed
rileyhun opened this issue Mar 30, 2021 · 8 comments

rileyhun commented Mar 30, 2021

Hello all,

I need to pull in a secret from a vault (a.k.a. GoogleSecretManager), but KNative doesn't let me create the necessary volume to facilitate that through CSI. Any ideas on how to do this?

For example, it should look something like this:

```yaml
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: seldon-request-logger
  labels:
    fluentd: "true"
spec:
  template:
    metadata:
      annotations:
        autoscaling.knative.dev/minScale: "1"
    spec:
      serviceAccountName: "secretsinvoker"
      containers:
      - image: docker.io/seldonio/seldon-request-logger:1.5.1
        imagePullPolicy: Always
        env:
          - name: ELASTICSEARCH_HOST
            value: "elasticsearch-opendistro-elasticsearch.logging.svc.cluster.local"
          - name: ELASTICSEARCH_PORT
            value: "9200"
          - name: ELASTICSEARCH_PROTOCOL
            value: "http"
          - name: ELASTICSEARCH_USER
            value: "admin"
          - name: ELASTICSEARCH_PASS
            valueFrom:
              secretKeyRef:
                name: elasticsecret
                key: pwd
        volumeMounts:
          - mountPath: "/var/secrets"
            name: mysecret
      volumes:
        # CSI volume: this is the field the validation webhook rejects
        - name: mysecret
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "app-secrets"
```

Error:

```
Error from server (BadRequest): error when creating "logging/seldon-request-logger.yaml": admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: expected exactly one, got neither: spec.template.spec.volumes[0].configMap, spec.template.spec.volumes[0].projected, spec.template.spec.volumes[0].secret
must not set the field(s): spec.template.spec.volumes[0].csi
```
@rileyhun rileyhun added the kind/feature Well-understood/specified features, ready for coding. label Mar 30, 2021
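
The rule implied by the webhook error above (each volume sets exactly one of `configMap`, `projected` or `secret`, and no other source field) can be checked before a manifest is applied. This is an added example, not code from the issue or from Knative; the allowed list is taken only from the error text, and `check_volumes`, `make_service` and the two sample volumes are constructed for illustration.

```python
# Pre-flight check approximating the volume rule seen in the webhook error.
# Assumption: the allowed sources are exactly those named in the error text.
ALLOWED_SOURCES = ("configMap", "projected", "secret")


def check_volumes(service):
    """Return violation messages for spec.template.spec.volumes (empty if clean)."""
    pod_spec = service.get("spec", {}).get("template", {}).get("spec", {})
    problems = []
    for i, vol in enumerate(pod_spec.get("volumes") or []):
        path = f"spec.template.spec.volumes[{i}]"
        sources = [k for k in vol if k != "name"]  # every key except the volume name
        allowed = [k for k in sources if k in ALLOWED_SOURCES]
        denied = sorted(k for k in sources if k not in ALLOWED_SOURCES)
        if not allowed:
            fields = ", ".join(f"{path}.{k}" for k in ALLOWED_SOURCES)
            problems.append(f"expected exactly one, got neither: {fields}")
        elif len(allowed) > 1:
            fields = ", ".join(f"{path}.{k}" for k in allowed)
            problems.append(f"expected exactly one, got several: {fields}")
        if denied:
            fields = ", ".join(f"{path}.{k}" for k in denied)
            problems.append(f"must not set the field(s): {fields}")
    return problems


def make_service(volume):
    """Constructed, minimal Knative Service (parsed form) with one volume."""
    container = {
        "image": "docker.io/seldonio/seldon-request-logger:1.5.1",
        "volumeMounts": [{"mountPath": "/var/secrets", "name": volume["name"]}],
    }
    return {
        "apiVersion": "serving.knative.dev/v1",
        "kind": "Service",
        "metadata": {"name": "seldon-request-logger"},
        "spec": {"template": {"spec": {"containers": [container], "volumes": [volume]}}},
    }


# Constructed samples: the CSI volume from the manifest above, and a plain
# Secret volume that reuses the Secret name the manifest already references.
CSI_VOLUME = {"name": "mysecret", "csi": {
    "driver": "secrets-store.csi.k8s.io", "readOnly": True,
    "volumeAttributes": {"secretProviderClass": "app-secrets"}}}
SECRET_VOLUME = {"name": "mysecret", "secret": {"secretName": "elasticsecret"}}

if __name__ == "__main__":
    for vol in (CSI_VOLUME, SECRET_VOLUME):
        print(next(k for k in vol if k != "name"), check_volumes(make_service(vol)) or "ok")
```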
@eftugahan

Got the same error here. Have you got any solution?


rileyhun commented Jun 9, 2021

> Got the same error here. Have you got any solution?

I don't think there is a solution because knative doesn't allow you to mount custom volumes. I ended up using berglas instead. K8s external secrets should work as well.


github-actions bot commented Sep 8, 2021

This issue is stale because it has been open for 90 days with no
activity. It will automatically close after 30 more days of
inactivity. Reopen the issue with /reopen. Mark the issue as
fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 8, 2021
@github-actions github-actions bot closed this as completed Oct 8, 2021
@jjayabal23

Does knative have any plans to support csi drivers in the future?


paulorpdlmillicom commented Nov 2, 2022

Why is there no support for CSI? Maybe this is a bug, because looking at the API reference (https://knative.dev/docs/serving/reference/serving-api/#serving.knative.dev/v1.RevisionTemplateSpec), the RevisionTemplateSpec uses Kubernetes Core v1.PodSpec. This supports multiple kinds of VolumeSource (https://pkg.go.dev/k8s.io/api@v0.25.2/core/v1#VolumeSource).

Looking at the code, maybe it is an error in the OAPI CRD spec.


erictg commented May 8, 2023

What would it take to actually support CSI? Since this is being passed off to the pods/kubernetes itself, why would knative explicitly block this functionality?

I'd be happy to look into supporting this


knative-prow bot commented May 8, 2023

@erictg: You can't reopen an issue/PR unless you authored it or you are a collaborator.

In response to this:

> /reopen
> /remove-lifecycle stale
>
> What would it take to actually support CSI? Since this is being passed off to the pods/kubernetes itself, why would knative explicitly block this functionality?
>
> I'd be happy to look into supporting this

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 8, 2023

zzuchen commented Jan 10, 2024

> > Got the same error here. Have you got any solution?
>
> I don't think there is a solution because knative doesn't allow you to mount custom volumes. I ended up using berglas instead. K8s external secrets should work as well.

hello, could you please tell me how to solve the problem through berglas?
