This document highlights the current limitations when using secrets-store-csi-driver.
- When a secret or key is updated in the external secrets store after the initial pod deployment, the updated value is not automatically reflected in the pod volume mount or in the Kubernetes Secret.
- When the `SecretProviderClass` is updated after the pod was created, running pods do not pick up the change.
- Adding or deleting objects, or updating keys, in an existing `secretObjects` list does not update the Kubernetes Secrets.
The CSI driver is invoked by kubelet only during the pod volume mount. Subsequent changes to the `SecretProviderClass` or to the external store after the pod has started therefore do not trigger an update of the content in the volume mount or in the Kubernetes Secret.
How to fetch the latest content with release v0.0.14 and earlier, or without the auto rotation feature enabled?
- If `secretObjects` is defined in the `SecretProviderClass`, delete the Kubernetes Secret that the driver created from it.
- Restart the application pod.
When the pod is recreated, kubelet invokes the CSI driver to mount the volume. As part of this mount request, the latest content is fetched from the external secrets store and populated in the pod. The same content is then mirrored into the Kubernetes Secret data.
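The two steps above as a script, added here as an example and not part of the secrets-store-csi-driver project. It assumes hypothetical names: namespace `app`, a Deployment `web` that mounts the CSI volume at `/mnt/secrets-store`, a `SecretProviderClass` whose `secretObjects` mirrors an object `password` into a Kubernetes Secret `db-creds` under the key `password`. After the rollout it also checks that the mounted file and the mirrored Secret agree, which is the quickest way to confirm the new pod actually fetched fresh content. `KUBECTL` can be pointed at a wrapper or shell function to dry-run the procedure.

```shell
#!/usr/bin/env sh
# Added example (not the driver project's own code): force pods to pick up the latest
# external secret content when auto rotation is unavailable (v0.0.14 and earlier).
# Assumed, hypothetical names: namespace "app", Deployment "web", Secret "db-creds",
# object alias "password" mounted at /mnt/secrets-store/password, Secret key "password".
KUBECTL="${KUBECTL:-kubectl}"

# Step 1: delete the Kubernetes Secret the driver synced from secretObjects.
# --ignore-not-found keeps the step idempotent when no secretObjects are defined.
delete_synced_secret() {
  ns="$1"; secret="$2"
  "$KUBECTL" -n "$ns" delete secret "$secret" --ignore-not-found
}

# Step 2: restart the workload. The new pod's volume mount is the only moment the
# driver contacts the external store and re-creates the synced Secret, so wait for
# the rollout to finish before trusting either copy.
restart_workload() {
  ns="$1"; deploy="$2"
  "$KUBECTL" -n "$ns" rollout restart "deployment/$deploy" &&
  "$KUBECTL" -n "$ns" rollout status "deployment/$deploy" --timeout=120s
}

# Run both steps in the documented order: Secret first, then pod restart.
refresh_secret_mount() {
  ns="$1"; deploy="$2"; secret="$3"
  delete_synced_secret "$ns" "$secret" || return 1
  restart_workload "$ns" "$deploy" || return 1
}

# Check: the file in the pod's CSI mount and the mirrored Secret key must match,
# since the Secret data is copied from the same mount request. Returns 0 on match.
verify_mirror() {
  ns="$1"; deploy="$2"; secret="$3"; object="$4"; key="$5"
  mounted=$("$KUBECTL" -n "$ns" exec "deployment/$deploy" -- cat "/mnt/secrets-store/$object") || return 1
  synced=$("$KUBECTL" -n "$ns" get secret "$secret" -o "jsonpath={.data.$key}" | base64 -d) || return 1
  [ "$mounted" = "$synced" ]
}

# Usage: sh refresh.sh <namespace> <deployment> <secret> [<object> <key>]
if [ "$#" -ge 3 ]; then
  refresh_secret_mount "$1" "$2" "$3" || exit 1
  if [ "$#" -ge 5 ]; then
    verify_mirror "$1" "$2" "$3" "$4" "$5" || { echo "mount and Secret differ" >&2; exit 1; }
  fi
fi
```

The Secret is deleted before the restart on purpose: the driver re-creates it from the fresh mount, so deleting it afterwards would leave the pod running against content that no Secret mirrors until the next restart. For a bare pod rather than a Deployment, replace the `rollout` commands with a `kubectl delete pod` and re-apply of the pod manifest.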