Skip to content

Secret-Based Authentication

This example demonstrates using Kubernetes Secrets to provide S3 credentials for volume-level authentication.

Features

  • Volume-level S3 credentials using Kubernetes Secrets
  • Different credentials per PV
  • Secure credential management

Deploy

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
kubectl apply -f - <<EOF
# Secret Authentication Example
# This example demonstrates using a Kubernetes Secret to provide S3 credentials for the Mountpoint S3 CSI Driver.
# This authentication method is particularly useful for:
# 1. The user wants to set their own credentials which are different than the driver level credentials
# 2. Using different credentials for different persistent volumes

# First, create a Secret containing the S3 credentials
apiVersion: v1
kind: Secret
metadata:
  name: s3-credentials
  namespace: default
type: Opaque
data:
  # Using base64 encoded values. Example:
  # echo -n "ACCESS_KEY_ID" | base64
  access_key_id: QUtJQVhYWFhYWFhYWFhYWFhY
  # echo -n "SECRET_ACCESS_KEY" | base64
  secret_access_key: U0VDUkVUWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWA==

  # You can also create the secret using kubectl:
  # kubectl create secret generic s3-credentials \
  #     --from-literal=access_key_id="ACCESS_KEY_ID" \
  #     --from-literal=secret_access_key="SECRET_ACCESS_KEY"

---
# Next, create a PersistentVolume that references the Secret
apiVersion: v1
kind: PersistentVolume
metadata:
  name: s3-pv
spec:
  capacity:
    storage: 1000Gi # ignored, required
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: "" # Required for static provisioning
  mountOptions:
    - allow-delete
  csi:
    driver: s3.csi.scality.com
    volumeHandle: s3-csi-secret-auth-volume # Must be unique across all PVs
    volumeAttributes:
      bucketName: my-bucket
      authenticationSource: secret # Set auth source to use the Secret
    nodePublishSecretRef:
      name: s3-credentials # Reference to the Secret containing credentials
      namespace: default
---
# Create a PersistentVolumeClaim that references the PV
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: s3-pvc
  namespace: default
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  resources:
    requests:
      storage: 1000Gi # Ignored, required
  volumeName: s3-pv
---
# Finally, create a Pod that uses the volume
apiVersion: v1
kind: Pod
metadata:
  name: s3-app
  namespace: default
spec:
  containers:
  - name: app
    image: busybox
    command: ["tail", "-f", "/dev/null"]
    volumeMounts:
    - name: s3-storage
      mountPath: /data
  volumes:
  - name: s3-storage
    persistentVolumeClaim:
      claimName: s3-pvc
EOF

Alternative: Create Secret with kubectl

1
2
3
kubectl create secret generic s3-credentials \
    --from-literal=access_key_id="YOUR_ACCESS_KEY_ID" \
    --from-literal=secret_access_key="YOUR_SECRET_ACCESS_KEY"

Key Configuration

  • authenticationSource: secret - Enables secret-based authentication
  • nodePublishSecretRef - References the Kubernetes Secret

Check Pod-Level Access to the Mounted S3 Volume

1
2
3
kubectl get secret s3-credentials
kubectl get pod s3-app
kubectl exec s3-app -- ls -la /data

Cleanup

1
2
3
4
kubectl delete pod s3-app
kubectl delete pvc s3-pvc
kubectl delete pv s3-pv
kubectl delete secret s3-credentials

Download YAML

📁 secret_authentication.yaml