
How to pass azure key vault secrets to kubernetes pod using file in helm charts

I am using Azure Key Vault to save secrets and use them as env variables in deployment.yaml.

But the issue is that I can see these secrets in the Azure Kubernetes cluster in the Azure portal.

I read in the Kubernetes documentation that we can use these variables as a file instead of env variables for a more secure deployment.

What changes do I need to make to achieve this?

Here are my Helm charts:

SecretProviderClass.yaml

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-keyvault 
spec:
  provider: azure
  secretObjects:
  - secretName: database-configs
    type: Opaque
    data:
    - objectName: DB-URL
      key: DB-URL

  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: {{ .Values.spec.parameters.userAssignedIdentityID }} 
    resourceGroup: {{ .Values.spec.parameters.resourceGroup }} 
    keyvaultName: {{ .Values.spec.parameters.keyvaultName }} 
    tenantId: {{ .Values.spec.parameters.tenantId }} 
    objects: |
      array:
        - |
          objectName: DB-URL
          objectType: secret
          objectAlias: DB-URL

deployment.yaml

        env:
          - name: DB-URL
            valueFrom:
              secretKeyRef:
                name: database-configs
                key: DB-URL
        volumeMounts:
          - mountPath: "/mnt/azure"
            name: volume
          - mountPath: "/mnt/secrets-store"   # mountPath must be absolute; "mnt/secrets-store" is rejected
            name: secrets-mount
            readOnly: true
      volumes:
        - name: volume
          persistentVolumeClaim:
            claimName: azure-managed-disk
        - name: secrets-mount
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "azure-keyvault"

File where Helm substitutes these values at deployment time:

settings.ini

[server]
hostname = "localhost"
hot_deployment = false
url = "$env{DB-URL}"

[user_store]
type = "read_only_ldap"

Any help will be really appreciated.

I am looking for a secure way to use Key Vault and Kubernetes together.

megha asked Nov 18 '25 04:11
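The chart in the question does two things at once: it mounts the Key Vault secret as a file through the CSI volume, and, via `secretObjects`, it also asks the driver to copy that value into a Kubernetes Secret so it can be consumed with `secretKeyRef`. That synced Secret is what shows up in the portal, because it lives in the cluster's API server. The following is an added example (not the poster's chart) of the file-only variant: `secretObjects` and the `env` entry are dropped, so the value exists only as a tmpfs file inside the pod. The `.Values.image` key and the Deployment labels are assumptions; the `.Values.spec.parameters.*` keys mirror the question's values layout.

```yaml
# Added example, not the original poster's manifests.
# SecretProviderClass without secretObjects: the driver writes the secret
# to the pod's CSI volume and never creates a Kubernetes Secret object.
apiVersion: secrets-store.csi.x-k8s.io/v1   # v1alpha1 on older driver releases
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: {{ .Values.spec.parameters.userAssignedIdentityID | quote }}
    keyvaultName: {{ .Values.spec.parameters.keyvaultName | quote }}
    tenantId: {{ .Values.spec.parameters.tenantId | quote }}
    objects: |
      array:
        - |
          objectName: DB-URL
          objectType: secret
          objectAlias: DB-URL   # becomes the file name under the mount path
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: {{ .Values.image | quote }}   # assumed values key
          # No env entry and no secretKeyRef: the application reads the secret
          # from /mnt/secrets-store/DB-URL at start-up.
          volumeMounts:
            - name: secrets-mount
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-mount
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: azure-keyvault
```

With this layout nothing is stored in etcd, so `kubectl get secret` and the portal's Secrets view stay empty; the value is only readable by processes in the pod (and by anyone who can `kubectl exec` into it or read the node's tmpfs, which is the remaining trust boundary). The application has to be taught to read `/mnt/secrets-store/DB-URL` instead of expecting `$env{DB-URL}`; if it only understands env-style placeholders, render settings.ini from the file in the container's entrypoint rather than exporting the secret as an environment variable, because environment variables are inherited by every child process and show up in `kubectl describe pod` when set via `env[].value`. The file is written when the pod starts, so a rotated Key Vault value is not picked up until the pod restarts unless secret rotation is enabled on the driver.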


1 Answer

I am still looking for a better answer, but this is what I tried.

Deployed a small dummy deployment with all secrets mapped to a volume mount and environment variables, matching the SecretProviderClass. This creates the secrets in K8s.

Now deploying the Helm chart using those secrets works.

I know this is overhead to deploy unwanted things, and it needs to be highly available. But I could not find any workaround.

Looking for better answer!

Vishal answered Nov 20 '25 03:11
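The workaround above works because the Secrets Store CSI driver only creates the Secrets listed in `secretObjects` when a pod actually mounts the volume, and deletes them again once the last pod referencing the volume is gone. The following is an added example (not the answerer's manifest) of such a placeholder Deployment: it runs a pause container that does nothing except keep the CSI volume mounted. The names, labels and image tag are assumptions; the `azure-keyvault` class is the one from the question, with its `secretObjects` section kept.

```yaml
# Added example of the "dummy deployment" workaround, not the answerer's own manifest.
# Its only purpose is to hold the CSI volume mounted so that the driver keeps
# the `database-configs` Secret synced for other charts that use secretKeyRef.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keyvault-secret-keeper
spec:
  replicas: 2   # a single replica would drop the Secret during a node drain or rollout
  selector:
    matchLabels:
      app: keyvault-secret-keeper
  template:
    metadata:
      labels:
        app: keyvault-secret-keeper
    spec:
      containers:
        - name: pause
          image: registry.k8s.io/pause:3.9   # keeps the pod alive, runs no workload
          volumeMounts:
            - name: secrets-mount
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-mount
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: azure-keyvault   # the class that declares secretObjects
```

Two caveats a practitioner should keep in mind. First, this only solves the ordering problem (the Secret must exist before the consuming chart is installed); it does not address the original concern, because the synced Secret is still a normal Kubernetes Secret in etcd and remains visible in the portal and to anyone with `get secret` rights in the namespace. Second, the keeper is now part of the availability story: if all of its pods are gone at the moment a consuming pod is scheduled, that pod fails with a missing-Secret error, which is why the answer calls the workaround overhead that needs to be highly available. Reading the secret from the mounted file, with no `secretObjects` at all, avoids both issues.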