spec.secretObjects are not created correctly unless corresponding spec.parameters.objects are ordered first #2018

@james-wakefield-onetwo

Description

What steps did you take and what happened:

Given the following SecretProviderClass:

---
# Source: app/templates/ascp.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: ascp-secrets-web
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: foobar-redis-password
        objectType: secretsmanager
      - objectName: foobar-oauth2-google-client-id
        objectType: secretsmanager
      - objectName: foobar-oauth2-google-client-secret
        objectType: secretsmanager
  secretObjects:
  - secretName: oauth2-google-creds
    type: Opaque
    data:
    - objectName: foobar-oauth2-google-client-id
      key: clientID
    - objectName: foobar-oauth2-google-client-secret
      key: clientSecret

The Secret resource created from the specified secretObjects entry is:

apiVersion: v1
data:
  clientID: NTXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX29t
kind: Secret
metadata:
  creationTimestamp: "2026-03-30T23:29:36Z"
  labels:
    secrets-store.csi.k8s.io/managed: "true"
  name: oauth2-google-creds
  namespace: foobar
  ownerReferences:
  - apiVersion: apps/v1
    kind: ReplicaSet
    name: web-7fb8446c8f
    uid: 7c6f6486-42b2-494f-8f22-dbddd1632aff
  resourceVersion: "1006955349"
  uid: 89fbc10c-f96f-4a99-90d9-5c995e9f69c2
type: Opaque

What did you expect to happen:

data to contain both clientID and clientSecret, as per the SecretProviderClass

Anything else you would like to add:

I have a successful workaround of moving the spec.parameters.objects entries that are referenced in the secretObjects entry to the top, above the entry that is not referenced in secretObjects.

Which provider are you using:
AWS Secrets Manager

Environment:

  • Secrets Store CSI Driver version: (use the image tag): registry.k8s.io/csi-secrets-store/driver:v1.5.3
  • Kubernetes version: (use kubectl version):
Client Version: v1.34.1
Kustomize Version: v5.7.1
Server Version: v1.29.15-eks-3a10415
Warning: version difference between client (1.34) and server (1.29) exceeds the supported minor version skew of +/-1
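
A check for the symptom reported above, added here as an example (not code from the issue or from the driver project): it compares the keys each `secretObjects` entry declares with the keys present in the synced Secret, taking both as dicts parsed from `kubectl get -o json`. The sample input is constructed from the manifests in the issue; `audit` and `mounted_object_names` are hypothetical names, and entries are assumed to be referenced by `objectName` only.

```python
import json
import re
import sys

def mounted_object_names(spc):
    """Object names listed in spec.parameters.objects (a YAML string)."""
    objects = spc["spec"].get("parameters", {}).get("objects", "")
    return set(re.findall(r"^\s*-?\s*objectName:\s*[\"']?([^\"'\s#]+)", objects, re.M))

def audit(spc, secrets):
    """Return (secretName, key, problem) tuples; secrets maps name -> Secret dict."""
    mounted = mounted_object_names(spc)
    findings = []
    for so in spc["spec"].get("secretObjects", []):
        name = so["secretName"]
        declared = {d["key"]: d["objectName"] for d in so.get("data", [])}
        for key, obj in declared.items():
            if obj not in mounted:  # referenced object is never mounted
                findings.append((name, key, "objectName not in parameters.objects"))
        secret = secrets.get(name)
        if secret is None:
            findings.append((name, None, "Secret not found"))
            continue
        present = set(secret.get("data") or {})
        for key in sorted(set(declared) - present):  # the partial sync from the issue
            findings.append((name, key, "key missing from synced Secret"))
    return findings

# Constructed sample input mirroring the manifests in the issue (value is a placeholder).
SAMPLE_SPC = {"spec": {"provider": "aws", "parameters": {"objects": (
    "- objectName: foobar-redis-password\n  objectType: secretsmanager\n"
    "- objectName: foobar-oauth2-google-client-id\n  objectType: secretsmanager\n"
    "- objectName: foobar-oauth2-google-client-secret\n  objectType: secretsmanager\n")},
    "secretObjects": [{"secretName": "oauth2-google-creds", "type": "Opaque", "data": [
        {"objectName": "foobar-oauth2-google-client-id", "key": "clientID"},
        {"objectName": "foobar-oauth2-google-client-secret", "key": "clientSecret"}]}]}}
SAMPLE_SECRETS = {"oauth2-google-creds": {"data": {"clientID": "PLACEHOLDER"}}}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py spc.json secret.json
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            spc, sec = json.load(f1), json.load(f2)
        secrets = {sec["metadata"]["name"]: sec}
    else:
        spc, secrets = SAMPLE_SPC, SAMPLE_SECRETS
    for finding in audit(spc, secrets):
        print(finding)
```

Run against live objects, a non-empty result for a SecretProviderClass that lists every referenced object means the sync was partial, which is the condition a workload would otherwise discover only when the missing key is read.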

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.