Description
When installing the aws-secrets-store-csi-driver-provider as an EKS managed addon, setting secrets-store-csi-driver.syncSecret.enabled: true via configuration_values is accepted by the EKS API without error, but the configuration is not propagated to the bundled secrets-store-csi-driver Helm sub-chart. As a result, the required RBAC resources (ClusterRole secrets-store-csi-driver-secret-syncing and its binding) are never created, and syncing secrets to Kubernetes native Secrets does not work.
Steps to Reproduce
- Install the addon with the following configuration via Terraform (or aws eks create-addon):
  {
    "secrets-store-csi-driver": {
      "syncSecret": {
        "enabled": true
      }
    }
  }
- Confirm the config is stored in EKS:
  aws eks describe-addon \
    --cluster-name <cluster> \
    --addon-name aws-secrets-store-csi-driver-provider \
    --query 'addon.configurationValues' \
    --output text
  # Returns: {"secrets-store-csi-driver":{"syncSecret":{"enabled":true}}}
- Check that the RBAC was created:
  kubectl get clusterrole | grep secrets-store
  # Only shows: aws-secrets-store-csi-driver-provider-cluster-role
  # Missing: secrets-store-csi-driver-secret-syncing
Expected Behavior
The secrets-store-csi-driver-secret-syncing ClusterRole and ClusterRoleBinding should be created, enabling the CSI driver to sync mounted secrets as Kubernetes native Secrets via secretObjects in SecretProviderClass.
Actual Behavior
The ClusterRole secrets-store-csi-driver-secret-syncing is not created. The config is stored in the EKS addon API but appears to have no effect on the bundled secrets-store-csi-driver sub-chart.
Environment
- Addon version: v2.2.2-eksbuild.2
- EKS version: 1.32
- Region: eu-west-1
Additional Context
The secrets-store-csi-driver.syncSecret key is present in the addon's JSON configuration schema (as returned by aws eks describe-addon-configuration), which is why the API accepts the value without error:
  aws eks describe-addon-configuration \
    --addon-name aws-secrets-store-csi-driver-provider \
    --addon-version v2.2.2-eksbuild.2 \
    --query configurationSchema --output text | jq '.properties["secrets-store-csi-driver"]'
This suggests the schema is correctly defined but the value is not being forwarded to the sub-chart during Helm rendering.
Workaround
Manually apply the RBAC resources from the upstream chart:
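
The check from the reproduction steps, scripted so it can run over captured CLI output. This is an added example, not part of the original report and not the workaround manifest; it assumes the configuration values are JSON (as in the report), and the `kubectl ... -o json` documents embedded below are constructed samples. The binding is located by its `roleRef` rather than by name, since the report does not give the binding's name.

```python
import json

SYNC_ROLE = "secrets-store-csi-driver-secret-syncing"  # name taken from the report
PROVIDER_ROLE = "aws-secrets-store-csi-driver-provider-cluster-role"

def sync_secret_requested(configuration_values):
    """True if the stored addon config asks the sub-chart to enable syncSecret."""
    text = (configuration_values or "").strip()
    if text in ("", "None"):  # `--output text` prints None when nothing is set
        return False
    sub = json.loads(text).get("secrets-store-csi-driver") or {}
    return (sub.get("syncSecret") or {}).get("enabled") is True

def missing_sync_rbac(configuration_values, clusterroles_json, bindings_json):
    """Return the RBAC pieces that the config requests but the cluster lacks."""
    if not sync_secret_requested(configuration_values):
        return []
    roles = {i["metadata"]["name"] for i in json.loads(clusterroles_json)["items"]}
    bound = {
        b["roleRef"]["name"]
        for b in json.loads(bindings_json)["items"]
        if b["roleRef"]["kind"] == "ClusterRole"
    }
    missing = []
    if SYNC_ROLE not in roles:
        missing.append("ClusterRole/" + SYNC_ROLE)
    if SYNC_ROLE not in bound:
        missing.append("ClusterRoleBinding -> " + SYNC_ROLE)
    return missing

# Value returned by `aws eks describe-addon` in the report.
ADDON_CONFIG = '{"secrets-store-csi-driver":{"syncSecret":{"enabled":true}}}'
# Constructed stand-ins for `kubectl get clusterrole -o json` and
# `kubectl get clusterrolebinding -o json` on an affected cluster.
ROLES = json.dumps({"items": [{"metadata": {"name": PROVIDER_ROLE}}]})
BINDINGS = json.dumps({"items": [{
    "metadata": {"name": "constructed-provider-binding"},
    "roleRef": {"kind": "ClusterRole", "name": PROVIDER_ROLE},
}]})

if __name__ == "__main__":
    for item in missing_sync_rbac(ADDON_CONFIG, ROLES, BINDINGS):
        print("requested in addon config but missing in cluster:", item)
```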