Windows nodes support #131

Open
ibaki-p opened this issue Sep 29, 2022 · 9 comments
@ibaki-p

ibaki-p commented Sep 29, 2022

We are deploying a mix of Linux & Windows containers in an EKS cluster. Although the Kubernetes Secrets Store CSI Driver supports both Linux & Windows, this AWS provider does not seem to support Windows. Is that the case? Any workaround you can think of? Thanks

@jbct

jbct commented Jan 17, 2023

Hi ibaki-p. Could we get some more information on your deployment configuration?

@mklinke

mklinke commented Feb 15, 2023

@jbct I'm not ibaki-p and don't have any information about their setup. However, I have the same question and would be happy to share some (hopefully relevant) information about our setup.

We're using mostly Linux nodes and everything works fine for these. In addition, we're running a Windows node in the cluster to host a component in a more production-like scenario for testing. This component needs credentials to connect to another component and we would like to map the secrets to the Windows pod in the same way as it's working on Linux.

Let me know if you need further information. Thanks in advance for looking into this!

@ibaki-p
Author

ibaki-p commented Feb 15, 2023

Hi all, sorry about the delay. We decided to migrate our workloads to run on Linux only. If it can help, at the time I created this issue, we were deploying an EKS cluster that had both Linux managed nodes and Windows self-managed nodes. The workloads running on these nodes (a mix of Windows and Linux containers of course) required access to secrets in AWS Secrets Manager. We were therefore using the AWS Secrets Store CSI driver to mount secrets. It was working all well and good for the Linux workloads but not for the Windows workloads.

@saedx1

saedx1 commented Mar 5, 2023

@jbct I actually have a PR up to add support. Not much work once you figure out what's different for Windows (just some path separator thing and closing the file before renaming it). I did add a Dockerfile and added an image to the deployment/installer. It passes all the tests, and I've tested it on EKS with a Windows worker node, 6 different deployments, and mounted secrets as well as used them as env vars.

I'd appreciate it if the PR gets merged and if we get a public Windows Docker image on ECR.
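
An added example, not code from the PR or from the provider: a Go sketch of the two Windows differences named in the comment above (host path separators, and closing the temp file before renaming it), plus a check that the secret path stays inside the mount directory. The helper name `writeSecretFile`, the `db/password` path and the sample value are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// writeSecretFile is a hypothetical helper, not the provider's code.
// name is a slash-separated relative path such as "db/password".
func writeSecretFile(mountDir, name string, data []byte) (err error) {
	// Convert "/" to the host separator instead of concatenating strings.
	target := filepath.Join(mountDir, filepath.FromSlash(name))
	rel, err := filepath.Rel(mountDir, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("secret path %q is not inside the mount directory", name)
	}
	if err = os.MkdirAll(filepath.Dir(target), 0o700); err != nil {
		return err
	}
	// Temp file beside the target (CreateTemp uses mode 0600), so the
	// rename never crosses volumes.
	tmp, err := os.CreateTemp(filepath.Dir(target), ".tmp-*")
	if err != nil {
		return err
	}
	defer func() {
		if err != nil {
			tmp.Close() // returns an error if already closed; ignored
			os.Remove(tmp.Name())
		}
	}()
	if _, err = tmp.Write(data); err != nil {
		return err
	}
	// Close before rename: on Windows, renaming a file whose handle is
	// still open typically fails with a sharing violation; Linux allows it.
	if err = tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), target)
}

func main() {
	dir, _ := os.MkdirTemp("", "mount-") // constructed mount directory
	defer os.RemoveAll(dir)
	fmt.Println(writeSecretFile(dir, "db/password", []byte("constructed-value")))
}
```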

@jbct

jbct commented Mar 6, 2023

Thanks for the context everyone, and thanks Saed for the PR. At the moment, Secrets Manager doesn't plan on supporting Windows explicitly. However, you might be able to use the flag driver-writes-secrets which bypasses the plugin and may solve the issues you're encountering on the Windows platform. I'll leave this issue open as a feature request while we discuss future opportunities to expand support for the plugin.

@saedx1

saedx1 commented Mar 7, 2023

@jbct Can you elaborate more on this, please? Won't you still need it to be running on the Windows node regardless of who ends up writing?

@mhatreas

@jbct We are also facing similar challenges in using AWS Secrets Manager or AWS Parameter Store with EKS for our Windows pods running on a Windows worker node.
We have raised a support case with AWS Support too, but we are really looking forward to this feature, or in the meantime any alternate way we can achieve the desired results.

Could you kindly elaborate more on how to set the flag driver-writes-secrets to true?
We have enabled the CSI secret driver for Windows and it has its daemon set running on the Windows worker node of EKS, but the AWS provider daemon set is only running on the Linux worker node and is not available for Windows. How can we bypass the AWS provider and use direct integration with AWS Secrets/SSM Parameter Store just by using the CSI secret driver?

@simonmarty
Contributor

As of the latest Helm release, you should be able to set the pod affinity of the CSI Driver Provider to deploy to only non-Windows nodes. We're still investigating first-class Windows support.

@buckleyGI

Support for Windows pods would be great as we are also running a hybrid setup.

@simonmarty simonmarty changed the title Windows nodes support or workaround? Windows nodes support Sep 20, 2024