I want to use akv2k8s.io to add Key Vault secrets to Kubernetes, installed with the Helm chart.
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object type
  output:
    secret:
      name: my-secret-from-butfa # kubernetes secret name
      dataKey: secret-value # key to store object value in kubernetes secret
And my deployment file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: akvs-secret-app
  namespace: akv-test-butfa
  labels:
    app: akvs-secret-app
spec:
  selector:
    matchLabels:
      app: akvs-secret-app
  template:
    metadata:
      labels:
        app: akvs-secret-app
    spec:
      containers:
      - name: akv2k8s-env-test
        image: spvest/akv2k8s-env-test:2.0.1
        args: ["TEST_SECRET"]
        env:
        - name: TEST_SECRET
          value: "secret-inject@azurekeyvault" # ref to akvs
I have already created the key vault, named akv2k8s-butfa, with a secret in it, and I have set up the permissions for it.
$ kubectl -n akv-test get akvs
NAME          VAULT                VAULT OBJECT   SECRET NAME   SYNCHED   AGE
secret-sync   akv2k8s-test-butfa   mysecret                               6h26m
But I ran into a problem; when I look at the deployment logs, I see:
secret-inject@azurekeyvault
waiting forever...
Update:
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Fri, 29 Oct 2021 07:50:15 +0700
      Finished:     Fri, 29 Oct 2021 07:50:15 +0700
    Ready:          False
    Restart Count:  7
    Environment Variables from:
      my-secret-from-butfa  Secret  Optional: false
    Environment:    <none>
Interesting, I also played with akv2k8s this week :)
Did you create a role assignment for the kubelet identity on the Key Vault?
resource "azurerm_role_assignment" "akv_k8s_reader" {
  scope                = azurerm_key_vault.akv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}
or
export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export AKV_ID=$(az keyvault show -g <resource group> -n <akv name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "Key Vault Secrets User" --scope $AKV_ID
Note: your Azure Key Vault needs to have RBAC enabled.
I also noticed that you only need this form when you want the injector feature:
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object type
The output section of the AzureKeyVaultSecret is for using it as secret sync; in that case your pod manifest would look like this:
envFrom:
- secretRef:
    name: my-secret-from-butfa
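The answer describes two separate wiring models: the env-injector, where a container env value of the form `<AzureKeyVaultSecret name>@azurekeyvault` is resolved at pod start, and secret sync, where `spec.output.secret` makes the controller write a Kubernetes Secret that the pod consumes via `envFrom.secretRef`. The mismatch in the question (env value `secret-inject@azurekeyvault` while the object is named `secret-sync`) is exactly the kind of thing that leaves a pod waiting. The following checker is an added example, not code from akv2k8s or from the question or answer. It assumes the manifests are already loaded into plain Python dicts (for instance with `yaml.safe_load`) and that the namespace label `azure-key-vault-env-injection: enabled` is what turns the injector on for a namespace; the sample objects at the bottom are constructed for the example and mirror the shapes used in the question.

```python
"""Cross-check akv2k8s wiring between AzureKeyVaultSecret objects and a Deployment.

Added example (not akv2k8s code). Manifests are assumed to be plain dicts, as
produced by yaml.safe_load; the sample objects below are constructed.
"""

INJECT_SUFFIX = "@azurekeyvault"                # marker the env-injector resolves
INJECT_LABEL = "azure-key-vault-env-injection"  # namespace label enabling the injector (assumed)


def index_akvs(akvs_list):
    """Return (by_name, synced): by_name maps (ns, akvs-name) -> spec,
    synced maps (ns, kubernetes-secret-name) -> akvs-name for sync-mode objects."""
    by_name, synced = {}, {}
    for obj in akvs_list:
        ns = obj["metadata"].get("namespace", "default")
        name = obj["metadata"]["name"]
        by_name[(ns, name)] = obj["spec"]
        out = obj["spec"].get("output", {}).get("secret")
        if out:  # sync mode: the controller materialises a Kubernetes Secret
            synced[(ns, out["name"])] = name
    return by_name, synced


def check_deployment(deploy, akvs_list, namespace_labels=None):
    """List wiring problems for one Deployment; an empty list means consistent.

    namespace_labels: labels of the Deployment's namespace, if known; used only
    to flag injector references in a namespace where injection is not enabled.
    """
    by_name, synced = index_akvs(akvs_list)
    ns = deploy["metadata"].get("namespace", "default")
    problems, uses_injector = [], False
    for c in deploy["spec"]["template"]["spec"].get("containers", []):
        # Injector mode: "<name>@azurekeyvault" must name an AzureKeyVaultSecret in this namespace.
        for env in c.get("env", []):
            val = env.get("value")
            if isinstance(val, str) and val.endswith(INJECT_SUFFIX):
                uses_injector = True
                ref = val[: -len(INJECT_SUFFIX)]
                if (ns, ref) not in by_name:
                    problems.append(f"{c['name']}: env {env['name']} references AzureKeyVaultSecret "
                                    f"'{ref}' but no such object exists in namespace '{ns}'")
        # Sync mode: envFrom.secretRef must be a Secret some AzureKeyVaultSecret outputs.
        for src in c.get("envFrom", []):
            sref = src.get("secretRef")
            if sref and (ns, sref["name"]) not in synced:
                problems.append(f"{c['name']}: envFrom secretRef '{sref['name']}' is not the output "
                                f"of any AzureKeyVaultSecret in namespace '{ns}' (missing spec.output?)")
    if uses_injector and namespace_labels is not None and namespace_labels.get(INJECT_LABEL) != "enabled":
        problems.append(f"namespace '{ns}' lacks label {INJECT_LABEL}=enabled; injector refs will not resolve")
    return problems


# --- constructed sample manifests ---------------------------------------------------------
AKVS_SYNC = {
    "apiVersion": "spv.no/v2beta1", "kind": "AzureKeyVaultSecret",
    "metadata": {"name": "secret-sync", "namespace": "akv-test-butfa"},
    "spec": {"vault": {"name": "akv2k8s-butfa", "object": {"name": "myusername", "type": "secret"}},
             "output": {"secret": {"name": "my-secret-from-butfa", "dataKey": "secret-value"}}},
}


def make_deployment(env=None, env_from=None):
    """Build a minimal one-container Deployment dict (helper for the samples)."""
    container = {"name": "app", "image": "example/app:1"}
    if env:
        container["env"] = env
    if env_from:
        container["envFrom"] = env_from
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "akvs-secret-app", "namespace": "akv-test-butfa"},
            "spec": {"template": {"spec": {"containers": [container]}}}}


# Injector reference to a name that is not an AzureKeyVaultSecret (as in the question).
BAD_INJECT = make_deployment(env=[{"name": "TEST_SECRET", "value": "secret-inject@azurekeyvault"}])
# Injector reference to the real object name.
GOOD_INJECT = make_deployment(env=[{"name": "TEST_SECRET", "value": "secret-sync@azurekeyvault"}])
# Sync mode: consume the Secret the controller writes.
GOOD_SYNC = make_deployment(env_from=[{"secretRef": {"name": "my-secret-from-butfa"}}])

if __name__ == "__main__":
    for label, d in (("bad-inject", BAD_INJECT), ("good-inject", GOOD_INJECT), ("good-sync", GOOD_SYNC)):
        print(label, check_deployment(d, [AKVS_SYNC], {INJECT_LABEL: "enabled"}) or "OK")
```

Run it against `kubectl get akvs,deploy -n <ns> -o json` output converted to dicts, and fix every reported mismatch before looking at the Key Vault RBAC side; a role assignment cannot help a pod whose env reference names an object that does not exist.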