
I want to use akv2k8s.io to add a key vault to Kubernetes using the Helm chart.

apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync 
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object type
  output: 
    secret: 
      name: my-secret-from-butfa # kubernetes secret name
      dataKey: secret-value # key to store object value in kubernetes secret

And my deployment file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: akvs-secret-app
  namespace: akv-test-butfa
  labels:
    app: akvs-secret-app
spec:
  selector:
    matchLabels:
      app: akvs-secret-app
  template:
    metadata:
      labels:
        app: akvs-secret-app
    spec:
      containers:
      - name: akv2k8s-env-test
        image: spvest/akv2k8s-env-test:2.0.1
        args: ["TEST_SECRET"]
        env:
        - name: TEST_SECRET
          value: "secret-inject@azurekeyvault" # ref to akvs

I have created the key vault named akv2k8s-butfa with the secret, and I have set the permissions for it.

$kubectl -n akv-test get akvs
NAME          VAULT                VAULT OBJECT   SECRET NAME   SYNCHED   AGE
secret-sync   akv2k8s-test-butfa   mysecret                               6h26m

But I have a problem:

secret-inject@azurekeyvault
waiting forever...

when I look at the deployment logs.

Update:

State:          Waiting
  Reason:       CrashLoopBackOff
Last State:     Terminated
  Reason:       Error
  Exit Code:    1
  Started:      Fri, 29 Oct 2021 07:50:15 +0700
  Finished:     Fri, 29 Oct 2021 07:50:15 +0700
Ready:          False
Restart Count:  7
Environment Variables from:
  my-secret-from-butfa  Secret  Optional: false
Environment:            <none>

1 Answer

Interestingly, I also played with akv2k8s this week :)

Did you create the role assignment for the kubelet identity on your key vault?

resource "azurerm_role_assignment" "akv_k8s_reader" {
  scope                = azurerm_key_vault.akv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

or

export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export AKV_ID=$(az keyvault show -g <resource group> -n <akv name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "Key Vault Secrets User" --scope $AKV_ID

Note: your Azure Key Vault needs RBAC enabled.

I also noticed that this is only needed if you want the injector functionality:

apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync 
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object 

The output in the AzureKeyVaultSecret is for using it as a secret sync; then your pod manifest would look like this:

  envFrom:
  - secretRef:
      name: my-secret-from-butfa

answered 2021-10-28T18:12:38.640
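The answer points at the root of the "waiting forever" symptom: the question's AzureKeyVaultSecret is written for sync mode (it has spec.output), but the pod asks for injection ("secret-inject@azurekeyvault"), and the names and namespaces in the kubectl output do not match the manifests either. Neither mode fails loudly on such a mismatch; the pod just never gets the secret. The script below is an added example written for this thread, not code from akv2k8s or from either poster. It cross-checks a list of AzureKeyVaultSecret objects against a Deployment: an `@azurekeyvault` env value must name an AzureKeyVaultSecret in the pod's namespace (an assumption about the reference format, consistent with the question's "# ref to akvs" comment), and an envFrom/secretRef must name a Secret that some AzureKeyVaultSecret's spec.output.secret produces in that namespace. The manifests are embedded as constructed dicts copied from the question so it runs offline; `with_secret_ref` rewrites the Deployment into the sync-mode shape the answer shows.

```python
"""Cross-check akv2k8s manifests before applying them.

Added example for this thread (not akv2k8s code). Two usage patterns from the
answer are modelled:
  * sync mode:   AzureKeyVaultSecret has spec.output.secret and the pod reads the
                 resulting Kubernetes Secret via envFrom/secretRef
  * inject mode: the pod env value is "<akvs-name>@azurekeyvault"; assumption:
                 the part before "@" is an AzureKeyVaultSecret in the pod's namespace
"""
import copy

INJECT_SUFFIX = "@azurekeyvault"

# Constructed from the manifests in the question (sample data, not read from a cluster).
AKVS = {
    "apiVersion": "spv.no/v2beta1",
    "kind": "AzureKeyVaultSecret",
    "metadata": {"name": "secret-sync", "namespace": "akv-test-butfa"},
    "spec": {
        "vault": {"name": "akv2k8s-butfa",
                  "object": {"name": "myusername", "type": "secret"}},
        "output": {"secret": {"name": "my-secret-from-butfa", "dataKey": "secret-value"}},
    },
}

DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "akvs-secret-app", "namespace": "akv-test-butfa"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "akv2k8s-env-test",
         "image": "spvest/akv2k8s-env-test:2.0.1",
         "env": [{"name": "TEST_SECRET", "value": "secret-inject@azurekeyvault"}]},
    ]}}},
}


def _ns(obj):
    """Namespace of a Kubernetes object, defaulting like kubectl does."""
    return obj["metadata"].get("namespace", "default")


def check_manifests(akvs_list, deployment):
    """Return a list of human-readable problems; an empty list means the references line up."""
    problems = []
    ns = _ns(deployment)
    # AzureKeyVaultSecret names visible to pods in this namespace (inject mode targets)
    akvs_names = {a["metadata"]["name"] for a in akvs_list if _ns(a) == ns}
    # Kubernetes Secrets that sync mode will actually create in this namespace
    synced_secrets = {
        a["spec"]["output"]["secret"]["name"]
        for a in akvs_list
        if _ns(a) == ns and "output" in a["spec"]
    }
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for env in c.get("env", []):
            value = env.get("value", "")
            if not value.endswith(INJECT_SUFFIX):
                continue
            ref = value[: -len(INJECT_SUFFIX)]
            if ref not in akvs_names:
                problems.append(
                    f"container {c['name']}: env {env['name']} injects from AzureKeyVaultSecret "
                    f"'{ref}', but no such object exists in namespace '{ns}' "
                    f"(found: {sorted(akvs_names) or 'none'})"
                )
        for src in c.get("envFrom", []):
            name = src.get("secretRef", {}).get("name")
            if name and name not in synced_secrets:
                problems.append(
                    f"container {c['name']}: envFrom secretRef '{name}' is not produced by any "
                    f"AzureKeyVaultSecret spec.output.secret in namespace '{ns}'"
                )
    return problems


def with_secret_ref(deployment, secret_name):
    """Copy of the deployment rewritten for sync mode: '@azurekeyvault' env entries
    are dropped and each container reads the synced Secret through envFrom/secretRef."""
    fixed = copy.deepcopy(deployment)
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        c["env"] = [e for e in c.get("env", [])
                    if not e.get("value", "").endswith(INJECT_SUFFIX)]
        c.setdefault("envFrom", []).append({"secretRef": {"name": secret_name}})
    return fixed


if __name__ == "__main__":
    for p in check_manifests([AKVS], DEPLOYMENT) or ["ok"]:
        print(p)
    print(check_manifests([AKVS], with_secret_ref(DEPLOYMENT, "my-secret-from-butfa")) or "ok")
```

Run against the question's manifests it reports one problem (the pod injects from "secret-inject", but the only AzureKeyVaultSecret is "secret-sync"); after `with_secret_ref` the references agree and the list is empty. Moving the AzureKeyVaultSecret to another namespace makes the same check fail again, which is the kind of mismatch that a `kubectl -n <ns> get akvs` with an empty SYNCHED column usually hides.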