secret-inject@azurekeyvault waiting forever

I want to use akv2k8s.io to bring Key Vault secrets into Kubernetes via its Helm chart.

apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync 
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object type
  output: 
    secret: 
      name: my-secret-from-butfa # kubernetes secret name
      dataKey: secret-value # key to store object value in kubernetes secret

And my deployment file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: akvs-secret-app
  namespace: akv-test-butfa
  labels:
    app: akvs-secret-app
spec:
  selector:
    matchLabels:
      app: akvs-secret-app
  template:
    metadata:
      labels:
        app: akvs-secret-app
    spec:
      containers:
      - name: akv2k8s-env-test
        image: spvest/akv2k8s-env-test:2.0.1
        args: ["TEST_SECRET"]
        env:
        - name: TEST_SECRET
          value: "secret-inject@azurekeyvault" # ref to akvs

I created the key vault named akv2k8s-butfa with the secret, and I have set up the permissions.

$kubectl -n akv-test get akvs
    NAME          VAULT                VAULT OBJECT   SECRET NAME   SYNCHED   AGE
    secret-sync   akv2k8s-test-butfa   mysecret                               6h26m

But I ran into this problem:

secret-inject@azurekeyvault
waiting forever...

when I look at the deployment logs.

Update:

State:          Waiting
  Reason:       CrashLoopBackOff
Last State:     Terminated
  Reason:       Error
  Exit Code:    1
  Started:      Fri, 29 Oct 2021 07:50:15 +0700
  Finished:     Fri, 29 Oct 2021 07:50:15 +0700
Ready:          False
Restart Count:  7
Environment Variables from:
  my-secret-from-butfa  Secret  Optional: false
Environment:            <none>

Interesting, I have been playing with akv2k8s this week too :)

Did you create a role assignment for the kubelet identity on your key vault?

resource "azurerm_role_assignment" "akv_k8s_reader" {
  scope                = azurerm_key_vault.akv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}

export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export AKV_ID=$(az keyvault show -g <resource group> -n <akv name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "Key Vault Secrets User" --scope $AKV_ID

Note: your Azure Key Vault needs RBAC enabled.

I also noticed that this is all you need when you only want the injector feature:

apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync 
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object 

The output section of the AzureKeyVaultSecret is for using it as a secret sync; your pod manifest would then look like this:

  envFrom:
  - secretRef:
      name: my-secret-from-butfa
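The two modes the answer contrasts (injector via an env value of the form `<AzureKeyVaultSecret name>@azurekeyvault`, sync via `spec.output.secret` plus an `envFrom.secretRef`) each tie the Deployment to the AzureKeyVaultSecret by a name that must match exactly, in the same namespace. The following added example, which is not part of the question or the answer and not akv2k8s project code, is a small pre-flight checker that cross-validates those references before anything is applied. The JSON samples are constructed to mirror the manifests quoted in the question, shaped like the output of `kubectl get akvs,deploy -n <ns> -o json`; the `?<key>` suffix handling for injected values follows the akv2k8s env-injection syntax.

```python
import json

# Constructed sample shaped like `kubectl get akvs -n akv-test-butfa -o json`
# (not real cluster output); values mirror the AzureKeyVaultSecret in the question.
AKVS_JSON = """
{"items": [
  {"apiVersion": "spv.no/v2beta1", "kind": "AzureKeyVaultSecret",
   "metadata": {"name": "secret-sync", "namespace": "akv-test-butfa"},
   "spec": {"vault": {"name": "akv2k8s-butfa",
                      "object": {"name": "myusername", "type": "secret"}},
            "output": {"secret": {"name": "my-secret-from-butfa",
                                  "dataKey": "secret-value"}}}}
]}
"""

# Constructed sample mirroring the Deployment in the question: the env value
# names an AzureKeyVaultSecret called "secret-inject", the envFrom names the synced Secret.
DEPLOY_JSON = """
{"items": [
  {"apiVersion": "apps/v1", "kind": "Deployment",
   "metadata": {"name": "akvs-secret-app", "namespace": "akv-test-butfa"},
   "spec": {"template": {"spec": {"containers": [
      {"name": "akv2k8s-env-test",
       "env": [{"name": "TEST_SECRET", "value": "secret-inject@azurekeyvault"}],
       "envFrom": [{"secretRef": {"name": "my-secret-from-butfa"}}]}]}}}}
]}
"""

# Same Deployment with the env value pointing at the AzureKeyVaultSecret that actually exists.
FIXED_DEPLOY_JSON = DEPLOY_JSON.replace("secret-inject@azurekeyvault",
                                        "secret-sync@azurekeyvault")

INJECT_MARKER = "@azurekeyvault"


def index_akvs(akvs_list):
    """Map (namespace, name) -> AzureKeyVaultSecret object."""
    return {(a["metadata"]["namespace"], a["metadata"]["name"]): a for a in akvs_list}


def synced_secret_names(akvs_list):
    """Map (namespace, output Secret name) -> akvs name, for sync-mode objects only."""
    out = {}
    for a in akvs_list:
        secret = a.get("spec", {}).get("output", {}).get("secret", {})
        if secret.get("name"):
            out[(a["metadata"]["namespace"], secret["name"])] = a["metadata"]["name"]
    return out


def check_deployment(deploy, akvs_list):
    """Return a list of human-readable findings for one Deployment."""
    findings = []
    ns = deploy["metadata"]["namespace"]
    by_name = index_akvs(akvs_list)
    by_secret = synced_secret_names(akvs_list)
    for c in deploy["spec"]["template"]["spec"].get("containers", []):
        # Injector mode: "<akvs-name>@azurekeyvault[?<key>]" must name an akvs in this namespace.
        for e in c.get("env", []):
            val = e.get("value", "")
            if INJECT_MARKER in val:
                ref = val.partition(INJECT_MARKER)[0]
                if (ns, ref) not in by_name:
                    findings.append(f"{c['name']}: env {e['name']} references AzureKeyVaultSecret "
                                    f"'{ref}', which does not exist in namespace {ns}")
        # Sync mode: envFrom.secretRef must match some akvs spec.output.secret.name.
        for ef in c.get("envFrom", []):
            name = ef.get("secretRef", {}).get("name")
            if name and (ns, name) not in by_secret:
                findings.append(f"{c['name']}: envFrom secretRef '{name}' is not produced by any "
                                f"AzureKeyVaultSecret output in namespace {ns}")
    return findings


def check_all(akvs_json, deploy_json):
    """Run the checks for every Deployment; returns {deployment name: [findings]}."""
    akvs_list = json.loads(akvs_json)["items"]
    deploys = json.loads(deploy_json)["items"]
    return {d["metadata"]["name"]: check_deployment(d, akvs_list) for d in deploys}


if __name__ == "__main__":
    for label, payload in (("as posted", DEPLOY_JSON), ("fixed", FIXED_DEPLOY_JSON)):
        for name, findings in check_all(AKVS_JSON, payload).items():
            print(f"[{label}] {name}:", "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run against the posted manifests it reports that `TEST_SECRET` points at an AzureKeyVaultSecret named `secret-inject` while the only object in the namespace is `secret-sync`; with the env value corrected it reports nothing. The check is purely structural and says nothing about Key Vault permissions, so the role assignment from the answer still has to be verified separately.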