Secret creation with SecretProviderClass not working as expected

Edit: this was a configuration error, I had set the wrong kv name :/

As the title says, I'm having problems creating a secret with SecretProviderClass.

I have created my aks and my kv on azure (and populated it). Then, using a user-assigned managed identity, I went on with those steps

but no secret resource gets created and the pods are stuck in creation because the mount fails.

These are the steps I followed

az extension add --name aks-preview
az extension update --name aks-preview
az aks enable-addons --addons azure-keyvault-secrets-provider -g $RESOURCE_GROUP -n $AKS_CLUSTER 
az aks update -g $RESOURCE_GROUP -n $AKS_CLUSTER --enable-managed-identity --disable-secret-rotation
$AKS_ID = (az aks show -g $RESOURCE_GROUP -n $AKS_CLUSTER --query identityProfile.kubeletidentity.clientId -o tsv)
az keyvault set-policy -n $AZUREKEYVAULT --secret-permissions get --spn $AKS_ID

The SecretProviderClass manifest I'm using

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  secretObjects:
  - secretName: akvsecrets
    type: Opaque
    data:
    - objectName: AzureSignalRConnectionString 
      key: AzureSignalRConnectionString
    - objectName: BlobStorageConnectionString 
      key: BlobStorageConnectionString
    - objectName: SqlRegistryConnectionString 
      key: SqlRegistryConnectionString
    - objectName: TokenSymmetricKey 
      key: TokenSymmetricKey
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: XXX # VMSS UserAssignedIdentity
    keyvaultName: "sampleaks001" # the name of the KeyVault
    objects:  |
      array:
        - |
          objectName: AzureSignalRConnectionString
          objectType: secret
        - |
          objectName: BlobStorageConnectionString
          objectType: secret
        - |
          objectName: SqlRegistryConnectionString
          objectType: secret
        - |
          objectName: TokenSymmetricKey
          objectType: secret
    resourceGroup: sample # [REQUIRED for version < 0.0.4] the resource group of the KeyVault
    subscriptionId: XXXX # [REQUIRED for version < 0.0.4] the subscription ID of the KeyVault
    tenantId: XXX # the tenant ID of the KeyVault  

And the deployment manifest

apiVersion: apps/v1
kind: Deployment
metadata:
  name: trm-api-test
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: trm-api-test
  template:
    metadata:
      labels:
        app: trm-api-test
    spec:
      nodeSelector:
        "kubernetes.io/os": linux
      containers:
      - name: trm-api-test
        image: nginx
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 80
        env:
        - name: AzureSignalRConnectionString
          valueFrom:
            secretKeyRef:
              name: akvsecrets
              key: AzureSignalRConnectionString
        - name: TokenSymmetricKey
          valueFrom:
            secretKeyRef:
              name: akvsecrets
              key: TokenSymmetricKey
        - name: BlobStorageConnectionString
          valueFrom:
            secretKeyRef:
              name: akvsecrets
              key: BlobStorageConnectionString
        - name: SqlRegistryConnectionString
          valueFrom:
            secretKeyRef:
              name: akvsecrets
              key: SqlRegistryConnectionString
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "azure-kvname"
---
apiVersion: v1
kind: Service
metadata:
  name: trm-api-service-test
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: trm-api-test
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP

I'm sure I'm missing something, but I don't understand what. Thanks in advance!

You are using the clientId, but it should be the objectId of the kubelet identity:

export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export AKV_ID=$(az keyvault show -g <resource group> -n <akv name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "Key Vault Secrets Officer" --scope $AKV_ID

This is the working SecretProviderClass I'm using (adapted to your configuration):

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  secretObjects:
  - data:
    - objectName: AzureSignalRConnectionString 
      key: AzureSignalRConnectionString
    - objectName: BlobStorageConnectionString 
      key: BlobStorageConnectionString
    - objectName: SqlRegistryConnectionString 
      key: SqlRegistryConnectionString
    - objectName: TokenSymmetricKey 
      key: TokenSymmetricKey
    secretName: akvsecrets
    type: Opaque
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: XXX # Kubelet Client Id ( Nodepool Managed Identity )
    keyvaultName: "sampleaks001" # the name of the KeyVault
    tenantId: XXX # the tenant ID of the KeyVault  
    objects:  |
      array:
        - |
          objectName: AzureSignalRConnectionString
          objectAlias: AzureSignalRConnectionString
          objectType: secret
        - |
          objectName: BlobStorageConnectionString
          objectAlias: BlobStorageConnectionString
          objectType: secret
        - |
          objectName: SqlRegistryConnectionString
          objectAlias: SqlRegistryConnectionString
          objectType: secret
        - |
          objectName: TokenSymmetricKey
          objectAlias: TokenSymmetricKey
          objectType: secret

You can also check the documentation here, as you will find better examples in the Azure docs.
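Both the question (pods stuck in creation, no Secret appearing) and the answer (identity parameters, objectAlias in the provider's objects list) come down to three places that must agree on the same names: the Key Vault objects the Azure provider fetches, the secretObjects the CSI driver syncs into a Kubernetes Secret, and the secretKeyRef entries the Deployment reads. The script below is an added example, not code from the question, the answer or the secrets-store-csi-driver project: it cross-checks a SecretProviderClass and a Deployment offline before they are applied. The manifests are constructed inline to mirror the ones on the page (the names azure-kvname, akvsecrets and sampleaks001 come from the page) and deliberately contain three mismatches so the checks are exercised; the tiny parser for the objects string only understands the `array: - |` shape the Azure provider uses, so no YAML library is needed.

```python
"""Offline consistency check for a SecretProviderClass + Deployment pair.

Added example (not from the page). It cross-checks the three places where a
Key Vault secret name has to agree:
  1. parameters.objects      - what the Azure provider fetches from Key Vault,
  2. secretObjects[].data    - what the CSI driver syncs into a Kubernetes Secret,
  3. Deployment secretKeyRef - what the container reads.
A mismatch in 1/2 makes the mount fail (pod stuck in ContainerCreating), and
the Secret is only created after a successful mount, so it never appears.
"""

# Constructed: the provider's `objects` string. TokenSymmetricKey is left out
# on purpose so the secretObjects check below fires.
OBJECTS_BLOCK = """\
array:
  - |
    objectName: AzureSignalRConnectionString
    objectAlias: AzureSignalRConnectionString
    objectType: secret
  - |
    objectName: BlobStorageConnectionString
    objectType: secret
"""

# Constructed SecretProviderClass mirroring the page; userAssignedIdentityID is
# intentionally empty so the identity check fires.
SECRET_PROVIDER_CLASS = {
    "metadata": {"name": "azure-kvname"},
    "spec": {
        "provider": "azure",
        "secretObjects": [{
            "secretName": "akvsecrets", "type": "Opaque",
            "data": [
                {"objectName": "AzureSignalRConnectionString", "key": "AzureSignalRConnectionString"},
                {"objectName": "BlobStorageConnectionString", "key": "BlobStorageConnectionString"},
                {"objectName": "TokenSymmetricKey", "key": "TokenSymmetricKey"},
            ],
        }],
        "parameters": {
            "useVMManagedIdentity": "true",
            "userAssignedIdentityID": "",
            "keyvaultName": "sampleaks001",
            "tenantId": "XXX",
            "objects": OBJECTS_BLOCK,
        },
    },
}

# Constructed Deployment: SqlRegistryConnectionString is read from the Secret
# although no secretObjects entry produces that key.
DEPLOYMENT = {
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "trm-api-test",
            "env": [
                {"name": "AzureSignalRConnectionString",
                 "valueFrom": {"secretKeyRef": {"name": "akvsecrets", "key": "AzureSignalRConnectionString"}}},
                {"name": "TokenSymmetricKey",
                 "valueFrom": {"secretKeyRef": {"name": "akvsecrets", "key": "TokenSymmetricKey"}}},
                {"name": "SqlRegistryConnectionString",
                 "valueFrom": {"secretKeyRef": {"name": "akvsecrets", "key": "SqlRegistryConnectionString"}}},
            ],
        }],
        "volumes": [{
            "name": "secrets-store-inline",
            "csi": {"driver": "secrets-store.csi.k8s.io", "readOnly": True,
                    "volumeAttributes": {"secretProviderClass": "azure-kvname"}},
        }],
    }}},
}


def parse_objects_block(text):
    """Parse the provider's `objects` string (YAML embedded in YAML) into dicts.

    Minimal on purpose: a new entry starts at each `- |`, and every following
    `key: value` line belongs to that entry.
    """
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "- |":
            entries.append({})
        elif ":" in stripped and entries:
            key, _, value = stripped.partition(":")
            entries[-1][key.strip()] = value.strip()
    return entries


def mounted_file_names(spc):
    """File names the driver writes under mountPath: objectAlias wins over objectName."""
    objs = parse_objects_block(spc["spec"]["parameters"]["objects"])
    return {o.get("objectAlias") or o.get("objectName") for o in objs}


def lint(spc, deployment):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    params = spc["spec"]["parameters"]
    # Identity: with useVMManagedIdentity the provider needs the client ID of the
    # identity that was granted access to the vault (see the answer above).
    if params.get("useVMManagedIdentity") == "true" and not params.get("userAssignedIdentityID"):
        findings.append("useVMManagedIdentity is true but userAssignedIdentityID is empty")
    if not params.get("keyvaultName"):
        findings.append("keyvaultName is missing")
    # Every key synced into the Kubernetes Secret must come from a mounted object.
    mounted = mounted_file_names(spc)
    synced = {}  # secretName -> set of keys the driver will populate
    for so in spc["spec"].get("secretObjects", []):
        keys = set()
        for item in so["data"]:
            if item["objectName"] not in mounted:
                findings.append(f"secretObjects references {item['objectName']!r} "
                                "which is not in parameters.objects")
            keys.add(item["key"])
        synced[so["secretName"]] = keys
    # The Deployment must read only synced keys and mount this very class.
    pod = deployment["spec"]["template"]["spec"]
    for c in pod["containers"]:
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if not ref:
                continue
            if ref["name"] not in synced:
                findings.append(f"env {env['name']} reads Secret {ref['name']!r} "
                                "which no secretObjects entry produces")
            elif ref["key"] not in synced[ref["name"]]:
                findings.append(f"env {env['name']} reads key {ref['key']!r} "
                                f"which Secret {ref['name']!r} does not contain")
    for vol in pod.get("volumes", []):
        csi = vol.get("csi", {})
        if csi.get("driver") == "secrets-store.csi.k8s.io" and \
                csi.get("volumeAttributes", {}).get("secretProviderClass") != spc["metadata"]["name"]:
            findings.append(f"volume {vol['name']} points at a different SecretProviderClass")
    return findings


if __name__ == "__main__":
    for f in lint(SECRET_PROVIDER_CLASS, DEPLOYMENT):
        print("FINDING:", f)
```

Run it as-is and it reports the three constructed mismatches; run it against your own manifests by replacing the two dicts. It cannot verify the part that actually bit the question author (a vault name that does not exist) or the role assignment on the vault, since both live in Azure, but it catches every name mismatch between the three manifests before a pod ever tries to mount the volume.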