I am new to Kubernetes and I am facing an issue getting a secret from the Key Vault. Basically I want to deploy a container that has a secret (a Service Bus connection string) which is stored in Azure Key Vault, so I need to access that secret from Azure Key Vault. In this sample YAML I have hard-coded the secret SERVICEBUS_CONNECTIONSTRING. A sample YAML would help us.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-deployment
  strategy: {}
  template:
    metadata:
      labels:
        app: nginx-deployment
    spec:
      containers:
      - image: nginx
        name: nginx
        env:
        - name: SERVICEBUS_CONNECTIONSTRING
          value: "Endpoint=sb://servicebus-keda-aks-03.servicebus.windows.net/;SharedAccessKeyName=keda-aks-01;SharedAccessKey=lsTj32UdliVMlHYJhbSdKcEZkqCSX FqClQWpBvr2da=;EntityPath=my-queue"
CodePudding user response:
I haven't tried it myself, but these pages describe what you need, if I am not mistaken:
- https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver
- https://samcogan.com/creating-kubernetes-secrets-from-azure-key-vault-with-the-csi-driver/
- https://shailender-choudhary.medium.com/access-secrets-from-azure-key-vault-in-azure-kubernetes-service-e8efffe49427
CodePudding user response:
Assuming you are using an AKS cluster, pulling secrets after the pods are created can get really messy. You may need to set permissions (service principals) for specific pods to access key vaults. Or you may need to configure a CNI on your cluster, depending on the networking policy used when creating the AKS cluster.
A better way is to store these in Kubernetes secrets. You could manually create them before deploying your pods. The following would work:
secret.yml:
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
type: Opaque
data:
  # every value under `data` must be base64-encoded (use `stringData` if you want to write plain text)
  username: U0JfQ09OTl9TVFI=   # base64 of "SB_CONN_STR"
  password: <base64 encoded connection string>
deployment.yml:
# pod template spec, i.e. .spec.template.spec of the Deployment
spec:
  containers:
  - name: mycontainer
    image: nginx
    env:
    - name: SERVICEBUS_CONNECTIONSTRING
      valueFrom:
        secretKeyRef:
          name: mysecret   # metadata.name of the Secret above, not a key inside it
          key: password    # the key that holds the connection string
Or, if you want to automate this, you can do it in your CI/CD job or pipeline by pulling the secrets from Key Vault as environment variables and then using a kubectl command to create the secret:
kubectl create secret generic mysecret \
--from-literal=username=SB_CONN_STR \
--from-literal=password='S!B\*d$zDsb='
Hope this helps.
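The pipeline step described in the answer above (pull the value from Key Vault, create the Kubernetes Secret with kubectl), written out as an added example; this is not code from the original answer. The vault name, Key Vault secret name and pipeline variable names (KEYVAULT_NAME, KEYVAULT_SECRET_NAME) are assumptions; the Kubernetes Secret is the `mysecret` from the answer. The manifest is rendered by a small shell function that does what `kubectl create secret generic --from-literal ... --dry-run=client -o yaml` does, so the helper can be tested without a cluster, and it refuses empty values so that a failed `az` lookup can never silently produce an empty secret.

```shell
#!/bin/sh
# Added example: CI/CD step that copies a Key Vault secret into a Kubernetes
# Secret. Assumed: az CLI already logged in (service principal or workload
# identity of the pipeline), kubectl pointed at the AKS cluster, and the
# hypothetical pipeline variables KEYVAULT_NAME / KEYVAULT_SECRET_NAME.
set -eu

# Base64-encode stdin onto a single line. GNU base64 wraps at 76 columns,
# which would corrupt a long connection string inside the manifest.
b64() {
  base64 | tr -d '\n'
}

# Kubernetes only accepts Secret data keys matching [-._a-zA-Z0-9]+.
valid_key() {
  case "$1" in
    '' | *[!._a-zA-Z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Render the same manifest that
#   kubectl create secret generic NAME --from-literal=KEY=VALUE --dry-run=client -o yaml
# would produce. Fails on an invalid key or an empty value.
render_secret_manifest() {
  name=$1; key=$2; value=$3
  if ! valid_key "$key"; then
    echo "render_secret_manifest: invalid Secret key '$key'" >&2
    return 1
  fi
  if [ -z "$value" ]; then
    echo "render_secret_manifest: refusing to create empty value for '$key'" >&2
    return 1
  fi
  encoded=$(printf '%s' "$value" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
type: Opaque
data:
  $key: $encoded
EOF
}

# Read one secret's current value from Key Vault (needs an authenticated az).
fetch_keyvault_secret() {
  az keyvault secret show --vault-name "$1" --name "$2" --query value -o tsv
}

main() {
  vault=${KEYVAULT_NAME:?}
  kv_secret=${KEYVAULT_SECRET_NAME:?}
  value=$(fetch_keyvault_secret "$vault" "$kv_secret")
  # Pipe the manifest straight into kubectl so the plaintext never lands on
  # disk or in the job log; `apply` keeps the step idempotent across runs.
  render_secret_manifest mysecret SERVICEBUS_CONNECTIONSTRING "$value" \
    | kubectl apply -f -
}

# Only contact Azure and the cluster when the pipeline variables are set, so
# the helpers above can be sourced and exercised offline.
if [ -n "${KEYVAULT_NAME:-}" ]; then
  main
fi
```

Run it as `KEYVAULT_NAME=my-vault KEYVAULT_SECRET_NAME=servicebus-connstr sh create-secret.sh` from the pipeline; the Deployment then reads the value with a `secretKeyRef` to `mysecret` / `SERVICEBUS_CONNECTIONSTRING` exactly as in the answer. Note that base64 is an encoding, not encryption: anyone who can `kubectl get secret` in that namespace can read the connection string, so restrict RBAC on Secrets and enable etcd encryption at rest on the cluster.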