get secret from azure key vault in kubernates deployment yaml file

Time:06-22

I am new to Kubernetes, and I am facing an issue getting a secret from the Key Vault. Basically I want to deploy a container that has a secret (a Service Bus connection string) which is stored in Azure Key Vault, so I need to access the secret from Azure Key Vault. In this sample YAML I have hard-coded the secret SERVICEBUS_CONNECTIONSTRING. A sample YAML would help us.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx-deployment
  strategy: {}
  template:
    metadata:
      labels:
        app: nginx-deployment
    spec:
      containers:
      - image: nginx
        name: nginx
        env:
        - name: SERVICEBUS_CONNECTIONSTRING 
          value: "Endpoint=sb://servicebus-keda-aks-03.servicebus.windows.net/;SharedAccessKeyName=keda-aks-01;SharedAccessKey=lsTj32UdliVMlHYJhbSdKcEZkqCSX FqClQWpBvr2da=;EntityPath=my-queue"

CodePudding user response:

I haven't tried it myself, but these pages describe what you need, if I am not mistaken:

CodePudding user response:

Assuming you are using an AKS cluster, pulling secrets after the pods are created can get really messy. You may need to set permissions (service principals) for specific pods to access Key Vaults. Or you may need to configure a CNI on your cluster, depending on the networking policy used while creating the AKS cluster.

A better way is to store these in Kubernetes Secrets. You could manually create them before deploying your pods. The below would work:

secret.yml:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret             # this is the name the Deployment's secretKeyRef must use
type: Opaque
data:                        # every value under data must be base64-encoded
  username: U0JfQ09OTl9TVFI=             # base64 of "SB_CONN_STR"
  password: <base64 encoded connection string>

deployment.yml:

spec:
  containers:
  - name: mycontainer
    image: nginx
    env:
      - name: SERVICEBUS_CONNECTIONSTRING
        valueFrom:
          secretKeyRef:
            name: mysecret   # the Secret's metadata.name, not one of its data keys
            key: password    # the data key that holds the connection string

OR

If you want to automate this, you can do it in your CI/CD job or pipeline by pulling secrets from Key Vault as environment variables and then using a kubectl command to create the secret.

kubectl create secret generic mysecret \
  --from-literal=username=SB_CONN_STR \
  --from-literal=password='S!B\*d$zDsb='

Hope this helps.
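The automation this answer describes, written out as an added example that is not part of the original post and not code from the Kubernetes or Azure projects: a POSIX shell script that reads the connection string from Key Vault with `az keyvault secret show`, renders a Secret manifest with the value base64-encoded, and checks that the Deployment's `secretKeyRef` names the Secret by its `metadata.name` (the mismatch that is easy to make in the manifests above). The vault name `my-vault`, the Key Vault secret `servicebus-conn`, the Secret `mysecret` and its key `servicebus-connectionstring` are hypothetical names chosen for this example; `KV_FETCH` is an example-only hook for running without Azure access.

```shell
#!/bin/sh
# Added example (not from the original answer): CI/CD-style Key Vault -> Kubernetes
# Secret pipeline. Vault "my-vault", Key Vault secret "servicebus-conn", Secret
# "mysecret" and key "servicebus-connectionstring" are hypothetical names.

# Read one secret value from Key Vault. For offline runs (or tests) KV_FETCH can name
# a function or command that takes <vault> <secret-name> and prints the value.
fetch_kv_secret() {
  vault="$1"
  name="$2"
  if [ -n "${KV_FETCH:-}" ]; then
    "$KV_FETCH" "$vault" "$name"
  else
    az keyvault secret show --vault-name "$vault" --name "$name" \
      --query value -o tsv
  fi
}

# Render an Opaque Secret manifest. Values under `data:` must be base64 on a single
# line; `tr -d '\n'` strips the 76-column wrapping that GNU base64 adds.
render_secret_manifest() {
  secret_name="$1"
  key="$2"
  value="$3"
  encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
    "$secret_name" "$key" "$encoded"
}

# Return 0 if some secretKeyRef in the manifest file names the given Secret.
# Catches the mistake of putting a data key or an arbitrary label where the
# Secret's metadata.name belongs.
deployment_references_secret() {
  manifest_file="$1"
  secret_name="$2"
  awk -v want="$secret_name" '
    /secretKeyRef:/ { inref = 1; next }
    inref && $1 == "name:" { if ($2 == want) found = 1; inref = 0 }
    END { exit found ? 0 : 1 }
  ' "$manifest_file"
}

# Full pipeline for a CI job: fetch, render, apply via stdin. Piping the manifest
# keeps the secret value off the kubectl command line (and out of process listings
# and shell history), which --from-literal does not. Runs only when invoked with
# the single argument "apply".
if [ "${1:-}" = "apply" ]; then
  value=$(fetch_kv_secret my-vault servicebus-conn)
  render_secret_manifest mysecret servicebus-connectionstring "$value" \
    | kubectl apply -f -
  deployment_references_secret deployment.yml mysecret \
    || { echo "deployment.yml does not reference Secret 'mysecret'" >&2; exit 1; }
fi
```

Run it as `sh kv-to-secret.sh apply` from a job that is already logged in with `az login` and has a kubeconfig for the cluster. Note that base64 is an encoding, not encryption: anyone who can read the Secret object (via RBAC, or from etcd if encryption at rest is not enabled) can recover the connection string, so the Secret needs the same access control the Key Vault entry had.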
