How to connect Azure-key-vault with a AKS pod?

余生颓废 submitted on 2021-01-28 11:19:01

Question


I have a Node.js application with a Dockerfile deployed in AKS with a Helm chart, and I have an Azure Key Vault with some keys in the Azure Portal, and I need to connect my running pod to that Key Vault.


Answer 1:


I use akv2k8s.

Akv2k8s contains two main components:

  1. The akv2k8s Controller syncs Azure Key Vault objects to Kubernetes as native Secrets.
  2. The akv2k8s Injector injects Azure Key Vault objects as environment variables directly into your application.

Diagram:

Before you start with the installation, I suggest reading the How it works? page.

Later on, follow the installation overview page in order to set up the environment.

In case you want to install akv2k8s with Helm, I created this code snippet for my CI/CD process:

# Create a dedicated namespace for akv2k8s
kubectl create ns akv2k8s

# Add Helm repository
helm repo add spv-charts http://charts.spvapi.no
helm repo update

# Install the Controller (and the "AzureKeyVaultSecret" CRD)
helm install azure-key-vault-controller spv-charts/azure-key-vault-controller --namespace akv2k8s

# Install the Env-Injector
helm install azure-key-vault-env-injector spv-charts/azure-key-vault-env-injector --set installCrd=false --namespace akv2k8s

Simple example:

cat << EOF | kubectl apply -f -
apiVersion: spv.no/v1alpha1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync
  namespace: ${K8S_NAMESPACE}          # shell variable syntax; $(...) inside an unquoted heredoc would run a command
spec:
  vault:
    name: ${KEY_VAULT_NAME}            # name of key vault
    object:
      name: ${KEY_VAULT_OBJECT_NAME}   # name of the akv object
      type: ${KEY_VAULT_TYPE}          # akv object type (secret, key or certificate)
EOF

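Added example, not from the original answer or the akv2k8s project: the same AzureKeyVaultSecret given an output section so the Controller writes a Kubernetes Secret, plus a Deployment for the Node.js app that reads it through secretKeyRef. The namespace myapp, vault my-keyvault, secret db-password and image myregistry.azurecr.io/nodeapp:1.0 are placeholder names.

```yaml
# Added example with placeholder names (myapp, my-keyvault, db-password,
# myregistry.azurecr.io/nodeapp:1.0); not code from the original answer.
apiVersion: spv.no/v1alpha1
kind: AzureKeyVaultSecret
metadata:
  name: db-password-sync
  namespace: myapp
spec:
  vault:
    name: my-keyvault            # Azure Key Vault name
    object:
      name: db-password          # Key Vault secret name
      type: secret               # secret | key | certificate
  output:
    secret:
      name: db-password          # Kubernetes Secret the Controller creates
      dataKey: value             # key inside that Secret holding the value
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nodeapp
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nodeapp
  template:
    metadata:
      labels:
        app: nodeapp
    spec:
      containers:
        - name: nodeapp
          image: myregistry.azurecr.io/nodeapp:1.0
          env:
            # The pod only sees the synced Kubernetes Secret; it holds no
            # Key Vault credentials itself, so RBAC on the Secret is what
            # limits who can read the value inside the cluster.
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-password
                  key: value
```

After applying, `kubectl get azurekeyvaultsecret -n myapp` and `kubectl get secret db-password -n myapp` confirm the sync, and the app reads `process.env.DB_PASSWORD`.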


Answer 2:


An alternative to the existing answer (and I think the existing answer is the way to go) would be using AAD Pod Identity. Basically, it's a way for you to have an identity for the application inside the pod. This way you don't have to micromanage the identity and don't have to pass credentials to the application (just use the internal endpoint), similar to managed identity in Azure outside of Kubernetes.



Source: https://stackoverflow.com/questions/62878289/how-to-connect-azure-key-vault-with-a-aks-pod
