我正在尝试将 Kubernetes 部署中的 Azure Key Vault 中的机密用作环境变量,但一直难以做到。我使用 Azure pod 标识,机密已安装到文件中,并且可行,但我希望它们可以作为环境变量访问。
这是我的 secrets.yml 文件:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: azure-kvname
spec:
provider: azure
secretObjects:
- secretName: test-secret
type: Opaque
data:
- objectName: test-db-user
key: dbuser
- objectName: test-db-pass
key: dbpassword
parameters:
usePodIdentity: "true"
keyvaultName: "test-keyvault"
cloudName: ""
objects: |
array:
- |
objectName: test-db-user
objectType: secret
objectVersion: ""
- |
objectName: test-db-pass
objectType: secret
objectVersion: ""
tenantId: "<tenantID>"
我的deployment.yml:
apiVersion: v1
kind: Pod
metadata:
name: nginx-secrets-store-inline
labels:
aadpodidbinding: aadpodidbinding
spec:
containers:
- name: nginx
image: nginx
volumeMounts:
- name: secrets-store-inline
mountPath: "/mnt/secrets-store"
readOnly: true
env:
- name: DB_USER
valueFrom:
secretKeyRef:
name: test-secret
key: dbuser
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: test-secret
key: dbpassword
volumes:
- name: secrets-store-inline
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: azure-kvname
当我应用这两个文件时,我得到了CreateContainerConfigError:Error: secret "test-secret" not found
答案1
事实证明,我没有启用正确的 RBAC 角色:
将它们添加到我的集群后,一切都运行正常。