I would like to use akv2k8s.io for adding Key Vault into Kubernetes using the Helm chart.

apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object type
  output:
    secret:
      name: my-secret-from-butfa # kubernetes secret name
      dataKey: secret-value # key to store object value in kubernetes secret
And my deployment file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: akvs-secret-app
  namespace: akv-test-butfa
  labels:
    app: akvs-secret-app
spec:
  selector:
    matchLabels:
      app: akvs-secret-app
  template:
    metadata:
      labels:
        app: akvs-secret-app
    spec:
      containers:
      - name: akv2k8s-env-test
        image: spvest/akv2k8s-env-test:2.0.1
        args: ["TEST_SECRET"]
        env:
        - name: TEST_SECRET
          value: "secret-inject@azurekeyvault" # ref to akvs
I have created a key vault named akv2k8s-butfa with a secret, and I have set permissions for it.

$ kubectl -n akv-test get akvs
NAME          VAULT                VAULT OBJECT   SECRET NAME   SYNCHED   AGE
secret-sync   akv2k8s-test-butfa   mysecret                               6h26m
But I got this issue when I look at the logs of the deployment:

secret-inject@azurekeyvault
waiting forever...
Update:

    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    1
      Started:      Fri, 29 Oct 2021 07:50:15 +0700
      Finished:     Fri, 29 Oct 2021 07:50:15 +0700
    Ready:          False
    Restart Count:  7
    Environment Variables from:
      my-secret-from-butfa  Secret  Optional: false
    Environment:    <none>
Funny, I also played with akv2k8s this week :)

Did you create a role assignment for the kubelet identity to your key vault?

resource "azurerm_role_assignment" "akv_k8s_reader" {
  scope                = azurerm_key_vault.akv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
}
or
export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export AKV_ID=$(az keyvault show -g <resource group> -n <akv name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "Key Vault Secrets User" --scope $AKV_ID
NOTE: Your Azure KeyVault needs RBAC enabled.
I also noticed that you only need this if you need the injector function:
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object type
The output section of the AzureKeyVaultSecret is for using it as a secret sync, and then your pod manifest would look like this:

envFrom:
- secretRef:
    name: my-secret-from-butfa
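As an added example (not part of the original question or answer, and not akv2k8s code), this Python script checks the two prerequisites the answer names: the kubelet identity holds "Key Vault Secrets User" on the vault, and the vault uses RBAC authorization. It parses the JSON that `az keyvault show`, `az aks show` and `az role assignment list` print, and also accepts a grant inherited from the resource group or subscription scope. The sample vault id, resource group and kubelet object id are constructed placeholders; `check_akv.py` is an assumed file name.

```python
import json
import subprocess
import sys

REQUIRED_ROLE = "Key Vault Secrets User"

# Constructed sample (not real Azure data): role granted at resource-group scope, inherited by the vault.
SAMPLE_KUBELET_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
SAMPLE_VAULT = {"id": SAMPLE_RG + "/providers/Microsoft.KeyVault/vaults/akv2k8s-butfa",
                "properties": {"enableRbacAuthorization": True}}
SAMPLE_ASSIGNMENTS = [{"roleDefinitionName": REQUIRED_ROLE,
                       "principalId": SAMPLE_KUBELET_ID, "scope": SAMPLE_RG}]

def rbac_enabled(vault):
    """Role assignments only take effect when the vault uses RBAC, not access policies."""
    return bool(vault.get("properties", {}).get("enableRbacAuthorization"))

def has_secrets_user_role(assignments, principal_id, vault_id):
    """True if REQUIRED_ROLE is granted to principal_id on the vault or on a parent scope."""
    vault_id = vault_id.lower().rstrip("/")
    for a in assignments:
        scope = a.get("scope", "").lower().rstrip("/")
        if (a.get("roleDefinitionName") == REQUIRED_ROLE
                and a.get("principalId", "").lower() == principal_id.lower()
                and (vault_id == scope or vault_id.startswith(scope + "/"))):
            return True
    return False

def az(*args):  # runs the az CLI (requires a logged-in az) and parses its JSON output
    return json.loads(subprocess.check_output(["az", *args, "-o", "json"]))

def main(rg, aks, akv):
    """Return the list of problems found; an empty list means both prerequisites hold."""
    vault = az("keyvault", "show", "-g", rg, "-n", akv)
    kube_id = az("aks", "show", "-g", rg, "-n", aks)["identityProfile"]["kubeletidentity"]["objectId"]
    # --include-inherited also returns grants made on the resource group or subscription
    assignments = az("role", "assignment", "list", "--assignee", kube_id,
                     "--scope", vault["id"], "--include-inherited")
    problems = []
    if not rbac_enabled(vault):
        problems.append("vault %s does not have RBAC authorization enabled" % akv)
    if not has_secrets_user_role(assignments, kube_id, vault["id"]):
        problems.append("kubelet identity %s lacks '%s' on the vault" % (kube_id, REQUIRED_ROLE))
    return problems

if __name__ == "__main__":  # usage: check_akv.py <resource group> <aks cluster name> <akv name>
    found = main(*sys.argv[1:4])
    print("\n".join(found) or "akv2k8s prerequisites look correct")
    sys.exit(1 if found else 0)
```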