
Kubernetes

secrets-store-csi-driver-provider-azure

https://github.com/Azure/secrets-store-csi-driver-provider-azure

The Azure Key Vault provider for the Secrets Store CSI driver fetches secrets, keys and certificates stored in an Azure Key Vault instance and uses the Secrets Store CSI driver interface to mount them into Kubernetes pods as files (and, optionally, to sync them into Kubernetes Secrets).

troubleshoot key-vault-csi-secrets-store-csi-driver

https://learn.microsoft.com/en-us/troubleshoot/azure/azure-kubernetes/extensions/troubleshoot-key-vault-csi-secrets-store-csi-driver

check secrets store provider logs

kubectl get pods \
    --selector 'app in (csi-secrets-store-provider-azure, secrets-store-provider-azure)' \
    --all-namespaces \
    --output wide
kubectl logs <provider-pod-name> --since=1h | grep ^E

Check Secrets Store CSI driver logs

kubectl get pods --selector app=secrets-store-csi-driver --all-namespaces --output wide
kubectl logs <driver-pod-name> --container secrets-store --since=1h | grep ^E

keyvault to aks container

https://medium.com/@bashaus/3-4-configuring-key-vault-to-expose-environment-variables-to-azure-kubernetes-services-48b633ec9e67

To expose a Key Vault secret to an AKS container, the following resources are involved:

  • An Azure Key Vault holding the keys, secrets or certificates.

  • An identity the provider can use to reach the vault: a service principal (or an AAD pod identity / workload identity) granted access to the vault through Role-Based Access Control (RBAC) or a vault access policy. Least privilege applies: "Key Vault Secrets User" (read) is enough, not Contributor.

  • A SecretProviderClass: a custom resource installed together with the Secrets Store CSI driver that describes which keys/secrets/certificates to pull from the Key Vault and, through its optional secretObjects stanza, which Kubernetes Secrets to sync them into.

  • A Secret: the built-in Kubernetes resource that stores secrets for use by other resources. It is generated automatically from the SecretProviderClass's secretObjects, but only once a pod actually mounts the CSI volume.

  • A deployment or pod that mounts the CSI volume and consumes the Secret (as files from the mount, or as env vars via secretKeyRef).

mount secret as env var

apiVersion: v1
kind: Pod
metadata:
  name: tfs-agent
spec:
  containers:
    - name: tfs-agent
      image: <image>
      env:
        - name: ENV_VAR_K8S_SECRET
          valueFrom:
            secretKeyRef:
              name: k8s-secret    # Secret names are DNS subdomains: lowercase, '-' and '.', no underscores
              key: name           # key inside the Secret's data map; the pod fails to start if it is missing

mount azure keyvault secret as env var

https://serverfault.com/questions/1075149/aks-with-azure-key-vault-env-variables-dont-load

secrets.yaml

apiVersion: secrets-store.csi.x-k8s.io/v1        # v1alpha1 is deprecated
kind: SecretProviderClass
metadata:
  name: azure-kv-secrets
  namespace: dev                                 # the consuming pod must live in this namespace
spec:
  provider: azure
  # Without secretObjects the provider only writes files into the CSI volume;
  # no Kubernetes Secret is created, so secretKeyRef env vars have nothing to read.
  # Syncing also requires the driver to be installed with syncSecret.enabled=true.
  secretObjects:
    - secretName: db-creds
      type: Opaque
      data:
        - objectName: my-db-user                 # must match objectName (or objectAlias) below
          key: username
        - objectName: my-db-pass
          key: password
  parameters:
    usePodIdentity: "true"                       # AAD Pod Identity: the pod needs an aadpodidbinding label
    keyvaultName: "my-keyvault"
    objects: |
      array:
        - |
          objectName: my-db-user
          objectType: secret
          #objectAlias: user.json
          objectVersion: ""                      # empty = latest version
        - |
          objectName: my-db-pass
          objectType: secret
          #objectAlias: pass.json
          objectVersion: ""
    tenantId: "<tenantID>"

azure SecretProviderClass not create k8s secret

https://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/714

  • set secrets-store-csi-driver.syncSecret.enabled=true when installing the driver and provider with helm; this also creates the RBAC that lets the driver create, update and delete Secrets, so without it syncing silently does nothing

  • install both driver and provider: the charts in this repo https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/master/charts/csi-secrets-store-provider-azure have the driver chart as a dependency and will install the driver and provider together

  • the SecretProviderClass must declare secretObjects, and a pod in the same namespace must actually mount the CSI volume; the Kubernetes Secret is created on the first mount and removed again when the last pod mounting it is gone: https://azure.github.io/secrets-store-csi-driver-provider-azure/docs/configurations/sync-with-k8s-secrets/#how-to-sync-mounted-content-with-kubernetes-secret
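The pod side of the setup, as an added example that is not from the page, the linked issue or the provider project. It ties the resource list above to the sync rules: the pod mounts the CSI volume (which is what triggers creation of the synced Secret) and then reads the synced Secret through secretKeyRef. It assumes the SecretProviderClass azure-kv-secrets in namespace dev from secrets.yaml above, and that its secretObjects declares a Secret named db-creds with keys username and password (an assumption; the page's own manifest does not show that stanza). The aadpodidbinding value kv-identity is also an assumption, standing for whatever AzureIdentityBinding selector was created for pod identity; with workload identity you would instead set serviceAccountName and the azure.workload.identity/use label.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: db-client
  namespace: dev                     # must match the SecretProviderClass namespace
  labels:
    aadpodidbinding: kv-identity     # assumed binding name; required because the SPC sets usePodIdentity: "true"
spec:
  containers:
    - name: app
      image: busybox:1.36            # placeholder image; replace with the real workload
      # Do not echo the env vars here: anything printed lands in pod logs.
      command: ["sh", "-c", "ls -l /mnt/secrets-store && sleep 3600"]
      env:
        - name: DB_USER
          valueFrom:
            secretKeyRef:
              name: db-creds         # synced Secret; exists only while a pod mounts the volume below
              key: username
        - name: DB_PASS
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: password
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-secrets
```

After kubectl apply -f, `kubectl -n dev get secret db-creds` should list the synced Secret while the pod runs; if it is absent, check the provider and driver logs with the commands at the top of this page. Two caveats worth keeping in mind: env var values are captured once at container start, so a rotated Key Vault secret only reaches the process after a pod restart, whereas the files under /mnt/secrets-store are refreshed if rotation is enabled; and the synced Secret is an ordinary Kubernetes Secret, readable by anyone with `get secrets` in the dev namespace, so scope that RBAC tightly and prefer reading the mounted files when the application can.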