[英]How to connect Azure-key-vault with a AKS pod?
I have nodeJs application with docker file deployed in AKS with HelmChart, and I have azure key vault with some keys in Azure Portal and I need to connect my running POD with that KeyVault.我有带有 docker 文件的 nodeJs 应用程序,在 AKS 中使用 HelmChart 部署,我有 azure 密钥保管库,其中一些密钥在 Azure 需要连接我的 P
Akv2k8s contains two main components: Akv2k8s 包含两个主要组件:
Diagram:图表:
Before you start with the installation I suggest to read How it works?在开始安装之前,我建议阅读它是如何工作的? page.
页。
Later on, Follow installation overview page in order to set up the environment.稍后,按照安装概述页面设置环境。
In case you want to install akv2k8s with helm.如果你想用 helm 安装 akv2k8s。 I created this code snippet for my CI\CD process:
我为我的 CI\CD 进程创建了这个代码片段:
# Create a dedicated namespace for akv2k8s
kubectl create ns akv2k8s
# Add Helm repository
helm repo add spv-charts http://charts.spvapi.no
helm repo update
# Install the Controller (and the "AzureKeyVaultSecret" CRD)
helm install azure-key-vault-controller spv-charts/azure-key-vault-controller --namespace akv2k8s
# Install the Env-Injector
helm install azure-key-vault-env-injector spv-charts/azure-key-vault-env-injector --set installCrd=false --namespace akv2k8s
cat << EOF | kubectl apply -f -
apiVersion: spv.no/v1alpha1
kind: AzureKeyVaultSecret
metadata:
name: secret-sync
namespace: $(K8S_NAMESPACE)
spec:
vault:
name: ${KEY_VAULT_NAME} # name of key vault
object:
name: $(KEY_VALUT_OBJECT_NAME) # name of the akv object
type: $(KEY_VALUT_TYPE) # akv object type
EOF
An alternative to existing answer (and I think this existing answer is the way to go) would be using AAD Pod Identity .现有答案的替代方案(我认为这个现有答案是可行的方法)将使用AAD Pod Identity 。 Basically its a way for you to have an identity for the application inside the pod.
基本上,它是一种让您在 pod 内拥有应用程序身份的方式。 This way you dont have to micromanage the identity and dont have to pass credentials to the application (just use the internal endpoint).
这样您就不必对身份进行微观管理,也不必将凭据传递给应用程序(只需使用内部端点)。 Similarly to the managed identity in Azure outside of kubernetes.
与 kubernetes 之外的 Azure 中的托管标识类似。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.