Mounting AWS Secrets Manager on Kubernetes/Helm chart
I have created an apps cluster deployment on AWS EKS that is deployed using Helm. For proper operation of my app, I need to set env variables, which are secrets stored in AWS Secrets Manager. Referencing a tutorial, I set up my values in the values.yaml file somewhat like this:
secretsData:
  secretName: aws-secrets
  providerName: aws
  objectName: CodeBuild
Now I have created a secret provider class as AWS recommends, secret-provider.yaml:
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-secret-provider-class
spec:
  provider: {{ .Values.secretsData.providerName }}
  parameters:
    objects: |
      - objectName: "{{ .Values.secretsData.objectName }}"
        objectType: "secretsmanager"
        jmesPath:
          - path: SP1_DB_HOST
            objectAlias: SP1_DB_HOST
          - path: SP1_DB_USER
            objectAlias: SP1_DB_USER
          - path: SP1_DB_PASSWORD
            objectAlias: SP1_DB_PASSWORD
          - path: SP1_DB_PATH
            objectAlias: SP1_DB_PATH
  secretObjects:
    - secretName: {{ .Values.secretsData.secretName }}
      type: Opaque
      data:
        - objectName: SP1_DB_HOST
          key: SP1_DB_HOST
        - objectName: SP1_DB_USER
          key: SP1_DB_USER
        - objectName: SP1_DB_PASSWORD
          key: SP1_DB_PASSWORD
        - objectName: SP1_DB_PATH
          key: SP1_DB_PATH
I mount this secret object in my deployment.yaml; the relevant section of the file looks like this:
volumeMounts:
  - name: secrets-store-volume
    mountPath: "/mnt/secrets"
    readOnly: true
env:
  - name: SP1_DB_HOST
    valueFrom:
      secretKeyRef:
        name: {{ .Values.secretsData.secretName }}
        key: SP1_DB_HOST
  - name: SP1_DB_PORT
    valueFrom:
      secretKeyRef:
        name: {{ .Values.secretsData.secretName }}
        key: SP1_DB_PORT
Further down in the same deployment file, I define secrets-store-volume as:
volumes:
  - name: secrets-store-volume
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: aws-secret-provider-class
All drivers are installed into the cluster and permissions are set accordingly. With helm install mydeployment helm-folder/ --dry-run I can see all the files and values are populated as expected. Then with helm install mydeployment helm-folder/ I install the deployment into my cluster, but with kubectl get all I can see the pod is stuck at Pending with the warning Error: 'aws-secrets' not found and eventually it times out. In the AWS CloudTrail log, I can see that the cluster made a request to access the secret and there was no error fetching it. How can I solve this or maybe debug it further?

Thank you for your time and efforts.
Error: 'aws-secrets' not found - looks like the CSI driver isn't creating the Kubernetes secret that you're using to reference values.

Since the yaml files look correct, I would say it's probably the CSI driver configuration "Sync as Kubernetes secret" - syncSecret.enabled (which is false by default).

So make sure that secrets-store-csi-driver runs with this flag set to true, for example:
helm upgrade --install csi-secrets-store \
--namespace kube-system secrets-store-csi-driver/secrets-store-csi-driver \
--set grpcSupportedProviders="aws" --set syncSecret.enabled="true"
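An added offline check (example code written for this page, not from the question, the answer, or the secrets-store-csi-driver project): once the driver is installed with syncSecret.enabled=true, the remaining "not found" failures come from the rendered manifests disagreeing with each other, so this script lints helm template output using only the standard library. It verifies that every secretKeyRef names a Secret some SecretProviderClass declares under secretObjects, that the pod mounts a CSI volume for that class (the driver creates the synced Secret only while a pod mounts the volume, so a pod that references the Secret without the volume never gets it), and that the referenced key exists in that Secret's data. The embedded manifests are constructed to mirror the question's rendered values; they reproduce a mismatch that is already visible in the question's own YAML, where the deployment reads key SP1_DB_PORT but the SecretProviderClass defines no such key. The parser is a deliberately small line-based one that assumes the two-space indentation Helm renders.

```python
"""Offline consistency check for secrets-store-csi-driver manifests.

Added example, not code from the question or the answer. Run it over the
output of `helm template` to catch, before deploying, the mismatches that
surface at runtime as "secret 'x' not found" or "couldn't find key".
Stdlib only; the line-based parser assumes two-space indented YAML.
"""
import re

KV = re.compile(r"^(\s*)(?:-\s+)?([A-Za-z_][\w./-]*):\s*(.*?)\s*$")
WORKLOADS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob", "Pod"}

def kv(line):
    """(indent, key, value) for a 'key: value' line, else None."""
    m = KV.match(line)
    return (len(m[1]), m[2], m[3].strip("\"'")) if m else None

def split_docs(text):
    """Split a multi-document YAML stream on '---' separators."""
    docs = [[]]
    for line in text.splitlines():
        docs.append([]) if line.strip() == "---" else docs[-1].append(line)
    return [d for d in docs if d]

def parse_spc(lines):
    """Return (class name, {secretName: {keys}}) from spec.secretObjects."""
    name, secrets, cur, inside, depth = None, {}, None, False, 0
    for ind, key, val in filter(None, map(kv, lines)):
        if key == "name" and name is None:
            name = val                        # metadata.name
        elif key == "secretObjects":
            inside, depth = True, ind
        elif inside and ind <= depth:
            inside = False                    # left the secretObjects block
        elif inside and key == "secretName":
            cur = secrets.setdefault(val, set())
        elif inside and key == "key" and cur is not None:
            cur.add(val)                      # secretObjects[].data[].key
    return name, secrets

def parse_workload(lines):
    """Return (secretKeyRef (name, key) pairs, SecretProviderClass names mounted)."""
    refs, classes, ref, depth = [], set(), None, 0
    for ind, key, val in filter(None, map(kv, lines)):
        if ref is not None and ind <= depth:  # secretKeyRef block ended
            refs.append((ref.get("name"), ref.get("key")))
            ref = None
        if key == "secretKeyRef":
            ref, depth = {}, ind
        elif ref is not None:
            ref[key] = val
        elif key == "secretProviderClass":
            classes.add(val)                  # csi.volumeAttributes.secretProviderClass
    if ref is not None:
        refs.append((ref.get("name"), ref.get("key")))
    return refs, classes

def check(manifest):
    """Return a list of findings; an empty list means the manifests agree."""
    spcs, workloads, findings = {}, [], []
    for doc in split_docs(manifest):
        kind = next((v for i, k, v in filter(None, map(kv, doc)) if i == 0 and k == "kind"), None)
        if kind == "SecretProviderClass":
            name, secrets = parse_spc(doc)
            spcs[name] = secrets
        elif kind in WORKLOADS:
            workloads.append((kind, *parse_workload(doc)))
    synced = {s: cls for cls, secrets in spcs.items() for s in secrets}  # Secret -> class
    for kind, refs, classes in workloads:
        for cls in sorted(classes - set(spcs)):
            findings.append(f"{kind}: mounts SecretProviderClass {cls!r} that is not in the rendered manifests")
        for sname, key in refs:
            cls = synced.get(sname)
            if cls is None:
                findings.append(f"{kind}: secretKeyRef {sname}/{key}: no SecretProviderClass declares secretName {sname!r}, so the driver never creates that Secret")
            elif cls not in classes:
                findings.append(f"{kind}: secretKeyRef {sname}/{key}: {sname!r} is synced by {cls!r}, but this pod mounts no CSI volume for that class, and the Secret only exists while a pod mounts it")
            elif key not in spcs[cls][sname]:
                findings.append(f"{kind}: secretKeyRef {sname}/{key}: Secret {sname!r} has no key {key!r} in secretObjects data")
    return findings

# Constructed stand-in for `helm template` output, mirroring the question's values.
SAMPLE = """\
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: aws-secret-provider-class
spec:
  provider: aws
  parameters:
    objects: |
      - objectName: "CodeBuild"
        objectType: "secretsmanager"
        jmesPath:
          - path: SP1_DB_HOST
            objectAlias: SP1_DB_HOST
  secretObjects:
    - secretName: aws-secrets
      type: Opaque
      data:
        - objectName: SP1_DB_HOST
          key: SP1_DB_HOST
---
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: app
          env:
            - name: SP1_DB_HOST
              valueFrom:
                secretKeyRef:
                  name: aws-secrets
                  key: SP1_DB_HOST
            - name: SP1_DB_PORT
              valueFrom:
                secretKeyRef:
                  name: aws-secrets
                  key: SP1_DB_PORT
      volumes:
        - name: secrets-store-volume
          csi:
            driver: secrets-store.csi.k8s.io
            volumeAttributes:
              secretProviderClass: aws-secret-provider-class
"""

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```

Against real output, pipe helm template mydeployment helm-folder/ into check(). The one thing it cannot see is the cluster-side driver setting the answer points at (syncSecret.enabled); that still has to be confirmed on the cluster, since a consistent chart still produces no Secret when the driver is not allowed to sync one.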