
How to create a multi-key Kubernetes secret from an external secret?

I have an external secret storage - Azure Key Vault with a secret password.

I need to create a Kubernetes secret with multiple fields: password - only comes from an Azure Key Vault, username hardcoded, url hardcoded, with hardcoded annotations and labels.

Like this:

apiVersion: v1
kind: Secret
metadata:
  name: my-external-secret
  labels:
    mylable: external
  annotations:
    myannotation: external
type: Opaque
stringData:
  name: credentials
  url: https://example.com
  username: user
  password: <from-Azure-Key-Vault>

I use Azure Kubernetes Service if it matters.

The Azure Key Vault integration with AKS creates and controls the secret, so you won't be able to modify it.

I would suggest moving the non-KV secrets to their own secret, then in your deployment mount both secrets.

This can be easily achieved with the external-secrets software installed in a Kubernetes cluster. external-secrets supports many different secret storages including Azure Key Vault. external-secrets has a template engine and can generate a secret with multiple fields and labels and annotations.

Example: Connect with external-secrets to a Key Vault using managed identity

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: external-secrets-kv
  namespace: myspace
spec:
  provider:
    azurekv:
      authType: ManagedIdentity
      identityId: "<ManagedIdentityID>"
      vaultUrl: "https://<keyvault-name>.vault.azure.net"

Now let's create a template with annotations and labels and multiple fields:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: template-my-external-secret
  namespace: myspace
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: external-secrets-kv
  target:
    name: my-external-secret
    template:
      type: Opaque
      engineVersion: v2
      metadata:
        labels:
          mylable: external
        annotations:
          myannotation: external
      data:
        name: credentials
        url: https://example.com
        password: '{{ .password }}'
        username: '{{ .username }}'
  data:
  - secretKey: password
    remoteRef:
      key: azure-kv-password
  - secretKey: username
    remoteRef:
      key: azure-kv-username

Then external-secrets will create a real secret with username and password fields with values from Azure Key Vault.

apiVersion: v1
kind: Secret
metadata:
  name: my-external-secret
  namespace: myspace
  labels:
    mylable: external
  annotations:
    myannotation: external
type: Opaque
stringData:
  name: credentials
  url: https://example.com
  username: <from-Azure-Key-Vault>
  password: <from-Azure-Key-Vault>
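To make the mapping in the answer above concrete, here is an added Python model of what the external-secrets template step does: each spec.data entry's remoteRef.key is looked up in the vault, the fetched values are substituted into the `{{ .key }}` placeholders of target.template.data, hardcoded fields pass through untouched, and the result is emitted as a Kubernetes Secret with the template's labels, annotations and type, values base64-encoded under `data` as Kubernetes stores them. This is illustration code written for this page, not the external-secrets operator's own implementation; the vault contents (FAKE_VAULT) are constructed stand-in values, and the ExternalSecret is the one from the answer transcribed into a Python dict. A missing vault key or an unresolved placeholder raises instead of producing a Secret with an empty credential, which is the failure mode a practitioner most wants to notice early.

```python
import base64
import re

# Constructed stand-in for the Key Vault contents (not real secrets).
FAKE_VAULT = {
    "azure-kv-password": "s3cr3t-from-vault",
    "azure-kv-username": "svc-user",
}

# The ExternalSecret from the answer, transcribed as a dict (template-relevant parts only).
EXTERNAL_SECRET = {
    "metadata": {"name": "template-my-external-secret", "namespace": "myspace"},
    "spec": {
        "target": {
            "name": "my-external-secret",
            "template": {
                "type": "Opaque",
                "metadata": {
                    "labels": {"mylable": "external"},
                    "annotations": {"myannotation": "external"},
                },
                "data": {
                    "name": "credentials",
                    "url": "https://example.com",
                    "password": "{{ .password }}",
                    "username": "{{ .username }}",
                },
            },
        },
        "data": [
            {"secretKey": "password", "remoteRef": {"key": "azure-kv-password"}},
            {"secretKey": "username", "remoteRef": {"key": "azure-kv-username"}},
        ],
    },
}

# Matches the Go-template style placeholder `{{ .name }}` used by the template engine.
PLACEHOLDER = re.compile(r"\{\{\s*\.(\w+)\s*\}\}")


def resolve_remote_refs(external_secret, vault):
    """Map each spec.data[].secretKey to the value fetched from the vault."""
    resolved = {}
    for entry in external_secret["spec"]["data"]:
        remote_key = entry["remoteRef"]["key"]
        if remote_key not in vault:
            # Fail loudly: a Secret with a silently empty credential is worse than no Secret.
            raise KeyError(f"remoteRef key {remote_key!r} not found in vault")
        resolved[entry["secretKey"]] = vault[remote_key]
    return resolved


def render_template(template_data, values):
    """Substitute resolved values into placeholders; hardcoded fields pass through unchanged."""
    rendered = {}
    for field, text in template_data.items():
        def substitute(match):
            name = match.group(1)
            if name not in values:
                raise KeyError(f"template refers to {name!r}, which no spec.data entry provides")
            return values[name]
        rendered[field] = PLACEHOLDER.sub(substitute, text)
    return rendered


def build_secret(external_secret, vault):
    """Produce the Secret manifest the operator would write for this ExternalSecret."""
    target = external_secret["spec"]["target"]
    template = target["template"]
    values = resolve_remote_refs(external_secret, vault)
    plain = render_template(template["data"], values)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": target["name"],
            "namespace": external_secret["metadata"]["namespace"],
            "labels": dict(template["metadata"]["labels"]),
            "annotations": dict(template["metadata"]["annotations"]),
        },
        "type": template["type"],
        # Kubernetes stores Secret values base64-encoded under `data`.
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in plain.items()},
    }


def decode_secret(secret):
    """Decode a Secret's `data` map back to plain strings (what a mounted Pod would see)."""
    return {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}


if __name__ == "__main__":
    secret = build_secret(EXTERNAL_SECRET, FAKE_VAULT)
    print(secret["metadata"], secret["type"], decode_secret(secret))
```

Running the block prints the generated metadata and the decoded fields; the hardcoded `name` and `url` come straight from the template while `username` and `password` are the vault values, matching the Secret shown in the answer.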
