
Trying to pass secret from Azure KeyVault via Azure pipeline as env var to an app deployed on AKS

I am trying to get a secret named "ApplicationInsightsInstrumentationKey" from an Azure Key Vault and make it available as an environment variable to the well-known Microsoft Weather Forecast example ASP.NET Core application, which I deploy to AKS.

So in the Azure pipeline file I have these 2 tasks (the "Namespace" pipeline parameter value is "ccg-afarber-v3" and I use it for the overall secret name too. And the Key Vault is "ccg-afarber-v3-kv"):

- task: AzureKeyVault@2
  displayName: Read secrets from KV
  inputs:
    azureSubscription: $(armConnection)
    KeyVaultName: '${{ parameters.Namespace }}-kv'
    SecretsFilter: '*'
    RunAsPreJob: false

- task: AzureCLI@2
  displayName: Set secrets in AKS
  inputs:
    azureSubscription: $(armConnection)
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az aks get-credentials --resource-group ccg-config --name ccg-config-cluster
      kubectl delete 'secrets/${{ parameters.Namespace }}'
      kubectl create secret generic ${{ parameters.Namespace }} --from-literal=ApplicationInsightsInstrumentationKey=$(ApplicationInsightsInstrumentationKey)

The tasks succeed and I can see the secret in the AKS:

[Screenshot: Azure]

After that I try to deploy the app via the following pipeline task:

- task: KubernetesManifest@0
  displayName: Deploy to AKS
  inputs:
    action: deploy
    namespace: ${{ parameters.Namespace }}
    kubernetesServiceConnection: $(aksConnection)
    manifests: |
      $(Build.ArtifactStagingDirectory)/manifests/deployment.yml
      $(Build.ArtifactStagingDirectory)/manifests/service.yml
    containers: |
      $(containerRegistry)/$(imageRepository):$(imageTag)

The task is using the deployment.yml file listed below:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: exampleapplication
spec:
  replicas: 1
  selector:
    matchLabels:
      app: exampleapplication
  template:
    metadata:
      labels:
        app: exampleapplication 
    spec:
      containers:
        - name: exampleapplication 
          image: ccgconfigregistry.azurecr.io/exampleapplication:3a5e80a684c83e8037c2ccb07a45c8345501d154
          ports:
          - containerPort: 80
          env:
          - name: ApplicationInsightsInstrumentationKey
            valueFrom:
              secretKeyRef:
                name: ccg-afarber-v3
                key: ApplicationInsightsInstrumentationKey
                optional: false

Unfortunately, the deployment is stuck with:

# kubectl get pod --namespace ccg-afarber-v3
NAME                                 READY   STATUS                       RESTARTS   AGE
exampleapplication-c76448f49-hds2s   0/1     CreateContainerConfigError   0          19m

The kubectl describe pod --namespace ccg-afarber-v3 command prints:

Events:
  Type     Reason     Age                 From               Message
  ----     ------     ----                ----               -------
  Normal   Scheduled  20m                 default-scheduler  Successfully assigned ccg-afarber-v3/exampleapplication-c76448f49-hds2s to aks-nodepool1-84765107-vmss000003
  Warning  Failed     18m (x12 over 20m)  kubelet            Error: secret "ccg-afarber-v3" not found
  Normal   Pulled     17s (x97 over 20m)  kubelet            Container image "ccgconfigregistry.azurecr.io/exampleapplication:3a5e80a684c83e8037c2ccb07a45c8345501d154" already present on machine

I keep re-reading the docs:

but I don't understand why secret "ccg-afarber-v3" is not found.

I have found my mistake - I was creating the Kubernetes secret in the "default" namespace, while my app was trying to retrieve it in the "ccg-afarber-v3" namespace.

The following pipeline task with the added --namespace=ccg-afarber-v3 parameters has resolved my problem:

- task: AzureCLI@2
  displayName: Set secrets in AKS
  inputs:
    azureSubscription: $(armConnection)
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az aks get-credentials --resource-group ccg-config --name ccg-config-cluster
      kubectl delete 'secrets/${{ parameters.Namespace }}' --namespace=${{ parameters.Namespace }}
      kubectl create secret generic ${{ parameters.Namespace }} --from-literal=ApplicationInsightsInstrumentationKey=$(ApplicationInsightsInstrumentationKey) --namespace=${{ parameters.Namespace }}
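
An added example, not part of the original post: the same secret written as a manifest with an explicit `metadata.namespace` and applied idempotently, so it cannot land in "default" and the value never appears on the `kubectl` command line. The function names `render_secret` and `apply_secret` and the `APPINSIGHTS_KEY` environment variable are assumptions made for this sketch.

```bash
#!/bin/sh
# Added example; render_secret, apply_secret and APPINSIGHTS_KEY are assumed names.
set -eu

# Render a Secret manifest that pins the namespace in metadata.
# The value goes through the printf builtin and base64's stdin, so it is
# not exposed in the argument list of any external process.
render_secret() {
  ns="$1"; name="$2"; key="$3"; value="$4"
  b64=$(printf '%s' "$value" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  ${key}: ${b64}
EOF
}

# Apply the manifest (create or update, no delete/create gap), then confirm
# the secret is readable in the namespace the pod's secretKeyRef resolves in.
# kubectl get exits non-zero if the secret is missing from that namespace.
apply_secret() {
  render_secret "$@" | kubectl apply -f -
  kubectl get secret "$2" --namespace "$1" -o name
}

# Usage inside the pipeline's inline script, after az aks get-credentials:
#   apply_secret "$NS" "$NS" ApplicationInsightsInstrumentationKey "$APPINSIGHTS_KEY"
```

Because a pod can only reference secrets in its own namespace, the final `kubectl get` fails the pipeline step early instead of leaving the pod in `CreateContainerConfigError`.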
