Problem description
Per the title, I have the integration working following the documentation.
I can deploy the nginx.yaml and after about 70 seconds I can print out secrets with:
kubectl exec -it nginx -- cat /mnt/secrets-store/secret1
Now I'm trying to apply it to a PostgreSQL deployment for testing and I get the following from the Pod description:
Warning FailedMount 3s kubelet MountVolume.SetUp failed for volume "secrets-store01-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod staging/postgres-deployment-staging-69965ff767-8hmww, err: rpc error: code = Unknown desc = failed to mount objects, error: failed to get keyvault client: failed to get key vault token: nmi response failed with status code: 404, err: <nil>
And from the nmi logs:
E0221 22:54:32.037357 1 server.go:234] failed to get identities, error: getting assigned identities for pod staging/postgres-deployment-staging-69965ff767-8hmww in CREATED state failed after 16 attempts, retry duration [5]s, error: <nil>. Check MIC pod logs for identity assignment errors
I0221 22:54:32.037409 1 server.go:192] status (404) took 80003389208 ns for req.method=GET reg.path=/host/token/ req.remote=127.0.0.1
Not sure why since I basically copied the settings from the nginx.yaml into the postgres.yaml. Here they are:
# nginx.yaml
kind: Pod
apiVersion: v1
metadata:
  name: nginx
  namespace: staging
  labels:
    aadpodidbinding: aks-akv-identity-binding-selector
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: secrets-store01-inline
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store01-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aks-akv-secret-provider
# postgres.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-deployment-staging
  namespace: staging
  labels:
    aadpodidbinding: aks-akv-identity-binding-selector
spec:
  replicas: 1
  selector:
    matchLabels:
      component: postgres
  template:
    metadata:
      labels:
        component: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:13-alpine
          ports:
            - containerPort: 5432
          volumeMounts:
            - name: secrets-store01-inline
              mountPath: /mnt/secrets-store
              readOnly: true
            - name: postgres-storage-staging
              mountPath: /var/postgresql
      volumes:
        - name: secrets-store01-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: aks-akv-secret-provider
        - name: postgres-storage-staging
          persistentVolumeClaim:
            claimName: postgres-storage-staging
---
apiVersion: v1
kind: Service
metadata:
  name: postgres-cluster-ip-service-staging
  namespace: staging
spec:
  type: ClusterIP
  selector:
    component: postgres
  ports:
    - port: 5432
      targetPort: 5432
Suggestions for what the issue is here?
Oversight on my part... the aadpodidbinding should be in the template:, per:
The resulting YAML should be:
# postgres.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-deployment-production
  namespace: production
spec:
  replicas: 1
  selector:
    matchLabels:
      component: postgres
  template:
    metadata:
      labels:
        component: postgres
        aadpodidbinding: aks-akv-identity-binding-selector
    spec:
      containers:
        - name: postgres
          image: postgres:13-alpine
          ports:
            - containerPort: 5432
          env:
            - name: POSTGRES_DB_FILE
              value: /mnt/secrets-store/DEV-PGDATABASE
            - name: POSTGRES_USER_FILE
              value: /mnt/secrets-store/DEV-PGUSER
            - name: POSTGRES_PASSWORD_FILE
              value: /mnt/secrets-store/DEV-PGPASSWORD
            - name: POSTGRES_INITDB_ARGS
              value: "-A md5"
            - name: PGDATA
              value: /var/postgresql/data
          volumeMounts:
            - name: secrets-store01-inline
              mountPath: /mnt/secrets-store
              readOnly: true
            - name: postgres-storage-production
              mountPath: /var/postgresql
      volumes:
        - name: secrets-store01-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: aks-akv-secret-provider
        - name: postgres-storage-production
          persistentVolumeClaim:
            claimName: postgres-storage-production
---
apiVersion: v1
kind: Service
metadata:
  name: postgres-cluster-ip-service-production
  namespace: production
spec:
  type: ClusterIP
  selector:
    component: postgres
  ports:
    - port: 5432
      targetPort: 5432
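As an added example (not part of the original question or answer), here is a small Python check for the oversight above. AAD Pod Identity's NMI matches pods, not Deployments, by the aadpodidbinding label, so a label placed only on the Deployment's own metadata is never present on the pods it creates and the token request ends in the 404 seen in the nmi log. The script takes objects as printed by kubectl get ... -o json (or as loaded by yaml.safe_load) and flags any workload that mounts a secrets-store.csi.k8s.io volume without the label on its pod template. The two sample manifests inside it are constructed to mirror the question's staging Deployment before and after the fix, and the file name check_pod_identity_label.py is assumed.

```python
"""Static check: is the aadpodidbinding label on the *pod* template?

Added example, not code from the original post. Input objects are the
dicts you get from `kubectl get ... -o json` or `yaml.safe_load(...)`;
the sample manifests at the bottom are constructed for this example.
"""
import copy
import json
import sys

LABEL = "aadpodidbinding"

# Where each workload kind keeps its pod template (key path from the root).
POD_TEMPLATE_PATHS = {
    "Pod": [],  # the object itself is the pod
    "Deployment": ["spec", "template"],
    "StatefulSet": ["spec", "template"],
    "DaemonSet": ["spec", "template"],
    "ReplicaSet": ["spec", "template"],
    "Job": ["spec", "template"],
    "CronJob": ["spec", "jobTemplate", "spec", "template"],
}


def _dig(obj, path):
    """Follow a list of keys through nested dicts; None if any is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def _uses_secrets_store_csi(pod_spec):
    """True when any volume is an inline secrets-store.csi.k8s.io volume."""
    for vol in (pod_spec or {}).get("volumes") or []:
        if (vol.get("csi") or {}).get("driver") == "secrets-store.csi.k8s.io":
            return True
    return False


def check_pod_identity_binding(obj):
    """Return a list of findings; an empty list means the object is fine.

    A pod template that mounts a Secrets Store CSI volume needs the
    aadpodidbinding label in its own metadata; NMI never sees labels that
    sit only on the Deployment (or other controller) object.
    """
    findings = []
    kind = obj.get("kind")
    if kind == "List":  # `kubectl get ... -o json` wraps results in a List
        for item in obj.get("items", []):
            findings.extend(check_pod_identity_binding(item))
        return findings
    if kind not in POD_TEMPLATE_PATHS:
        return findings  # Services, PVCs etc. carry no pod template

    name = _dig(obj, ["metadata", "name"]) or "<unnamed>"
    template = _dig(obj, POD_TEMPLATE_PATHS[kind])
    if template is None:
        return [f"{kind}/{name}: no pod template found"]

    on_pod = LABEL in (_dig(template, ["metadata", "labels"]) or {})
    on_top = kind != "Pod" and LABEL in (_dig(obj, ["metadata", "labels"]) or {})

    if _uses_secrets_store_csi(template.get("spec")) and not on_pod:
        where = f"only on the {kind} metadata" if on_top else "nowhere"
        findings.append(f"{kind}/{name}: mounts secrets-store.csi.k8s.io but the "
                        f"'{LABEL}' label is {where}; it must be under "
                        f"spec.template.metadata.labels")
    elif on_top and not on_pod:
        findings.append(f"{kind}/{name}: '{LABEL}' is set on the {kind} but not on "
                        f"its pod template, so NMI will not match its pods")
    return findings


# Constructed sample: the question's staging Deployment, label on the
# Deployment only (container details trimmed to what the check needs).
BROKEN_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "postgres-deployment-staging", "namespace": "staging",
                 "labels": {LABEL: "aks-akv-identity-binding-selector"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"component": "postgres"}},
             "template": {
                 "metadata": {"labels": {"component": "postgres"}},
                 "spec": {"containers": [{"name": "postgres", "image": "postgres:13-alpine"}],
                          "volumes": [{"name": "secrets-store01-inline",
                                       "csi": {"driver": "secrets-store.csi.k8s.io",
                                               "readOnly": True,
                                               "volumeAttributes": {
                                                   "secretProviderClass": "aks-akv-secret-provider"}}}]}}},
}

# Constructed sample: the same Deployment with the label moved to the pod template.
FIXED_DEPLOYMENT = copy.deepcopy(BROKEN_DEPLOYMENT)
FIXED_DEPLOYMENT["metadata"].pop("labels")
FIXED_DEPLOYMENT["spec"]["template"]["metadata"]["labels"][LABEL] = "aks-akv-identity-binding-selector"

if __name__ == "__main__":
    # Usage: kubectl get deploy,sts,ds,job,cronjob,pod -A -o json > workloads.json
    #        python3 check_pod_identity_label.py workloads.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:  # no file given: run against the constructed samples
        data = {"kind": "List", "items": [BROKEN_DEPLOYMENT, FIXED_DEPLOYMENT]}
    for line in check_pod_identity_binding(data) or ["no findings"]:
        print(line)
```

Running it against a cluster dump before rolling out a manifest gives the same answer the nmi log gave after 16 retries, without waiting for the mount to fail.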
This concludes the article on "Azure Key Vault integration with AKS works for the Nginx tutorial Pod but not for the actual project deployment"; we hope the answer helps.