Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

[Request for help] Examples of how to access secrets in code #108

Closed markmcgookin closed 5 years ago

markmcgookin commented 5 years ago

Hi,

I've managed to get a K8s cluster set up, set up a CI pipeline for my code to be deployed to a container and pushed to my cluster, I've configured flexvolume, tested it works... but my code is failing. I assume this is because I assumed that the default IConfiguration integration of Key Vault would just work with this.

Is there something different I need to do in code (should I literally loop through the mounted volume files and create a secret store in memory?) to access these secrets? Are there any examples out there?

Regards,

Mark

kanistha commented 5 years ago

I am trying to integrate Azure Key Vault using the Kubernetes flexvolume with a service principal. I have done the steps for the Key Vault configuration and am able to load the secrets from the flex volume in kubectl, following the steps in https://github.com/Azure/kubernetes-keyvault-flexvol. Now I want to read the secrets from the flex volume into my code. My app is in Node.js.

> kubectl exec -it nginx-flex-kv cat /secret1/testSecret
Defaulting container name to nginx-flex-kv.
Use 'kubectl describe pod/nginx-flex-kv -n default' to see all of the containers in this pod.
shhhhh%

apiVersion: v1
kind: Pod
metadata:
  name: nginx-flex-kv
spec:
  containers:
  - name: nginx-flex-kv
    image: nginx
    volumeMounts:
    - name: secret-test
      mountPath: /secret1
      readOnly: true
  volumes:
  - name: secret-test
    flexVolume:
      driver: "azure/kv"
      secretRef:
        name: kvcreds
      options:
        usepodidentity: "false"
        resourcegroup: "testApp-test"
        keyvaultname: "testApp-kv"
        keyvaultobjectname: "testSecret"
        keyvaultobjecttype: secret # OPTIONS: secret, key, cert
        keyvaultobjectversion: "<ID>"
        subscriptionid: "<ID>"
        tenantid: "<ID>"

How can I load the secret value into an environment variable or a constant?

markmcgookin commented 5 years ago

Hey, I originally posted this question, so I should probably close this issue. Essentially I looped through the files in /kvmnt/ and took the file name as the secret key and the contents of the file as the secret value. My code is C#, but I'm sure you could update it for Node easily enough. Your secret volume is called "secret-test", but I am storing my path in a config setting called "SecretsDirectory".

using System;
using System.IO;

// "config" is the IConfiguration built so far and "configBuilder" the
// IConfigurationBuilder it came from (with AddEnvironmentVariables() registered),
// both created earlier in startup.
if (Directory.Exists(config["SecretsDirectory"]))
{
    // The flex volume writes one file per Key Vault object:
    // file name = secret name, file body = secret value.
    // GetFiles (rather than GetFileSystemEntries) skips any directory entries,
    // which File.ReadAllText would throw on.
    foreach (var file in Directory.GetFiles(config["SecretsDirectory"]))
    {
        var filename = Path.GetFileName(file);
        var secret = File.ReadAllText(file);
        //Add the secret as an environment variable
        Environment.SetEnvironmentVariable(filename, secret);
    }
    //Rebuild the config so the environment-variable provider picks up the new values (if required)
    config = configBuilder.Build();
}

If you can SSH into your container, or just use bash as the entry point as a one-off, you should be able to check whether the directory and files are there manually by navigating to the volume and running 'ls'.

If I remember correctly to set an environment variable in node it's something like this

process.env.somesecret = 'somevalue';

rahmanyusmadi commented 4 years ago

I'd rather use azurerm_key_vault_secret to retrieve the secret from Azure Key Vault and create a secret in AKS using kubernetes_secret, which will be available as an environment variable.