Closed markmcgookin closed 5 years ago
I am trying to integrate Azure Key Vault using the Kubernetes flexvolume with a service principal. I have done the steps for the Key Vault configuration and am able to load the secrets from the flex volume following the steps in https://github.com/Azure/kubernetes-keyvault-flexvol in kubectl. Now I want to read the secrets from the flex volume into my code. My app is in Node.js.
> kubectl exec -it nginx-flex-kv cat /secret1/testSecret
Defaulting container name to nginx-flex-kv.
Use 'kubectl describe pod/nginx-flex-kv -n default' to see all of the containers in this pod.
shhhhh%
apiVersion: v1
kind: Pod
metadata:
  name: nginx-flex-kv
spec:
  containers:
  - name: nginx-flex-kv
    image: nginx
    volumeMounts:
    - name: secret-test
      mountPath: /secret1
      readOnly: true
  volumes:
  - name: secret-test
    flexVolume:
      driver: "azure/kv"
      secretRef:
        name: kvcreds
      options:
        usepodidentity: "false"
        resourcegroup: "testApp-test"
        keyvaultname: "testApp-kv"
        keyvaultobjectname: "testSecret"
        keyvaultobjecttype: secret # OPTIONS: secret, key, cert
        keyvaultobjectversion: "<ID>"
        subscriptionid: "<ID>"
        tenantid: "<ID>"
How can I load the secret value into an environment variable or a constant?
Hey, I originally posted this question, so I should probably close this issue. Essentially I looped through the files in /kvmnt/ and took the file name as the secret key and the contents of the file as the secret value. My code is C# but I'm sure you could update it for Node easily enough. Your secret volume is called "secret-test" but I am storing my path in a config setting called "SecretsDirectory".
using System;
using System.IO;

// Each file in the mounted directory is one secret: file name = key, file contents = value.
if (Directory.Exists(config["SecretsDirectory"]))
{
    // GetFiles (rather than GetFileSystemEntries) so a subdirectory is never passed to ReadAllText.
    foreach (var file in Directory.GetFiles(config["SecretsDirectory"]))
    {
        var filename = Path.GetFileName(file);
        var secret = File.ReadAllText(file);
        // Add the secret as an environment variable for the rest of the app to pick up
        Environment.SetEnvironmentVariable(filename, secret);
    }
    // Rebuild the config to include the keyvault values (if required)
    config = configBuilder.Build();
}
If you can SSH into your container, or just use bash as the entry point as a one-off, you should be able to check if the directory and files are there manually by navigating to the volume and doing 'ls'.
If I remember correctly to set an environment variable in node it's something like this
process.env.somesecret = 'somevalue';
I'd rather use azurerm_key_vault_secret to retrieve the secret from Azure Key Vault and create a secret in AKS using kubernetes_secret, which will then be available as an environment variable.
Hi,
I've managed to get a K8s cluster set up, set up a CI pipeline for my code to be deployed to a container and pushed to my cluster, I've configured flexvolume, tested it works... but my code is failing. I assume this is because I am assuming that the default IConfiguration integration of Key Vault would just work with this.
Is there something different I need to do in code (should I literally loop through the mounted volume files and create a secret store in memory?) to access these secrets? Are there any examples out there?
Regards,
Mark