ritazh
commented
5 years ago @serbrech Thank you for adding this! Can you maybe also add an example yaml/script that creates a X.509 Cert from the three resources you mentioned using openssl pkcs12?
Closed serbrech closed 5 years ago
ritazh
commented
5 years ago @serbrech Thank you for adding this! Can you maybe also add an example yaml/script that creates a X.509 Cert from the three resources you mentioned using openssl pkcs12?
ritazh
commented
5 years ago @serbrech bump
serbrech
commented
5 years ago I'm working on it. it's just not that straight forward to get a useful example. getting closer with a traefik ingress. nginx just won't take a file...
ibattat
commented
4 years ago I'm working on it. it's just not that straight forward to get a useful example. getting closer with a traefik ingress. nginx just won't take a file...
Hi, there is any progress with that? right now we can't use AzureKeyVault via FlexVolume for Nginx at all. There is any way to download one certificate through different formats? could not find any solution on web...
serbrech
commented
4 years ago The issue isn’t with keyvault or flexvol, but with the nginx-ingress implementation, which won’t take a file as explained above. I have not looked into this since my initial investigation.
On Sun, Apr 19, 2020 at 10:10 ibattat notifications@github.com wrote:
I'm working on it. it's just not that straight forward to get a useful example. getting closer with a traefik ingress. nginx just won't take a file...
Hi, there is any progress with that? right now we can't use AzureKeyVault via FlexVolume for Nginx at all. There is any way to download one certificate through different formats? could not find any solution on web...
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/Azure/kubernetes-keyvault-flexvol/pull/59#issuecomment-616185137, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACNDTO6TNSLIFL6PMPJKV3RNMWANANCNFSM4GO6EMQA .
--
Stéphane Erbrech
ibattat
commented
4 years ago Hello Stéphane Erbrech, What a quick response. The main issue is with the format download in each one of the types cert, key and secret. Nginx requires certificate in PEM format. We are trying to get data from rotating certificate and integrate it with nginx ssl configuration.
serbrech
commented
4 years ago @ibattat I'm pretty sure that what you are looking for is this, as documented for traefik in that PR :) :
ritazh
commented
4 years ago Thanks for following up on this issue @ibattat! We are deprecating this solution in favor of the Secrets store csi driver implementation as flexvols are getting deprecated in Kubernetes. I have created this PR to mount the cert content returned from Azure keyvault in PEM or pfx format. Would love your feedback on it.
ibattat
commented
4 years ago @serbrech as it mentioned in the url you provided The nginx-ingress implementation doesn't provide any way (to my knowledge) to configure the certificate from file, only kubernetes secrets are supported
I believe this is not the tight solution for nginx deployment in k8s
ibattat
commented
4 years ago @ritazh I'll take a look at this PR and I'll try to deploy this in our environment
ibattat
commented
4 years ago @ritazh file does not exist or auth issue.
regarding documentation on section 4
ritazh
commented
4 years ago @ibattat Thanks for the feedback. We will update that doc to reflect the latest. Once you have installed the secrets store csi driver, you can follow specific steps to work with the Azure provider: https://github.com/Azure/secrets-store-csi-driver-provider-azure#install-the-azure-key-vault-provider
As you go down the readme, you will see steps for updating and creating a https://github.com/Azure/secrets-store-csi-driver-provider-azure#create-secretproviderclasses. Then you will need to update your deployment yaml to use the Secrets Store CSI driver and reference the secretProviderClass resource created in the previous step.
ibattat
commented
4 years ago @ritazh Thanks for the quick response. Although in the readme file you specify this deployment works on k8s version 1.14 but it doesn't the csi volume type is not recognised
PVC: Ignoring the PVC: didn't find a plugin capable of expanding the volume; waiting for an external controller to process this PVC.
ritazh
commented
4 years ago We have the following in the readme of the csi driver and the azure provider. Please let me know if that is missing in any of the doc you are using. Can you please try with 1.16.0+ and inline volume?
Recommended Kubernetes version: v1.16.0+
Also feel free to open an issue in the azure provider of the secrets store csi driver repo as that might be more relevant than this repo. Thanks!
ibattat
commented
4 years ago @ritazh how can we use the PR? the nginx pods are running but the certificate format is still not suit the nginx. How can we test the PR you created?
Thanks for following up on this issue @ibattat! We are deprecating this solution in favor of the Secrets store csi driver implementation as flexvols are getting deprecated in Kubernetes. I have created this PR to mount the cert content returned from Azure keyvault in PEM or pfx format. Would love your feedback on it.
Adds more documentation about KeyVault, in particular how to fetch the different parts of a KeyVault Certificate using keyvault flexvol.