Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

Use kubernetes-keyvault-flexvol in a deployment #63

Closed empiricaldevops closed 5 years ago

empiricaldevops commented 5 years ago

I could get this working on a pod. But how can I use it in a deployment, where I will have multiple pods spread across nodes. Each pod has to access the volume that contains the key.

Is there any alternate solution for such a scenario?

Thanks

ritazh commented 5 years ago

@Ramk22 Please take a look at #64. Let me know how this works for you.

badalk commented 5 years ago

Here is a working example:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: <servicename>
  namespace: <namespace>
spec:
  replicas: 2
  # apps/v1 requires an explicit selector; it must match the pod template labels
  selector:
    matchLabels:
      app: myappname
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  template:
    metadata:
      labels:
        app: myappname
        aadpodidbinding: <selector mentioned in your AzureIdentityBinding>
        namespace: <namespace>
    spec:
      containers:
      - name: <anyname>
        image: <reference-to-image>
        imagePullPolicy: Always
        # mount the volume created below from the key-vault flexvolume driver
        volumeMounts:
        - name: test
          mountPath: /etc/kvmnt
          readOnly: true
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
        - name: https
          containerPort: 443
          protocol: TCP
        resources:
          requests:
            cpu: 100m
          limits:
            cpu: 200m
      volumes:
      - name: test
        flexVolume:
          driver: "azure/kv"
          options:
            usepodidentity: "true"                  # [OPTIONAL] defaults to "false" if not provided
            keyvaultname: "<keyvaultname>"          # the name of the KeyVault
            keyvaultobjectnames: "secret1;secret2"  # list of KeyVault object names (semicolon separated)
            keyvaultobjecttypes: "secret;secret"    # list of KeyVault object types: secret, key or cert (semicolon separated)
            keyvaultobjectversions: "47b45e##5d6###ae75####ddcf6;3c6c##########f0009693bee;"  # [OPTIONAL] list of KeyVault object versions (semicolon separated); latest is used if empty
            resourcegroup: "<key vault resourcegroup name>"          # the resource group of the KeyVault
            subscriptionid: "########-####-####-####-############"  # the subscription ID of the KeyVault
            tenantid: "########-####-####-####-############"        # the Azure AD tenant ID of the KeyVault
```

Hope this helps
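
A pre-apply check for Deployment manifests like the one above, added here as an example and not part of the project or of this thread: it walks the pod template and flags the mistakes that otherwise only surface when the flexvolume mount fails at pod start (semicolon-separated option lists of unequal length, an unknown object type, `usepodidentity` without an `aadpodidbinding` pod label, a volume that is never mounted or is mounted writable). The manifest is a constructed dict mirroring the YAML above; the `<selector>` placeholder, the readOnly expectation and the tolerance for one trailing `;` are assumptions.

```python
# Added example, not part of kubernetes-keyvault-flexvol: pre-apply checks for an azure/kv
# flexVolume Deployment. MANIFEST is a constructed dict mirroring the YAML in this thread.
MANIFEST = {"spec": {"template": {
    "metadata": {"labels": {"app": "myappname", "aadpodidbinding": "<selector>"}},
    "spec": {
        "containers": [{"name": "app", "volumeMounts": [
            {"name": "test", "mountPath": "/etc/kvmnt", "readOnly": True}]}],
        "volumes": [{"name": "test", "flexVolume": {"driver": "azure/kv", "options": {
            "usepodidentity": "true",
            "keyvaultname": "<keyvaultname>",
            "keyvaultobjectnames": "secret1;secret2",
            "keyvaultobjecttypes": "secret;secret",
            "keyvaultobjectversions": "",  # empty: mount the latest version of each object
        }}}],
    },
}}}

def _split(value):
    # Semicolon-separated list; one trailing ";" (as in the posted YAML) is tolerated.
    value = value[:-1] if value.endswith(";") else value
    return value.split(";") if value else []

def check_keyvault_volumes(manifest):
    """Return a list of findings; an empty list means the manifest passes the checks."""
    findings = []
    pod = manifest["spec"]["template"]
    labels = pod.get("metadata", {}).get("labels", {})
    mounts = {m["name"]: m for c in pod["spec"].get("containers", [])
              for m in c.get("volumeMounts", [])}
    for vol in pod["spec"].get("volumes", []):
        fv, name = vol.get("flexVolume") or {}, vol["name"]
        if fv.get("driver") != "azure/kv":
            continue
        opts = fv.get("options", {})
        names = _split(opts.get("keyvaultobjectnames", ""))
        types = _split(opts.get("keyvaultobjecttypes", ""))
        versions = _split(opts.get("keyvaultobjectversions", ""))
        if len(types) != len(names):  # the three lists are matched positionally
            findings.append(f"{name}: {len(types)} object types for {len(names)} names")
        if versions and len(versions) != len(names):
            findings.append(f"{name}: {len(versions)} versions for {len(names)} names")
        if bad := sorted(set(types) - {"secret", "key", "cert"}):
            findings.append(f"{name}: unknown object types {bad}")
        if opts.get("usepodidentity", "false") == "true" and "aadpodidbinding" not in labels:
            findings.append(f"{name}: usepodidentity is true but pod lacks aadpodidbinding label")
        if name not in mounts:
            findings.append(f"{name}: volume is declared but never mounted")
        elif not mounts[name].get("readOnly"):
            findings.append(f"{name}: mount at {mounts[name]['mountPath']} should be readOnly")
    return findings
```

Run it against the rendered manifest (for a real file, load it with PyYAML and pass the resulting dict) before `kubectl apply`; an empty list means no finding.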

empiricaldevops commented 5 years ago

@ritazh That worked. Thank you.