Azure / kubernetes-keyvault-flexvol

Azure keyvault integration with Kubernetes via a Flex Volume
MIT License

How does application appsettings.json access the values once the key or secret is mounted in the container file system #71

Open chetanku opened 5 years ago

chetanku commented 5 years ago

I am working on a .NET Core 2 application and trying to do a POC on this, but I am not able to understand how the application should be set up to read the secrets, keys, etc. For example, does this replace the appsettings.json file itself? Any tutorial will be awesome. Thanks.

ritazh commented 5 years ago

@chetanku Since the secret data is mounted to your pod as a file, there are two ways you could get the value for your application:

  1. Update your .net core application to read the value from the mounted file instead of the appsettings.json
  2. If you want to continue to use the appsettings.json to retrieve this value, you could add a script before your main process starts in the container to get the value from this mounted file, then update the values in appsettings.json. Here is an example: https://github.com/Azure/kubernetes-keyvault-flexvol/issues/28#issuecomment-453249243

MinghuaJiang commented 5 years ago

@ritazh I have a similar question. I tried to use config.AddKeyPerFile in my ASP.NET Core application to read the mounted folder, but it seems like I failed to read the secret file. Running kubectl exec can give me the value of the file though.

ritazh commented 5 years ago

Can you please help provide repro steps, sample code snippets? Thanks!

MinghuaJiang commented 5 years ago

apiVersion: v1
kind: Pod
metadata:
  name: pod-keyvault
spec:
  containers:

I have an ASP.NET Core app which I deployed to AKS.

if (context.HostingEnvironment.IsProduction())
{
    if (!Directory.Exists("/kvsecret1"))
    {
        throw new FileNotFoundException("folder not exists");
    }
    config.AddKeyPerFile(directoryPath: "/kvsecret1", optional: false);
}

This part would throw FileNotFoundException since it can't find a location where /kvsecret1 exists. I'm wondering whether that mount path is accessible outside the container. If so, how? @ritazh

ritazh commented 5 years ago

So kubectl exec -it pod-keyvault ls /kvsecret1 shows each secret listed in keyvaultobjectnames as files, but Directory.Exists("/kvsecret1") in your ASP.NET app does not work?

MinghuaJiang commented 5 years ago

Yes. @ritazh.

adnanalawiyat commented 5 years ago

One way is to save the content of the Azure Key Vault secret as JSON, then parse the mounted secret as JSON in your app. Below is an example for a Node.js app utilizing the nconf lib (assuming the secret is mounted as "/secrets/mysecret").

const nconf = require('nconf');
// register the mounted secret file as a named nconf file store; its content is parsed as JSON
nconf.file('systemX', {file: '/secrets/mysecret'});
// read the 'systemX' object from the loaded configuration
let creds = nconf.get('systemX');
console.log(`clientId: ${creds.clientId}`);
console.log(`secret: ${creds.secret}`);

output:

clientId: foo
secret: bar

macpak commented 4 years ago

I've tried to do the same as what @MinghuaJiang described and it worked for me.