HoussemDellai / aks-keyvault

Access Azure Key Vault secrets, keys and certs from AKS Pods using Secret Store CSI provider and Pod Identity.

A few issues with the instructions: #1

Closed Farzad-Jalali closed 4 years ago

Farzad-Jalali commented 4 years ago

Hi HoussemDellai,

I followed your YouTube video; it was fantastic. Unfortunately, when I try to follow your code in this repo, I end up with an error. In the final stage, the pod doesn't spin up. I have 4 questions:

1- In your readme.md file, you mentioned the below comment:

doesn't work with AKS with Managed Identity!

$aks = az aks create -n $aksName -g $resourceGroupName --enable-managed-identity --kubernetes-version 1.17.3 --node-count 1 | ConvertFrom-Json

What does it mean? Can I use --enable-managed-identity or not?

2- When I get to the below command:

echo "Providing required permissions for MIC..."
az role assignment create --role "Managed Identity Operator" --assignee $aks.servicePrincipalProfile.clientId --scope $identity.id

$aks.servicePrincipalProfile.clientId returns the below value:

MSI

Question: why? I manually replaced it with the ID of the "aks identity profile", but I think it actually generates the next error, which is question 3.

3- When I run the below command to generate the final pod:

kubectl describe pod nginx-secrets-store

I see the below output:

Name:               nginx-secrets-store
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               aks-nodepool1-10230164-vmss000000/10.201.20.7
Start Time:         Thu, 07 May 2020 12:02:40 +0100
Labels:             aadpodidbinding=azure-kv
Annotations:        kubectl.kubernetes.io/last-applied-configuration:
                      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"aadpodidbinding":"azure-kv"},"name":"nginx-secrets-store","namespa...
Status:             Pending
IP:
Containers:
  nginx:
    Container ID:
    Image:          nginx
    Image ID:
    Port:           <none>
    Host Port:      <none>
    State:          Waiting
      Reason:       ContainerCreating
    Ready:          False
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /mnt/secrets-store from secrets-store-inline (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-r84tq (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  secrets-store-inline:
  <unknown>
  default-token-r84tq:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  default-token-r84tq
    Optional:    false
QoS Class:       BestEffort
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason       Age                    From                                        Message
  ----     ------       ----                   ----                                        -------
  Normal   Scheduled    8m44s                  default-scheduler                           Successfully assigned default/nginx-secrets-store to aks-nodepool1-10230164-vmss000000
  Warning  FailedMount  6m40s                  kubelet, aks-nodepool1-10230164-vmss000000  Unable to attach or mount volumes: unmounted volumes=[secrets-store-inline], unattached volumes=[secrets-store-inline default-token-r84tq]: timed out waiting for the condition
  Warning  FailedMount  2m10s (x2 over 4m25s)  kubelet, aks-nodepool1-10230164-vmss000000  Unable to attach or mount volumes: unmounted volumes=[secrets-store-inline], unattached volumes=[default-token-r84tq secrets-store-inline]: timed out waiting for the condition
  Warning  FailedMount  25s (x12 over 8m44s)   kubelet, aks-nodepool1-10230164-vmss000000  MountVolume.SetUp failed for volume "secrets-store-inline" : kubernetes.io/csi: mounter.SetupAt failed: rpc error: code = Unknown desc = could not find secretproviderclass secret-provider-kv

4- The example that you put here: has it ever worked successfully?

HoussemDellai commented 4 years ago

Hi Farzad, thank you for your feedback. I should update the readme. I have published a new script that supports both AKS with SPN and with Managed Identity: https://github.com/HoussemDellai/aks-keyvault/blob/master/commands-identity.ps1 You can choose the option by setting the variable: $isAKSWithManagedIdentity = "false"/"true", and wait a few seconds for the Pod to be at Running status. Test it and let me know :)
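As an added illustration of the two points in this thread (the "MSI" placeholder in servicePrincipalProfile.clientId on a Managed Identity cluster, and the FailedMount caused by a missing SecretProviderClass), here is PowerShell that is not the repository's commands-identity.ps1 script. It assumes $aksName, $resourceGroupName and $identity (the object from `az identity create ... | ConvertFrom-Json`) are already set, that the kubelet identity is exposed at identityProfile.kubeletidentity.clientId, and that the pod manifest is saved as nginx-secrets-store.yaml (assumed file name).

```powershell
# Added example, not the repo's own script. Resolve the identity that MIC/NMI
# actually run as, then verify the SecretProviderClass exists before the pod.
$isAKSWithManagedIdentity = "true"   # "false" for a cluster created with an SPN

$aks = az aks show -n $aksName -g $resourceGroupName | ConvertFrom-Json

if ($isAKSWithManagedIdentity -eq "true") {
    # On an MI cluster servicePrincipalProfile.clientId is only the placeholder
    # "MSI"; the node pool (kubelet) identity is the one that needs the role.
    # Property path assumed from `az aks show` output on MI clusters.
    $assigneeClientId = $aks.identityProfile.kubeletidentity.clientId
} else {
    $assigneeClientId = $aks.servicePrincipalProfile.clientId
}

# Fail fast instead of handing the placeholder string to `az role assignment`.
if ([string]::IsNullOrEmpty($assigneeClientId) -or $assigneeClientId -ieq "msi") {
    throw "Could not resolve a usable client ID; check the cluster identity type."
}

echo "Providing required permissions for MIC (assignee $assigneeClientId)..."
az role assignment create --role "Managed Identity Operator" `
    --assignee $assigneeClientId --scope $identity.id

# The event "could not find secretproviderclass secret-provider-kv" means the
# pod was applied before its SecretProviderClass. Check it is present first.
$spc = kubectl get secretproviderclass secret-provider-kv -o name 2>$null
if (-not $spc) {
    throw "SecretProviderClass 'secret-provider-kv' is missing; apply it before the pod."
}

kubectl apply -f nginx-secrets-store.yaml   # assumed manifest file name
kubectl wait --for=condition=Ready pod/nginx-secrets-store --timeout=120s
kubectl describe pod nginx-secrets-store
```

If the wait times out, the Events section of the describe output names the missing piece (role assignment, identity binding or SecretProviderClass) rather than leaving the pod silently in ContainerCreating.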

Farzad-Jalali commented 4 years ago

Hi Houssem, thanks for your reply. I tried it for a managed identity AKS, and it's working really nicely. I really appreciate it.

Cheers, Farzad