HoussemDellai / aks-keyvault

Access Azure Key Vault secrets, keys and certs from AKS Pods using Secret Store CSI provider and Pod Identity.

works just fine for pod but doesn't work with deployment #2

Open Farzad-Jalali opened 4 years ago

Farzad-Jalali commented 4 years ago

Dear Houssem,

Thank you for sharing your code. It's really nice and I have to admit that I'm impressed; please continue the good work.

I'm playing with your code (the one in the below URL), it works just fine when you deploy your pods directly. https://github.com/HoussemDellai/aks-keyvault/blob/master/commands-identity.ps1

But I noticed that when I use the "Deployment" kind instead of the Pod kind, something like the example below, it doesn't work:


kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-secrets-store
...

When I describe the pods to see what is the error, I see the below output:


Events:
  Type     Reason       Age        From                                        Message
  ----     ------       ----       ----                                        -------
  Normal   Scheduled    <unknown>  default-scheduler                           Successfully assigned default/nginx-secrets-store-7f648c9df6-sv2cr to aks-nodepool1-32392463-vmss000000
  Warning  FailedMount  37s        kubelet, aks-nodepool1-32392463-vmss000000  MountVolume.SetUp failed for volume "secrets-store-inline" : kubernetes.io/csi: mounter.SetupAt failed: rpc error: code = Unknown desc = error mounting secret time="2020-05-26T21:43:40Z" level=fatal msg="[error] : failed to get keyvaultClient: failed to get key vault token: nmi response failed with status code: 404" for pod: 1e6fc7fa-058c-480c-9a0f-66d6fce385bb, ns: default

Here is the deployment YAML:


kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-secrets-store
  labels:
    aadpodidbinding: azure-kv
    app: nginx-secrets-store
spec:
  selector:
    matchLabels:
      app: nginx-secrets-store
  template:
    metadata:
      labels:
        app: nginx-secrets-store
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: secret-provider-kv

Here is the full error:

TimCohn commented 4 years ago

Try moving aadpodidbinding to be under spec/template/metadata/labels like:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-secrets-store
  labels:
    app: nginx-secrets-store
spec:
  selector:
    matchLabels:
      app: nginx-secrets-store
  template:
    metadata:
      labels:
        app: nginx-secrets-store
        aadpodidbinding: azure-kv
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: secret-provider-kv
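The fix described above is a label-placement rule that can be checked before a manifest is applied: aad-pod-identity's NMI resolves an AzureIdentityBinding from the labels of the pod that asks for a token, so a label on the Deployment's own metadata never reaches the pods and the CSI mount fails with the NMI 404 shown earlier. The following Python lint is an added example written for this page, not code from the aks-keyvault repository or from aad-pod-identity. It assumes manifests are supplied as JSON (for instance `kubectl get deploy,sts,ds -A -o json`); the two embedded Deployments are constructed copies of the broken and corrected manifests from this thread.

```python
"""Lint workload manifests for the aadpodidbinding label placement problem.

The label must sit on the *pod* labels (spec.template.metadata.labels for a
Deployment), because NMI matches the pod, not the controller object.
"""
import json
import sys

CSI_DRIVER = "secrets-store.csi.k8s.io"
BINDING_LABEL = "aadpodidbinding"
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def pod_spec_and_labels(manifest):
    """Return (pod_spec, pod_labels) for a Pod or a pod-template controller."""
    kind = manifest.get("kind")
    if kind == "Pod":  # a bare pod: its own metadata is the pod metadata
        return manifest.get("spec", {}), manifest.get("metadata", {}).get("labels", {})
    if kind in TEMPLATED_KINDS:
        template = manifest.get("spec", {}).get("template", {})
        return template.get("spec", {}), template.get("metadata", {}).get("labels", {})
    if kind == "CronJob":  # template is one level deeper, under jobTemplate
        template = manifest.get("spec", {}).get("jobTemplate", {}).get("spec", {}).get("template", {})
        return template.get("spec", {}), template.get("metadata", {}).get("labels", {})
    return None, None  # not a workload this lint understands


def uses_secrets_store_csi(pod_spec):
    """True if any volume is an inline secrets-store CSI volume."""
    return any((v.get("csi") or {}).get("driver") == CSI_DRIVER
               for v in pod_spec.get("volumes") or [])


def check_manifest(manifest):
    """Return a list of finding strings for one object (empty list means OK)."""
    pod_spec, pod_labels = pod_spec_and_labels(manifest)
    if pod_spec is None or not uses_secrets_store_csi(pod_spec):
        return []  # either unknown kind or no Key Vault mount: label placement is irrelevant
    kind = manifest.get("kind")
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    if BINDING_LABEL in pod_labels:
        return []
    top_labels = manifest.get("metadata", {}).get("labels", {})
    if kind != "Pod" and BINDING_LABEL in top_labels:
        # Exactly the situation in this issue: label on the controller, not the pod.
        return [f"{kind}/{name}: {BINDING_LABEL}={top_labels[BINDING_LABEL]!r} is set on the "
                f"{kind} metadata but not on spec.template.metadata.labels; NMI will not "
                f"match the pods (expect 'nmi response failed with status code: 404')"]
    return [f"{kind}/{name}: mounts {CSI_DRIVER} but the pod carries no {BINDING_LABEL} "
            f"label, so no AzureIdentityBinding can select it"]


def check_document(doc):
    """Accept a single object or a kind: List as produced by `kubectl get -o json`."""
    items = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        findings.extend(check_manifest(item))
    return findings


def _sample(label_on_template):
    """Constructed copy of the Deployment from the issue, as JSON-shaped dicts."""
    pod_labels, top_labels = {"app": "nginx-secrets-store"}, {"app": "nginx-secrets-store"}
    (pod_labels if label_on_template else top_labels)[BINDING_LABEL] = "azure-kv"
    return {
        "kind": "Deployment", "apiVersion": "apps/v1",
        "metadata": {"name": "nginx-secrets-store", "labels": top_labels},
        "spec": {
            "selector": {"matchLabels": {"app": "nginx-secrets-store"}},
            "template": {
                "metadata": {"labels": pod_labels},
                "spec": {
                    "containers": [{"name": "nginx", "image": "nginx", "volumeMounts": [
                        {"name": "secrets-store-inline", "mountPath": "/mnt/secrets-store",
                         "readOnly": True}]}],
                    "volumes": [{"name": "secrets-store-inline", "csi": {
                        "driver": CSI_DRIVER, "readOnly": True,
                        "volumeAttributes": {"secretProviderClass": "secret-provider-kv"}}}],
                },
            },
        },
    }


BROKEN_DEPLOYMENT = _sample(label_on_template=False)  # as first posted in the issue
FIXED_DEPLOYMENT = _sample(label_on_template=True)    # as suggested in the reply

if __name__ == "__main__":
    # Usage: kubectl get deploy,sts,ds -A -o json > workloads.json; python lint.py workloads.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            docs = [json.load(fh)]
    else:
        docs = [BROKEN_DEPLOYMENT, FIXED_DEPLOYMENT]
    for doc in docs:
        for finding in check_document(doc):
            print(finding)
```

Run without arguments it reports only the first sample, because the label moved into the pod template satisfies the rule; the same function can run in CI against rendered manifests so a misplaced `aadpodidbinding` is caught before the FailedMount event ever appears.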