I have used the Azure CSI driver, and I know of roughly 2 methods.
A very quick disclaimer, since it seems to be what you're asking for: there is no "one-liner" that fetches all of your secrets from Azure KeyVault. Meaning that if you expect a "SELECT * FROM AKV" without specifying the specific IDs of those secrets/keys/certs, then this "Secrets Store CSI" is not what you're expecting. You more or less have to have a decently sized YAML file to make it work for all your Azure KeyVault secrets.
That said, if needed, you can deploy a very large YAML file containing 200 secrets with a single command, which I'll mention below.
So I'll go over the pros and cons of the 2 methods I use, with examples of how they work.
Method 1
Pros: a shorter YAML file, with all of your AKV secrets in one variable.
Cons: all of your AKV secrets are in one variable; depending on your application, this may not work properly. For example, this is equivalent to mounting a single volume that gives the Pod access to every kind of secret you told it to connect to.
How to implement:
Actually, the sample YAML you have is almost exactly how to have multiple secrets. Just add all the secrets you want Azure CSI to inject for you to the "array" field; below is a modified example:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname-podid # This ID is what you use in your Volume Mapping to reference this.
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "kvname"
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret
        - |
          objectName: key1
          objectType: key
        - |
          objectName: your_db_password # This ID matches the same ID in your Azure KeyVault (AKV)
          objectType: secret # object types: secret, key or cert. There are no other types for AKV.
        - |
          objectName: your_blob_storage_password # This ID matches the same ID in your Azure KeyVault (AKV)
          objectType: secret # object types: secret, key or cert. There are no other types for AKV.
        - |
          objectName: even_more_secrets_in_your_AKV # This ID matches the same ID in your Azure KeyVault (AKV)
          objectType: secret # object types: secret, key or cert. There are no other types for AKV.
    tenantId: "tid" # the tenant ID of the KeyVault
Method 2
Pros: your secrets are broken out into separate variables, giving your deployments the flexibility to choose which secrets get attached to which Pods.
Cons: it will be a very long YAML file with a lot of repeated fields. That said, this is basically deploying all your secrets with a one-liner, using "kubectl apply -f <FILE_NAME>.yaml --namespace=<NAMESPACE>".
How to implement:
It's almost a copy/paste of what you have, just split into multiple sections. Below is an example of 5 AKV secrets, split into 5 separate variables, that can be mounted in bulk in your applications:
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: akv-secret1 # This ID is what you use in your Volume Mapping to reference this.
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "kvname"
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret
    tenantId: "tid" # the tenant ID of the KeyVault
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: akv-secret2 # This ID is what you use in your Volume Mapping to reference this.
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "kvname"
    objects: |
      array:
        - |
          objectName: secret2
          objectType: secret
    tenantId: "tid" # the tenant ID of the KeyVault
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: akv-secret3 # This ID is what you use in your Volume Mapping to reference this.
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "kvname"
    objects: |
      array:
        - |
          objectName: secret3
          objectType: secret
    tenantId: "tid" # the tenant ID of the KeyVault
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: akv-secret4 # This ID is what you use in your Volume Mapping to reference this.
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "kvname"
    objects: |
      array:
        - |
          objectName: secret4
          objectType: secret
    tenantId: "tid" # the tenant ID of the KeyVault
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: akv-secret5 # This ID is what you use in your Volume Mapping to reference this.
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "kvname"
    objects: |
      array:
        - |
          objectName: secret5
          objectType: secret
    tenantId: "tid" # the tenant ID of the KeyVault
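Both methods above are hand-written YAML, and method 2 in particular is pure repetition: the same SecretProviderClass skeleton once per Key Vault object. The script below is an added example, not part of the original answer or of the Azure CSI project, that generates either shape from a list of object names: one class listing every object (method 1) or one class per object joined into a multi-document manifest (method 2), ready for a single `kubectl apply -f`. It also validates input before anything is applied, rejecting unknown object types and object names that Key Vault itself would not accept (names must be 1-127 characters, start with a letter, and contain only letters, digits and hyphens). The vault name, tenant ID and object names used in the demo are constructed placeholders; only the standard library is used, so it runs offline.

```python
"""Generate SecretProviderClass manifests for the Azure Key Vault CSI provider.

Added example (not the original answer's code). Emits the two layouts the
answer describes: a single class listing all objects (method 1) and one class
per object as a multi-document YAML string (method 2). The vault name, tenant
ID and object names in the demo below are constructed placeholders.
"""
import re
from typing import Iterable, List, Tuple

API_VERSION = "secrets-store.csi.x-k8s.io/v1alpha1"
VALID_TYPES = {"secret", "key", "cert"}
# Key Vault object names: 1-127 chars, start with a letter, letters/digits/hyphens only.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,126}$")


def validate(objects: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Reject names Key Vault would never resolve and unknown object types."""
    checked: List[Tuple[str, str]] = []
    for name, otype in objects:
        if not NAME_RE.match(name):
            raise ValueError(f"invalid Key Vault object name: {name!r}")
        if otype not in VALID_TYPES:
            raise ValueError(f"invalid objectType {otype!r}; expected one of {sorted(VALID_TYPES)}")
        checked.append((name, otype))
    if not checked:
        raise ValueError("at least one Key Vault object is required")
    return checked


def render_class(class_name: str, keyvault: str, tenant_id: str,
                 objects: List[Tuple[str, str]]) -> str:
    """Render one SecretProviderClass document with the given objects array."""
    entries = "".join(
        f"        - |\n          objectName: {name}\n          objectType: {otype}\n"
        for name, otype in objects
    )
    return (
        f"apiVersion: {API_VERSION}\n"
        "kind: SecretProviderClass\n"
        "metadata:\n"
        f"  name: {class_name}\n"
        "spec:\n"
        "  provider: azure\n"
        "  parameters:\n"
        '    usePodIdentity: "true"\n'
        f'    keyvaultName: "{keyvault}"\n'
        "    objects: |\n"
        "      array:\n"
        f"{entries}"
        f'    tenantId: "{tenant_id}"\n'
    )


def method_one(class_name: str, keyvault: str, tenant_id: str,
               objects: Iterable[Tuple[str, str]]) -> str:
    """Method 1: every object in a single SecretProviderClass (one volume mount)."""
    return render_class(class_name, keyvault, tenant_id, validate(objects))


def method_two(prefix: str, keyvault: str, tenant_id: str,
               objects: Iterable[Tuple[str, str]]) -> str:
    """Method 2: one SecretProviderClass per object, joined with YAML document separators.

    Class names are lowercased because Kubernetes object names must be DNS-1123
    labels, while Key Vault object names may contain uppercase letters.
    """
    docs = [
        render_class(f"{prefix}-{name.lower()}", keyvault, tenant_id, [(name, otype)])
        for name, otype in validate(objects)
    ]
    return "---\n".join(docs)


if __name__ == "__main__":
    # Constructed sample input; replace with your own vault, tenant and object names.
    sample = [("db-password", "secret"), ("signing-key", "key"), ("tls-cert", "cert")]
    print(method_one("azure-kvname-podid", "kvname", "tid", sample))
    print("---")
    print(method_two("akv", "kvname", "tid", sample))
    # Save the output to a file and deploy it in one step, e.g.
    #   python gen_spc.py > spc.yaml && kubectl apply -f spc.yaml --namespace=<NAMESPACE>
```

Generating the manifest rather than copy/pasting it keeps the per-object classes consistent, and the validation step catches a typo in an object name before a Pod fails to start with a mount error. The usual trade-off from the answer still applies: with method 2 each Pod's volume mapping names only the classes it needs, so a Pod never sees secrets that were not meant for it.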