【发布时间】:2019-08-20 08:12:37
【问题描述】:
我有一个 ARM 模板,它创建一个 Azure Key Vault,然后是一个 Azure Kubernetes 服务。问题是 Azure Kubernetes 服务需要在我第一次创建它时传递一个 Service Principle 的 Client ID 和 Client Secret。所以我在production.parameters.json 文件中运行application.json,而没有kubernetes_servicePrincipalClientId 和kubernetes_servicePrincipalClientSecret 参数:
application.json
{
"comments": "Kubernetes Service Principal Client ID",
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('key_vault_name'), '/KubernetesServicePrincipalClientId')]",
"apiVersion": "2018-02-14",
"properties": {
"contentType": "text/plain",
"value": "[parameters('kubernetes_servicePrincipalClientId')]"
}
},
{
"comments": "Kubernetes Service Principal Client Secret",
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('key_vault_name'), '/KubernetesServicePrincipalClientSecret')]",
"apiVersion": "2018-02-14",
"properties": {
"contentType": "text/plain",
"value": "[parameters('kubernetes_servicePrincipalClientSecret')]"
}
}
第二次运行 ARM 模板时,我将以下行添加到我的 production.parameters.json 文件中,以便从我第一次运行 ARM 模板时存储的 Azure Key Vault 中检索客户端 ID 和客户端密码.
production.parameters.json
"kubernetes_servicePrincipalClientId": {
"reference": {
"keyVault": {
"id": "/subscriptions/[Subscription Id]/resourcegroups/[Resource Group Name]/providers/Microsoft.KeyVault/vaults/[Vault Name]"
},
"secretName": "KubernetesServicePrincipalClientId"
}
},
"kubernetes_servicePrincipalClientSecret": {
"reference": {
"keyVault": {
"id": "/subscriptions/[Subscription Id]/resourcegroups/[Resource Group Name]/providers/Microsoft.KeyVault/vaults/[Vault Name]"
},
"secretName": "KubernetesServicePrincipalClientSecret"
}
}
很遗憾,您似乎无法在 ARM 模板中创建服务主体。有没有更好的方法来自动配置所有这些,这样无论我是第一次还是第二次运行模板,我都不必执行任何手动步骤?
【问题讨论】:
-
你能提供你参考的文件吗?
标签: azure azure-active-directory azure-keyvault arm-template service-principal