azure keyvault secrets provider

패스워드 같은 민감한 정보들은 yaml에 직접 사용하는게 아닌 keyvault에서 불러오기 위함

 

 

az command로 provider를 활성화 합니다.

az aks addon enable --addon azure-keyvault-secrets-provider -n AKS-DevOps -g devops

 

keyvault를 생성하고 secret를 생성합니다.
[ RBAC 기반으로 만듭니다 --enable-rbac-authorization true ]

 

KV=aks-test01
SECRET1=password1
VALUE1=123
SECRET2=password2
VALUE2=123
k8sRG=K8S
storageRG=storage
CLUSTER=Backend-Test
region=KoreaCentral

az aks addon enable --addon azure-keyvault-secrets-provider -n $CLUSTER -g $k8sRG

az keyvault create --name $KV --resource-group $storageRG --location $region \
    --enable-rbac-authorization true
 
SUBSCRIPTION_ID=$(az account show --query id -o tsv)

# 로그인 되어 있는 계정의 ID를 가져와서 Keyvault에 권한을 넣습니다.
USER_OBJECT_ID=$(az ad signed-in-user show --query id -o tsv)

az role assignment create --assignee-object-id $USER_OBJECT_ID --role "Key Vault Administrator" \
    --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$storageRG/providers/Microsoft.KeyVault/vaults/$KV

az keyvault secret set --vault-name $KV --name $SECRET1 --value $VALUE1
az keyvault secret set --vault-name $KV --name $SECRET2 --value $VALUE2

 

 

aks 리소스 그룹의 ID를 가져오고, 해당 ID를 사용할 keyvault에 비밀 관리자로 권한 부여 합니다.

resourceGroupID=$(az identity show -g Backend-Test_KoreaCentral \
                   --name azurekeyvaultsecretsprovider-Backend-Test \
                   --query principalId -o tsv)
    
az role assignment create --assignee-object-id $resourceGroupID \
   --role "Key Vault Administrator"  --scope /subscriptions/$sub/resourceGroups/$storageRG/providers/Microsoft.KeyVault/vaults/$KV

 

SecretProviderClass에서 사용할 userAssignedIdentityID를 가져옵니다

az aks show -g $k8sRG -n $CLUSTER \
    --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv

 

SecretProviderClass를 생성 합니다.

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname-system-msi
spec:
  provider: azure
  secretObjects:
  - secretName: password
    type: Opaque
    data:
    - objectName: "password1"
      key: password
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"    
    userAssignedIdentityID: "{id}"     
    keyvaultName: aks
    cloudName: "AzurePublicCloud"                   
    objects:  |
      array:
        - |
          objectName: password1
          objectType: secret        
          objectVersion: ""        
    tenantId: xxxxxxxxxxxxxxxxxxxxxxxxx
    resourceGroup: "storage"  
    subscriptionId: "{sub}"

 

[sample] Deployment를 생성 합니다.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: secretpods
  name: secretpods
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secretpods
  template:
    metadata:
      labels:
        app: secretpods
    spec:
      containers:
      - image: ubuntu:latest
        name: ubuntu
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "while true; do sleep 30; done;" ]
        env:
        - name: password
          valueFrom:
            secretKeyRef:
              name: password
              key: password1
        volumeMounts:
          - name:  secret-store
            mountPath:  "mnt/secret-store"
            readOnly: true
      volumes:
        - name:  secret-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: "azure-kvname-system-msi"

 

결과 확인