Azure Key Vault integration with AKS works for nginx tutorial Pod, but not actual project deployment


Problem description


Per the title, I have the integration working following the documentation.

I can deploy the nginx.yaml and after about 70 seconds I can print out secrets with:

kubectl exec -it nginx -- cat /mnt/secrets-store/secret1

Now I'm trying to apply it to a PostgreSQL deployment for testing and I get the following from the Pod description:

  Warning  FailedMount             3s    kubelet                  MountVolume.SetUp failed for volume "secrets-store01-inline" : rpc error: code = Unknown desc = failed to mount secrets store objects for pod staging/postgres-deployment-staging-69965ff767-8hmww, err: rpc error: code = Unknown desc = failed to mount objects, error: failed to get keyvault client: failed to get key vault token: nmi response failed with status code: 404, err: <nil>

And from the nmi logs:

E0221 22:54:32.037357       1 server.go:234] failed to get identities, error: getting assigned identities for pod staging/postgres-deployment-staging-69965ff767-8hmww in CREATED state failed after 16 attempts, retry duration [5]s, error: <nil>. Check MIC pod logs for identity assignment errors
I0221 22:54:32.037409       1 server.go:192] status (404) took 80003389208 ns for req.method=GET reg.path=/host/token/ req.remote=127.0.0.1

Not sure why since I basically copied the settings from the nginx.yaml into the postgres.yaml. Here they are:

# nginx.yaml
kind: Pod
apiVersion: v1
metadata:
  name: nginx
  namespace: staging
  labels:
    aadpodidbinding: aks-akv-identity-binding-selector
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
      - name: secrets-store01-inline
        mountPath: /mnt/secrets-store
        readOnly: true
  volumes:
    - name: secrets-store01-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aks-akv-secret-provider

# postgres.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-deployment-staging
  namespace: staging
  labels:
    aadpodidbinding: aks-akv-identity-binding-selector
spec:
  replicas: 1
  selector:
    matchLabels:
      component: postgres
  template:
    metadata:
      labels:
        component: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:13-alpine
          ports:
            - containerPort: 5432
          volumeMounts:
          - name: secrets-store01-inline
            mountPath: /mnt/secrets-store
            readOnly: true
          - name: postgres-storage-staging
            mountPath: /var/postgresql
      volumes:
        - name: secrets-store01-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: aks-akv-secret-provider
        - name: postgres-storage-staging
          persistentVolumeClaim:
            claimName: postgres-storage-staging

---
apiVersion: v1
kind: Service
metadata:
  name: postgres-cluster-ip-service-staging
  namespace: staging
spec:
  type: ClusterIP
  selector:
    component: postgres
  ports:
    - port: 5432
      targetPort: 5432

Suggestions for what the issue is here?

Solution

Oversight on my part... the aadpodidbinding should be in the template: per:

https://azure.github.io/aad-pod-identity/docs/best-practices/#deploymenthttpskubernetesiodocsconceptsworkloadscontrollersdeployment

The resulting YAML should be:

# postgres.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgres-deployment-production
  namespace: production
spec:
  replicas: 1
  selector:
    matchLabels:
      component: postgres
  template:
    metadata:
      labels:
        component: postgres
        aadpodidbinding: aks-akv-identity-binding-selector
    spec:
      containers:
        - name: postgres
          image: postgres:13-alpine
          ports:
            - containerPort: 5432
          env: 
            - name: POSTGRES_DB_FILE
              value: /mnt/secrets-store/DEV-PGDATABASE
            - name: POSTGRES_USER_FILE
              value: /mnt/secrets-store/DEV-PGUSER
            - name: POSTGRES_PASSWORD_FILE
              value: /mnt/secrets-store/DEV-PGPASSWORD
            - name: POSTGRES_INITDB_ARGS
              value: "-A md5"
            - name: PGDATA
              value: /var/postgresql/data
          volumeMounts:
          - name: secrets-store01-inline
            mountPath: /mnt/secrets-store
            readOnly: true
          - name: postgres-storage-production
            mountPath: /var/postgresql
      volumes:
        - name: secrets-store01-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: aks-akv-secret-provider
        - name: postgres-storage-production
          persistentVolumeClaim:
            claimName: postgres-storage-production
---
apiVersion: v1
kind: Service
metadata:
  name: postgres-cluster-ip-service-production
  namespace: production
spec:
  type: ClusterIP
  selector:
    component: postgres
  ports:
    - port: 5432
      targetPort: 5432
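
Added example, not part of the original question or answer: a small Python checker for exactly the mistake the answer describes. NMI matches the `aadpodidbinding` label on the pod, so a label on the Deployment object itself never reaches it; the check below walks a manifest, finds pod specs that mount a `secrets-store.csi.k8s.io` volume, and reports when the label is missing from `spec.template.metadata.labels` (including the case where it sits only on the Deployment metadata) or does not match any known `AzureIdentityBinding` selector. The two Deployments are the page's own `postgres.yaml` before and after the fix, transcribed into dicts; the `AzureIdentityBinding` object is an assumption (the page shows only its selector value).

```python
"""Verify that pod-identity workloads carry aadpodidbinding on the pod template.

Added example, not code from the original post. Manifests are passed as plain
dicts, so `json.load` of `kubectl get deploy -o json` works unchanged.
"""

SECRETS_STORE_DRIVER = "secrets-store.csi.k8s.io"
POD_IDENTITY_LABEL = "aadpodidbinding"
# Kinds whose pods come from spec.template; CronJob nests one level deeper.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_metadata_and_spec(obj):
    """Return (metadata, spec) of the pods an object creates, or (None, None)."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("metadata", {}), obj.get("spec", {})
    if kind in TEMPLATED_KINDS:
        tmpl = obj.get("spec", {}).get("template", {})
        return tmpl.get("metadata", {}), tmpl.get("spec", {})
    if kind == "CronJob":
        tmpl = obj.get("spec", {}).get("jobTemplate", {}).get("spec", {}).get("template", {})
        return tmpl.get("metadata", {}), tmpl.get("spec", {})
    return None, None


def uses_secrets_store(pod_spec):
    """True if the pod mounts an inline Secrets Store CSI volume."""
    return any(v.get("csi", {}).get("driver") == SECRETS_STORE_DRIVER
               for v in pod_spec.get("volumes", []))


def selectors_from(objs):
    """Collect spec.selector values of every AzureIdentityBinding in objs."""
    return {o["spec"]["selector"] for o in objs if o.get("kind") == "AzureIdentityBinding"}


def check_pod_identity_binding(obj, known_selectors):
    """Return a list of findings for obj; an empty list means it looks correct.

    NMI only issues a Key Vault token when the *pod's* aadpodidbinding label
    matches an AzureIdentityBinding selector, so the label is read from the pod
    template, never from the owning Deployment's metadata.
    """
    pod_meta, pod_spec = pod_metadata_and_spec(obj)
    if pod_spec is None or not uses_secrets_store(pod_spec):
        return []  # no secrets-store volume, no pod identity needed
    name = f"{obj.get('kind')}/{obj.get('metadata', {}).get('name')}"
    pod_label = pod_meta.get("labels", {}).get(POD_IDENTITY_LABEL)
    top_label = obj.get("metadata", {}).get("labels", {}).get(POD_IDENTITY_LABEL)
    if pod_label is None:
        if top_label is not None and obj.get("kind") != "Pod":
            return [f"{name}: {POD_IDENTITY_LABEL}={top_label} is on the {obj['kind']} "
                    "metadata but missing from spec.template.metadata.labels; pods will "
                    "fail with NMI 404 'failed to get key vault token'"]
        return [f"{name}: mounts {SECRETS_STORE_DRIVER} but has no {POD_IDENTITY_LABEL} label"]
    if pod_label not in known_selectors:
        return [f"{name}: {POD_IDENTITY_LABEL}={pod_label} matches no AzureIdentityBinding "
                f"selector in {sorted(known_selectors)}"]
    return []


# --- constructed sample objects, transcribed from the page's manifests ---------
CSI_VOLUME = {"name": "secrets-store01-inline",
              "csi": {"driver": SECRETS_STORE_DRIVER, "readOnly": True,
                      "volumeAttributes": {"secretProviderClass": "aks-akv-secret-provider"}}}
POSTGRES_CONTAINER = {"name": "postgres", "image": "postgres:13-alpine"}

# Assumed AzureIdentityBinding: the page only shows its selector value.
IDENTITY_BINDING = {"apiVersion": "aadpodidentity.k8s.io/v1", "kind": "AzureIdentityBinding",
                    "metadata": {"name": "aks-akv-identity-binding"},
                    "spec": {"azureIdentity": "aks-akv-identity",
                             "selector": "aks-akv-identity-binding-selector"}}

# The question's postgres.yaml: label on the Deployment, not on the pod template.
BROKEN_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "postgres-deployment-staging", "namespace": "staging",
                 "labels": {POD_IDENTITY_LABEL: "aks-akv-identity-binding-selector"}},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"component": "postgres"}},
             "template": {"metadata": {"labels": {"component": "postgres"}},
                          "spec": {"containers": [POSTGRES_CONTAINER], "volumes": [CSI_VOLUME]}}}}

# The answer's fix: label moved into spec.template.metadata.labels.
FIXED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "postgres-deployment-production", "namespace": "production"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"component": "postgres"}},
             "template": {"metadata": {"labels": {"component": "postgres",
                                                  POD_IDENTITY_LABEL: "aks-akv-identity-binding-selector"}},
                          "spec": {"containers": [POSTGRES_CONTAINER], "volumes": [CSI_VOLUME]}}}}

if __name__ == "__main__":
    selectors = selectors_from([IDENTITY_BINDING])
    for workload in (BROKEN_DEPLOYMENT, FIXED_DEPLOYMENT):
        for finding in check_pod_identity_binding(workload, selectors) or ["OK: " + workload["metadata"]["name"]]:
            print(finding)
```

Against a live cluster the same function can be driven from `kubectl get deploy,sts,ds,cronjob -A -o json` and `kubectl get azureidentitybinding -A -o json`, iterating over each list's `items`; the MIC log check the NMI error message points at becomes unnecessary once the label is confirmed to sit on the pod template and match a binding selector.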
