Tags: kubernetes-helm, azure-aks, azure-keyvault, akv2k8s

secret-inject@azurekeyvault waiting forever


I would like to use akv2k8s.io to add Key Vault secrets into Kubernetes using a Helm chart.

apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-sync 
  namespace: akv-test-butfa
spec:
  vault:
    name: akv2k8s-butfa # name of key vault
    object:
      name: myusername # name of the akv object
      type: secret # akv object type
  output: 
    secret: 
      name: my-secret-from-butfa # kubernetes secret name
      dataKey: secret-value # key to store object value in kubernetes secret

And my deployment file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: akvs-secret-app
  namespace: akv-test-butfa
  labels:
    app: akvs-secret-app
spec:
  selector:
    matchLabels:
      app: akvs-secret-app
  template:
    metadata:
      labels:
        app: akvs-secret-app
    spec:
      containers:
      - name: akv2k8s-env-test
        image: spvest/akv2k8s-env-test:2.0.1
        args: ["TEST_SECRET"]
        env:
        - name: TEST_SECRET
          value: "secret-inject@azurekeyvault" # ref to akvs

I have created a Key Vault named akv2k8s-butfa with a secret, and I have set permissions for it.

$kubectl -n akv-test get akvs
    NAME          VAULT                VAULT OBJECT   SECRET NAME   SYNCHED   AGE
    secret-sync   akv2k8s-test-butfa   mysecret                               6h26m

But I got this issue:

secret-inject@azurekeyvault
waiting forever...

This is what I see in the logs of the deployment.

Update:

State:          Waiting
  Reason:       CrashLoopBackOff
Last State:     Terminated
  Reason:       Error
  Exit Code:    1
  Started:      Fri, 29 Oct 2021 07:50:15 +0700
  Finished:     Fri, 29 Oct 2021 07:50:15 +0700
Ready:          False
Restart Count:  7
Environment Variables from:
  my-secret-from-butfa  Secret  Optional: false
Environment:            <none>



Solution

  • Funny, I also played with akv2k8s this week :)

    Did you create a role assignment for the kubelet identity to your keyvault?

    resource "azurerm_role_assignment" "akv_k8s_reader" {
      scope                = azurerm_key_vault.akv.id
      role_definition_name = "Key Vault Secrets User"
      principal_id         = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
    }
    

    or

    export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
    export AKV_ID=$(az keyvault show -g <resource group> -n <akv name> --query id -o tsv)
    az role assignment create --assignee $KUBE_ID --role "Key Vault Secrets User" --scope $AKV_ID
    

    NOTE: Your Azure KeyVault needs RBAC enabled.

    I also noticed that you only need this if you need the injector function:

    apiVersion: spv.no/v2beta1
    kind: AzureKeyVaultSecret
    metadata:
      name: secret-sync 
      namespace: akv-test-butfa
    spec:
      vault:
        name: akv2k8s-butfa # name of key vault
        object:
          name: myusername # name of the akv object
          type: secret # akv object 
    

    The output section in the AzureKeyVaultSecret is for using it as a secret sync, and then your pod manifest would look like this:

      envFrom:
      - secretRef:
          name: my-secret-from-butfa
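To make the sync-versus-inject distinction in the answer checkable, here is an added Python example; it is not code from the question, the answer or the akv2k8s project. It holds the question's two manifests as plain dicts (the shape a YAML loader returns), flags a pod that uses a `...@azurekeyvault` injector reference while its AzureKeyVaultSecret declares `spec.output` (sync mode), and parses the `kubectl get akvs` table from the question to compare the vault and object names the controller reports against the manifest. It goes slightly beyond the answer by also checking injector-mode pairing, under the assumed akv2k8s convention that the text before `@azurekeyvault` is the AzureKeyVaultSecret's name. The `make_deployment` helper, the finding strings and the realigned kubectl sample are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample data: the question's AzureKeyVaultSecret as the dict a
# YAML loader (e.g. yaml.safe_load) returns, so the example runs offline.
AKVS_SYNC = {
    "apiVersion": "spv.no/v2beta1",
    "kind": "AzureKeyVaultSecret",
    "metadata": {"name": "secret-sync", "namespace": "akv-test-butfa"},
    "spec": {
        "vault": {"name": "akv2k8s-butfa",
                  "object": {"name": "myusername", "type": "secret"}},
        "output": {"secret": {"name": "my-secret-from-butfa", "dataKey": "secret-value"}},
    },
}

def make_deployment(namespace: str, env=None, env_from=None) -> dict:
    """Constructed helper: minimal Deployment dict with one container."""
    container = {"name": "akv2k8s-env-test", "image": "spvest/akv2k8s-env-test:2.0.1"}
    if env:
        container["env"] = env
    if env_from:
        container["envFrom"] = env_from
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "metadata": {"name": "akvs-secret-app", "namespace": namespace},
            "spec": {"template": {"spec": {"containers": [container]}}}}

# The question's pod: an injector-style reference next to a sync-style AKVS.
DEPLOY_AS_POSTED = make_deployment(
    "akv-test-butfa", env=[{"name": "TEST_SECRET", "value": "secret-inject@azurekeyvault"}])
# The answer's fix for sync mode: consume the synced Kubernetes Secret via envFrom.
DEPLOY_SYNC_FIXED = make_deployment(
    "akv-test-butfa", env_from=[{"secretRef": {"name": "my-secret-from-butfa"}}])

def check_pairing(akvs: dict, deploy: dict) -> List[str]:
    """Cross-check one AzureKeyVaultSecret against the Deployment meant to consume it."""
    findings: List[str] = []
    akvs_name = akvs["metadata"]["name"]
    output_secret = akvs.get("spec", {}).get("output", {}).get("secret", {}).get("name")
    akvs_ns = akvs["metadata"].get("namespace", "default")
    dep_ns = deploy["metadata"].get("namespace", "default")
    if akvs_ns != dep_ns:
        findings.append(f"namespace mismatch: AKVS in {akvs_ns}, Deployment in {dep_ns}")
    for c in deploy["spec"]["template"]["spec"].get("containers", []):
        for e in c.get("env", []):
            value = str(e.get("value", ""))
            if not value.endswith("@azurekeyvault"):
                continue
            ref = value[: -len("@azurekeyvault")]
            if output_secret:  # sync mode: the pod should read the K8s Secret, not inject
                findings.append(f"{c['name']}: env {e['name']} uses injector reference "
                                f"'{value}' but the AKVS has spec.output (sync mode); "
                                f"use envFrom secretRef '{output_secret}' instead")
            elif ref != akvs_name:  # assumed injector convention: <akvs-name>@azurekeyvault
                findings.append(f"{c['name']}: injector reference '{ref}' does not match "
                                f"AKVS name '{akvs_name}'")
        for ef in c.get("envFrom", []):
            ref_name = ef.get("secretRef", {}).get("name")
            if ref_name and ref_name != output_secret:
                findings.append(f"{c['name']}: envFrom secretRef '{ref_name}' is not the "
                                f"AKVS output secret ({output_secret!r})")
    return findings

# Constructed to mirror the question's `kubectl get akvs` output, with columns
# realigned the way kubectl prints them (the widths matter for the parser).
KUBECTL_GET_AKVS = (
    "NAME" + " " * 10 + "VAULT" + " " * 16 + "VAULT OBJECT   SECRET NAME   SYNCHED   AGE\n"
    "secret-sync   akv2k8s-test-butfa   mysecret" + " " * 31 + "6h26m\n"
)

def parse_akvs_table(text: str) -> Dict[str, Dict[str, str]]:
    """Parse kubectl's fixed-width table by header column offsets (keeps empty cells)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    labels = re.split(r"\s{2,}", header.strip())
    starts, pos = [], 0
    for label in labels:
        pos = header.index(label, pos)
        starts.append(pos)
        pos += len(label)
    bounds = list(zip(starts, starts[1:] + [None]))
    table: Dict[str, Dict[str, str]] = {}
    for row in rows:
        rec = {lbl: row[a:b].strip() for lbl, (a, b) in zip(labels, bounds)}
        table[rec["NAME"]] = rec
    return table

def check_status(akvs: dict, table: Dict[str, Dict[str, str]]) -> List[str]:
    """Compare what the controller reports with what the manifest declares."""
    name = akvs["metadata"]["name"]
    row = table.get(name)
    if row is None:
        return [f"no AKVS named '{name}' in this namespace listing"]
    findings: List[str] = []
    vault = akvs["spec"]["vault"]
    if row["VAULT"] != vault["name"]:
        findings.append(f"cluster object points at vault '{row['VAULT']}', manifest says '{vault['name']}'")
    if row["VAULT OBJECT"] != vault["object"]["name"]:
        findings.append(f"cluster object reads '{row['VAULT OBJECT']}', manifest says '{vault['object']['name']}'")
    if not row["SYNCHED"]:
        findings.append("SYNCHED is empty: nothing synced yet; check the controller log and the "
                        "'Key Vault Secrets User' assignment for the kubelet identity")
    return findings

if __name__ == "__main__":
    for label, dep in (("as posted", DEPLOY_AS_POSTED), ("sync fixed", DEPLOY_SYNC_FIXED)):
        print(label, check_pairing(AKVS_SYNC, dep) or ["ok"])
    print("status", check_status(AKVS_SYNC, parse_akvs_table(KUBECTL_GET_AKVS)))
```

Run against the question's manifests, `check_pairing` reports the one structural problem the answer points at (an injector reference paired with a sync-mode AKVS), and `check_status` reports that the vault and object names shown by `kubectl get akvs` differ from the manifest and that nothing has been synced, which is where the role assignment from the answer comes in.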