
Create imagePullSecrets from Azure key vault


To preface, I am new to leveraging Kubernetes in Azure, so I might get some terms wrong. Sorry in advance.

I have been attempting to find a way to create Kubernetes secret objects that are populated with values from Azure key vault (AKV) in Azure Kubernetes services (AKS). The goal is to be able to create an imagePullSecret using values populated from AKV to allow my cluster to pull *images* from an Azure container registry (ACR). I have tested this out with manual creation and got it working, but am open to other solutions to integrating AKS and ACR.

I have found several articles pointing out that I can manage secrets from AKV by using the API secrets-store.csi.x-k8s.io/v1. I attempted to find a way to leverage this, but these appear to be secrets that can be mounted by a pod and not leveraged by the AKS management layer.

Whenever I attempt to search for a way to generate Kubernetes imagePullSecrets, I always find either the API above or manual secret creation. At this point, I am starting to think it is not possible to create the imagePullSecrets with a Kubernetes manifest file. If it is possible, a link to documentation would be appreciated. If the mentioned API can achieve the desired goal, I might need help understanding how to leverage it for this task.

TLDR: Can I create a Kubernetes secret object without the need for pods in AKS using AKV?
Alternatively, is there another integration solution for AKS and ACR that would avoid the need for manual linkage creation?

Edit: Changed secret to image


Solution

  • No, the secret CSI always needs a pod to create Kubernetes secrets.

    Yes, you can easily attach your ACR to your AKS by leveraging the Kubelet identity to pull images from your ACR. You just need to export the Identity and add a Role Assignment on your ACR (for an existing ACR and AKS):

    export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
    export ACR_ID=$(az acr show -g <resource group> -n <acr name> --query id -o tsv)
    az role assignment create --assignee $KUBE_ID --role "AcrPull" --scope $ACR_ID
    

    For a new AKS simply run:

    MYACR=myContainerRegistry
    az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic
    az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr $MYACR
    

    This can also be done with IaC like Bicep or Terraform (just create the Role Assignment on the Kubelet Identity).

    Here you can also find the documentation.
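The IaC variant mentioned above, as an added Bicep example that is not part of the original answer: it grants only the built-in AcrPull role (least privilege for image pulls) to the kubelet identity of an existing AKS cluster on an existing ACR. It assumes both resources live in the resource group the deployment targets; the parameter names and API versions are my choices, not taken from the page.

```bicep
// Added example (not from the original answer): AcrPull for the AKS kubelet identity.
// Assumes the AKS cluster and the ACR are in the deployment's resource group.
param aksClusterName string
param acrName string

// Well-known role definition ID of the built-in "AcrPull" role.
// Pull-only scope: the cluster can read images but cannot push or manage the registry.
var acrPullRoleDefinitionId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '7f951dda-4ed3-4680-a7ca-43fe172d538d'
)

// Reference the existing cluster; its kubelet identity object ID is read at deploy time,
// which replaces the manual `az aks show --query identityProfile.kubeletidentity.objectId`.
resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' existing = {
  name: aksClusterName
}

// Reference the existing registry so the assignment can be scoped to it alone,
// not to the whole resource group or subscription.
resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: acrName
}

// Deterministic assignment name so re-deployments are idempotent instead of
// creating duplicate assignments.
resource acrPullAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, aks.id, acrPullRoleDefinitionId)
  scope: acr
  properties: {
    roleDefinitionId: acrPullRoleDefinitionId
    principalId: aks.properties.identityProfile.kubeletidentity.objectId
    // Managed identities are service principals; stating the type avoids the
    // replication-delay failure when the assignment is created right after the identity.
    principalType: 'ServicePrincipal'
  }
}

// Exposed for verification against `az role assignment list --scope <acr id>`.
output kubeletIdentityObjectId string = aks.properties.identityProfile.kubeletidentity.objectId
output roleAssignmentId string = acrPullAssignment.id
```

Deploy with `az deployment group create -g <resource group> -f main.bicep -p aksClusterName=<aks cluster name> acrName=<acr name>`; the deploying principal needs permission to create role assignments on the registry (for example Owner or User Access Administrator), which is separate from the cluster's own permissions.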