This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

Use kubernetes-keyvault-flexvol in a deployment #63

Closed
rkja22 opened this issue Jan 25, 2019 · 3 comments · Fixed by #64

Comments

@rkja22

rkja22 commented Jan 25, 2019

I could get this working on a pod. But how can I use it in a deployment, where I will have multiple pods spread across nodes? Each pod has to access the volume that contains the key.

Is there any alternate solution for such a scenario?

Thanks

@ritazh
Member

ritazh commented Jan 26, 2019

@ramk22 Please take a look at #64. Let me know how this works for you.

@badalk

badalk commented Jan 26, 2019

Here is a working example

```yaml
apiVersion: apps/v1beta1
kind: Deployment
metadata:
  name: <servicename>
  namespace: <namespace>
spec:
  replicas: 2
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  minReadySeconds: 5
  template:
    metadata:
      labels:
        app: myappname
        aadpodidbinding: <selector mentioned in your AzureIdentityBinding>
        namespace: <namespace>
    spec:
      containers:
      - name: <anyname>
        image: <reference-to-image>
        imagePullPolicy: Always
        # mount the volume created below from key-vault flexvolume driver
        volumeMounts:
        - name: test
          mountPath: /etc/kvmnt
          readOnly: true
        ports:
        - name: http
          containerPort: 80
          protocol: TCP
        - name: https
          containerPort: 443
          protocol: TCP
        resources:
          requests:
            cpu: 100m
          limits:
            cpu: 200m
      volumes:
      - name: test
        flexVolume:
          driver: "azure/kv"
          options:
            usepodidentity: "true"                   # [OPTIONAL] if not provided, will default to "false"
            keyvaultname: "<keyvaultname>"           # the name of the KeyVault
            keyvaultobjectnames: "secret1;secret2"   # list of KeyVault object names (semi-colon separated)
            keyvaultobjecttypes: "secret;secret"     # list of KeyVault object types: secret, key or cert (semi-colon separated)
            keyvaultobjectversions: "47b45e##5d6###ae75####ddcf6;3c6c##########f0009693bee;"   # [OPTIONAL] list of KeyVault object versions (semi-colon separated), will get latest if empty
            resourcegroup: "<key vault resourcegroup name>"         # the resource group of the KeyVault
            subscriptionid: "########-####-####-####-############"  # the subscription ID of the KeyVault
            tenantid: "########-####-####-####-############"
```

Hope this helps
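Added example (not part of the thread or the flexvolume project): a small Python check of the things the manifest above gets right and that are easy to break when copying it, namely the semicolon-separated `keyvaultobject*` lists having matching lengths, no `<placeholder>` left unfilled, `usepodidentity` set, and every Key Vault mount being `readOnly`. The sample pod spec is constructed; names and IDs are made up.

```python
VALID_TYPES = {"secret", "key", "cert"}
REQUIRED = ("keyvaultname", "resourcegroup", "subscriptionid", "tenantid")

def split_list(value):
    # List options are ';'-separated; a trailing ';' (as in the
    # keyvaultobjectversions line above) must not count as an extra entry.
    return [v for v in (value or "").split(";") if v]

def check_kv_options(opts):
    """Return the problems found in one azure/kv 'options' mapping."""
    problems = [f"missing required option {k}" for k in REQUIRED if not opts.get(k)]
    problems += [f"{k} still holds the placeholder {v}" for k, v in opts.items()
                 if isinstance(v, str) and v.startswith("<") and v.endswith(">")]
    names = split_list(opts.get("keyvaultobjectnames"))
    types = split_list(opts.get("keyvaultobjecttypes"))
    versions = split_list(opts.get("keyvaultobjectversions"))
    if not names:
        problems.append("keyvaultobjectnames is empty")
    if len(types) != len(names):
        problems.append(f"{len(names)} object names but {len(types)} object types")
    if versions and len(versions) != len(names):
        problems.append(f"{len(names)} object names but {len(versions)} versions")
    problems += [f"unknown object type {t!r}" for t in types if t not in VALID_TYPES]
    if opts.get("usepodidentity", "false") != "true":
        problems.append("usepodidentity is not 'true' (the driver defaults it to false)")
    return problems

def check_pod_spec(pod_spec):
    """Check every azure/kv volume in a pod template spec and its mounts."""
    kv_volumes = {v["name"]: v["flexVolume"].get("options", {})
                  for v in pod_spec.get("volumes", [])
                  if v.get("flexVolume", {}).get("driver") == "azure/kv"}
    problems = [f"mount {m['mountPath']} of Key Vault volume {m['name']} is not readOnly"
                for c in pod_spec.get("containers", [])
                for m in c.get("volumeMounts", [])
                if m["name"] in kv_volumes and not m.get("readOnly")]
    for name, opts in kv_volumes.items():
        problems += [f"volume {name}: {p}" for p in check_kv_options(opts)]
    return problems

SAMPLE_SPEC = {  # constructed, modelled on the Deployment above
    "containers": [{"name": "app", "volumeMounts": [
        {"name": "test", "mountPath": "/etc/kvmnt", "readOnly": True}]}],
    "volumes": [{"name": "test", "flexVolume": {"driver": "azure/kv", "options": {
        "usepodidentity": "true", "keyvaultname": "example-kv", "resourcegroup": "example-rg",
        "keyvaultobjectnames": "secret1;secret2", "keyvaultobjecttypes": "secret;secret",
        "keyvaultobjectversions": "", "subscriptionid": "00000000-0000-0000-0000-000000000000",
        "tenantid": "00000000-0000-0000-0000-000000000000"}}}]}
```

Running `check_pod_spec` over the parsed `spec.template.spec` of a manifest (for example after `yaml.safe_load`) before applying it catches the length and placeholder mistakes that otherwise only surface as a failed mount on each replica.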

@rkja22
Author

rkja22 commented Jan 28, 2019

@ritazh That worked. Thank you.

@rkja22 rkja22 closed this as completed Jan 28, 2019