Add Helm Chart variables to mount the Custom Azure Environment File
To get the Azure KeyVault Provider working in air-gapped or on-prem Azure clouds, the Custom Azure Environment file needs to be mounted on the KeyVault Provider pods. This change adds new variables to the Helm chart that allow this Volume Mount to be created.

Fixes #444
chrisamert committed Mar 17, 2021
1 parent 3f1a6c0 commit 25491d2
Showing 5 changed files with 46 additions and 2 deletions.
@@ -65,6 +65,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `linux.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
| `linux.updateStrategy` | Configure a custom update strategy for the daemonset on linux nodes | `RollingUpdate with 1 maxUnavailable` |
| `linux.privileged` | Enable privileged mode for Linux **daemonset** | `false` |
| `linux.cloudEnvFileHostPath` | The path on the host to the custom cloud environment file. This is needed only when running in Custom Azure Environments. | `""` |
| `linux.cloudEnvFileMountPath` | The path on the Pod to mount the custom cloud environment file. This is needed only when running in Custom Azure Environments.| `""` |
| `windows.enabled` | Install azure keyvault provider on windows nodes | false |
| `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` |
| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
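Review bot: the descriptions of `linux.cloudEnvFileHostPath` and `linux.cloudEnvFileMountPath` should say that both must be set together, because the daemonset template only creates the volume and the mount when both values are non-empty; setting just one silently produces no mount and no error. Minor: the `linux.cloudEnvFileMountPath` row is missing the space before the closing `|`.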
@@ -76,6 +78,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `windows.podAnnotations` | Additional pod annotations | `{}` |
| `windows.priorityClassName` | Indicates the importance of a Pod relative to other Pods. | `""` |
| `windows.updateStrategy` | Configure a custom update strategy for the daemonset on windows nodes | `RollingUpdate with 1 maxUnavailable` |
| `windows.cloudEnvFileHostPath` | The path on the host to the custom cloud environment file. This is needed only when running in Custom Azure Environments. | `""` |
| `windows.cloudEnvFileMountPath` | The path on the Pod to mount the custom cloud environment file. This is needed only when running in Custom Azure Environments.| `""` |
| `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true |
| `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true |
| `secrets-store-csi-driver.linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
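Review bot: the `windows.cloudEnvFileHostPath` and `windows.cloudEnvFileMountPath` rows should state that the two values are only honoured as a pair (the Windows daemonset template gates the volume on both being set), and the `windows.cloudEnvFileMountPath` row is missing the space before its closing `|`.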
@@ -62,6 +62,11 @@ spec:
- name: mountpoint-dir
mountPath: "C:\\var\\lib\\kubelet\\pods"
mountPropagation: HostToContainer
{{- if and (.Values.windows.cloudEnvFileHostPath) (.Values.windows.cloudEnvFileMountPath)}}
- name: cloudenvfile-vol
mountPath: "{{.Values.windows.cloudEnvFileMountPath}}"
subPath: "{{base .Values.windows.cloudEnvFileHostPath}}"
{{- end}}
{{- if .Values.windows.priorityClassName }}
priorityClassName: {{ .Values.windows.priorityClassName | quote }}
{{- end }}
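Review bot: `subPath: "{{base .Values.windows.cloudEnvFileHostPath}}"` does not split a Windows-style path. Helm's `base` and `dir` are Go's `path.Base` and `path.Dir`, which only recognise `/` as a separator, so a value such as `C:\cloud\env.json` gives a `subPath` equal to the whole string and a `dir` of `.`, and the mount fails. Either document that the value must be written with forward slashes (`C:/cloud/env.json`) or reject backslashes in the template with `fail`.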
@@ -73,6 +78,11 @@ spec:
- name: mountpoint-dir
hostPath:
path: C:\var\lib\kubelet\pods\
{{- if and (.Values.windows.cloudEnvFileHostPath) (.Values.windows.cloudEnvFileMountPath)}}
- name: cloudenvfile-vol
hostPath:
path: "{{dir .Values.windows.cloudEnvFileHostPath}}"
{{- end}}
nodeSelector:
kubernetes.io/os: windows
{{- if .Values.windows.nodeSelector }}
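Review bot: the new `hostPath` volume sets no `type`, so a mistyped `windows.cloudEnvFileHostPath` is not validated when the pod is created; the pod starts normally and the provider only fails later when it tries to read its environment file. Adding `type: Directory` here (or pointing the volume at the file itself with `type: File`) makes a wrong path fail at pod creation, where it is much easier to diagnose.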
@@ -71,6 +71,11 @@ spec:
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: HostToContainer
{{- if and (.Values.linux.cloudEnvFileHostPath) (.Values.linux.cloudEnvFileMountPath)}}
- name: cloudenvfile-vol
mountPath: "{{.Values.linux.cloudEnvFileMountPath}}"
subPath: "{{base .Values.linux.cloudEnvFileHostPath}}"
{{- end}}
{{- if .Values.linux.priorityClassName }}
priorityClassName: {{ .Values.linux.priorityClassName | quote }}
{{- end }}
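Review bot: the `cloudenvfile-vol` mount should be `readOnly: true`. The provider only reads the environment file, and a read-write mount lets a compromised provider container alter a file on the host that every later provider pod on that node trusts for its cloud endpoints. Suggest adding `readOnly: true` under the `subPath` line (the same applies to the Windows template).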
@@ -81,6 +86,11 @@ spec:
- name: mountpoint-dir
hostPath:
path: "/var/lib/kubelet/pods"
{{- if and (.Values.linux.cloudEnvFileHostPath) (.Values.linux.cloudEnvFileMountPath)}}
- name: cloudenvfile-vol
hostPath:
path: "{{dir .Values.linux.cloudEnvFileHostPath}}"
{{- end}}
nodeSelector:
kubernetes.io/os: linux
{{- if .Values.linux.nodeSelector }}
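Review bot: the volume is the parent directory (`path: "{{dir .Values.linux.cloudEnvFileHostPath}}"`) rather than the file. The `subPath` on the mount hides the sibling files from the container, but the pod still holds a hostPath volume over the whole directory. Pointing the hostPath at the file itself with `type: File` (and dropping the `subPath`) limits the volume to the one file the provider needs and also makes a missing file fail at pod creation instead of producing an empty mount.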
@@ -41,6 +41,8 @@ linux:
# If provided, the userAgent string will be appended to the
# AKV provider user agents for all adal and keyvault requests.
customUserAgent: ""
cloudEnvFileHostPath: ""
cloudEnvFileMountPath: ""

windows:
image:
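Review bot: the two new keys are the only ones in this block without a comment; `customUserAgent` just above documents its purpose. Add a short comment stating that `cloudEnvFileHostPath` is the file on the node, `cloudEnvFileMountPath` is where it appears inside the provider pod, that the two must be set together for the mount to be created, and that this is needed only for custom (air-gapped or on-prem) Azure environments.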
@@ -67,6 +69,8 @@ windows:
# If provided, the userAgent string will be appended to the
# AKV provider user agents for all adal and keyvault requests.
customUserAgent: ""
cloudEnvFileHostPath: ""
cloudEnvFileMountPath: ""

## Configuration values for the secrets-store-csi-driver dependency.
## ref: https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md
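Review bot: the Windows `cloudEnvFileHostPath` / `cloudEnvFileMountPath` keys need a comment like the neighbouring `customUserAgent` line, and this is the place to tell users that the host path must be written with forward slashes, because the template splits it with Helm's `base` and `dir`, which do not treat `\` as a separator.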
20 changes: 18 additions & 2 deletions website/content/en/configurations/custom-environments.md
@@ -7,15 +7,31 @@ description: >
Pull secret content from KeyVault instances hosted on air-gapped and/or on-prem Azure clouds
---

In order to pull secret content from Keyvault instances hosted on air-gapped and/or on-prem Azure clouds, your `SecretProviderClass` resource must include the following:
In order to pull secret content from Keyvault instances hosted on air-gapped and/or on-prem Azure clouds, there are two steps needed

1. Mount the Custom Cloud Environment file to the Azure KeyVault Provider Pods
2. Configure the Secret Provider Class

## Mount Custom Cloud Environment File

The Custom Cloud Environment file is a JSON file that contains the custom cloud environment details that [azure-sdk-for-go](https://github.com/Azure/azure-sdk-for-go) needs to interact with the target Keyvault instance. Typically, the custom cloud environment file is stored in the file system of the Kubernetes node and made accessible to the Azure Key Vault provider pods through a mounted volume.

If you are installing the Azure KeyVault Provider via Helm charts, set the following values to mount the Environment File

- `windows.cloudEnvFileMountPath` / `linux.cloudEnvFileMountPath` - The path on the Kubernetes Host node to the Environment file
- `linux.cloudEnvFileMountPath` / `windows.cloudEnvFileMountPath` - The location to mount the file on the Azure KeyVault Provider pods

## Update Secret Provider class

The `SecretProviderClass` resource must include the following:

```yaml
parameters:
cloudName: "AzureStackCloud"
cloudEnvFileName: "/path/to/custom/environment.json"
```

Parameter `cloudEnvFileName` should be the path to a JSON file that contains the custom cloud environment details that [azure-sdk-for-go](https://github.com/Azure/azure-sdk-for-go) needs to interact with the target Keyvault instance. Typically, the custom cloud environment file is stored in the file system of the Kubernetes node and accessible to the Azure Key Vault provider pods through a mounted volume.
The `cloudEnvFileName` parameter should match the `cloudEnvFileMountPath` that was set in the previous step.

Even if the target cloud is not an Azure Stack Hub cloud, cloud name must be set to `"AzureStackCloud"` to signal `azure-sdk-for-go` to load the custom cloud environment details from `cloudEnvFileName`.
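Review bot: the first bullet under "Mount Custom Cloud Environment File" names the wrong keys: `windows.cloudEnvFileMountPath` / `linux.cloudEnvFileMountPath` is described as "The path on the Kubernetes Host node", but that is `windows.cloudEnvFileHostPath` / `linux.cloudEnvFileHostPath`; as written both bullets point at the mount-path key and the host-path key is never documented. Also worth stating that both values must be set for the volume to be created, since the templates gate on both. Minor: "there are two steps needed" and "set the following values to mount the Environment File" each need a colon or full stop.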


0 comments on commit 25491d2
