Add Helm Chart variables to mount the Custom Azure Environment File
To get the Azure KeyVault Provider working in air-gapped or on-prem Azure clouds, the Custom Azure Environment file needs to be mounted on the KeyVault Provider pods. This change adds new variables to the Helm chart that allow this Volume Mount to be created.

Fixes #444
chrisamert committed Apr 5, 2021
1 parent 8031a9c commit 27e7f7c
Showing 5 changed files with 52 additions and 2 deletions.
Expand Up @@ -70,6 +70,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `linux.healthzPort` | port for health check | `"8989"` |
| `linux.healthzPath` | path for health check | `"/healthz"` |
| `linux.healthzTimeout` | RPC timeout for health check | `"5s"` |
| `linux.volumes` | Additional volumes to create for the KeyVault provider pods. | `[]` |
| `linux.volumeMounts` | Additional volumes to mount on the KeyVault provider pods. | `[]` |
| `windows.enabled` | Install azure keyvault provider on windows nodes | false |
| `windows.image.repository` | Windows image repository | `mcr.microsoft.com/oss/azure/secrets-store/provider-azure` |
| `windows.image.pullPolicy` | Windows image pull policy | `IfNotPresent` |
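Review bot: the descriptions for `linux.volumes` and `linux.volumeMounts` should say that the entries are rendered verbatim into the provider DaemonSet pod spec (the templates pass them through `toYaml`), so each item must be a valid Pod spec `volumes` / `volumeMounts` entry, and a link to the custom-environments page added in this commit would tell readers why the values exist. Suggested wording: "Additional Pod spec `volumes` entries to add to the KeyVault provider pods, e.g. for the custom cloud environment file (see Custom Environments)."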
Expand All @@ -85,6 +87,8 @@ The following table lists the configurable parameters of the csi-secrets-store-p
| `windows.healthzPort` | port for health check | `"8989"` |
| `windows.healthzPath` | path for health check | `"/healthz"` |
| `windows.healthzTimeout` | RPC timeout for health check | `"5s"` |
| `windows.volumes` | Additional volumes to create for the KeyVault provider pods. | `[]` |
| `windows.volumeMounts` | Additional volumes to mount on the KeyVault provider pods. | `[]` |
| `secrets-store-csi-driver.install` | Install secrets-store-csi-driver with this chart | true |
| `secrets-store-csi-driver.linux.enabled` | Install secrets-store-csi-driver on linux nodes | true |
| `secrets-store-csi-driver.linux.kubeletRootDir` | Configure the kubelet root dir | `/var/lib/kubelet` |
Expand Up @@ -64,6 +64,9 @@ spec:
- name: mountpoint-dir
mountPath: "C:\\var\\lib\\kubelet\\pods"
mountPropagation: HostToContainer
{{- if .Values.windows.volumeMounts }}
{{- toYaml .Values.windows.volumeMounts | nindent 12 }}
{{- end}}
{{- if .Values.windows.priorityClassName }}
priorityClassName: {{ .Values.windows.priorityClassName | quote }}
{{- end }}
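Review bot: `{{- end}}` on the new block is missing the space before `}}` that the neighbouring `{{- end }}` lines use; make it `{{- end }}` for consistency. The `if` guard is not cosmetic: with the `[]` default, an unguarded `toYaml` would emit a literal `[]` after the existing `- name: mountpoint-dir` entry and break the list, so keep it. Also worth confirming with a rendered `helm template` that `nindent 12` lands on the same column as `- name: mountpoint-dir`, since the indentation is not visible here.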
Expand All @@ -75,6 +78,9 @@ spec:
- name: mountpoint-dir
hostPath:
path: C:\var\lib\kubelet\pods\
{{- if .Values.windows.volumes }}
{{- toYaml .Values.windows.volumes | nindent 8 }}
{{- end}}
nodeSelector:
kubernetes.io/os: windows
{{- if .Values.windows.nodeSelector }}
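Review bot: this passes whatever the user puts in `windows.volumes` straight into a DaemonSet that already mounts the kubelet pods directory from the host, so arbitrary `hostPath` entries will be honoured. A one-line comment in the template (or the values file) saying that this is intended for the custom cloud environment file, and that any admission policy restricting `hostPath` on this DaemonSet must permit the chosen path, would help operators. Spacing nit: `{{- end}}` should be `{{- end }}` like the surrounding blocks, and `nindent 8` should be checked against the column of `- name: mountpoint-dir` under `volumes`.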
Expand Up @@ -69,6 +69,9 @@ spec:
- name: mountpoint-dir
mountPath: /var/lib/kubelet/pods
mountPropagation: HostToContainer
{{- if .Values.linux.volumeMounts }}
{{- toYaml .Values.linux.volumeMounts | nindent 12 }}
{{- end}}
{{- if .Values.linux.priorityClassName }}
priorityClassName: {{ .Values.linux.priorityClassName | quote }}
{{- end }}
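Review bot: this block is identical to the one added to the Windows template apart from the `.Values.linux` prefix, and the same holds for the `volumes` block further down; consider a named template (`{{- define ... }}`) that takes the per-OS values so the two copies cannot drift. Spacing nit: `{{- end}}` vs the surrounding `{{- end }}`.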
Expand All @@ -79,6 +82,9 @@ spec:
- name: mountpoint-dir
hostPath:
path: "/var/lib/kubelet/pods"
{{- if .Values.linux.volumes }}
{{- toYaml .Values.linux.volumes | nindent 8 }}
{{- end}}
nodeSelector:
kubernetes.io/os: linux
{{- if .Values.linux.nodeSelector }}
Expand Up @@ -44,6 +44,8 @@ linux:
healthzPort: 8989
healthzPath: "/healthz"
healthzTimeout: "5s"
volumes: []
volumeMounts: []

windows:
image:
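Review bot: `volumes: []` and `volumeMounts: []` are added without a comment, while the rest of the file documents sections with `##` comments (see the `## Configuration values for the secrets-store-csi-driver dependency` block below). Add a short `##` comment above them stating their purpose (mounting the custom cloud environment file) and that entries are Pod spec `volumes` / `volumeMounts` items; the same applies to the `windows` copy.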
Expand Down Expand Up @@ -73,6 +75,8 @@ windows:
healthzPort: 8989
healthzPath: "/healthz"
healthzTimeout: "5s"
volumes: []
volumeMounts: []

## Configuration values for the secrets-store-csi-driver dependency.
## ref: https://github.com/kubernetes-sigs/secrets-store-csi-driver/tree/master/charts/secrets-store-csi-driver/README.md
34 changes: 32 additions & 2 deletions website/content/en/configurations/custom-environments.md
Expand Up @@ -7,15 +7,45 @@ description: >
Pull secret content from KeyVault instances hosted on air-gapped and/or on-prem Azure clouds
---

In order to pull secret content from Keyvault instances hosted on air-gapped and/or on-prem Azure clouds, your `SecretProviderClass` resource must include the following:
In order to pull secret content from Keyvault instances hosted on air-gapped and/or on-prem Azure clouds, there are two steps needed

1. Mount the Custom Cloud Environment file to the Azure KeyVault Provider Pods
2. Configure the Secret Provider Class

## Mount Custom Cloud Environment File

The Custom Cloud Environment file is a JSON file that contains the custom cloud environment details that [azure-sdk-for-go](https://github.com/Azure/azure-sdk-for-go) needs to interact with the target Keyvault instance. Typically, the custom cloud environment file is stored in the file system of the Kubernetes node and made accessible to the Azure Key Vault provider pods through a mounted volume.

If you are installing the Azure KeyVault Provider via Helm charts, set the following values to mount the Environment File

- `linux.volumes` / `windows.volumes` - A volume that contains the custom cloud environment file
- `linux.volumeMounts` / `windows.volumeMounts` - A volume mount allowing the KeyVault provider pod to access the custom cloud environment file

Example:

```yaml
linux:
volumes:
- name: cloudenvfile-vol
hostPath:
path: "/etc/kubernetes"
volumeMounts:
- name: cloudenvfile-vol
mountPath: "/cloudEnv/myCustomEnvironmentFile.json"
subPath: "myCustomEnvironmentFile.json"
```

## Update Secret Provider class

The `SecretProviderClass` resource must include the following:

```yaml
parameters:
cloudName: "AzureStackCloud"
cloudEnvFileName: "/path/to/custom/environment.json"
```

Parameter `cloudEnvFileName` should be the path to a JSON file that contains the custom cloud environment details that [azure-sdk-for-go](https://github.com/Azure/azure-sdk-for-go) needs to interact with the target Keyvault instance. Typically, the custom cloud environment file is stored in the file system of the Kubernetes node and accessible to the Azure Key Vault provider pods through a mounted volume.
The `cloudEnvFileName` parameter should match the volumeMount that was configured in the previous step.

Even if the target cloud is not an Azure Stack Hub cloud, cloud name must be set to `"AzureStackCloud"` to signal `azure-sdk-for-go` to load the custom cloud environment details from `cloudEnvFileName`.

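Review bot: the two examples disagree on the one value the text says must match: the Helm example mounts the file at `/cloudEnv/myCustomEnvironmentFile.json`, but the `SecretProviderClass` snippet uses `/path/to/custom/environment.json`. Use the same path in both and state explicitly that `cloudEnvFileName` is the in-pod `mountPath`, not the node path under `/etc/kubernetes`. The `hostPath` example also exposes the whole `/etc/kubernetes` directory to the provider pod and only narrows it with `subPath`; pointing `hostPath.path` at the file itself with `type: File` keeps the pod's volume spec limited to the environment file. Minor wording: "there are two steps needed" needs a colon, "Provider Pods" should be "provider pods", the heading "Update Secret Provider class" should capitalise "Class" to match the other headings, and "Keyvault" / "KeyVault" / "Key Vault" are mixed throughout.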

0 comments on commit 27e7f7c