works just fine for pod but doesn't work with deployment #2

Open
Farzad-Jalali opened this issue May 26, 2020 · 1 comment
Farzad-Jalali commented May 26, 2020

Dear Houssem,

Thank you for sharing your code.
It's really nice and I have to admit that I am impressed; please continue the good work.

I'm playing with your code (the one at the URL below), and it works just fine when you deploy your pods directly.
https://github.com/HoussemDellai/aks-keyvault/blob/master/commands-identity.ps1

But I noticed that when I use the "deployment kind" instead of the pod kind, something like the example below, it won't work:


kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-secrets-store
...

When I describe the pods to see what the error is, I see the output below:


Events:
  Type     Reason       Age        From                                        Message
  ----     ------       ----       ----                                        -------
  Normal   Scheduled    <unknown>  default-scheduler                           Successfully assigned default/nginx-secrets-store-7f648c9df6-sv2cr to aks-nodepool1-32392463-vmss000000
  Warning  FailedMount  37s        kubelet, aks-nodepool1-32392463-vmss000000  MountVolume.SetUp failed for volume "secrets-store-inline" : kubernetes.io/csi: mounter.SetupAt failed: rpc error: code = Unknown desc = error mounting secret time="2020-05-26T21:43:40Z" level=fatal msg="[error] : failed to get keyvaultClient: failed to get key vault token: nmi response failed with status code: 404" for pod: 1e6fc7fa-058c-480c-9a0f-66d6fce385bb, ns: default

Here is the deployment YAML:


kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-secrets-store
  labels:
    aadpodidbinding: azure-kv
    app: nginx-secrets-store
spec:
  selector:
    matchLabels:
      app: nginx-secrets-store
  template:
    metadata:
      labels:
        app: nginx-secrets-store
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: secret-provider-kv

Here is the full error:


TimCohn commented Sep 22, 2020

Try moving aadpodidbinding to be under spec/template/metadata/labels, like this:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: nginx-secrets-store
  labels:
    app: nginx-secrets-store
spec:
  selector:
    matchLabels:
      app: nginx-secrets-store
  template:
    metadata:
      labels:
        app: nginx-secrets-store
        aadpodidbinding: azure-kv
    spec:
      containers:
      - name: nginx
        image: nginx
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: secret-provider-kv
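The reason the fix above works is that aad-pod-identity's NMI resolves an identity from the labels on the pod that makes the token request; labels on the Deployment object itself are never copied to its pods, so the Key Vault provider gets a 404 from NMI. The following pre-deploy check is an added example for this thread, not code from HoussemDellai/aks-keyvault or from aad-pod-identity. It takes manifests in their parsed JSON form (what `kubectl get ... -o json` returns), flags an `aadpodidbinding` label that sits on the workload object instead of its pod template, flags a pod-level selector with no matching AzureIdentityBinding, and applies the remediation from the thread. The two Deployments are the ones posted above; the AzureIdentityBinding with selector `azure-kv` is assumed, since the thread only shows the label value.

```python
"""Check that an aad-pod-identity label is on the pod template, where NMI can see it."""
import copy
from typing import Any, Dict, List, Set

BINDING_LABEL = "aadpodidbinding"
SECRETS_STORE_DRIVER = "secrets-store.csi.k8s.io"
# Kinds whose pods are stamped from spec.template; CronJob nests one level deeper.
TEMPLATED_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}


def pod_template(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the object the kubelet actually runs (the pod or the pod template)."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest
    if kind in TEMPLATED_KINDS:
        return manifest["spec"]["template"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]
    raise ValueError(f"unsupported kind: {kind!r}")


def uses_secrets_store(template: Dict[str, Any]) -> bool:
    """True if the pod mounts an inline secrets-store CSI volume."""
    for volume in template.get("spec", {}).get("volumes", []) or []:
        if (volume.get("csi") or {}).get("driver") == SECRETS_STORE_DRIVER:
            return True
    return False


def binding_selectors(manifests: List[Dict[str, Any]]) -> Set[str]:
    """Collect spec.selector from every AzureIdentityBinding in a manifest list."""
    return {m["spec"]["selector"] for m in manifests
            if m.get("kind") == "AzureIdentityBinding" and "selector" in m.get("spec", {})}


def check_binding(manifest: Dict[str, Any], selectors: Set[str]) -> List[str]:
    """Return findings as strings; an empty list means NMI can match this workload."""
    kind, name = manifest.get("kind", "?"), manifest.get("metadata", {}).get("name", "?")
    template = pod_template(manifest)
    pod_labels = template.get("metadata", {}).get("labels", {}) or {}
    object_labels = manifest.get("metadata", {}).get("labels", {}) or {}
    pod_selector = pod_labels.get(BINDING_LABEL)
    if pod_selector is None:
        if BINDING_LABEL in object_labels:  # the mistake in the original Deployment
            return [f"{kind}/{name}: {BINDING_LABEL}={object_labels[BINDING_LABEL]} is on the "
                    f"{kind} metadata, not on spec.template.metadata.labels; pods do not inherit "
                    "it, so NMI has no identity for them (token request returns 404)"]
        if uses_secrets_store(template):
            return [f"{kind}/{name}: mounts a {SECRETS_STORE_DRIVER} volume but the pod "
                    f"template has no {BINDING_LABEL} label"]
        return []
    if pod_selector not in selectors:
        return [f"{kind}/{name}: {BINDING_LABEL}={pod_selector} matches no AzureIdentityBinding "
                f"selector (known: {sorted(selectors) or 'none'})"]
    return []


def fix_binding_label(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with the label moved onto the pod template (the fix from the thread)."""
    fixed = copy.deepcopy(manifest)
    if fixed.get("kind") == "Pod":  # on a bare Pod the label is already in the right place
        return fixed
    value = fixed.get("metadata", {}).get("labels", {}).pop(BINDING_LABEL, None)
    if value is not None:
        template = pod_template(fixed)  # reference into `fixed`, so setdefault mutates it
        template.setdefault("metadata", {}).setdefault("labels", {})[BINDING_LABEL] = value
    return fixed


# Parsed form of the Deployment posted in the issue: label on the wrong object.
BROKEN_DEPLOYMENT: Dict[str, Any] = {
    "kind": "Deployment", "apiVersion": "apps/v1",
    "metadata": {"name": "nginx-secrets-store",
                 "labels": {"aadpodidbinding": "azure-kv", "app": "nginx-secrets-store"}},
    "spec": {"selector": {"matchLabels": {"app": "nginx-secrets-store"}},
             "template": {"metadata": {"labels": {"app": "nginx-secrets-store"}},
                          "spec": {"containers": [{"name": "nginx", "image": "nginx"}],
                                   "volumes": [{"name": "secrets-store-inline",
                                                "csi": {"driver": SECRETS_STORE_DRIVER,
                                                        "readOnly": True,
                                                        "volumeAttributes": {
                                                            "secretProviderClass": "secret-provider-kv"}}}]}}},
}
# Assumed AzureIdentityBinding (not shown in the thread); only its selector matters here.
ASSUMED_BINDINGS: List[Dict[str, Any]] = [{
    "apiVersion": "aadpodidentity.k8s.io/v1", "kind": "AzureIdentityBinding",
    "metadata": {"name": "azure-kv-binding"},
    "spec": {"azureIdentity": "azure-kv-identity", "selector": "azure-kv"},
}]

if __name__ == "__main__":
    known = binding_selectors(ASSUMED_BINDINGS)
    for label, m in (("as posted", BROKEN_DEPLOYMENT), ("label moved", fix_binding_label(BROKEN_DEPLOYMENT))):
        findings = check_binding(m, known)
        print(f"{label}: {findings[0] if findings else 'OK'}")
```

Run against the manifest as posted it reports the misplaced label; after `fix_binding_label` (equivalent to the YAML in the reply above) it reports nothing. The third branch, a pod-level label whose value matches no AzureIdentityBinding selector, is the other common cause of the same 404, so it is worth checking in the same pass.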
