
AKS Learn feedback: Reference to secret Object needs a correction #103

SatishNaidi opened this issue Nov 30, 2024 · 0 comments
Type of issue

Code doesn't work

Feedback

In the section "Use the following manifest to deploy SecretProviderClass to provide Azure Key Vault specific parameters to the CSI driver", the `type` under `secretObjects` needs a correction from 'tls' to 'kubernetes.io/tls', and the keys should reference tls.key and tls.crt, as the Gateway object in Istio refers to Kubernetes TLS secrets with those exact names.

Refer below for an example that worked for me.

```bash
cat <<EOF | kubectl apply -f -
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: productpage-credential-spc
  namespace: aks-istio-ingress
spec:
  provider: azure
  secretObjects:
  - secretName: productpage-credential
    type: kubernetes.io/tls
    data:
    - objectName: test-productpage-bookinfo-key
      key: tls.key
    - objectName: test-productpage-bookinfo-crt
      key: tls.crt
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: $CLIENT_ID
    keyvaultName: $AKV_NAME
    cloudName: ""
    objects:  |
      array:
        - |
          objectName: test-productpage-bookinfo-key
          objectType: secret
          objectAlias: "test-productpage-bookinfo-key"
        - |
          objectName: test-productpage-bookinfo-crt
          objectType: secret
          objectAlias: "test-productpage-bookinfo-crt"
    tenantId: $TENANT_ID
EOF
```

Adding another example as well, in case anyone wants to refer to the cert directly from Key Vault, as this took a good amount of time for me to figure out.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: productpage-credential-spc
  namespace: aks-istio-ingress
spec:
  provider: azure
  secretObjects:
  - secretName: productpage-credential
    type: kubernetes.io/tls
    data:
    - objectName: istio-pfx-secret
      key: tls.key
    - objectName: istio-pfx-cert
      key: tls.crt
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: $CLIENT_ID
    keyvaultName: $AKV_NAME
    cloudName: ""
    objects:  |
      array:
        - |
          objectName: istio-pfx  # Cert name from Key Vault
          objectType: secret  # https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access?tabs=azure-portal&pivots=access-with-a-user-assigned-managed-identity#obtain-certificates-and-keys
          objectAlias: "istio-pfx-secret"
        - |
          objectName: istio-pfx  # Cert name from Key Vault
          objectType: cert
          objectAlias: "istio-pfx-cert"
    tenantId: XXXX
```

Page URL

https://learn.microsoft.com/en-us/azure/aks/istio-secure-gateway

Content source URL

https://github.com/MicrosoftDocs/azure-aks-docs/blob/main/articles/aks/istio-secure-gateway.md

Author

@deveshdama

Document Id

71845395-d208-2c49-ac6d-8376713f2607
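A small pre-apply check for the two wiring mistakes the issue describes, added here as an illustration and not part of the issue or the AKS docs: the synced Secret must be `type: kubernetes.io/tls` with keys exactly `tls.key` and `tls.crt`, and every `objectName` under `secretObjects` must match something the `parameters.objects` array actually mounts (its `objectAlias`, or `objectName` when no alias is set). The `OBJECTS` string and the manifests built by `make_spc` are constructed samples modelled on the second example above; the inner `objects:` YAML is parsed by a hand-rolled line parser so the check runs without PyYAML.

```python
# Constructed sample of the `objects:` parameter: the inner YAML the Azure provider reads.
OBJECTS = """array:
  - |
    objectName: istio-pfx
    objectType: secret
    objectAlias: "istio-pfx-secret"
  - |
    objectName: istio-pfx
    objectType: cert
    objectAlias: "istio-pfx-cert"
"""

def make_spc(secret_type, key_name, crt_name, key_object="istio-pfx-secret"):
    """Build a constructed SecretProviderClass as the dict a YAML loader would return."""
    return {"spec": {"provider": "azure", "parameters": {"objects": OBJECTS},
            "secretObjects": [{"secretName": "productpage-credential", "type": secret_type,
                               "data": [{"objectName": key_object, "key": key_name},
                                        {"objectName": "istio-pfx-cert", "key": crt_name}]}]}}

def parse_objects_param(text):
    """Line parser for the flat `array:` of `- |` blocks (no PyYAML needed); strips '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "array:":
            continue
        if line.startswith("- |"):
            entries.append({})
            continue
        key, _, value = line.partition(":")
        entries[-1][key.strip()] = value.strip().strip('"')
    return entries

def validate_tls_spc(spc):
    """Return the list of wiring problems; an empty list means the manifest is consistent."""
    problems = []
    # Names the driver will mount: objectAlias when set, otherwise objectName.
    mounted = {o.get("objectAlias") or o["objectName"]
               for o in parse_objects_param(spc["spec"]["parameters"]["objects"])}
    for secret in spc["spec"]["secretObjects"]:
        name = secret["secretName"]
        if secret.get("type") != "kubernetes.io/tls":
            problems.append(f"{name}: type must be kubernetes.io/tls, got {secret.get('type')!r}")
        keys = {d["key"] for d in secret["data"]}
        if keys != {"tls.key", "tls.crt"}:
            problems.append(f"{name}: data keys must be exactly tls.key and tls.crt, got {sorted(keys)}")
        for d in secret["data"]:
            if d["objectName"] not in mounted:
                problems.append(f"{name}: objectName {d['objectName']!r} is not mounted by parameters.objects")
    return problems
```

Running `validate_tls_spc` on a manifest loaded with a YAML parser before `kubectl apply` catches the `tls` vs `kubernetes.io/tls` and key-name mismatches that otherwise surface only as the Istio Gateway failing to find a usable certificate.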
