The documentation you are viewing is for Dapr v1.2 which is an older version of Dapr. For up-to-date documentation, see the latest version.

Azure Key Vault with Managed Identities on Kubernetes

How to configure Azure Key Vault and Kubernetes so that secrets are retrieved with an Azure Managed Identity

Configuration

To set up the Azure Key Vault secret store, create a component of type secretstores.azure.keyvault. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

With a managed identity there is no service principal certificate or client secret to store in a Kubernetes Secret: the Dapr sidecar obtains an Azure AD token for the managed identity through AAD Pod Identity (installed in the steps below), so the only credential-like value in the component is the identity's client ID, which is not a secret.

The component YAML uses the name of your Key Vault and the client ID of the managed identity to set up the secret store.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: [your_keyvault_name]
  - name: spnClientId
    value: [your_managed_identity_client_id]

Metadata field spec

| Field | Required | Details | Example |
|---|---|---|---|
| vaultName | Y | The name of the Azure Key Vault | "mykeyvault" |
| spnClientId | Y | The client ID of your managed identity | "yourId" |

Setting up Managed Identity and Azure Key Vault

Prerequisites

The steps below use the Azure CLI (az) and kubectl against an existing AKS cluster in your subscription.

Steps

  1. Log in to Azure and set the default subscription

    # Log in to Azure
    az login
    
    # Make your subscription the default for the commands that follow
    az account set -s [your subscription id]
    
  2. Create an Azure Key Vault in a region

    az keyvault create --location [region] --name [your keyvault] --resource-group [your resource group]
    
  3. Create a managed identity (optional)

    This step is only needed if the AKS cluster was not created with the "--enable-managed-identity" flag. If the cluster was provisioned with a managed identity, use the auto-generated kubelet managed identity that lives in the cluster's MC_* resource group instead of creating a new one.

    $identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-Json
    

    This is PowerShell syntax: afterwards $identity.clientId holds the client ID and $identity.id the full resource ID of the new identity, both of which are needed in step 9. Below is the command to inspect the cluster in the auto-generated scenario; the kubelet identity appears under identityProfile.kubeletidentity in the output:

    az aks show -g <AKSResourceGroup> -n <AKSClusterName>
    

    For more details on the role assignments needed to integrate AKS with Azure services, see the Role assignments documentation.

  4. Retrieve the cluster identity's client ID

    There are two main scenarios, depending on how the AKS cluster was created (PowerShell variable syntax again; in bash write clientId=$(az aks show ...)):

    • Service principal: the cluster was created with a service principal, so read its client ID from servicePrincipalProfile
    $clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query servicePrincipalProfile.clientId -otsv
    
    • Managed identity: the cluster was created with --enable-managed-identity, so read the client ID of the auto-generated kubelet identity
    $clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query identityProfile.kubeletidentity.clientId -otsv
    
    In both cases $clientId is the identity that AAD Pod Identity itself will act as when it attaches identities to the cluster nodes, which is why it receives the role assignments in steps 5 and 6.
    
  5. Assign the Reader role to the cluster identity

    For an AKS cluster, the cluster resource group is the one with the MC_ prefix; it contains all the infrastructure resources that belong to the cluster, such as the VMs/VMSS, and it is the scope to use here and in the next step. Keep the scope at that resource group; there is no reason to grant these roles at subscription level.

    az role assignment create --role "Reader" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    
  6. Assign the Managed Identity Operator and Virtual Machine Contributor roles to the cluster identity (see the previous step for the resource group to use and the identity to assign). AAD Pod Identity needs these two roles to attach the managed identity to the cluster's VMs/VMSS. If you created a separate identity in step 3 outside the MC_ resource group, the cluster identity also needs Managed Identity Operator on that identity, which you can grant with the identity's own resource ID as the scope.

    az role assignment create  --role "Managed Identity Operator"  --assignee $clientId  --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    
    az role assignment create  --role "Virtual Machine Contributor"  --assignee $clientId  --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    
  7. Add a Key Vault access policy so the managed identity can read secrets

    Grant only get and list on secrets: the Dapr secret store reads secrets and never needs set, delete or purge. If you created a separate identity in step 3, use that identity's client ID ($identity.clientId) here instead of $clientId, because it is the identity the Dapr sidecar will present to Key Vault.

    az keyvault set-policy --name [your keyvault] --spn $clientId --secret-permissions get list
    
  8. Enable AAD Pod Identity on AKS

    The manifests below create cluster-wide RBAC and run the MIC and NMI components, and they are pulled from the mutable master branch; for anything beyond a test cluster, apply the manifests from a pinned release tag instead.

    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
    
    # For AKS clusters, deploy the MIC and AKS add-on exception by running -
    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml
    
  9. Configure the AzureIdentity and AzureIdentityBinding YAML

    Save the following as azure-identity-config.yaml. type: 0 declares a user-assigned managed identity; resourceID is the full Azure resource ID of the identity ($identity.id from step 3, or identityProfile.kubeletidentity.resourceId from az aks show for the auto-generated one); clientID is the same client ID you put in the Dapr component. selector is the value that pods must carry in their aadpodidbinding label for AAD Pod Identity to issue them tokens for this identity, so every Dapr-enabled pod that uses the secret store needs the label aadpodidbinding: [your managed identity selector].

    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentity
    metadata:
      name: [your managed identity name]
    spec:
      type: 0
      resourceID: [your managed identity id]
      clientID: [your managed identity Client ID]
    ---
    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentityBinding
    metadata:
      name: [your managed identity name]-identity-binding
    spec:
      azureIdentity: [your managed identity name]
      selector: [your managed identity selector]
    
  10. Deploy azure-identity-config.yaml:

    kubectl apply -f azure-identity-config.yaml
    
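The ten steps above as one script, written here as an added example and not taken from the Dapr or AAD Pod Identity projects. It goes slightly beyond the page: it detects which of the two step-4 cases applies and, in the service-principal case, creates the user-assigned identity from step 3 and grants Managed Identity Operator on that identity alone rather than on a resource group. Every name, subscription ID and the dapr-kv selector are assumed placeholders that you override through the environment; the az and kubectl invocations only run when the script is called with --apply.

```shell
#!/usr/bin/env bash
# Added example, not part of the Dapr docs: the ten steps above as one script. It picks
# the right identity for the cluster (kubelet managed identity, or a new user-assigned
# identity when the cluster runs with a service principal), keeps every grant at resource
# group or resource scope, and gives Key Vault read-only secret permissions.
set -eu
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"   # assumed placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-dapr-rg}"        # resource group that holds the AKS cluster
AKS_NAME="${AKS_NAME:-dapr-aks}"
VAULT_NAME="${VAULT_NAME:-dapr-kv}"
LOCATION="${LOCATION:-eastus}"
IDENTITY_NAME="${IDENTITY_NAME:-dapr-kv-reader}"   # AzureIdentity name (and identity name if created)
SELECTOR="${SELECTOR:-dapr-kv}"                    # pods must carry the label aadpodidbinding=$SELECTOR
POD_IDENTITY_URL="https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra"

# A client ID is a GUID; refuse anything else before it reaches a role assignment.
is_guid() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; }
rg_scope() { printf '/subscriptions/%s/resourcegroups/%s' "$SUBSCRIPTION_ID" "$1"; }
aks_query() { az aks show -g "$RESOURCE_GROUP" -n "$AKS_NAME" --query "$1" -o tsv; }

# Steps 3-4. Sets CLUSTER_ID (the identity AAD Pod Identity's MIC acts as) and
# POD_ID/POD_RID (client ID and resource ID of the identity the Dapr sidecar uses).
resolve_identities() {
  CLUSTER_ID=$(aks_query identityProfile.kubeletidentity.clientId 2>/dev/null || true)
  if [ -n "$CLUSTER_ID" ]; then
    # Cluster created with --enable-managed-identity: reuse the kubelet identity.
    POD_ID=$CLUSTER_ID
    POD_RID=$(aks_query identityProfile.kubeletidentity.resourceId)
  else
    # Cluster created with a service principal: an SP cannot be a pod identity, so create one.
    CLUSTER_ID=$(aks_query servicePrincipalProfile.clientId)
    POD_ID=$(az identity create -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query clientId -o tsv)
    POD_RID=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query id -o tsv)
  fi
  is_guid "$CLUSTER_ID" && is_guid "$POD_ID"
}

# The Dapr component shown at the top of this page, with the values filled in.
render_dapr_component() { # vault_name client_id [namespace]
  cat <<EOF
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: ${3:-default}
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: $1
  - name: spnClientId
    value: $2
EOF
}

# Step 9: AzureIdentity (type 0 = user-assigned) and the binding pods select via aadpodidbinding.
render_pod_identity() { # name resource_id client_id selector
  cat <<EOF
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: $1
spec:
  type: 0
  resourceID: $2
  clientID: $3
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: $1-identity-binding
spec:
  azureIdentity: $1
  selector: $4
EOF
}

apply_setup() {
  az account show >/dev/null 2>&1 || az login                                   # step 1
  az account set -s "$SUBSCRIPTION_ID"
  az keyvault create --location "$LOCATION" --name "$VAULT_NAME" --resource-group "$RESOURCE_GROUP"  # step 2
  resolve_identities || { echo "could not resolve identities for $AKS_NAME" >&2; return 1; }  # steps 3-4
  node_rg=$(aks_query nodeResourceGroup)                                        # the MC_* group
  # Steps 5-6: the roles AAD Pod Identity needs, scoped to the node resource group only.
  for role in Reader "Managed Identity Operator" "Virtual Machine Contributor"; do
    az role assignment create --role "$role" --assignee "$CLUSTER_ID" --scope "$(rg_scope "$node_rg")"
  done
  # A separately created identity lives outside MC_*, so grant the operator role on it alone.
  [ "$POD_ID" = "$CLUSTER_ID" ] || az role assignment create --role "Managed Identity Operator" --assignee "$CLUSTER_ID" --scope "$POD_RID"
  # Step 7: read-only on secrets; a secret store never needs set, delete or purge.
  az keyvault set-policy --name "$VAULT_NAME" --spn "$POD_ID" --secret-permissions get list
  kubectl apply -f "$POD_IDENTITY_URL/deployment-rbac.yaml"                     # step 8
  kubectl apply -f "$POD_IDENTITY_URL/mic-exception.yaml"
  render_pod_identity "$IDENTITY_NAME" "$POD_RID" "$POD_ID" "$SELECTOR" | kubectl apply -f -  # steps 9-10
  render_dapr_component "$VAULT_NAME" "$POD_ID" | kubectl apply -f -
  # After a pod labelled aadpodidbinding=$SELECTOR starts, MIC records an AzureAssignedIdentity;
  # an empty list here means the label is missing from the pod.
  kubectl get azureidentity,azureidentitybinding,azureassignedidentity -A
}
if [ "${1:-}" = "--apply" ]; then apply_setup; fi
```

Run it as ./setup-dapr-keyvault.sh --apply after exporting your own SUBSCRIPTION_ID, RESOURCE_GROUP, AKS_NAME and VAULT_NAME. The final kubectl get is the check worth keeping: an AzureIdentity and AzureIdentityBinding with no AzureAssignedIdentity after your Dapr-enabled pod is running almost always means the pod lacks the aadpodidbinding label, and the sidecar will then fail to fetch secrets with a token error rather than a Key Vault permission error.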
