mirror of https://github.com/Azure/acs-engine.git
Parent
cb5f7ae5e2
Commit
5c7476bda0
@ -4,37 +4,66 @@
ACS-Engine enables you to retrieve the following k8s deployment parameters from Microsoft Azure KeyVault:

* apiServerCertificate
* apiServerPrivateKey
* caCertificate
* clientCertificate
* clientPrivateKey
* kubeConfigCertificate
* kubeConfigPrivateKey
* etcdServerCertificate
* etcdServerPrivateKey
* etcdClientCertificate
* etcdClientPrivateKey
* etcdPeerCertificates
* etcdPeerPrivateKeys
* servicePrincipal secret (a special case)
* certificateProfile
* apiServerCertificate
* apiServerPrivateKey
* caCertificate
* caPrivateKey
* clientCertificate
* clientPrivateKey
* kubeConfigCertificate
* kubeConfigPrivateKey
* etcdServerCertificate
* etcdServerPrivateKey
* etcdClientCertificate
* etcdClientPrivateKey
* etcdPeerCertificates (length of array depends on number of master nodes)
* etcdPeerPrivateKeys (length of array depends on number of master nodes)
* servicePrincipalProfile* (a special case)

The parameters above could still be set as plain text.
## Certificate Profile

To refer to a keyvault secret, the value of the parameter in the api model file should be formatted as:
For parameters referenced in the `properties.certificateProfile` section of the api model file, the value of each field should be formatted as:

```json
{
"<PARAMETER>": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<NAME>[/<VERSION>]"
}
```

"<PARAMETER>": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<NAME>[/<VERSION>]"
where:
- **SUB_ID** is the subscription ID of the keyvault
- **RG_NAME** is the resource group of the keyvault
- **KV_NAME** is the name of the keyvault
- **NAME** is the name of the secret in the keyvault
- **VERSION** (optional) is the version of the secret (default: the latest version)

The treatment of servicePrincipal secret is slightly different. As a plain text, the secret is set in *servicePrincipalProfile.secret*. Alternatively, as a keyvault reference, the secret is set in *servicePrincipalProfile.keyvaultSecretRef*, which separates kevault ID, secret name, and optionally the version.
The keyvault ID format is *"/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>*
* `SUB_ID` - is the subscription ID of the keyvault
* `RG_NAME` - is the resource group of the keyvault
* `KV_NAME` - is the name of the keyvault
* `NAME` - is the name of the secret in the keyvault
* `VERSION` (optional) - is the version of the secret (default: the latest version)

The example **kubernetes.json** shows you how to refer deployment parameter to a secret in a keyvault.
## Service Principal Profile

For the service principal profile secret, the keyvault is referenced differently. If embedding the secret as plain text, the secret is set in `properties.servicePrincipalProfile.secret`.

If the secret is stored in a keyvault, it can be referenced as follows:

```json
{
"servicePrincipalProfile": {
"clientId": "97ffd212-b56b-430a-97bd-9d15cc01ed43",
"secret": "",
"keyvaultSecretRef": {
"vaultID": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>",
"secretName": "<NAME>",
"version": "<VERSION>"
}
}
}
```

The version field is optional.

## Example

The example `kubernetes.json` shows you how to refer deployment parameter to a secret in a keyvault.

**Important** The secrets in the KeyVault for the Certificates and Private Keys must be Base64 encoded, and all on a single line -- this means you can't use the `--encoding base64` option of the Azure CLI. Instead you should use the `base64` command:

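Review bot: the closing advice "Instead you should use the `base64` command:" does not on its own satisfy the single-line requirement stated in the same sentence: GNU coreutils `base64` wraps its output at 76 characters by default, so the command shown in the following hunk should use `base64 -w 0` (or pipe through `tr -d '\n'`) and the doc should say so, otherwise readers on Linux will store multi-line values that the deployment rejects. Smaller points in this hunk: `* servicePrincipalProfile* (a special case)` carries a trailing asterisk that is never explained and renders as stray markdown; the reference-format string appears twice, once inside the ```json fence and once as a bare line right after it (`"<PARAMETER>": "/subscriptions/<SUB_ID>/..."`), so if both copies survive in the new text the bare one should go; `"clientId": "97ffd212-b56b-430a-97bd-9d15cc01ed43"` is a literal GUID where every other field uses a `<PLACEHOLDER>`, and `<CLIENT_ID>` would keep readers from copying a value that looks real; "kevault ID" is a typo for "keyvault ID"; and "how to refer deployment parameter to a secret" reads better as "how to reference a keyvault secret from a deployment parameter".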
@ -47,7 +76,9 @@ The example **kubernetes.json** shows you how to refer deployment parameter to a
```

## KeyVault Configuration

To enable Azure Resource Manager to retrieve the secrets from the KeyVault, template deployment must be enabled on the KeyVault:

```sh
az keyvault update -g $RG_NAME -n $KV_NAME --enabled-for-template-deployment
```

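Review bot: `az keyvault update -g $RG_NAME -n $KV_NAME --enabled-for-template-deployment` is missing the flag's value; in the Azure CLI this option takes `true` or `false`, so the line should read `--enabled-for-template-deployment true`. The section would also benefit from one sentence on scope: enabling template deployment lets Azure Resource Manager read any secret in that vault during a deployment, and the identity running the deployment additionally needs the `Microsoft.KeyVault/vaults/deploy/action` permission on the vault, so the doc should recommend a vault dedicated to these cluster secrets rather than a shared one. The `$RG_NAME` and `$KV_NAME` variables match the `<RG_NAME>`/`<KV_NAME>` placeholders used earlier, which is good; say explicitly that they are the same values.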
@ -43,13 +43,28 @@
}
},
"certificateProfile": {
"caCertificate": "<caCertificate>",
"apiServerCertificate": "/subscriptions/my-sub/resourceGroups/my-rg/providers/Microsoft.KeyVault/vaults/my-kv/secrets/my-secret1/ver1",
"apiServerPrivateKey": "<apiServerPrivateKey>",
"clientCertificate": "<clientCertificate>",
"clientPrivateKey": "<clientPrivateKey>",
"kubeConfigCertificate": "<kubeConfigCertificate>",
"kubeConfigPrivateKey": "<kubeConfigPrivateKey>"
"caCertificate": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<CA_CRT_NAME>",
"caPrivateKey": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<CA_KEY_NAME>",
"apiServerCertificate": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<APISERVER_CRT_NAME>",
"apiServerPrivateKey": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<APISERVER_KEYNAME>",
"clientCertificate": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<CLIENT_CRT_NAME>",
"clientPrivateKey": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<CLIENT_KEY_NAME>",
"kubeConfigCertificate": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<KUBE_CRT_NAME>",
"kubeConfigPrivateKey": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<KUBE_KEY_NAME>",
"etcdServerCertificate": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDSERVER_CRT_NAME>",
"etcdServerPrivateKey": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDSERVER_KEY_NAME>",
"etcdClientCertificate": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDCLIENT_CRT_NAME>",
"etcdClientPrivateKey": "/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDCLIENT_KEY_NAME>",
"etcdPeerCertificates": [
"/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDPEER0_CRT_NAME>",
"/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDPEER1_CRT_NAME>",
"/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDPEER2_CRT_NAME>"
],
"etcdPeerPrivateKeys": [
"/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDPEER0_KEY_NAME>",
"/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDPEER1_KEY_NAME>",
"/subscriptions/<SUB_ID>/resourceGroups/<RG_NAME>/providers/Microsoft.KeyVault/vaults/<KV_NAME>/secrets/<ETCDPEER2_KEY_NAME>"
]
}
}
}
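Review bot: `"apiServerPrivateKey": ".../secrets/<APISERVER_KEYNAME>"` breaks the placeholder convention used by every other entry in this block (`<APISERVER_CRT_NAME>`, `<CLIENT_KEY_NAME>`, `<ETCDSERVER_KEY_NAME>`); rename it `<APISERVER_KEY_NAME>` so a search-and-replace over the sample does not silently miss one key. The rewrite also drops the only versioned reference the old sample had (`.../secrets/my-secret1/ver1`), so the optional `/<VERSION>` suffix documented in the Certificate Profile section is no longer shown anywhere; keep one entry with a `/<VERSION>` placeholder, since pinning a version is what protects a deployment from picking up a rotated or tampered secret unnoticed. Finally, the three-element `etcdPeerCertificates` and `etcdPeerPrivateKeys` arrays are only correct for a three-master cluster; the doc text says just "length of array depends on number of master nodes", so a comment here or a sentence there should tie the array length to the master count set in the api model's masterProfile.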