我已经编写了一个ARM模板来部署Azure Kubernetes服务(AKS)。但是,我找不到自动创建服务主体客户端ID和密码的方法。
有一种方法可以像我所学的here那样在ARM模板中创建服务主体并将客户端ID和机密存储在Azure Key Vault中吗?
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"environment": {
"metadata": {
"description": "The name of the environment."
},
"type": "string"
},
// Azure Kubernetes Service
"kubernetes_name": {
"metadata": {
"description": "The name of the Managed Cluster resource."
},
"type": "string"
},
"kubernetes_location": {
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location of AKS resource."
},
"type": "string"
},
"kubernetes_dnsPrefix": {
"metadata": {
"description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
},
"type": "string"
},
"kubernetes_osDiskSizeGB": {
"defaultValue": 0,
"metadata": {
"description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
},
"maxValue": 1023,
"minValue": 0,
"type": "int"
},
"kubernetes_osType": {
"allowedValues": [
"Linux"
],
"defaultValue": "Linux",
"metadata": {
"description": "The type of operating system."
},
"type": "string"
},
"kubernetes_agentCount": {
"defaultValue": 3,
"metadata": {
"description": "The number of agent nodes for the cluster."
},
"maxValue": 50,
"minValue": 1,
"type": "int"
},
"kubernetes_agentVMSize": {
"defaultValue": "Standard_D2_v2",
"metadata": {
"description": "The size of the Virtual Machine."
},
"type": "string"
},
"kubernetes_maxPods": {
"defaultValue": 30,
"metadata": {
"description": "Maximum number of pods that can run on a node."
},
"type": "int"
},
"kubernetes_servicePrincipalClientId": {
"defaultValue": null,
"metadata": {
"description": "Client ID (used by cloudprovider)"
},
"type": "securestring"
},
"kubernetes_servicePrincipalClientSecret": {
"defaultValue": null,
"metadata": {
"description": "The Service Principal Client Secret."
},
"type": "securestring"
},
"kubernetes_kubernetesVersion": {
"defaultValue": "1.7.7",
"metadata": {
"description": "The version of Kubernetes."
},
"type": "string"
},
"kubernetes_enableHttpApplicationRouting": {
"defaultValue": false,
"metadata": {
"description": "boolean flag to turn on and off of http application routing"
},
"type": "bool"
},
"kubernetes_networkPlugin": {
"allowedValues": [
"azure",
"kubenet"
],
"defaultValue": "kubenet",
"metadata": {
"description": "Network plugin used for building Kubernetes network."
},
"type": "string"
},
"kubernetes_enableRBAC": {
"defaultValue": true,
"metadata": {
"description": "boolean flag to turn on and off of RBAC"
},
"type": "bool"
},
"kubernetes_enableOmsAgent": {
"defaultValue": true,
"metadata": {
"description": "boolean flag to turn on and off of omsagent addon"
},
"type": "bool"
},
// Azure Log Analytics
"log_analytics_location": {
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Specify the region for your OMS workspace"
},
"type": "string"
},
"log_analytics_workspaceName": {
"metadata": {
"description": "Specify the name of the OMS workspace"
},
"type": "string"
},
"log_analytics_workspaceId": {
"metadata": {
"description": "Specify the resource id of the OMS workspace"
},
"type": "string"
},
"log_analytics_sku": {
"allowedValues": [
"free",
"standalone",
"pernode"
],
"defaultValue": "free",
"metadata": {
"description": "Select the SKU for your workspace"
},
"type": "string"
}
},
"resources": [
{
"comments": "Azure Kubernetes Service",
"apiVersion": "2018-03-31",
"dependsOn": [
"[concat('Microsoft.Resources/deployments/', 'WorkspaceDeployment')]"
],
"type": "Microsoft.ContainerService/managedClusters",
"location": "[parameters('kubernetes_location')]",
"name": "[parameters('kubernetes_name')]",
"properties": {
"kubernetesVersion": "[parameters('kubernetes_kubernetesVersion')]",
"enableRBAC": "[parameters('kubernetes_enableRBAC')]",
"dnsPrefix": "[parameters('kubernetes_dnsPrefix')]",
"addonProfiles": {
"httpApplicationRouting": {
"enabled": "[parameters('kubernetes_enableHttpApplicationRouting')]"
},
"omsagent": {
"enabled": "[parameters('kubernetes_enableOmsAgent')]",
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('log_analytics_workspaceId')]"
}
}
},
"agentPoolProfiles": [
{
"name": "agentpool",
"osDiskSizeGB": "[parameters('kubernetes_osDiskSizeGB')]",
"osType": "[parameters('kubernetes_osType')]",
"count": "[parameters('kubernetes_agentCount')]",
"vmSize": "[parameters('kubernetes_agentVMSize')]",
"storageProfile": "ManagedDisks",
"maxPods": "[parameters('kubernetes_maxPods')]"
}
],
"servicePrincipalProfile": {
"ClientId": "[parameters('kubernetes_servicePrincipalClientId')]",
"Secret": "[parameters('kubernetes_servicePrincipalClientSecret')]"
},
"networkProfile": {
"networkPlugin": "[parameters('kubernetes_networkPlugin')]"
}
},
"tags": {
"Environment": "[parameters('environment')]"
}
},
{
"comments": "Azure Log Analytics (Container Insights)",
"type": "Microsoft.Resources/deployments",
"name": "SolutionDeployment",
"apiVersion": "2017-05-10",
"resourceGroup": "[split(parameters('log_analytics_workspaceId'),'/')[4]]",
"subscriptionId": "[split(parameters('log_analytics_workspaceId'),'/')[2]]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"apiVersion": "2015-11-01-preview",
"type": "Microsoft.OperationsManagement/solutions",
"location": "[parameters('log_analytics_location')]",
"name": "[concat('ContainerInsights', '(', split(parameters('log_analytics_workspaceId'),'/')[8], ')')]",
"properties": {
"workspaceResourceId": "[parameters('log_analytics_workspaceId')]"
},
"plan": {
"name": "[concat('ContainerInsights', '(', split(parameters('log_analytics_workspaceId'),'/')[8], ')')]",
"product": "[concat('OMSGallery/', 'ContainerInsights')]",
"promotionCode": "",
"publisher": "Microsoft"
}
}
]
}
},
"dependsOn": [
"[concat('Microsoft.Resources/deployments/', 'WorkspaceDeployment')]"
],
"tags": {
"Environment": "[parameters('environment')]"
}
},
{
"comments": "Azure Log Analytics",
"type": "Microsoft.Resources/deployments",
"name": "WorkspaceDeployment",
"apiVersion": "2017-05-10",
"resourceGroup": "[split(parameters('log_analytics_workspaceId'),'/')[4]]",
"subscriptionId": "[split(parameters('log_analytics_workspaceId'),'/')[2]]",
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"variables": {},
"resources": [
{
"apiVersion": "2015-11-01-preview",
"type": "Microsoft.OperationalInsights/workspaces",
"location": "[parameters('log_analytics_location')]",
"name": "[parameters('log_analytics_workspaceName')]",
"properties": {
"sku": {
"name": "[parameters('log_analytics_sku')]"
}
}
}
]
}
},
"tags": {
"Environment": "[parameters('environment')]"
}
}
],
"outputs": {
"controlPlaneFQDN": {
"type": "string",
"value": "[reference(concat('Microsoft.ContainerService/managedClusters/', parameters('kubernetes_name'))).fqdn]"
}
}
}
答案 0 :(得分:1)
不幸的是,您无法在ARM模板中创建服务主体。
我使用PowerShell脚本创建它们,然后将相关属性作为参数传递给ARM模板,或者将它们推入KeyVault并从相关ARM模板支持的KeyVault中引用它们。