Using kubectl, we can create a docker registry authentication secret as follows:

    kubectl create secret docker-registry regsecret \
      --docker-server=docker.example.com \
      --docker-username=kube \
      --docker-password=PW_STRING \
      --docker-email=my@email.com

How do I create this secret using terraform? I looked at the `data` in terraform; the {{1 }} instance is created in kubernetes, I took the required data from there and created the following:

azure

It doesn't seem right, because the image is not being pulled. What am I missing here?
Answer 0: (score: 5)

If you run the following command

    kubectl create secret docker-registry regsecret \
      --docker-server=docker.example.com \
      --docker-username=kube \
      --docker-password=PW_STRING \
      --docker-email=my@email.com
it will create a secret like this:

    $ kubectl get secrets regsecret -o yaml
    apiVersion: v1
    data:
      .dockerconfigjson: eyJhdXRocyI6eyJkb2NrZXIuZXhhbXBsZS5jb20iOnsidXNlcm5hbWUiOiJrdWJlIiwicGFzc3dvcmQiOiJQV19TVFJJTkciLCJlbWFpbCI6Im15QGVtYWlsLmNvbSIsImF1dGgiOiJhM1ZpWlRwUVYxOVRWRkpKVGtjPSJ9fX0=
    kind: Secret
    metadata:
      creationTimestamp: "2020-06-01T18:31:07Z"
      name: regsecret
      namespace: default
      resourceVersion: "42304"
      selfLink: /api/v1/namespaces/default/secrets/regsecret
      uid: 59054483-2789-4dd2-9321-74d911eef610
    type: kubernetes.io/dockerconfigjson
If we decode `.dockerconfigjson`, we get:

    {"auths":{"docker.example.com":{"username":"kube","password":"PW_STRING","email":"my@email.com","auth":"a3ViZTpQV19TVFJJTkc="}}}

So, how do we do this with terraform? I created a file config.json with the following contents:

    {"auths":{"${docker-server}":{"username":"${docker-username}","password":"${docker-password}","email":"${docker-email}","auth":"${auth}"}}}

Then in the main.tf file:
    resource "kubernetes_secret" "docker-registry" {
      metadata {
        name = "regsecret"
      }
      data = {
        ".dockerconfigjson" = "${data.template_file.docker_config_script.rendered}"
      }
      type = "kubernetes.io/dockerconfigjson"
    }

    data "template_file" "docker_config_script" {
      template = "${file("${path.module}/config.json")}"
      vars = {
        docker-username = "${var.docker-username}"
        docker-password = "${var.docker-password}"
        docker-server   = "${var.docker-server}"
        docker-email    = "${var.docker-email}"
        auth            = base64encode("${var.docker-username}:${var.docker-password}")
      }
    }

Then run

    $ terraform apply

This produces the same secret. Hope it helps.
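As an added example (not part of the answer above, nor of kubectl or terraform), the same construction in Python: it builds the `.dockerconfigjson` payload the way kubectl does, which reproduces the exact blob shown above, and checks an existing secret for the usual mistakes behind "the secret exists but the image is not pulled" (wrong secret type, registry entry not wrapped in `auths`, `auth` field not matching username:password). The server, user, password and email are the answer's sample values; the two secret dicts are constructed here.

```python
import base64
import json

# Sample values taken from the answer above; EXPECTED_B64 is the .dockerconfigjson
# value kubectl produced for them (as shown in the `kubectl get secrets` output).
SERVER, USER, PASSWORD, EMAIL = "docker.example.com", "kube", "PW_STRING", "my@email.com"
EXPECTED_B64 = ("eyJhdXRocyI6eyJkb2NrZXIuZXhhbXBsZS5jb20iOnsidXNlcm5hbWUiOiJrdWJlIiwicGFzc3dvcmQi"
                "OiJQV19TVFJJTkciLCJlbWFpbCI6Im15QGVtYWlsLmNvbSIsImF1dGgiOiJhM1ZpWlRwUVYxOVRWRkpKVGtjPSJ9fX0=")

def docker_auth(username: str, password: str) -> str:
    """The Docker config 'auth' field: base64 of "username:password"."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()

def build_dockerconfigjson(server: str, username: str, password: str, email: str) -> str:
    """Build the .dockerconfigjson value with the same shape and key order as
    `kubectl create secret docker-registry`, base64-encoded for the Secret's data map."""
    cfg = {"auths": {server: {"username": username, "password": password,
                              "email": email, "auth": docker_auth(username, password)}}}
    compact = json.dumps(cfg, separators=(",", ":"))  # no whitespace, like kubectl's output
    return base64.b64encode(compact.encode()).decode()

def check_pull_secret(secret: dict) -> list:
    """Return the problems found in a Secret (a dict as returned by `kubectl get ... -o json`);
    each one is a reason the kubelet cannot use it to authenticate to the registry."""
    problems = []
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        problems.append(f"type is {secret.get('type')!r}, expected kubernetes.io/dockerconfigjson")
    blob = (secret.get("data") or {}).get(".dockerconfigjson")
    if blob is None:
        return problems + ["data has no .dockerconfigjson key"]
    try:
        cfg = json.loads(base64.b64decode(blob, validate=True))
    except ValueError:  # covers binascii.Error (bad base64) and JSONDecodeError
        return problems + [".dockerconfigjson is not base64-encoded JSON"]
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        return problems + ["decoded config has no 'auths' map wrapping the registry entries"]
    for server, entry in auths.items():
        if entry.get("auth") != docker_auth(entry.get("username", ""), entry.get("password", "")):
            problems.append(f"{server}: 'auth' does not match base64(username:password)")
    return problems

# Constructed samples (not taken from a cluster): a correct secret and a typical wrong one
# with type Opaque and the registry entry not wrapped in "auths".
GOOD_SECRET = {"type": "kubernetes.io/dockerconfigjson",
               "data": {".dockerconfigjson": build_dockerconfigjson(SERVER, USER, PASSWORD, EMAIL)}}
WRONG_SECRET = {"type": "Opaque",
                "data": {".dockerconfigjson": base64.b64encode(
                    json.dumps({SERVER: {"username": USER, "password": PASSWORD}}).encode()).decode()}}
```

`check_pull_secret(GOOD_SECRET)` returns an empty list, while the wrong secret yields two findings; feed it the JSON of a real secret to see why a pull is failing before touching the terraform.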
Answer 1: (score: 2)

I suggest creating an azurerm_role_assignment so that aks can access acr:

    resource "azurerm_role_assignment" "aks_sp_acr" {
      scope                = azurerm_container_registry.acr.id
      role_definition_name = "AcrPull"
      principal_id         = var.service_principal_obj_id
      depends_on = [
        azurerm_kubernetes_cluster.aks,
        azurerm_container_registry.acr
      ]
    }
Update

You can create the service principal in the azure portal or with the az cli and use client_id, client_secret and object-id in terraform. Get the Client_id and Object_id by running `az ad sp list --filter "displayName eq '<name>'"`. The secret has to be created in the Certificates & secrets tab of the service principal. See this guide: https://pixelrobots.co.uk/2018/11/first-look-at-terraform-and-the-azure-cloud-shell/

Just set all three as variables, e.g. obj_id:

    variable "service_principal_obj_id" {
      default = "<object-id>"
    }
Now use the credentials with aks:

    resource "azurerm_kubernetes_cluster" "aks" {
      ...
      service_principal {
        client_id     = var.service_principal_app_id
        client_secret = var.service_principal_password
      }
      ...
    }

and set the object id on acr as shown above.

Alternative

You can create the service principal with terraform (this only works if you have the necessary permissions): https://www.terraform.io/docs/providers/azuread/r/service_principal.html combined with the random_password resource:
    resource "azuread_application" "aks_sp" {
      name                       = "somename"
      available_to_other_tenants = false
      oauth2_allow_implicit_flow = false
    }

    resource "azuread_service_principal" "aks_sp" {
      application_id = azuread_application.aks_sp.application_id
      depends_on = [
        azuread_application.aks_sp
      ]
    }

    resource "azuread_service_principal_password" "aks_sp_pwd" {
      service_principal_id = azuread_service_principal.aks_sp.id
      value                = random_password.aks_sp_pwd.result
      end_date             = "2099-01-01T01:02:03Z"
      depends_on = [
        azuread_service_principal.aks_sp
      ]
    }

You need to assign the role "Contributor" to the sp and can then use it directly in aks / acr.
    resource "azurerm_role_assignment" "aks_sp_role_assignment" {
      scope                = var.subscription_id
      role_definition_name = "Contributor"
      principal_id         = azuread_service_principal.aks_sp.id
      depends_on = [
        azuread_service_principal_password.aks_sp_pwd
      ]
    }

Use it with aks:

    resource "azurerm_kubernetes_cluster" "aks" {
      ...
      service_principal {
        client_id     = azuread_service_principal.aks_sp.application_id
        client_secret = azuread_service_principal_password.aks_sp_pwd.value
      }
      ...
    }
and the role assignment:

    resource "azurerm_role_assignment" "aks_sp_acr" {
      scope                = azurerm_container_registry.acr.id
      role_definition_name = "AcrPull"
      principal_id         = azuread_service_principal.aks_sp.object_id
      depends_on = [
        azurerm_kubernetes_cluster.aks,
        azurerm_container_registry.acr
      ]
    }

Update: secret example

    resource "random_password" "aks_sp_pwd" {
      length  = 32
      special = true
    }