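<#
.SYNOPSIS
  Demo: surface Azure Key Vault secrets inside an AKS pod through the Secrets Store CSI
  driver (Azure provider) and AAD Pod Identity.

.DESCRIPTION
  Expects an authenticated `az` CLI and an existing AKS cluster ($aksName in
  $resourceGroupName); cluster/resource-group creation is kept commented out as in the
  original walkthrough. The script then:
    1. creates a Key Vault and two demo secrets,
    2. installs the Secrets Store CSI driver and its Azure provider via Helm/kubectl,
    3. creates a SecretProviderClass pointing at the vault,
    4. installs AAD Pod Identity, creates a user-assigned identity, grants it access to the
       vault and binds it to pods carrying the "aadpodidbinding" label,
    5. deploys an nginx pod that mounts the secrets and prints them as a smoke test.

.NOTES
  Secret values are demo placeholders. Set DEMO_DB_LOGIN / DEMO_DB_PASSWORD in the
  environment to override them without editing the script. The final validation step prints
  the secret values to the console; that is intentional for a live demo only.
#>

# Stop on the first failing cmdlet. Native executables (az, kubectl, helm) are NOT covered by
# $ErrorActionPreference, so critical steps are checked through Stop-OnFailure below.
$ErrorActionPreference = 'Stop'

#######################################
# Throws when the previous native command exited non-zero.
# Arguments: $step - human-readable name of the step, used in the error message
#######################################
function Stop-OnFailure([string]$step) {
  if ($LASTEXITCODE -ne 0) {
    throw "$step failed with exit code $LASTEXITCODE"
  }
}

Write-Host "Setting up the variables..."
# One `az account show` call instead of two; both ids come from the same JSON document.
$account        = az account show | ConvertFrom-Json
Stop-OnFailure "az account show"
$subscriptionId = $account.id
$tenantId       = $account.tenantId

$location                = "westeurope"
$resourceGroupName       = "rg-demo08"
$aksName                 = "aks-demo08"
$keyVaultName            = "keyvault-demo08"
$secret1Name             = "DatabaseLogin"
$secret2Name             = "DatabasePassword"
$secret1Alias            = "DATABASE_LOGIN"
$secret2Alias            = "DATABASE_PASSWORD"
$identityName            = "identity-aks-kv"
$identitySelector        = "azure-kv"
$secretProviderClassName = "secret-provider-kv"

# Demo secret values. Environment variables take precedence so a real value never has to be
# committed to this file; the fallbacks are the original walkthrough's placeholders.
$secret1Value = if ($env:DEMO_DB_LOGIN)    { $env:DEMO_DB_LOGIN }    else { "Houssem" }
$secret2Value = if ($env:DEMO_DB_PASSWORD) { $env:DEMO_DB_PASSWORD } else { "P@ssword123456" }

# Write-Host "Creating Resource Group..."
# $rg = az group create -n $resourceGroupName -l $location | ConvertFrom-Json
# Write-Host "Creating AKS cluster..." # doesn't work with AKS with Managed Identity!
# $aks = az aks create -n $aksName -g $resourceGroupName --enable-managed-identity --kubernetes-version 1.17.3 --node-count 1 | ConvertFrom-Json

# Retrieve the existing AKS cluster; its identity is needed for the MIC role assignment later.
$aks = az aks show -n $aksName -g $resourceGroupName | ConvertFrom-Json
Stop-OnFailure "az aks show"

Write-Host "Connecting/authenticating to AKS..."
az aks get-credentials -n $aksName -g $resourceGroupName
Stop-OnFailure "az aks get-credentials"

Write-Host "Creating Key Vault..."
$keyVault = az keyvault create -n $keyVaultName -g $resourceGroupName -l $location --enable-soft-delete true --retention-days 7 | ConvertFrom-Json
Stop-OnFailure "az keyvault create"
# $keyVault = (az keyvault show -n $keyVaultName | ConvertFrom-Json) # retrieve existing KV

Write-Host "Creating Secrets in Key Vault..."
# Values are passed on the command line here as in the original; be aware they are visible
# in process listings and shell history for the duration of the call.
az keyvault secret set --name $secret1Name --value $secret1Value --vault-name $keyVaultName | Out-Null
Stop-OnFailure "az keyvault secret set ($secret1Name)"
az keyvault secret set --name $secret2Name --value $secret2Value --vault-name $keyVaultName | Out-Null
Stop-OnFailure "az keyvault secret set ($secret2Name)"

Write-Host "Adding Helm repo for Secret Store CSI..."
helm repo add secrets-store-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts

Write-Host "Installing Secrets Store CSI Driver using Helm..."
# `kubectl create ns` is non-fatal on re-runs (namespace may already exist); not checked on purpose.
kubectl create ns csi-driver
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace csi-driver
Stop-OnFailure "helm install csi-secrets-store"
kubectl get pods --namespace=csi-driver

Write-Host "Installing Secrets Store CSI Driver with Azure Key Vault Provider..."
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer.yaml --namespace csi-driver
Stop-OnFailure "kubectl apply provider-azure-installer"
kubectl get pods -n csi-driver

Write-Host "Using the Azure Key Vault Provider..."
# SecretProviderClass: pod identity is used (usePodIdentity: "true"), so the AzureIdentity
# bound below must be allowed to read secrets from $keyVaultName. The nested `objects`
# block is a YAML string that the Azure provider parses itself.
$secretProviderKV = @"
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: $secretProviderClassName
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    useVMManagedIdentity: "false"
    userAssignedIdentityID: ""
    keyvaultName: $keyVaultName
    cloudName: AzurePublicCloud
    objects: |
      array:
        - |
          objectName: $secret1Name
          objectAlias: $secret1Alias
          objectType: secret
          objectVersion: ""
        - |
          objectName: $secret2Name
          objectAlias: $secret2Alias
          objectType: secret
          objectVersion: ""
    resourceGroup: $resourceGroupName
    subscriptionId: $subscriptionId
    tenantId: $tenantId
"@
# `apply` instead of `create` so the script can be re-run against an existing class.
$secretProviderKV | kubectl apply -f -
Stop-OnFailure "kubectl apply SecretProviderClass"

Write-Host "Installing AAD Pod Identity into AKS..."
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
Stop-OnFailure "kubectl apply aad-pod-identity"
kubectl get pods

Write-Host "Creating an Azure Identity..."
$identity = az identity create -g $resourceGroupName -n $identityName | ConvertFrom-Json
Stop-OnFailure "az identity create"

Write-Host "Assigning Reader Role to new Identity for Key Vault..."
# Scope is the vault resource only, not the resource group.
az role assignment create --role "Reader" --assignee $identity.principalId --scope $keyVault.id
Stop-OnFailure "az role assignment create (Reader)"

Write-Host "Providing required permissions for MIC..."
# MIC runs with the cluster's kubelet identity. On a managed-identity cluster that is
# identityProfile.kubeletidentity; on a service-principal cluster it is the SP client id
# (the only case the original script handled, hence its "doesn't work with Managed Identity" note).
$kubeletClientId = if ($aks.identityProfile -and $aks.identityProfile.kubeletidentity) {
  $aks.identityProfile.kubeletidentity.clientId
} else {
  $aks.servicePrincipalProfile.clientId
}
az role assignment create --role "Managed Identity Operator" --assignee $kubeletClientId --scope $identity.id
Stop-OnFailure "az role assignment create (Managed Identity Operator)"

Write-Host "Setting policy to access secrets in Key Vault..."
# Least privilege: only `get` on secrets, nothing on keys/certificates.
az keyvault set-policy -n $keyVaultName --secret-permissions get --spn $identity.clientId
Stop-OnFailure "az keyvault set-policy"

Write-Host "Adding AzureIdentity and AzureIdentityBinding..."
# The binding's selector must match the pod label `aadpodidbinding` used below.
$aadPodIdentityAndBinding = @"
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: $identityName
spec:
  type: 0
  resourceID: $($identity.id)
  clientID: $($identity.clientId)
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: $($identityName)-binding
spec:
  azureIdentity: $identityName
  selector: $identitySelector
"@
$aadPodIdentityAndBinding | kubectl apply -f -
Stop-OnFailure "kubectl apply AzureIdentity/AzureIdentityBinding"

Write-Host "Deploying a Nginx Pod for testing..."
$podName = "nginx-secrets-store"
$nginxPod = @"
kind: Pod
apiVersion: v1
metadata:
  name: $podName
  labels:
    aadpodidbinding: $identitySelector
spec:
  containers:
    - name: nginx
      image: nginx
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: $secretProviderClassName
"@
$nginxPod | kubectl apply -f -
Stop-OnFailure "kubectl apply Pod"

Write-Host "Validating the pod has access to the secrets from Key Vault..."
# The original ran `exec` immediately after `apply`, which fails while the pod is still
# pulling the image / mounting the volume. Wait for readiness first.
kubectl wait --for=condition=Ready "pod/$podName" --timeout=180s
Stop-OnFailure "kubectl wait for $podName"
# `--` separates kubectl's own flags from the in-container command; no TTY is requested so
# this also works when the script runs non-interactively (CI, scheduled job).
kubectl exec $podName -- ls /mnt/secrets-store/
kubectl exec $podName -- cat /mnt/secrets-store/$secret1Alias
kubectl exec $podName -- cat /mnt/secrets-store/$secret2Alias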