skip to Main Content

I hope somebody can help me out here.

I have a basic configuration in azure which consists in a web app and database.

The web app is able to connect to the database using managed identity adn everything here works just fine, but i wanted to try the same configuration using aks.

I deployed AKS and enabled managed identity. I deployed a pod into the cluster as follow:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp-deployment
  labels:
    app: webapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: webapp
  template:
    metadata:
      labels:
        app: webapp
    spec:
      containers:
        - name: webapp
          image: dockerimage
          ports:
            - containerPort: 80
          env:
            - name: "ConnectionStrings__MyDbConnection"
              value: "Server=server-url; Authentication=Active Directory Managed Identity; Database=database-name"
            - name: "ASPNETCORE_ENVIRONMENT"
              value: "Development"
          securityContext:
            allowPrivilegeEscalation: false
      restartPolicy: Always 

The deployment went trough just smoothly and everything works just fine. But this is where i have the problem and cannot figure out the best solution.

The env block is in plain text, i would like to protect those environment variables by storing them in a keyvault.

I have been looking around into different forums and documentation and the options start confusing me. Is there any good way to achieve security in this scenario?

In my web app, under configurations i have the managed identity enabled and using this i can access the secrets in a keyvault and retrieve them. Can i do the same using AKS?

Thank you so much for any help you can provide or help with.

And please if my question is not 100% clear, just let me know

2

Answers


    1. Upgrade an existing AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver support
    2. Use a user-assigned managed identity to access KV
    3. Set an environment variable to reference Kubernetes secrets

    You will need to do some reading, but the process is straight forward.
    The KV secrets will be stored in k8s secrets, that you can reference in the pods environment variables.

    Login or Signup to reply.
  1. You can try to replace environment key-value like you did with Azure Configuration. Using Azure app config, you can
    add "ConnectionStrings__MyDbConnection" as ‘Key Vault reference’ to your kv secret. Then use DefaultAzureCredential or ManagedIdentityCredential class
    to setup credential for authentication to app config and key vault resources.

    var builder = WebApplication.CreateBuilder(args);
            var usermanaged_client_id = "";
            
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = usermanaged_client_id });
    
            
           // Add services to the container.
           builder.Configuration.AddAzureAppConfiguration(opt =>
           {
    
               opt.Connect(new Uri("https://your-app-config.azconfig.io"), credential)
               .ConfigureKeyVault(kv =>
               {
                   kv.SetCredential(credential);
               });
    
           });
    

    Make sure that you grant access of Key Vault to the user managed identity.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search