Kubernetes about secrets and how to consume them in pods - kubernetes

I am using GCP Container Engine in my project and now I am facing an issue that I don't know if it can be solved via secrets.
One of my deployments is a Node.js app server, where I use some npm modules which require my GCP service account key (.json file) as an input.
The input is the path where this json file is located. Currently I managed to make it work by providing this file as part of my Docker image; in the code I put the path to this file and it works as expected. The problem is that I think this is not a good solution, because I want to decouple my Node.js image from the service account key: the service account key may change (e.g. dev, test, prod) and I will not be able to reuse my existing image (unless I build and push it to a different registry).
So how could I upload this service account json file as a secret and then consume it inside my pod? I saw it is possible to create secrets out of files, but I don't know if it is possible to specify the path to the place where this json file is stored. If it is not possible with secrets (because maybe secrets are not saved in files...) then how (and if) can it be done?

You can make your json file a secret and consume it in your pod. See the following link for secrets (http://kubernetes.io/docs/user-guide/secrets/), but I'll summarize next:
First create a secret from your json file:
kubectl create secret generic nodejs-key --from-file=./key.json
Now that you've created the secret, you can consume it in your pod (in this example as a volume):
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "nodejs"
  },
  "spec": {
    "containers": [{
      "name": "nodejs",
      "image": "node",
      "volumeMounts": [{
        "name": "foo",
        "mountPath": "/etc/foo",
        "readOnly": true
      }]
    }],
    "volumes": [{
      "name": "foo",
      "secret": {
        "secretName": "nodejs-key"
      }
    }]
  }
}
So when your pod spins up, the file will be dropped in the "file system" at /etc/foo/key.json

I think if you deploy on GKE/GCE you don't need the key, and it's going to work fine.
I've only tested with Google Cloud Logging but it might be the same for other services as well.
E.g. I only need the below when deploying the app on GKE/GCE:
// Assumes the older @google-cloud/logging export, which is a factory function
// taking the client options (no key file needed on GKE/GCE).
var logging = require('@google-cloud/logging');
var loggingClient = logging({
  projectId: 'grape-spaceship-123'
});

Related

Create Azure Data Factory linked service or integration runtime directly in git mode with REST API

I am trying to create linked services with the REST API in git mode but the linked service is still created in live mode. My API code was
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DataFactory/factories/{factoryName}/linkedservices/{linkedServiceName}?api-version=2018-06-01&versionType=branch&version=test_branch
with a body
{
  "properties": {
    "annotations": [],
    "type": "AzureKeyVault",
    "typeProperties": {
      "baseUrl": "https://xxxxxxxxx.vault.azure.net/"
    }
  }
}
Please, is there a way to reference the branch and create this service in git mode?
As per the official documentation, changes made via PowerShell or an SDK are published directly to the Data Factory service, and are not entered into Git.
Refer to https://learn.microsoft.com/en-us/azure/data-factory/source-control

Adding secrets and access policy to existing shared key vault using ARM

I was searching the web for information regarding my question: adding secrets and access policies to an existing key vault in Azure, shared by other applications, using ARM.
I read this documentation.
What I'm worried about is whether anything existing will be overwritten or deleted, as I'm creating a new template and parameter file in my service's "solution", so to speak.
And I know that I have my CI/CD pipelines in DevOps set to "incremental" in regards to what they should be updating and creating.
Does anyone have a crystal clear understanding regarding this?
Thanks in advance!
UPDATE:
So I think I managed to get it right here after all.
I created a new key vault resource and added a couple of secrets and some access policies to emulate a situation of an already created resource which I want to add new secrets to.
Then I created this template:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "keyVault": {
      "type": "string"
    },
    "Credentials1": {
      "type": "secureString"
    },
    "SecretName1": {
      "type": "string"
    },
    "Credentials2": {
      "type": "secureString"
    },
    "SecretName2": {
      "type": "string"
    }
  },
  "variables": {
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('keyVault'), '/', parameters('SecretName1'))]",
      "apiVersion": "2015-06-01",
      "properties": {
        "contentType": "text/plain",
        "value": "[parameters('Credentials1')]"
      }
    },
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "name": "[concat(parameters('keyVault'), '/', parameters('SecretName2'))]",
      "apiVersion": "2015-06-01",
      "properties": {
        "contentType": "text/plain",
        "value": "[parameters('Credentials2')]"
      }
    }
  ],
  "outputs": {}
}
What I've learned is that if an existing shared key vault exists which I want to add some secrets to, I only have to define the sub-resources, in this case the secrets to be added to the existing key vault.
So this worked and resulted in not modifying anything else in the existing key vault except adding the new secrets.
Even though this is not a fully automated way of adding a whole new key vault setup related to a new service, as one doesn't connect the new resources correctly by adding their principal IDs (identity), it's good for now as I don't have to add each secret manually. Though I do have to add the principal IDs manually.
When using incremental mode to deploy the template, it should not overwrite the things in the key vault.
But to be foolproof, I recommend you back up your key vault keys, secrets and certificates first. For the access policies, you can also export the template of the key vault first and save the accessPolicies to restore in case.
If you redeploy the existing KeyVault in incremental mode any child properties, such as access policies, will be configured as they’re defined in the template. That could result in the loss of some access policies if you haven’t been careful to define them all in your template. The documentation linked to above will give you a full list of the properties that would be affected. As per the docs this can affect properties even if they’re not explicitly defined.
KeyVault Secrets aren’t a child property of the KeyVault resource so won’t get overwritten. They can be defined in ARM either as a separate resource in the same template or in a different template file. You can define some, all or none of the existing secrets in ARM. Any that aren’t defined in the ARM template will be left as is.
If you’re using CI/CD to manage your deployments it’s worth considering setting up a test environment to apply the changes to first so you can validate that the result is as expected before applying them to your production environment.

ARM template: read certificate from Key Vault certificates instead of secret

Previously, we were storing our certificates in a key vault secret. But as this function is deprecated we are now storing the certificates in the Key Vault -> Certificates.
When deploying an app service to Azure, we make use of this part of the ARM template to get the certificate. This one is still getting the certificate from the secret, instead of from the certificates.
"resources": [
  {
    "type": "Microsoft.Web/certificates",
    "name": "[variables('certName1')]",
    "apiVersion": "2019-08-01",
    "location": "[variables('location')]",
    "properties": {
      "keyVaultId": "[resourceId(variables('vaultSubscriptionId'),variables('vaultResourcegroupName'),'Microsoft.KeyVault/vaults', variables('vaultName'))]",
      "keyVaultSecretName": "[variables('vaultSecretName1')]"
    }
  },
  {
    "type": "Microsoft.Web/certificates",
    "name": "[variables('certName2')]",
    "dependsOn": [
      "[resourceId('Microsoft.Web/certificates', variables('certName1'))]"
    ],
    "apiVersion": "2019-08-01",
    "location": "[variables('location')]",
    "properties": {
      "keyVaultId": "[resourceId(variables('vaultSubscriptionId'),variables('vaultResourcegroupName'),'Microsoft.KeyVault/vaults', variables('vaultName'))]",
      "keyVaultSecretName": "[variables('vaultSecretName2')]"
    }
  },
We are now getting the certificate with the keyVaultSecretName, but we don't want to use the key vault secret anymore to get the certificate; we want to get it directly from Certificates. But I can't find how to do this. I am getting errors when removing the property keyVaultSecretName, or when I leave it there, it can't find the certificate.
In your pipelines on Azure DevOps, if you want to use the certificates stored in Key Vault on the Azure Portal, normally you should access the certificates via a variable group on Azure DevOps.
Set up the variable group.
Link the variable group into the pipeline where you need to use the Certificates.
[UPDATE]
It seems that you should use "keyVaultSecretName" to get the certificates; it is the predefined Certificate property. See here.
I also found some related articles, and all of them use "keyVaultSecretName".
Using an ARM template to deploy your SSL certificate stored in KeyVault on an Web App
How to access SSL in KeyVault from ARM Template
ARM Template with Key Vault certificate

Cannot connect to secured Azure Service Fabric Cluster via PowerShell or Visual Studio

I've created a Service Fabric Application currently consisting of two Reliable Services and a Reliable Actor. For development, I created an SQL Server and database in Azure, and hardcoded the connection string into my application, which I was running on my local SF cluster. This worked fine, and I was able to run my application locally whilst manipulating the database in the cloud.
I now want to publish my service to the cloud, and run it all remotely (so that I can set up and test the Web API it exposes), and this is where the problems start.
Following Azure docs:
Create a Service Fabric cluster in Azure using Azure Resource Manager
Connect to a secure cluster
Configure secure connections to a Service Fabric cluster from Visual Studio
Service Fabric cluster security scenarios
Publish an application to a remote cluster by using Visual Studio
Add or remove certificates for a Service Fabric cluster in Azure
I have taken the following steps:
Used PowerShell (with ServiceFabricRPHelpers cmdlets) to create a KeyVault resource group, and within that a KeyVault.
Used New-SelfSignedCertificate with -DnsName set to api.mydomain.co.uk, which I have already purchased and created a CNAME record for api leading to mycluster.northeurope.cloudapp.azure.com:19000 (though of course it doesn't exist at this stage of the process), followed by Export-PfxCertificate to create the .pfx file. The .pfx was then imported to cert:\CurrentUser\TrustedPeople and cert:\CurrentUser\My.
Called Invoke-AddCertToKeyVault to add the newly generated certificate to my KeyVault.
Used the SetupApplications.ps1 script to configure AAD.
Placed all resulting strings etc. into azuredeploy.json and azuredeploy.parameters.json, resolved errors (some of which seemed to contradict the documentation..), and successfully deployed the cluster. It is now visible on my Azure Portal.
Assigned User Roles (admin to myself) from the classic portal.
Used Invoke-AddCertToKeyVault to (this time create and) add a second, "admin client" certificate to the cluster (as opposed to the first which was a cluster certificate).
So, with all of that done, I believe I should have done everything I need to in order to be able to connect to the cluster to publish via VS2015, and access the management interface from api.mydomain.co.uk:19080. Alas, that doesn't happen...
Connection to the database within my cluster's resource group still works from VS via the SQL Server Explorer using SQL authentication; however, any attempt to communicate with the server itself using AAD or X509 based authentication results in a wait while it tries to connect, and then failure. A few examples:
Trying to connect to the management console says it's blocked, which implies to me it is there, but all the documentation ends before telling me how to access it.
Attempting to connect using Connect-ServiceFabricCluster also fails, and searching the error messages hasn't given me any indication of what to do.
After spending two days absorbing all of this and trying to get it working, I'm all out of ideas on what to try and change. Can anyone find a problem in what I have done, or suggest anything I could try?
If you need more details from me then please just ask!
I too had a nightmare attempting to deploy a secure cluster, using much of the same documentation you too have tried to consume. After spending days getting my hands dirty I managed to finally get it working.
Here is my own helper and template: SecureCluster
The key things to watch are:
Make sure your client and cluster certificates are both in your key vault and referenced within your ARM template under the osProfile of the VM scale set (I noticed in your example that you were adding the client admin certificate after modifying the ARM template):
"osProfile": {
  "adminUsername": "[parameters('adminUsername')]",
  "adminPassword": "[parameters('adminPassword')]",
  "computernamePrefix": "[parameters('vmNodeType0Name')]",
  "secrets": [
    {
      "sourceVault": {
        "id": "[parameters('sourceVault')]"
      },
      "vaultCertificates": [
        {
          "certificateStore": "My",
          "certificateUrl": "[parameters('clusterCertificateUrl')]"
        },
        {
          "certificateStore": "My",
          "certificateUrl": "[parameters('adminCertificateUrl')]"
        }
      ]
    }
  ]
},
This will make sure all your certificates are installed onto each node within the cluster.
Next is to make sure that the Service Fabric extension within the scale set also has your certificate:
"extensions": [
  {
    "name": "[concat(parameters('vmNodeType0Name'),'_ServiceFabricNode')]",
    "properties": {
      "type": "ServiceFabricNode",
      "autoUpgradeMinorVersion": false,
      "protectedSettings": {
        "StorageAccountKey1": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('supportLogStorageAccountName')),'2015-05-01-preview').key1]",
        "StorageAccountKey2": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('supportLogStorageAccountName')),'2015-05-01-preview').key2]"
      },
      "publisher": "Microsoft.Azure.ServiceFabric",
      "settings": {
        "clusterEndpoint": "[reference(parameters('clusterName')).clusterEndpoint]",
        "nodeTypeRef": "[parameters('vmNodeType0Name')]",
        "dataPath": "D:\\SvcFab",
        "durabilityLevel": "Bronze",
        "certificate": {
          "thumbprint": "[parameters('clusterCertificateThumbPrint')]",
          "x509StoreName": "My"
        }
      },
      "typeHandlerVersion": "1.0"
    }
  },
Finally, under the Service Fabric resource section within the ARM template, make sure you specify which certificate to use for node-to-node security and which is for client-to-node security.
"certificate": {
  "thumbprint": "[parameters('clusterCertificateThumbPrint')]",
  "x509StoreName": "My"
},
"clientCertificateCommonNames": [],
"clientCertificateThumbprints": [
  {
    "CertificateThumbprint": "[parameters('adminCertificateThumbPrint')]",
    "IsAdmin": true
  }
],
You should then be able to securely connect to the cluster in the way you are attempting to. Although one thing I have found is that the URL shouldn't be prefixed with "http" within the publish profile, and when trying to browse to the explorer you will need the URL to be https://[n]:19080/Explorer/index.html
Hopefully you will find this of some help.

Azure Resource Group Template for App Services "Mobile App"

I'm trying to find the correct template to use for the App Service "Mobile App" for deployment via New-AzureRmResourceGroupDeployment.
I've had a look at the template for Web App but there doesn't appear to be anything to specify a type or kind for Mobile App:
https://github.com/Azure/azure-resource-manager-schemas/blob/master/schemas/2015-08-01/Microsoft.Web.json
You can just add the "kind" property to a website resource, e.g.
{
  "name": "[parameters('siteName')]",
  "type": "Microsoft.Web/sites",
  "location": "[resourceGroup().location]",
  "apiVersion": "2014-06-01",
  "kind": "mobileapp" ...