I suggest creating an azurerm_role_assignment to grant AKS access to the ACR:
    resource "azurerm_role_assignment" "aks_sp_acr" {
      # Scope the assignment to the registry itself, not the subscription
      scope                = azurerm_container_registry.acr.id
      role_definition_name = "AcrPull"
      principal_id         = var.service_principal_obj_id
      depends_on = [
        azurerm_kubernetes_cluster.aks,
        azurerm_container_registry.acr
      ]
    }
Update

You can create the service principal in the Azure portal or with the az CLI, and then use its client_id, client_secret and object id in Terraform.
Get the client_id and object_id by running az ad sp list --filter "displayName eq '<name>'". The secret has to be created in the service principal's "Certificates & secrets" tab. See this guide: https://pixelrobots.co.uk/2018/11/first-look-at-terraform-and-the-azure-cloud-shell/

Just put the three of them into variables, e.g. for the object id:
    variable "service_principal_obj_id" {
      default = "<object-id>"
    }
Now you can use the credentials with AKS:
    resource "azurerm_kubernetes_cluster" "aks" {
      ...
      service_principal {
        client_id     = var.service_principal_app_id
        client_secret = var.service_principal_password
      }
      ...
    }
Set the object id on the ACR role assignment as described above.

Alternative

You can create the service principal with Terraform (this only works if you have the necessary permissions). Combine it with a random_password resource; see https://www.terraform.io/docs/providers/azuread/r/service_principal.html.
    resource "azuread_application" "aks_sp" {
      name                       = "somename"
      available_to_other_tenants = false
      oauth2_allow_implicit_flow = false
    }

    resource "azuread_service_principal" "aks_sp" {
      application_id = azuread_application.aks_sp.application_id
      depends_on = [
        azuread_application.aks_sp
      ]
    }

    resource "azuread_service_principal_password" "aks_sp_pwd" {
      service_principal_id = azuread_service_principal.aks_sp.id
      # Secret value comes from the random_password resource shown below
      value                = random_password.aks_sp_pwd.result
      end_date             = "2099-01-01T01:02:03Z"
      depends_on = [
        azuread_service_principal.aks_sp
      ]
    }
You need to assign the "Contributor" role to the SP; after that it can be used directly with AKS/ACR.
    resource "azurerm_role_assignment" "aks_sp_role_assignment" {
      # scope must be a full resource ID, i.e. "/subscriptions/<subscription-id>"
      scope                = var.subscription_id
      role_definition_name = "Contributor"
      principal_id         = azuread_service_principal.aks_sp.id
      depends_on = [
        azuread_service_principal_password.aks_sp_pwd
      ]
    }
Use it with AKS:
    resource "azurerm_kubernetes_cluster" "aks" {
      ...
      service_principal {
        # the azuread_service_principal resource exposes application_id, not app_id
        client_id     = azuread_service_principal.aks_sp.application_id
        client_secret = azuread_service_principal_password.aks_sp_pwd.value
      }
      ...
    }
And the role assignment:
    resource "azurerm_role_assignment" "aks_sp_acr" {
      scope                = azurerm_container_registry.acr.id
      role_definition_name = "AcrPull"
      principal_id         = azuread_service_principal.aks_sp.object_id
      depends_on = [
        azurerm_kubernetes_cluster.aks,
        azurerm_container_registry.acr
      ]
    }
Update: password example

    resource "random_password" "aks_sp_pwd" {
      length  = 32
      special = true
    }
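As an added check that is not part of the answer above: once the role assignments have been applied, it is worth confirming that the service principal really holds AcrPull on the registry and seeing which of its other assignments are broad (subscription- or root-scoped Contributor, as in the alternative above). The script below audits the JSON that `az role assignment list -o json` prints; the sample output, the principal id and the registry resource id embedded in it are constructed for this example, and `audit_assignments` and `scope_level` are names chosen here, not part of Terraform or the az CLI.

```python
import json
import re

# Constructed sample in the shape of `az role assignment list -o json`
# (only the fields this script reads are included).
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "principalId": "11111111-1111-1111-1111-111111111111",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "AcrPull",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
                 "/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/acrdemo",
    },
    {
        "principalId": "11111111-1111-1111-1111-111111111111",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    },
    {
        "principalId": "22222222-2222-2222-2222-222222222222",
        "principalType": "User",
        "roleDefinitionName": "Owner",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    },
])

# Constructed ids matching the sample above.
AKS_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"
ACR_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
          "/resourceGroups/rg-demo/providers/Microsoft.ContainerRegistry/registries/acrdemo")

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[0-9a-f-]+$", re.IGNORECASE)


def scope_level(scope):
    """Classify an Azure RBAC scope by how much it covers."""
    if scope == "/":
        return "root"
    if SUBSCRIPTION_SCOPE.match(scope):
        return "subscription"
    if "/resourceGroups/" in scope and "/providers/" not in scope:
        return "resource_group"
    return "resource"


def audit_assignments(az_json, principal_id, acr_id):
    """Return what the principal holds on the registry and any broad assignments."""
    assignments = json.loads(az_json)
    # Azure object ids and resource ids compare case-insensitively.
    mine = [a for a in assignments if a["principalId"].lower() == principal_id.lower()]
    has_acr_pull = any(
        a["roleDefinitionName"] == "AcrPull" and a["scope"].lower() == acr_id.lower()
        for a in mine
    )
    broad = [
        {"role": a["roleDefinitionName"], "scope": a["scope"], "level": scope_level(a["scope"])}
        for a in mine
        if scope_level(a["scope"]) in ("root", "subscription")
    ]
    return {
        "assignments": len(mine),
        "acr_pull_on_registry": has_acr_pull,
        "broad_assignments": broad,
    }


if __name__ == "__main__":
    report = audit_assignments(SAMPLE_AZ_OUTPUT, AKS_SP_OBJECT_ID, ACR_ID)
    print("assignments for principal:", report["assignments"])
    print("AcrPull on registry:", report["acr_pull_on_registry"])
    for item in report["broad_assignments"]:
        print(f"broad assignment: {item['role']} at {item['level']} scope ({item['scope']})")
```

To run it against a real subscription, replace `SAMPLE_AZ_OUTPUT` with the output of `az role assignment list --all -o json` and set the two ids to the values from your own Terraform state. The "broad assignment" lines are the ones to review: pulling images only requires AcrPull at registry scope, so anything at subscription level should have a separate justification.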