How to use the azure keyvault secrets provider addon?

Hi all,

With the recent releases of the AzureRM provider which enable the azure_keyvault_secrets_provider addon, I am unable to find any examples of how to use it. While I have enabled the addon and created a keyvault in Azure, I am a bit stuck as to how else to proceed. I tried having a look at the examples folder in the repository and could not find an example of how this is used.

Any ideas would be helpful.

Thanks,

Emmanuel

Hi Emmanuel,

By using the azure_keyvault_secrets_provider block you can enable the Azure Key Vault Provider for Secrets Store CSI Driver on your AKS instance.
After you apply this change to your cluster, you will have the following pods:

kube-system aks-secrets-store-csi-driver
kube-system aks-secrets-store-csi-driver-windows
kube-system aks-secrets-store-provider-azure
kube-system aks-secrets-store-provider-azure-windows
kube-system csi-azuredisk-node
kube-system csi-azuredisk-node-win
kube-system csi-azurefile-node
kube-system csi-azurefile-node-win

Basically, the csi-driver and the provider-azure services are responsible for accessing the secrets stored on your Azure K/V service from the containerized application running on your pods.

To get this working, however, you need other resources deployed on your cluster.

  1. You need to enable the AAD Pod Identity service on your cluster ( GitHub - Azure/aad-pod-identity: Assign Azure Active Directory Identities to Kubernetes applications. );
    Note: This service requires Azure CNI as the network plugin for AKS.
  2. You need to create the k8s resources AzureIdentity and AzureIdentityBinding;
  3. You need to configure and assign the identity to the pods that need to access your secrets;
  4. You need to create the k8s resource SecretProviderClass, on which you specify the secrets the pods should access;
  5. Finally, you need to mount the secretProviderClass into the pod as a CSI volume.

Please, refer to the following docs:

You can install the aad-pod-identity service via helm:

Have Fun!
Paolo
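The manifests below are an added example, not code from the thread or from the aad-pod-identity / secrets-store-csi-driver projects. They show steps 2 to 5 of the answer above as Kubernetes objects for a cluster where the azure_keyvault_secrets_provider addon and AAD Pod Identity are already installed. Every name, namespace, image and ID (the managed identity resource ID and client ID, the tenant ID, the Key Vault name kv-example and the secret names db-password and api-key) is an assumed placeholder to be replaced with your own values.

```yaml
# Added example (not from the original thread): the Kubernetes objects that
# steps 2-5 of the answer describe. All names and IDs are assumed placeholders.
---
# Step 2a: AzureIdentity points at a user-assigned managed identity in Azure.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: kv-reader-identity            # assumed name
  namespace: default
spec:
  type: 0                              # 0 = user-assigned managed identity
  resourceID: /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kv-reader   # assumed
  clientID: 00000000-0000-0000-0000-000000000000   # placeholder client ID of that identity
---
# Step 2b: AzureIdentityBinding links the identity to pods that carry a selector label.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: kv-reader-identity-binding
  namespace: default
spec:
  azureIdentity: kv-reader-identity
  selector: kv-reader                  # pods labelled aadpodidbinding=kv-reader get this identity
---
# Step 4: SecretProviderClass lists which Key Vault objects the driver may fetch.
# Older driver releases serve this kind under apiVersion secrets-store.csi.x-k8s.io/v1alpha1.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-kv-secrets
  namespace: default
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"             # authenticate with the AAD Pod Identity bound above
    keyvaultName: kv-example           # assumed Key Vault name
    tenantId: 00000000-0000-0000-0000-000000000000   # placeholder Azure AD tenant ID
    objects: |
      array:
        - |
          objectName: db-password      # assumed secret name in the vault
          objectType: secret
        - |
          objectName: api-key          # assumed secret name in the vault
          objectType: secret
---
# Steps 3 and 5: the pod carries the binding label and mounts the class as a CSI volume.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: default
  labels:
    aadpodidbinding: kv-reader         # step 3: matches the AzureIdentityBinding selector
spec:
  containers:
    - name: app
      image: example.com/app:1.0       # assumed image
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets      # each object appears as a file named after objectName
          readOnly: true
  volumes:
    - name: kv-secrets                 # step 5: CSI volume backed by the SecretProviderClass
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-kv-secrets
```

Apply the file with kubectl and the secrets show up inside the container as /mnt/secrets/db-password and /mnt/secrets/api-key; the driver only mounts files, it does not create Kubernetes Secret objects unless the class also defines secretObjects. On the Azure side the managed identity needs nothing more than permission to get secrets on that one vault, so grant only that rather than a broad role. Keep readOnly on both the volume and the mount, and scope the aadpodidbinding label to the workloads that genuinely need the vault, since any pod carrying that label in a namespace the binding covers can obtain the identity's token.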