Native integration between AKS and Azure Key Vault
It makes sense to have some sort of smart integration between kubernetes secrets and azure key vault.
I.e.
containers:
env:
- name: CLIENT_ID
valueFrom:
azureSecretKeyRef:
name: client-details
key: client-id
Anonymous
shared this idea
7 comments
-
Anonymous
commented
A managed Pod identity would solve a lot of issue here to access KeyVault as well
-
Francois Boulais
commented
We use Kubernetes secrets. I would like to manage these secrets directly in Azure Key Vault.
akv2k8s.io look to be a nice project, but i won't use it.
Secrets are sensible information. I dont trust akv2k8s.io enough, but I trust Microsoft. -
David Soff
commented
https://github.com/kubernetes-sigs/secrets-store-csi-driver
Is apparently also an option for file base things
https://akv2k8s.io/
For env injection -
Andrew Sears
commented
It would be great if this was a native option and includes injection of environment variables / same functionality as existing k8s secrets. Many apps are written to use environment variables rather than file-based keys.
A secrets.yaml file could reference the key vault secret keys k8s needs. The secret or environment could be decrypted as part of the injector process. Could look to other tools such as Databricks for the similar cluster-based patterns.
Some best practices around storing base64 encoded secrets yaml files in Devops library, and ability to store yaml files in Key Vault or other encrypted-at-rest mechanism would be useful.
-
Please take a look at this project and let us know what you think:
-
Badal Kotecha
commented
and when you are enabling this, please ensure it work with OSBA as well
-
Doug Fish
commented
Storing Kubernetes secrets in Azure Key Vault is useful for environments where FIPS 140-2 Level 2 validated HSMs are required for secret storage.
