Native integration between AKS and Azure Key Vault
It makes sense to have some sort of smart integration between kubernetes secrets and azure key vault.
- name: CLIENT_ID
A managed Pod identity would solve a lot of issues here for accessing Key Vault as well
Francois Boulais commented
We use Kubernetes secrets. I would like to manage these secrets directly in Azure Key Vault.
akv2k8s.io looks to be a nice project, but I won't use it.
Secrets are sensitive information. I don't trust akv2k8s.io enough, but I trust Microsoft.
David Soff commented
Is apparently also an option for file-based things
For env injection
Andrew Sears commented
It would be great if this were a native option and included injection of environment variables, with the same functionality as existing k8s secrets. Many apps are written to use environment variables rather than file-based keys.
A secrets.yaml file could reference the Key Vault secret keys k8s needs. The secret or environment variable could be decrypted as part of the injector process. Could look to other tools such as Databricks for similar cluster-based patterns.
Some best practices around storing base64-encoded secrets yaml files in a DevOps library, and the ability to store yaml files in Key Vault or another encrypted-at-rest mechanism, would be useful.
Please take a look at this project and let us know what you think:
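As an added illustration of the "secrets.yaml references Key Vault keys, and the app gets them as environment variables" pattern described in the comment above (not code from the commenter or from this feedback page), the following manifest uses the Secrets Store CSI driver with its Azure Key Vault provider to pull a vault secret into a pod and mirror it into a Kubernetes Secret that can be consumed via the usual env injection. The driver and provider are assumed to be installed on the cluster; the vault name, tenant ID, identity client ID and the secret name db-password are placeholders.

```yaml
# Added example: a SecretProviderClass that reads one Key Vault secret and syncs it
# into a Kubernetes Secret, plus a Deployment that consumes it as an env var.
# All <...> values are placeholders to be replaced with real identifiers.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: akv-app-secrets
spec:
  provider: azure
  # Mirror the mounted vault object into a Kubernetes Secret so that
  # env injection works exactly as with a hand-written Secret.
  # The Secret is only created while a pod mounts this provider class.
  secretObjects:
    - secretName: app-secrets
      type: Opaque
      data:
        - objectName: db-password        # name of the Key Vault secret
          key: DB_PASSWORD               # key inside the Kubernetes Secret
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"         # authenticate with the node's managed identity
    userAssignedIdentityID: "<client-id-of-managed-identity>"
    keyvaultName: "<key-vault-name>"
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: <your-app-image>
          env:
            # Same consumption pattern as any native Kubernetes Secret.
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: app-secrets
                  key: DB_PASSWORD
          volumeMounts:
            # The CSI mount must exist for the synced Secret to be created;
            # the file at /mnt/secrets-store/db-password is also available.
            - name: secrets-store
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: akv-app-secrets
```

Two points a practitioner should keep in mind with this pattern: the synced Secret is an ordinary Kubernetes Secret, so it lands in etcd and is only as protected as etcd encryption at rest and RBAC on that namespace allow; and the managed identity needs only "get" permission on the specific secrets, so scope its Key Vault access policy or RBAC role to the narrowest set of objects rather than to the whole vault.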
Badal Kotecha commented
And when you are enabling this, please ensure it works with OSBA as well.
Doug Fish commented
Storing Kubernetes secrets in Azure Key Vault is useful for environments where FIPS 140-2 Level 2 validated HSMs are required for secret storage.