
deploy: 1e9ba0ceb5f297de4c2ae02a24de49492db514af

paul-the-alien[bot] 4 years ago
parent
commit
59984624b8
6 changed files with 136 additions and 31 deletions
  1. provider-azure-key-vault/index.html (+36 -2)
  2. search/search_index.json (+0 -0)
  3. sitemap.xml (+27 -27)
  4. sitemap.xml.gz (BIN)
  5. snippets/azkv-secret-store-mi.yaml (+13 -0)
  6. spec/index.html (+60 -2)

+ 36 - 2
provider-azure-key-vault/index.html

@@ -564,6 +564,13 @@
     Service Principal key authentication
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#managed-identity-authentication" class="md-nav__link">
+    Managed Identity authentication
+  </a>
+  
 </li>
         
       </ul>
@@ -1003,6 +1010,13 @@
     Service Principal key authentication
   </a>
   
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#managed-identity-authentication" class="md-nav__link">
+    Managed Identity authentication
+  </a>
+  
 </li>
         
       </ul>
@@ -1059,9 +1073,13 @@
 <h2 id="azure-key-vault">Azure Key vault</h2>
 <p>External Secrets Operator integrates with <a href="https://azure.microsoft.com/en-us/services/key-vault/">Azure Key vault</a> for secrets, certificates and Keys management.</p>
 <h3 id="authentication">Authentication</h3>
-<p>At the moment, we only support <a href="https://docs.microsoft.com/en-us/azure/key-vault/general/authentication">service principals</a> authentication.</p>
+<p>We support Service Principals and Managed Identity <a href="https://docs.microsoft.com/en-us/azure/key-vault/general/authentication">authentication</a>.</p>
+<p>To use Managed Identity authentication, you should use <a href="https://azure.github.io/aad-pod-identity/docs/">aad-pod-identity</a> to assign the identity to external-secrets operator. To add the selector to external-secrets operator, use <code>podLabels</code> in your values.yaml in case of Helm installation of external-secrets.</p>
 <h4 id="service-principal-key-authentication">Service Principal key authentication</h4>
 <p>A service Principal client and Secret is created and the JSON keyfile is stored in a <code>Kind=Secret</code>. The <code>ClientID</code> and <code>ClientSecret</code> should be configured for the secret. This service principal should have proper access rights to the keyvault to be managed by the operator</p>
+<h4 id="managed-identity-authentication">Managed Identity authentication</h4>
+<p>A Managed Identity should be created in Azure, and that Identity should have proper rights to the keyvault to be managed by the operator.</p>
+<p>If there are multiple Managed Identitites for different keyvaults, the operator should have been assigned all identities via <a href="https://azure.github.io/aad-pod-identity/docs/">aad-pod-identity</a>, then the SecretStore configuration should include the Id of the idenetity to be used via the <code>identityId</code> field.</p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
 <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Secret</span>
 <span class="nt">metadata</span><span class="p">:</span>
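Review bot: the new Managed Identity paragraph has two typos ("Identitites", "idenetity") and leaves the vault permissions vague: "proper rights to the keyvault" should name the minimum the operator needs (read access to the secret, key and certificate object types listed under Object Types), otherwise readers tend to grant the identity full vault access. The sentence about `podLabels` also says to add "the selector" without saying which label key and value aad-pod-identity expects on the operator pod; state it so the binding can be verified.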
@@ -1073,7 +1091,7 @@
 </code></pre></div>
 
 <h3 id="update-secret-store">Update secret store</h3>
-<p>Be sure the <code>azkv</code> provider is listed in the <code>Kind=SecretStore</code></p>
+<p>Be sure the <code>azurekv</code> provider is listed in the <code>Kind=SecretStore</code></p>
 <div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
 <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
 <span class="nt">metadata</span><span class="p">:</span>
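Review bot: the `azkv` to `azurekv` correction is right, but the snippet file added in this same commit is still named `snippets/azkv-secret-store-mi.yaml`; consider renaming it to match the provider key so the old short name does not resurface.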
@@ -1097,6 +1115,22 @@
           <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ClientSecret</span>
 </code></pre></div>
 
+<p>Or in case of Managed Idenetity authentication:</p>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-secret-store</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">provider</span><span class="p">:</span>
+    <span class="c1"># provider type: azure keyvault</span>
+    <span class="nt">azurekv</span><span class="p">:</span>
+      <span class="nt">authType</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ManagedIdentity</span>
+      <span class="c1"># Optionally set the Id of the Managed Identity, if multiple identities is assignet to external-secrets operator</span>
+      <span class="nt">identityId</span><span class="p">:</span> <span class="s">&quot;&lt;MI_clientId&gt;&quot;</span>
+      <span class="c1"># URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates</span>
+      <span class="nt">vaultUrl</span><span class="p">:</span> <span class="s">&quot;https://my-keyvault-name.vault.azure.net&quot;</span>
+</code></pre></div>
+
 <h3 id="object-types">Object Types</h3>
 <p>Azure KeyVault manages different <a href="https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types">object types</a>, we support <code>keys</code>, <code>secrets</code> and <code>certificates</code>. Simply prefix the key with <code>key</code>, <code>secret</code> or <code>cert</code> to retrieve the desired type (defaults to secret).</p>
 <table>
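Review bot: "Managed Idenetity" in the intro sentence is misspelled, and the YAML comment "multiple identities is assignet" should read "multiple identities are assigned". More importantly, the placeholder `<MI_clientId>` implies a client ID while the prose and the spec only say "the Id of the identity"; state explicitly which identifier `identityId` takes so users do not paste the resource ID or object ID and end up with a store that silently fails to authenticate.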

File diff suppressed because it is too large
+ 0 - 0
search/search_index.json


+ 27 - 27
sitemap.xml

@@ -1,111 +1,111 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url><url>
      <loc>None</loc>
-     <lastmod>2021-12-06</lastmod>
+     <lastmod>2021-12-07</lastmod>
      <changefreq>daily</changefreq>
     </url>
 </urlset>
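Review bot: every `<loc>` in this sitemap is the literal string `None`, so only the `lastmod` dates changed and the file is still useless to crawlers. This comes from the site generator not knowing its base URL (`site_url` in the MkDocs config); fix the config once rather than regenerating a broken sitemap on every deploy.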

BIN
sitemap.xml.gz


+ 13 - 0
snippets/azkv-secret-store-mi.yaml

@@ -0,0 +1,13 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: example-secret-store
+spec:
+  provider:
+    # provider type: azure keyvault
+    azurekv:
+      authType: ManagedIdentity
+      # Optionally set the Id of the Managed Identity, if multiple identities is assignet to external-secrets operator
+      identityId: "<MI_clientId>"
+      # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
+      vaultUrl: "https://my-keyvault-name.vault.azure.net"
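Review bot: this snippet is the source of the example rendered in provider-azure-key-vault/index.html, so the wording fix belongs here ("multiple identities is assignet" should be "multiple identities are assigned"). Also, `identityId` is commented as optional yet carries a placeholder value, so a reader who applies the file as-is submits `"<MI_clientId>"` to the controller; either comment the line out or add a comment saying it must be removed when only one identity is bound.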

+ 60 - 2
spec/index.html

@@ -1376,6 +1376,33 @@ string
 </tr>
 </tbody>
 </table>
+<h3 id="external-secrets.io/v1alpha1.AuthType">AuthType
+(<code>string</code> alias)</p></h3>
+<p>
+(<em>Appears on:</em>
+<a href="#external-secrets.io/v1alpha1.AzureKVProvider">AzureKVProvider</a>)
+</p>
+<p>
+<p>AuthType describes how to authenticate to the Azure Keyvault
+Only one of the following auth types may be specified.
+If none of the following auth type is specified, the default one
+is ServicePrincipal.</p>
+</p>
+<table>
+<thead>
+<tr>
+<th>Value</th>
+<th>Description</th>
+</tr>
+</thead>
+<tbody><tr><td><p>&#34;ManagedIdentity&#34;</p></td>
+<td><p>Using Managed Identity to authenticate. Used with aad-pod-identity instelled in the clister.</p>
+</td>
+</tr><tr><td><p>&#34;ServicePrincipal&#34;</p></td>
+<td><p>Using service principal to authenticate, which needs a tenantId, a clientId and a clientSecret.</p>
+</td>
+</tr></tbody>
+</table>
 <h3 id="external-secrets.io/v1alpha1.AzureKVAuth">AzureKVAuth
 </h3>
 <p>
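Review bot: the `AuthType` heading is malformed: `(<code>string</code> alias)</p></h3>` closes a `</p>` that was never opened inside the `<h3>`, and the description below is wrapped in a nested `<p><p>...</p></p>`, which is invalid HTML. Since this file is generated from the Go type doc comments, fix the source comment (missing period after "Azure Keyvault", "instelled in the clister" should be "installed in the cluster") and the generator template rather than patching the HTML.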
@@ -1436,6 +1463,23 @@ github.com/external-secrets/external-secrets/apis/meta/v1.SecretKeySelector
 <tbody>
 <tr>
 <td>
+<code>authType</code></br>
+<em>
+<a href="#external-secrets.io/v1alpha1.AuthType">
+AuthType
+</a>
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Auth type defines how to authenticate to the keyvault service.
+Valid values are:
+- &ldquo;ServicePrincipal&rdquo; (default): Using a service principal (tenantId, clientId, clientSecret)
+- &ldquo;ManagedIdentity&rdquo;: Using Managed Identity assigned to the pod (see aad-pod-identity)</p>
+</td>
+</tr>
+<tr>
+<td>
 <code>vaultUrl</code></br>
 <em>
 string
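Review bot: the "Valid values are:" list is written with "- " markers inside a single `<p>`, so it renders as one run-on line; the generator does not turn it into a list. Either format the doc comment so the generator emits a `<ul>`, or drop the inline list and point to the AuthType table, which already carries both values with their descriptions.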
@@ -1453,7 +1497,8 @@ string
 </em>
 </td>
 <td>
-<p>TenantID configures the Azure Tenant to send requests to.</p>
+<em>(Optional)</em>
+<p>TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.</p>
 </td>
 </tr>
 <tr>
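Review bot: `tenantId` is now marked Optional while the text says it is required for ServicePrincipal; the CRD schema cannot express that conditional, so a store with `authType: ServicePrincipal` and no `tenantId` passes admission. Make sure the controller reports a clear validation error in that case and document it, otherwise the failure surfaces only as an authentication error against Azure.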
@@ -1466,7 +1511,20 @@ AzureKVAuth
 </em>
 </td>
 <td>
-<p>Auth configures how the operator authenticates with Azure.</p>
+<em>(Optional)</em>
+<p>Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.</p>
+</td>
+</tr>
+<tr>
+<td>
+<code>identityId</code></br>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>If multiple Managed Identity is assigned to the pod, you can select the one to be used</p>
 </td>
 </tr>
 </tbody>
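Review bot: "If multiple Managed Identity is assigned to the pod" should read "If multiple Managed Identities are assigned to the pod". The description also leaves the default undefined: when `identityId` is empty and more than one identity is bound, which one is used? State the behaviour (or require the field in that case), since silently picking one identity means the store may run with a different set of vault permissions than intended.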

Some files were not shown because too many files changed in this diff