@@ -1813,14 +1813,19 @@ az keyvault set-policy --name kv-name-with-certs --object-id <span class="s2">&q
<h4 id="managed-identity-authentication">Managed Identity authentication</h4>
<p>A Managed Identity should be created in Azure, and that Identity should have proper rights to the keyvault to be managed by the operator.</p>
<p>If there are multiple Managed Identitites for different keyvaults, the operator should have been assigned all identities via <a href="https://azure.github.io/aad-pod-identity/docs/">aad-pod-identity</a>, then the SecretStore configuration should include the Id of the idenetity to be used via the <code>identityId</code> field.</p>
-<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span><span class="w"></span>
-<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Secret</span><span class="w"></span>
+<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1beta1</span><span class="w"></span>
+<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">SecretStore</span><span class="w"></span>
<span class="nt">metadata</span><span class="p">:</span><span class="w"></span>
-<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">azure-secret-sp</span><span class="w"></span>
-<span class="nt">type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Opaque</span><span class="w"></span>
-<span class="nt">data</span><span class="p">:</span><span class="w"></span>
-<span class="w"> </span><span class="nt">ClientID</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LWlkCg==</span><span class="w"> </span><span class="c1">#service-principal-ID</span><span class="w"></span>
-<span class="w"> </span><span class="nt">ClientSecret</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LXNlY3JldAo=</span><span class="w"> </span><span class="c1">#service-principal-secret</span><span class="w"></span>
+<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example-secret-store</span><span class="w"></span>
+<span class="nt">spec</span><span class="p">:</span><span class="w"></span>
+<span class="w"> </span><span class="nt">provider</span><span class="p">:</span><span class="w"></span>
+<span class="w"> </span><span class="c1"># provider type: azure keyvault</span><span class="w"></span>
+<span class="w"> </span><span class="nt">azurekv</span><span class="p">:</span><span class="w"></span>
+<span class="w"> </span><span class="nt">authType</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ManagedIdentity</span><span class="w"></span>
+<span class="w"> </span><span class="c1"># Optionally set the Id of the Managed Identity, if multiple identities are assigned to external-secrets operator</span><span class="w"></span>
+<span class="w"> </span><span class="nt">identityId</span><span class="p">:</span><span class="w"> </span><span class="s">"<MI_clientId>"</span><span class="w"></span>
+<span class="w"> </span><span class="c1"># URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates</span><span class="w"></span>
+<span class="w"> </span><span class="nt">vaultUrl</span><span class="p">:</span><span class="w"> </span><span class="s">"https://my-keyvault-name.vault.azure.net"</span><span class="w"></span>
</code></pre></div>
<h4 id="workload-identity">Workload Identity</h4>
<p>You can use <a href="https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation">Azure AD Workload Identity Federation</a> to access Azure managed services like Key Vault <strong>without needing to manage secrets</strong>. You need to configure a trust relationship between your Kubernetes Cluster and Azure AD. This can be done in various ways, for instance using <code>terraform</code>, the Azure Portal or the <code>az</code> cli. We found the <a href="https://azure.github.io/azure-workload-identity/docs/installation/azwi.html">azwi</a> cli very helpful. The Azure <a href="https://azure.github.io/azure-workload-identity/docs/quick-start.html">Workload Identity Quick Start Guide</a> is also good place to get started.</p>
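<p>Review bot: the added comment above <code>identityId</code> says "set the Id of the Managed Identity" while the placeholder value is <code>"&lt;MI_clientId&gt;"</code>; an Azure managed identity exposes a client ID, an object (principal) ID and a resource ID, so the comment should name the one expected, e.g. <code># Optionally set the client ID of the Managed Identity, if multiple identities are assigned to external-secrets operator</code>, otherwise a reader who pastes the object ID will get an authentication failure that is hard to diagnose. Replacing the <code>azure-secret-sp</code> Secret is the right call: a manifest holding <code>ClientID</code>/<code>ClientSecret</code> values belongs to service-principal authentication, and leaving it under the Managed Identity heading invited users to create a credential-bearing Secret they do not need. Since the surrounding paragraph is touched by this hunk, the typos "Identitites" and "idenetity" in the context line could be fixed in the same change.</p>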