
deploy: b8a763300fef3808e9c54f74f336d7364a58d649

paul-the-alien[bot] пре 5 година
родитељ
комит
e7098a594d

+ 221 - 0
provider-azure-key-vault/index.html

@@ -77,6 +77,10 @@
     <input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
     <label class="md-overlay" data-md-component="overlay" for="__drawer"></label>
     
+      <a href="#azure-key-vault" tabindex="1" class="md-skip">
+        Skip to content
+      </a>
+    
     
       <header class="md-header" data-md-component="header">
   <nav class="md-header-nav md-grid">
@@ -474,10 +478,77 @@
     <input class="md-toggle md-nav__toggle" data-md-toggle="toc" type="checkbox" id="__toc">
     
     
+      <label class="md-nav__link md-nav__link--active" for="__toc">
+        Key Vault
+      </label>
+    
     <a href="./" title="Key Vault" class="md-nav__link md-nav__link--active">
       Key Vault
     </a>
     
+      
+<nav class="md-nav md-nav--secondary">
+  
+  
+  
+    <label class="md-nav__title" for="__toc">Table of contents</label>
+    <ul class="md-nav__list" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#azure-key-vault" class="md-nav__link">
+    Azure Key vault
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#authentication" class="md-nav__link">
+    Authentication
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#service-principal-key-authentication" class="md-nav__link">
+    Service Principal key authentication
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#update-secret-store" class="md-nav__link">
+    Update secret store
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#creating-external-secret" class="md-nav__link">
+    Creating external secret
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+      
+      
+      
+      
+    </ul>
+  
+</nav>
+    
   </li>
 
         
@@ -642,6 +713,75 @@
               </div>
             
             
+              <div class="md-sidebar md-sidebar--secondary" data-md-component="toc">
+                <div class="md-sidebar__scrollwrap">
+                  <div class="md-sidebar__inner">
+                    
+<nav class="md-nav md-nav--secondary">
+  
+  
+  
+    <label class="md-nav__title" for="__toc">Table of contents</label>
+    <ul class="md-nav__list" data-md-scrollfix>
+      
+        <li class="md-nav__item">
+  <a href="#azure-key-vault" class="md-nav__link">
+    Azure Key vault
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#authentication" class="md-nav__link">
+    Authentication
+  </a>
+  
+    <nav class="md-nav">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#service-principal-key-authentication" class="md-nav__link">
+    Service Principal key authentication
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#update-secret-store" class="md-nav__link">
+    Update secret store
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#creating-external-secret" class="md-nav__link">
+    Creating external secret
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
+</li>
+      
+      
+      
+      
+      
+    </ul>
+  
+</nav>
+                  </div>
+                </div>
+              </div>
+            
           
           <div class="md-content">
             <article class="md-content__inner md-typeset">
@@ -653,6 +793,87 @@
                   <h1>Key Vault</h1>
                 
                 <p><img alt="aws sm" src="../pictures/eso-az-kv-azure-kv.png" /></p>
+<h2 id="azure-key-vault">Azure Key vault</h2>
+<p>External Secrets Operator integrates with <a href="https://azure.microsoft.com/en-us/services/key-vault/">Azure Key vault</a> for secrets , certificates and Keys management.</p>
+<h3 id="authentication">Authentication</h3>
+<p>At the moment, we only support <a href="https://docs.microsoft.com/en-us/azure/key-vault/general/authentication">service principals</a> authentication.</p>
+<h4 id="service-principal-key-authentication">Service Principal key authentication</h4>
+<p>A service Principal client and Secret is created and the JSON keyfile is stored in a <code>Kind=Secret</code>. The <code>ClientID</code> and <code>ClientSecret</code> should be configured for the secret. This service principal should have proper access rights to the keyvault to be managed by the operator</p>
+<div class="highlight"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">v1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Secret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">azure-secret-sp</span>
+<span class="nt">type</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Opaque</span>
+<span class="nt">data</span><span class="p">:</span>
+  <span class="nt">ClientID</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LWlkCg==</span>  <span class="c1">#service-principal-ID</span>
+  <span class="nt">ClientSecret</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LXNlY3JldAo=</span> <span class="c1">#service-principal-secret</span>
+</pre></div>
+
+<h3 id="update-secret-store">Update secret store</h3>
+<p>Be sure the <code>azkv</code> provider is listed in the <code>Kind=SecretStore</code></p>
+<div class="highlight"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-secret-store</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">azurekv</span><span class="p">:</span>      <span class="c1">#Provider type , azure keyvault</span>
+    <span class="nt">tenantid</span><span class="p">:</span> <span class="s">&quot;d3bc2180-xxxx-xxxx-xxxx-154105743342&quot;</span> <span class="c1">#azure tenant ID</span>
+    <span class="nt">vaultUrl</span><span class="p">:</span> <span class="s">&quot;https://my-keyvault-name.vault.azure.net&quot;</span> <span class="c1">#Keyvault URL</span>
+    <span class="nt">authSecretRef</span><span class="p">:</span>
+      <span class="c1">#Secret created in the cluster holding the azure service principal with proper access rights</span>
+      <span class="nt">clientID</span><span class="p">:</span>
+        <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">azure-secret-sp</span>  
+        <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ClientID</span>
+      <span class="nt">clientSecret</span><span class="p">:</span>
+        <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">azure-secret-sp</span>
+        <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ClientSecret</span>
+</pre></div>
+
+<h3 id="creating-external-secret">Creating external secret</h3>
+<p>To create a kubernetes secret from the Azure Key vault secret a <code>Kind=ExternalSecret</code> is needed.</p>
+<p>You can manage keys/secrets/certificates saved inside the keyvault , by setting a "/" prefixed type in the secret name , the default type is a <code>secret</code>. other supported values are <code>cert</code> and <code>key</code></p>
+<p>to select all secrets inside the key vault , you can use the <code>dataFrom</code> directive</p>
+<div class="highlight"><pre><span></span><span class="nt">apiVersion</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">external-secrets.io/v1alpha1</span>
+<span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">ExternalSecret</span>
+<span class="nt">metadata</span><span class="p">:</span>
+  <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-external-secret</span>
+<span class="nt">spec</span><span class="p">:</span>
+  <span class="nt">refreshInterval</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">1h</span>           <span class="c1"># rate SecretManager pulls Azure</span>
+  <span class="nt">secretStoreRef</span><span class="p">:</span>
+    <span class="nt">kind</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">SecretStore</span>
+    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">example-secret-store</span>               <span class="c1"># name of the SecretStore (or kind specified)</span>
+
+  <span class="nt">target</span><span class="p">:</span>
+    <span class="nt">name</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret-to-be-created</span>  <span class="c1"># name of the k8s Secret to be created</span>
+    <span class="nt">creationPolicy</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">Owner</span>
+
+  <span class="nt">data</span><span class="p">:</span>
+  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev-secret-test</span>  <span class="c1"># name of the  key to be created in the secret object</span>
+    <span class="nt">remoteRef</span><span class="p">:</span>
+      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev-secret-test</span> <span class="c1">#name of the SECRET in the Azure KV (no prefix =&gt; SECRET)</span>
+
+  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev-another-secret-test</span>  <span class="c1"># name of the  key to be created in the secret object</span>
+    <span class="nt">remoteRef</span><span class="p">:</span>
+      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">secret/dev-secret-test</span> <span class="c1">#type and name of secret in the Azure KV</span>
+
+  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev-cert-test</span>  <span class="c1"># name of the  key to be created in the secret object</span>
+    <span class="nt">remoteRef</span><span class="p">:</span>
+      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">cert/dev-cert-test</span> <span class="c1">#type/name of certificate in the Azure KV </span>
+                              <span class="c1">#raw value will be returned , use templating features for data processing</span>
+
+  <span class="p p-Indicator">-</span> <span class="nt">secretKey</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">dev-key-test</span>  <span class="c1"># name of the  key to be created in the secret object</span>
+    <span class="nt">remoteRef</span><span class="p">:</span>
+      <span class="nt">key</span><span class="p">:</span> <span class="l l-Scalar l-Scalar-Plain">key/dev-key-test</span> <span class="c1">#type/name of the public key in the Azure KV </span>
+
+  <span class="c1"># dataFrom , return ALL secrets saved in the referenced secretStore </span>
+  <span class="c1"># each secret name in the KV will be used as the secret key in the SECRET k8s target object</span>
+  <span class="nt">dataFrom</span><span class="p">:</span> 
+  <span class="p p-Indicator">-</span> <span class="nt">name</span><span class="p">:</span> <span class="s">&quot;*&quot;</span>
+</pre></div>
+
+<p>The operator will fetch the Azure Key vault secret and inject it as a <code>Kind=Secret</code>
+<div class="highlight"><pre><span></span>kubectl get secret secret-to-be-created -n &lt;namespace&gt; | -o jsonpath=&#39;{.data.dev-secret-test}&#39; | base64 -d
+</pre></div></p>
                 
                   
                 

+ 0 - 0
search/search_index.json



+ 8 - 0
snippets/azkv-credentials-secret.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: azure-secret-sp
+type: Opaque
+data:
+  ClientID: bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LWlkCg==  #service-principal-ID
+  ClientSecret: bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LXNlY3JldAo= #service-principal-secret
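Review bot: Both base64 sample values on the last two lines end in an encoded newline (`Cg==` and `Ao=` decode to a trailing `\n`), which is what `echo value | base64` produces without `-n`; a reader who copies this pattern ends up with a client secret carrying a trailing newline that Azure rejects. Since these are placeholders, `stringData:` would let the manifest show readable values and leave encoding to the API server: `stringData:` / `ClientID: <service-principal-client-id>` / `ClientSecret: <service-principal-client-secret>`. It is also worth a comment that base64 is encoding, not encryption, so a manifest with real values should not be committed. The inline comments lack the space after `#` that yamllint expects (`# service-principal-ID`).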

+ 36 - 0
snippets/azkv-external-secret.yaml

@@ -0,0 +1,36 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: example-external-secret
+spec:
+  refreshInterval: 1h           # rate SecretManager pulls Azure
+  secretStoreRef:
+    kind: SecretStore
+    name: example-secret-store               # name of the SecretStore (or kind specified)
+ 
+  target:
+    name: secret-to-be-created  # name of the k8s Secret to be created
+    creationPolicy: Owner
+  
+  data:
+  - secretKey: dev-secret-test  # name of the  key to be created in the secret object
+    remoteRef:
+      key: dev-secret-test #name of the SECRET in the Azure KV (no prefix => SECRET)
+
+  - secretKey: dev-another-secret-test  # name of the  key to be created in the secret object
+    remoteRef:
+      key: secret/dev-secret-test #type and name of secret in the Azure KV
+
+  - secretKey: dev-cert-test  # name of the  key to be created in the secret object
+    remoteRef:
+      key: cert/dev-cert-test #type/name of certificate in the Azure KV 
+                              #raw value will be returned , use templating features for data processing
+
+  - secretKey: dev-key-test  # name of the  key to be created in the secret object
+    remoteRef:
+      key: key/dev-key-test #type/name of the public key in the Azure KV 
+  
+  # dataFrom , return ALL secrets saved in the referenced secretStore 
+  # each secret name in the KV will be used as the secret key in the SECRET k8s target object
+  dataFrom: 
+  - name: "*"
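Review bot: The closing `dataFrom` entry with `name: "*"` syncs every secret in the vault into the single target Secret, so any subject able to read `secret-to-be-created` gets the whole vault, and it silently overlaps the four explicit `data` entries above it. For an example manifest I would keep the wildcard out of the default, or label it: `# "*" copies EVERY vault secret into this one Secret; narrow it or omit it unless that is intended` — whether `name` accepts anything narrower than `*` I cannot tell from the hunk, so confirm against the provider schema. The `refreshInterval` comment names `SecretManager`, which is not this provider; `# how often the operator re-reads Azure Key Vault` fits. Several lines (the blank lines after `secretStoreRef` and `target`, the `cert/` and `key/` comment lines, and the `dataFrom:` line) carry trailing whitespace that yamllint will flag.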

+ 16 - 0
snippets/azkv-secret-store.yaml

@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: example-secret-store
+spec:
+  azurekv:      #Provider type , azure keyvault
+    tenantid: "d3bc2180-xxxx-xxxx-xxxx-154105743342" #azure tenant ID
+    vaultUrl: "https://my-keyvault-name.vault.azure.net" #Keyvault URL
+    authSecretRef:
+      #Secret created in the cluster holding the azure service principal with proper access rights
+      clientID:
+        name: azure-secret-sp  
+        key: ClientID
+      clientSecret:
+        name: azure-secret-sp
+        key: ClientSecret
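Review bot: `tenantid` under `azurekv` is the only lower-case key in a block that otherwise uses camelCase (`vaultUrl`, `authSecretRef`, `clientSecret`); Kubernetes API fields are camelCase, and a key the CRD does not recognise is dropped or rejected at admission rather than reported at sync time, so the spelling should be checked against the SecretStore CRD (presumably `tenantId`). `clientID` versus `clientSecret` is a second casing mismatch in the same block — verify both against the schema. The `name: azure-secret-sp` line under `clientID` ends in trailing whitespace, and the `#Provider type` / `#azure tenant ID` / `#Keyvault URL` comments lack the space after `#` (`# Provider type: Azure Key Vault`).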
