2 months ago · fd565c327e
--- a/docs/provider/azure-key-vault.md
+++ b/docs/provider/azure-key-vault.md
--- a/docs/snippets/azkv-pkcs12-cert-external-secret.yaml
+++ b/docs/snippets/azkv-pkcs12-cert-external-secret.yaml
@@ -13,8 +13,8 @@ spec:
 
				       type: kubernetes.io/tls
			
 
				       engineVersion: v2
			
 
				       data:
			
 
				-        tls.crt: "{{ .tls | b64dec | pkcs12cert }}"
			
 
				-        tls.key: "{{ .tls | b64dec | pkcs12key }}"
			
 
				+        tls.crt: '{{ .tls | b64dec | pkcs12cert }}'
			
 
				+        tls.key: '{{ .tls | b64dec | pkcs12key }}'
			
 
				   data:
			
 
				   - secretKey: tls
			
 
				     remoteRef:
			
--- a/docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml
+++ b/docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml
@@ -0,0 +1,16 @@
 
				+apiVersion: cert-manager.io/v1
			
 
				+kind: Certificate
			
 
				+metadata:
			
 
				+  name: dummy-certificate
			
 
				+spec:
			
 
				+  dnsNames:
			
 
				+    - dummy.local
			
 
				+  issuerRef:
			
 
				+    group: cert-manager.io
			
 
				+    kind: ClusterIssuer
			
 
				+    name: letsencrypt-prod
			
 
				+  secretName: source-certificate
			
 
				+  privateKey:
			
 
				+    encoding: PKCS8 # Must be PKCS8 for Azure Key Vault
			
 
				+    algorithm: RSA
			
 
				+    size: 2048
			
--- a/docs/snippets/azkv-pushsecret-certificate-p12.yaml
+++ b/docs/snippets/azkv-pushsecret-certificate-p12.yaml
@@ -0,0 +1,26 @@
 
				+apiVersion: v1
			
 
				+kind: Secret
			
 
				+metadata:
			
 
				+  name: source-certificate
			
 
				+data:
			
 
				+  cert.p12: <BASE64_ENCODED_P12_CERTIFICATE>
			
 
				+---
			
 
				+apiVersion: external-secrets.io/v1alpha1
			
 
				+kind: PushSecret
			
 
				+metadata:
			
 
				+  name: pushsecret-example
			
 
				+  namespace: default
			
 
				+spec:
			
 
				+  refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile
			
 
				+  deletionPolicy: Delete
			
 
				+  secretStoreRefs: # A list of secret stores to push secrets to
			
 
				+    - name: azure-store
			
 
				+      kind: SecretStore
			
 
				+  selector:
			
 
				+    secret:
			
 
				+      name: source-certificate # Source Kubernetes secret to be pushed
			
 
				+  data:
			
 
				+    - match:
			
 
				+        secretKey: cert.p12 # Source Kubernetes secret key containing the P12 certificate
			
 
				+        remoteRef:
			
 
				+          remoteKey: cert/my-azkv-cert-name
			
--- a/docs/snippets/azkv-pushsecret-certificate-pem.yaml
+++ b/docs/snippets/azkv-pushsecret-certificate-pem.yaml
@@ -0,0 +1,35 @@
 
				+{% raw %}
			
 
				+apiVersion: v1
			
 
				+kind: Secret
			
 
				+metadata:
			
 
				+  name: source-certificate
			
 
				+data:
			
 
				+  tls.crt: <BASE64_ENCODED_PEM_CERTIFICATE>
			
 
				+  tls.key: <BASE64_ENCODED_PEM_KEY>
			
 
				+---
			
 
				+apiVersion: external-secrets.io/v1alpha1
			
 
				+kind: PushSecret
			
 
				+metadata:
			
 
				+  name: pushsecret-example
			
 
				+  namespace: default
			
 
				+spec:
			
 
				+  refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile
			
 
				+  deletionPolicy: Delete
			
 
				+  secretStoreRefs: # A list of secret stores to push secrets to
			
 
				+    - name: azure-store
			
 
				+      kind: SecretStore
			
 
				+  selector:
			
 
				+    secret:
			
 
				+      name: source-certificate # Source Kubernetes secret to be pushed
			
 
				+  template:
			
 
				+    engineVersion: v2
			
 
				+    data:
			
 
				+      # Use the `fullPemToPkcs12` function to convert the PEM-encoded certificate chain (certificate + intermediate certificates) + private key into a P12 file.
			
 
				+      # You can also use the `pemToPkcs12` function if you only want to include the certificate + private key without the intermediate certificates.
			
 
				+      cert.p12: '{{ fullPemToPkcs12 (index . "tls.crt" | toString) (index . "tls.key" | toString) | b64dec }}'
			
 
				+  data:
			
 
				+    - match:
			
 
				+        secretKey: cert.p12 # Reference to the generated P12 file in the template data
			
 
				+        remoteRef:
			
 
				+          remoteKey: cert/my-azkv-cert-name
			
 
				+{% endraw %}
			
--- a/docs/snippets/azkv-pushsecret-certificate.yaml
+++ b/docs/snippets/azkv-pushsecret-certificate.yaml
--- a/docs/snippets/azkv-secret-store-mi.yaml
+++ b/docs/snippets/azkv-secret-store-mi.yaml
@@ -4,10 +4,9 @@ metadata:
 
				   name: azure-store
			
 
				 spec:
			
 
				   provider:
			
 
				-    # provider type: azure keyvault
			
 
				     azurekv:
			
 
				       authType: ManagedIdentity
			
 
				-      # Optionally set the Id of the Managed Identity, if multiple identities are assigned to external-secrets operator
			
 
				-      identityId: "<MI_clientId>"
			
 
				-      # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
			
 
				+      # Optionally set the ID of the Managed Identity, if multiple identities are assigned to External Secrets Operator.
			
 
				+      identityId: "00000000-0000-0000-0000-000000000000"
			
 
				+      # URL of your Key Vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
			
 
				       vaultUrl: "https://my-keyvault-name.vault.azure.net"
			
--- a/docs/snippets/azkv-secret-store-spn-certificate.yaml
+++ b/docs/snippets/azkv-secret-store-spn-certificate.yaml
@@ -0,0 +1,20 @@
 
				+apiVersion: external-secrets.io/v1
			
 
				+kind: SecretStore
			
 
				+metadata:
			
 
				+  name: azure-store-spn-certificate
			
 
				+spec:
			
 
				+  provider:
			
 
				+    azurekv:
			
 
				+      # Azure tenant ID, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
			
 
				+      tenantId: "2ed1d494-6c5a-4c5d-aa24-479446fb844d"
			
 
				+      # URL of your Key Vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
			
 
				+      vaultUrl: "https://kvtestpushsecret.vault.azure.net"
			
 
				+      authSecretRef:
			
 
				+        # Reference to Kubernetes Secret name containing the Service Principal client ID under the key `ClientID`
			
 
				+        clientId:
			
 
				+          name: azure-secret-sp
			
 
				+          key: ClientID
			
 
				+        # Reference to Kubernetes Secret name containing the Service Principal client certificate in PEM format under the key `ClientCertificate`
			
 
				+        clientCertificate:
			
 
				+          name: azure-secret-sp
			
 
				+          key: ClientCertificate
			
--- a/docs/snippets/azkv-secret-store-spn-secret.yaml
+++ b/docs/snippets/azkv-secret-store-spn-secret.yaml
@@ -0,0 +1,20 @@
 
				+apiVersion: external-secrets.io/v1
			
 
				+kind: SecretStore
			
 
				+metadata:
			
 
				+  name: azure-store-spn-secret
			
 
				+spec:
			
 
				+  provider:
			
 
				+    azurekv:
			
 
				+      # Azure tenant ID, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
			
 
				+      tenantId: "2ed1d494-6c5a-4c5d-aa24-479446fb844d"
			
 
				+      # URL of your Key Vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
			
 
				+      vaultUrl: "https://kvtestpushsecret.vault.azure.net"
			
 
				+      authSecretRef:
			
 
				+        # Reference to Kubernetes Secret name containing the Service Principal client ID under the key `ClientID`
			
 
				+        clientId:
			
 
				+          name: azure-secret-sp
			
 
				+          key: ClientID
			
 
				+        # Reference to Kubernetes Secret name containing the Service Principal client secret under the key `ClientSecret`
			
 
				+        clientSecret:
			
 
				+          name: azure-secret-sp
			
 
				+          key: ClientSecret
			
--- a/docs/snippets/azkv-secret-store.yaml
+++ b/docs/snippets/azkv-secret-store.yaml
@@ -1,21 +0,0 @@
 
				-apiVersion: external-secrets.io/v1
			
 
				-kind: SecretStore
			
 
				-metadata:
			
 
				-  name: azure-store
			
 
				-spec:
			
 
				-  provider:
			
 
				-    # provider type: azure keyvault
			
 
				-    azurekv:
			
 
				-      # azure tenant ID, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
			
 
				-      tenantId: "2ed1d494-6c5a-4c5d-aa24-479446fb844d"
			
 
				-      # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
			
 
				-      vaultUrl: "https://kvtestpushsecret.vault.azure.net"
			
 
				-      authSecretRef:
			
 
				-        # points to the secret that contains
			
 
				-        # the azure service principal credentials
			
 
				-        clientId:
			
 
				-          name: azure-secret-sp
			
 
				-          key: ClientID
			
 
				-        clientSecret:
			
 
				-          name: azure-secret-sp
			
 
				-          key: ClientSecret
			
--- a/docs/snippets/azkv-workload-identity-mounted.yaml
+++ b/docs/snippets/azkv-workload-identity-mounted.yaml
@@ -1,7 +1,7 @@
 
				 apiVersion: v1
			
 
				 kind: ServiceAccount
			
 
				 metadata:
			
 
				-  # this service account was created by azwi
			
 
				+  # This service account was created by azwi
			
 
				   name: workload-identity-sa
			
 
				   annotations:
			
 
				     azure.workload.identity/client-id: 7d8cdf74-xxxx-xxxx-xxxx-274d963d358b
			
@@ -16,4 +16,4 @@ spec:
 
				     azurekv:
			
 
				       authType: WorkloadIdentity
			
 
				       vaultUrl: "https://xx-xxxx-xx.vault.azure.net"
			
 
				-      # note: no serviceAccountRef was provided
			
 
				+      # Note: no serviceAccountRef was provided
			
--- a/docs/snippets/azkv-workload-identity-secretref.yaml
+++ b/docs/snippets/azkv-workload-identity-secretref.yaml
@@ -1,7 +1,7 @@
 
				 apiVersion: v1
			
 
				 kind: ServiceAccount
			
 
				 metadata:
			
 
				-  # this service account was created by azwi
			
 
				+  # This service account was created by azwi
			
 
				   name: workload-identity-sa
			
 
				   annotations: {}
			
 
				 ---