
docs(azurekv): cert-manager pushsecret example and cleanups (#5972)

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Richard Ahlquist 2 ay önce
ebeveyn
işleme
fd565c327e

+ 96 - 64
docs/provider/azure-key-vault.md


+ 2 - 2
docs/snippets/azkv-pkcs12-cert-external-secret.yaml

@@ -13,8 +13,8 @@ spec:
       type: kubernetes.io/tls
       engineVersion: v2
       data:
-        tls.crt: "{{ .tls | b64dec | pkcs12cert }}"
-        tls.key: "{{ .tls | b64dec | pkcs12key }}"
+        tls.crt: '{{ .tls | b64dec | pkcs12cert }}'
+        tls.key: '{{ .tls | b64dec | pkcs12key }}'
   data:
   - secretKey: tls
     remoteRef:

+ 16 - 0
docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: dummy-certificate
+spec:
+  dnsNames:
+    - dummy.local
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: letsencrypt-prod
+  secretName: source-certificate
+  privateKey:
+    encoding: PKCS8 # Must be PKCS8 for Azure Key Vault
+    algorithm: RSA
+    size: 2048
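Review bot: The `dnsNames` entry `dummy.local` combined with `issuerRef.name: letsencrypt-prod` would never yield a certificate if that issuer is an ACME issuer as its name suggests, because a public ACME CA cannot validate a non-public `.local` name, so a reader copying the snippet gets a Certificate that never becomes Ready. Either point the example at a self-signed or CA `ClusterIssuer`, or use a placeholder host on a public-looking domain, and say so next to the issuer: `name: letsencrypt-prod # Any ClusterIssuer works; ACME issuers need a publicly resolvable dnsName`. The `encoding: PKCS8` comment is the right kind of hint and could be kept as-is.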

+ 26 - 0
docs/snippets/azkv-pushsecret-certificate-p12.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: source-certificate
+data:
+  cert.p12: <BASE64_ENCODED_P12_CERTIFICATE>
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: pushsecret-example
+  namespace: default
+spec:
+  refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile
+  deletionPolicy: Delete
+  secretStoreRefs: # A list of secret stores to push secrets to
+    - name: azure-store
+      kind: SecretStore
+  selector:
+    secret:
+      name: source-certificate # Source Kubernetes secret to be pushed
+  data:
+    - match:
+        secretKey: cert.p12 # Source Kubernetes secret key containing the P12 certificate
+        remoteRef:
+          remoteKey: cert/my-azkv-cert-name
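Review bot: `deletionPolicy: Delete` is the one field in this PushSecret spec without a comment, yet it is the setting with a destructive consequence: with `Delete`, removing the PushSecret also removes the pushed certificate from Key Vault, which someone copying a certificate example is unlikely to expect. Annotate it in the same style as the neighbouring fields, `deletionPolicy: Delete # Deleting this PushSecret also deletes the certificate from Azure Key Vault; use None to keep it`. The same uncommented line appears in azkv-pushsecret-certificate-pem.yaml.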

+ 35 - 0
docs/snippets/azkv-pushsecret-certificate-pem.yaml

@@ -0,0 +1,35 @@
+{% raw %}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: source-certificate
+data:
+  tls.crt: <BASE64_ENCODED_PEM_CERTIFICATE>
+  tls.key: <BASE64_ENCODED_PEM_KEY>
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: pushsecret-example
+  namespace: default
+spec:
+  refreshInterval: 1h0m0s # Refresh interval for which push secret will reconcile
+  deletionPolicy: Delete
+  secretStoreRefs: # A list of secret stores to push secrets to
+    - name: azure-store
+      kind: SecretStore
+  selector:
+    secret:
+      name: source-certificate # Source Kubernetes secret to be pushed
+  template:
+    engineVersion: v2
+    data:
+      # Use the `fullPemToPkcs12` function to convert the PEM-encoded certificate chain (certificate + intermediate certificates) + private key into a P12 file.
+      # You can also use the `pemToPkcs12` function if you only want to include the certificate + private key without the intermediate certificates.
+      cert.p12: '{{ fullPemToPkcs12 (index . "tls.crt" | toString) (index . "tls.key" | toString) | b64dec }}'
+  data:
+    - match:
+        secretKey: cert.p12 # Reference to the generated P12 file in the template data
+        remoteRef:
+          remoteKey: cert/my-azkv-cert-name
+{% endraw %}
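Review bot: The two comment lines above `cert.p12` under `template.data` run well past 120 columns, which yamllint's default line-length rule flags and which is likely to scroll horizontally when the snippet is rendered in the docs. Wrap them at roughly 80 columns, for instance the second one as `# Use pemToPkcs12 instead to include only the leaf certificate` followed by `# and private key, without the intermediate certificates.`. The content of the comments is otherwise clear and worth keeping.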

+ 0 - 36
docs/snippets/azkv-pushsecret-certificate.yaml


+ 3 - 4
docs/snippets/azkv-secret-store-mi.yaml

@@ -4,10 +4,9 @@ metadata:
   name: azure-store
 spec:
   provider:
-    # provider type: azure keyvault
     azurekv:
       authType: ManagedIdentity
-      # Optionally set the Id of the Managed Identity, if multiple identities are assigned to external-secrets operator
-      identityId: "<MI_clientId>"
-      # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
+      # Optionally set the ID of the Managed Identity, if multiple identities are assigned to External Secrets Operator.
+      identityId: "00000000-0000-0000-0000-000000000000"
+      # URL of your Key Vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
       vaultUrl: "https://my-keyvault-name.vault.azure.net"

+ 20 - 0
docs/snippets/azkv-secret-store-spn-certificate.yaml

@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+  name: azure-store-spn-certificate
+spec:
+  provider:
+    azurekv:
+      # Azure tenant ID, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
+      tenantId: "2ed1d494-6c5a-4c5d-aa24-479446fb844d"
+      # URL of your Key Vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
+      vaultUrl: "https://kvtestpushsecret.vault.azure.net"
+      authSecretRef:
+        # Reference to Kubernetes Secret name containing the Service Principal client ID under the key `ClientID`
+        clientId:
+          name: azure-secret-sp
+          key: ClientID
+        # Reference to Kubernetes Secret name containing the Service Principal client certificate in PEM format under the key `ClientCertificate`
+        clientCertificate:
+          name: azure-secret-sp
+          key: ClientCertificate
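Review bot: `tenantId: "2ed1d494-6c5a-4c5d-aa24-479446fb844d"` and `vaultUrl: "https://kvtestpushsecret.vault.azure.net"` look like a real tenant GUID and vault name carried over from the deleted azkv-secret-store.yaml, while the Managed Identity snippet in this same commit moved to the obvious placeholder `00000000-0000-0000-0000-000000000000`. Documentation examples are safer and more consistent with clearly fake values, so use `tenantId: "00000000-0000-0000-0000-000000000000"` and `vaultUrl: "https://my-keyvault-name.vault.azure.net"` to match azkv-secret-store-mi.yaml. The same two values appear in azkv-secret-store-spn-secret.yaml.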

+ 20 - 0
docs/snippets/azkv-secret-store-spn-secret.yaml

@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1
+kind: SecretStore
+metadata:
+  name: azure-store-spn-secret
+spec:
+  provider:
+    azurekv:
+      # Azure tenant ID, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
+      tenantId: "2ed1d494-6c5a-4c5d-aa24-479446fb844d"
+      # URL of your Key Vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
+      vaultUrl: "https://kvtestpushsecret.vault.azure.net"
+      authSecretRef:
+        # Reference to Kubernetes Secret name containing the Service Principal client ID under the key `ClientID`
+        clientId:
+          name: azure-secret-sp
+          key: ClientID
+        # Reference to Kubernetes Secret name containing the Service Principal client secret under the key `ClientSecret`
+        clientSecret:
+          name: azure-secret-sp
+          key: ClientSecret

+ 0 - 21
docs/snippets/azkv-secret-store.yaml

@@ -1,21 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: SecretStore
-metadata:
-  name: azure-store
-spec:
-  provider:
-    # provider type: azure keyvault
-    azurekv:
-      # azure tenant ID, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
-      tenantId: "2ed1d494-6c5a-4c5d-aa24-479446fb844d"
-      # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
-      vaultUrl: "https://kvtestpushsecret.vault.azure.net"
-      authSecretRef:
-        # points to the secret that contains
-        # the azure service principal credentials
-        clientId:
-          name: azure-secret-sp
-          key: ClientID
-        clientSecret:
-          name: azure-secret-sp
-          key: ClientSecret

+ 2 - 2
docs/snippets/azkv-workload-identity-mounted.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  # this service account was created by azwi
+  # This service account was created by azwi
   name: workload-identity-sa
   annotations:
     azure.workload.identity/client-id: 7d8cdf74-xxxx-xxxx-xxxx-274d963d358b
@@ -16,4 +16,4 @@ spec:
     azurekv:
       authType: WorkloadIdentity
       vaultUrl: "https://xx-xxxx-xx.vault.azure.net"
-      # note: no serviceAccountRef was provided
+      # Note: no serviceAccountRef was provided

+ 1 - 1
docs/snippets/azkv-workload-identity-secretref.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  # this service account was created by azwi
+  # This service account was created by azwi
   name: workload-identity-sa
   annotations: {}
 ---