# Azure Key vault

External Secrets Operator integrates with Azure Key vault for secrets, certificates and keys management.
## Authentication

We support Service Principal and Managed Identity authentication.

To use Managed Identity authentication, you should use aad-pod-identity to assign the identity to the external-secrets operator. To add the selector to the external-secrets operator, use `podLabels` in your values.yaml in the case of a Helm installation of external-secrets.
### Service Principal key authentication

A Service Principal client and secret is created and the JSON keyfile is stored in a `Kind=Secret`. The `ClientID` and `ClientSecret` should be configured for the secret. This service principal should have proper access rights to the keyvault to be managed by the operator.
### Managed Identity authentication

A Managed Identity should be created in Azure, and that identity should have proper rights to the keyvault to be managed by the operator.

If there are multiple Managed Identities for different keyvaults, the operator should have been assigned all identities via aad-pod-identity, and the SecretStore configuration should then include the ID of the identity to be used via the `identityId` field.
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: azure-secret-sp
type: Opaque
data:
  ClientID: bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LWlkCg== # service-principal-ID
  ClientSecret: bXktc2VydmljZS1wcmluY2lwbGUtY2xpZW50LXNlY3JldAo= # service-principal-secret
```
## Update secret store

Be sure the `azurekv` provider is listed in the `Kind=SecretStore`.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: example-secret-store
spec:
  provider:
    # provider type: azure keyvault
    azurekv:
      # azure tenant ID, see: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
      tenantId: "d3bc2180-xxxx-xxxx-xxxx-154105743342"
      # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
      vaultUrl: "https://my-keyvault-name.vault.azure.net"
      authSecretRef:
        # points to the secret that contains
        # the azure service principal credentials
        clientId:
          name: azure-secret-sp
          key: ClientID
        clientSecret:
          name: azure-secret-sp
          key: ClientSecret
```
For a `ClusterSecretStore`, be sure to provide `namespace` in `clientId` and `clientSecret` with the namespaces where the secrets reside.
Or in the case of Managed Identity authentication:
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: SecretStore
metadata:
  name: example-secret-store
spec:
  provider:
    # provider type: azure keyvault
    azurekv:
      authType: ManagedIdentity
      # Optionally set the Id of the Managed Identity, if multiple identities are assigned to external-secrets operator
      identityId: "<MI_clientId>"
      # URL of your vault instance, see: https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates
      vaultUrl: "https://my-keyvault-name.vault.azure.net"
```
## Object Types

Azure KeyVault manages different object types; we support `keys`, `secrets` and `certificates`. Simply prefix the key with `key`, `secret` or `cert` to retrieve the desired type (defaults to `secret`).
| Object Type | Return Value |
|---|---|
| `secret` | The raw secret value. |
| `key` | A JWK which contains the public key. Azure KeyVault does not export the private key. You may want to use template functions to transform this JWK into PEM encoded PKIX ASN.1 DER format. |
| `certificate` | The raw CER contents of the x509 certificate. You may want to use template functions to transform this into your desired encoding. |
## Creating external secret

To create a Kubernetes secret from the Azure Key vault secret, a `Kind=ExternalSecret` is needed.

You can manage keys/secrets/certificates saved inside the keyvault by setting a "/"-prefixed type in the secret name; the default type is `secret`, and the other supported values are `cert` and `key`. To select all secrets inside the key vault, you can use the `dataFrom` directive.
```yaml
apiVersion: external-secrets.io/v1alpha1
kind: ExternalSecret
metadata:
  name: example-external-secret
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: SecretStore
    name: example-secret-store
  target:
    name: secret-to-be-created
    creationPolicy: Owner
  data:
    # name of the SECRET in the Azure KV (no prefix is by default a SECRET)
    - secretKey: dev-secret-test
      remoteRef:
        key: dev-secret-test
    # explicit type and name of secret in the Azure KV
    - secretKey: dev-another-secret-test
      remoteRef:
        key: secret/dev-secret-test
    # type/name of certificate in the Azure KV
    # raw value will be returned, use templating features for data processing
    - secretKey: dev-cert-test
      remoteRef:
        key: cert/dev-cert-test
    # type/name of the public key in the Azure KV
    # the key is returned PEM encoded
    - secretKey: dev-key-test
      remoteRef:
        key: key/dev-key-test
```
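As an added example (not code from the External Secrets Operator itself), the following Python resolves the `type/name` remoteRef convention used in the manifest above and checks the `ClusterSecretStore` namespace requirement from the Update secret store section. Rejecting unknown prefixes and names containing `/` is this example's own validation, not the operator's documented behaviour, and the sample manifests are constructed.

```python
# Added example: resolve the remoteRef "type/name" convention and check the
# ClusterSecretStore namespace rule. Not part of the External Secrets Operator.

# Object types the page lists; anything else is rejected instead of being
# silently treated as a secret (this strictness is the example's own choice).
OBJECT_TYPES = {"secret", "key", "cert"}


def parse_remote_ref(key: str) -> tuple[str, str]:
    """Split a remoteRef key into (object type, object name).
    A key without a "/" prefix is a Key Vault secret; "secret/", "key/"
    and "cert/" select the type explicitly."""
    if "/" not in key:
        return "secret", key
    obj_type, _, name = key.partition("/")
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"unsupported object type {obj_type!r} in {key!r}")
    if not name or "/" in name:  # assumed: names never contain "/"
        raise ValueError(f"malformed object name in remoteRef key {key!r}")
    return obj_type, name


def resolve_data(external_secret: dict) -> dict[str, tuple[str, str]]:
    """Map each target secretKey to the (type, name) it is fetched from."""
    out = {}
    for entry in external_secret["spec"]["data"]:
        out[entry["secretKey"]] = parse_remote_ref(entry["remoteRef"]["key"])
    return out


def check_cluster_store_namespaces(store: dict) -> list[str]:
    """For a ClusterSecretStore both authSecretRef entries must name the
    namespace of the credential Secret; returns the missing ones."""
    problems = []
    if store.get("kind") != "ClusterSecretStore":
        return problems
    ref = store["spec"]["provider"]["azurekv"].get("authSecretRef", {})
    for field in ("clientId", "clientSecret"):
        if not ref.get(field, {}).get("namespace"):
            problems.append(f"authSecretRef.{field}.namespace is not set")
    return problems


# Constructed sample: the page's ExternalSecret data section, already parsed.
EXAMPLE_ES = {"spec": {"data": [
    {"secretKey": "dev-secret-test", "remoteRef": {"key": "dev-secret-test"}},
    {"secretKey": "dev-another-secret-test", "remoteRef": {"key": "secret/dev-secret-test"}},
    {"secretKey": "dev-cert-test", "remoteRef": {"key": "cert/dev-cert-test"}},
    {"secretKey": "dev-key-test", "remoteRef": {"key": "key/dev-key-test"}},
]}}

if __name__ == "__main__":
    for target, (obj_type, name) in resolve_data(EXAMPLE_ES).items():
        print(f"{target}: {obj_type} {name}")
```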
The operator will fetch the Azure Key vault secret and inject it as a `Kind=Secret`:

```shell
kubectl get secret secret-to-be-created -n <namespace> -o jsonpath='{.data.dev-secret-test}' | base64 -d
```