Create Kubernetes Secrets from Azure Keyvault


I am trying to create kubernetes secrets by retrieving the secret data from azure keyvault.

I know that there is the secrets store csi driver, but this plugin allows me to read secrets from KeyVault, and make them available as volume mounts only, but not kubernetes secrets.

The problem is, I use some Kubernetes custom resource, which takes the k8s secret name in a field and then retrieves data from k8s secrets internally.

So, I need to be able to create a Kubernetes secret from data obtained from Azure Key Vault. Is this possible?

2

There are 2 best solutions below

0
On

You can use an operator called Azure Key Vault to Kubernetes.

It has a piece called Azure Key Vault Controller which can help you do exactly that.
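As an added illustration of this answer (not part of the original post or the project's own docs), here is what the controller's custom resource looks like once the operator is installed: one AzureKeyVaultSecret object tells the controller to read a Key Vault secret and write it into a plain Kubernetes Secret that any other resource can reference by name. The vault name, the Key Vault object name and the output Secret name below are placeholders you substitute for your own.

```yaml
# Added example, not from the original answer. Assumes the akv2k8s controller
# is installed and has been granted "get" on secrets for the vault named below.
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: db-password-sync          # name of this sync object (placeholder)
  namespace: my-application
spec:
  vault:
    name: my-keyvault-name        # placeholder: your Key Vault name
    object:
      name: db-password           # placeholder: secret name inside Key Vault
      type: secret                # Key Vault object type: secret, certificate, key
  output:
    secret:
      name: db-credentials        # the Kubernetes Secret the controller creates
      dataKey: password           # key under .data in that Secret
```

After applying this, the controller creates a Secret named db-credentials in my-application with a password key, and keeps it updated when the Key Vault value changes. That Secret name is what you put into the field of your custom resource. Because the value now lives in the cluster as a regular Secret, the usual controls still apply: restrict who can read Secrets in that namespace with RBAC, and enable encryption at rest for Secrets in etcd.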

0
On

I am working with Azure Red Hat OpenShift (ARO). It is required to connect with Azure Key Vault. I have applied the following process to configure it.

We need to download the OpenShift CLI for Windows (Link1). Now extract the zip file and move oc.exe into C:\Program Files\oc\oc.exe. Add this path into your environment variable.

Now open your command prompt and execute the following commands:

oc login https://api.<your ARO server>.aroapp.io:6443 -u kubeadmin

oc new-project k8s-secrets-store-csi

oc adm policy add-scc-to-user privileged \
  system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver

helm repo add secrets-store-csi-driver \
  https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts

helm repo update

helm install -n k8s-secrets-store-csi csi-secrets-store \
  secrets-store-csi-driver/secrets-store-csi-driver \
  --version v1.0.1 \
  --set "linux.providersDir=/var/run/secrets-store-csi-providers"

kubectl --namespace=k8s-secrets-store-csi get pods -l "app=secrets-store-csi-driver"

helm repo add csi-secrets-store-provider-azure \
  https://azure.github.io/secrets-store-csi-driver-provider-azure/charts

helm repo update

helm install -n k8s-secrets-store-csi azure-csi-provider \
  csi-secrets-store-provider-azure/csi-secrets-store-provider-azure \
  --set linux.privileged=true --set secrets-store-csi-driver.install=false \
  --set "linux.providersDir=/var/run/secrets-store-csi-providers" \
  --version=v1.0.1

oc adm policy add-scc-to-user privileged \
  system:serviceaccount:k8s-secrets-store-csi:csi-secrets-store-provider-azure

oc new-project my-application

Now create a service principal and give it access to the key vault:

kubectl create secret generic secrets-store-creds \
  -n my-application \
  --from-literal clientid=${SERVICE_PRINCIPAL_CLIENT_ID} \
  --from-literal clientsecret=${SERVICE_PRINCIPAL_CLIENT_SECRET}
kubectl -n my-application label secret \
  secrets-store-creds secrets-store.csi.k8s.io/used=true
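To finish the procedure in this answer, the driver still needs a SecretProviderClass describing which Key Vault objects to fetch and a pod that mounts it. The manifest below is an added example written for this page (not from the original answer or the CSI driver project); the Key Vault name, tenant ID and object names are placeholders. It also shows the driver's secretObjects feature, which mirrors the mounted objects into a regular Kubernetes Secret (db-credentials here) so that a custom resource expecting a Secret name can consume it. The mirrored Secret is only created while at least one pod mounts the volume, so the Deployment is part of the example.

```yaml
# Added example, not from the original answer. Assumes the driver and Azure
# provider were installed as above and secrets-store-creds holds the SP creds.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-sync
  namespace: my-application
spec:
  provider: azure
  # Mirror the mounted objects into a Kubernetes Secret named db-credentials.
  secretObjects:
  - secretName: db-credentials
    type: Opaque
    data:
    - objectName: db-password       # must match an objectName in parameters.objects
      key: password                 # key under .data in the Kubernetes Secret
  parameters:
    usePodIdentity: "false"         # authenticate with the service principal secret
    keyvaultName: "my-keyvault-name"   # placeholder: your Key Vault name
    tenantId: "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
    objects: |
      array:
        - |
          objectName: db-password   # placeholder: secret name inside Key Vault
          objectType: secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  namespace: my-application
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
      - name: app
        image: registry.example.com/my-app:1.0   # placeholder image
        volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
      volumes:
      - name: secrets-store
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: azure-kv-sync
          nodePublishSecretRef:
            name: secrets-store-creds   # the SP credentials created above
```

Apply both objects with oc apply -f, then confirm the sync with oc -n my-application get secret db-credentials. If the Secret does not appear, check that the pod is Running and that the objectName values in secretObjects and parameters.objects match exactly. The service principal should be granted only the Key Vault "get" permission on secrets, and the secrets-store-creds Secret itself should be protected with namespace RBAC, since anyone who can read it can read the vault.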