4. Secrets integration

Overview

This guide walks you through setting up the CSI Secret Driver for Azure, allowing Kubernetes to use secrets stored in Azure Key Vault using a user-assigned managed identity.

Prerequisites

• Access to the Key vault
• Connected to the AKS cluster

CSI Secret Store Driver configuration

1. Access Your Key vault

   • In your managed resource group (eg. mrg-kubernetes-by-fortytwo-xxxx if you are using the default values). Locate the Key vault resource type in the resource list and click it.

2. Update IAM Settings

   • Go to Access control (IAM) section of your Key vault and click + Add and Add role assignment.
   • Select the Key Vault Secrets Officer role and click Next.
   • Click the Select members button and find your own user in the list.
   • Click Next and then Review + assign to save the changes.

3. Add your IP address to the Key vault firewall

   • Find your own IP address (eg. by using https://whatismyipaddress.com/) and copy it to your clipboard.
   • Go to the Networking section in the left menu under Settings.
   • Under Firewall click + Add your client IP address
   • Paste in your IP address in the list and click Apply to apply the changes.

4. Add Secrets to Key vault

   • Click Secrets in the left menu in your Key vault.
   • Click on + Generate/Import to add new secrets.
   • Enter the secret name secret1 and some random secret value.
   • Click Create to save the secret in the Key vault.

5. Configure Kubernetes to Use Azure Key Vault with User-Assigned Managed Identity

   • Copy and paste the following code in your terminal, which utilizes a user-assigned managed identity to access your Key vault. Replace <key-vault-name>, <tenant-id>, and <client-id> with your own values.

   kubectl apply -f - <<EOF
   apiVersion: v1
   kind: Namespace
   metadata:
     name: workloads
   ---
   apiVersion: secrets-store.csi.x-k8s.io/v1
   kind: SecretProviderClass
   metadata:
     name: azure-kvname-user-msi
     namespace: workloads
   spec:
     provider: azure
     parameters:
       usePodIdentity: "false"
       useVMManagedIdentity: "true"
       userAssignedIdentityID: <managed-identity-client-id>   # Replace with the clientID of the managed identity
       keyvaultName: <keyvault-name>                          # Replace with your Key Vault name
       objects:  |
         array:
           - |
             objectName: secret1
             objectType: secret
             objectVersion: ""
       tenantId: <tenant-id>                                  # Replace with your Azure tenant ID
   EOF
   

   • Finding Tenant ID:
     • In your Key vault, click the "Overview" and look for the "Directory ID" in the "Essentials" section.
   • Finding Managed Identity:
     • The managed identity client-id can be found in the Azure portal under the resource type "Managed Identity". Its name typically follows the format azurekeyvaultsecretsprovider-{cluster-name}.

Conclusion

After following these steps, the CSI Secret Driver will be configured in your Kubernetes cluster using Azure Key Vault with a user-assigned managed identity.

Next steps

• Configure ArgoCD UI