Azure aks secret provider
aks-secret-provider-mnt.yaml
---
# Minimal workload whose only purpose is to mount the secrets-store CSI volume.
# NOTE(review): with the Secrets Store CSI driver the synced Kubernetes Secret
# declared by the SecretProviderClass presumably only exists while some pod
# mounts the volume — this Deployment looks like it is here to keep that sync
# alive; confirm. Anyone who can exec into this pod can read the material under
# /mnt/secrets-store, so keep its RBAC exposure as small as the rest of the
# namespace allows.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: secret-mount
spec:
  replicas: 1
  selector:
    matchLabels:
      app: secret-mount
  template:
    metadata:
      labels:
        app: secret-mount
    spec:
      containers:
        - name: busybox
          # NOTE(review): an untagged image resolves to a mutable "latest";
          # pin a tag or digest before using this outside a throwaway setup.
          image: busybox
          command:
            - sleep
            - infinity
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            # The CSI driver only serves read-only volumes; keep this true.
            readOnly: true
            volumeAttributes:
              # Must match the SecretProviderClass metadata.name in the same namespace.
              secretProviderClass: grafana-ingress-tls-from-keyvault
aks-secret-provider.yaml.tpl
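---
# Template rendered before kubectl apply: the {{ ... }} placeholders are filled
# by the deployment tooling. Every templated scalar is quoted so the value
# survives rendering as a string — an empty, numeric- or boolean-looking
# expansion would otherwise be retyped by the YAML parser.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: grafana-ingress-tls-from-keyvault
spec:
  provider: azure
  # Mirror the mounted object into a kubernetes.io/tls Secret so an Ingress can
  # reference it by name. Both keys point at the same Key Vault object:
  # presumably the Azure provider splits a certificate object into its private
  # key and certificate halves — confirm against the provider version in use.
  secretObjects:
    - secretName: "grafana{{ DASH_ENV_NAME }}-example-com"
      type: kubernetes.io/tls
      data:
        - objectName: "grafana{{ DASH_ENV_NAME }}-example-com"
          key: tls.key
        - objectName: "grafana{{ DASH_ENV_NAME }}-example-com"
          key: tls.crt
  parameters:
    # Provider parameters are string-typed; keep the quotes on the booleans.
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    # Client ID of the user-assigned managed identity that reads the vault.
    userAssignedIdentityID: "{{ AKS_KV_SECRETS_PROVIDER_MANAGED_ID }}"
    keyvaultName: "{{ ENV_CHAR_UPPER }}-MY-KV"
    # Literal block: the provider parses this string as its own YAML document,
    # so the inner objectName is quoted for the same reason as above.
    objects: |
      array:
        - |
          objectName: "grafana{{ DASH_ENV_NAME }}-example-com"
          objectType: secret
    tenantId: "{{ ARM_TENANT_ID }}"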