Difference between revisions of "Key vault csi secret mount"

(Created page with "# Code ## main.sh ``` #!/bin/bash set -eu . ../includes/main.sh az keyvault secret set --vault-name $AKS_SECRETS_KV_NAME --name my-secret --value "test value" export AKS_MAN...")
 
 
Line 1: Line 1:
 
# Code
 
# Code
 +
 +
## Readme
 +
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver
 +
```
 +
az aks enable-addons --addons azure-keyvault-secrets-provider --name myAKSCluster --resource-group myResourceGroup
 +
```
 +
 +
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-nginx-tls
 +
  
 
## main.sh
 
## main.sh

Latest revision as of 02:35, 7 December 2024

Code

Readme

https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver

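# Enable the Key Vault Secrets Provider add-on (secrets-store CSI driver plus the
# Azure provider). Uses the same variables as main.sh below so both agree on the
# cluster. Rotation is off by default: add --enable-secret-rotation if pods should
# pick up new secret versions after mount; otherwise they keep the value fetched
# when the volume was mounted.
az aks enable-addons --addons azure-keyvault-secrets-provider --name "$AKS_NAME" --resource-group "$RGRP_NAME"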

https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-nginx-tls

main.sh

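#!/bin/bash
# Seeds a placeholder secret into Key Vault, renders the SecretProviderClass for
# the Key Vault Secrets Provider add-on identity, and deploys it with a test pod.
# Required variables (from .env and/or ../includes/main.sh):
#   AKS_SECRETS_KV_NAME   Key Vault name
#   RGRP_NAME, AKS_NAME   resource group and AKS cluster
#   ARM_TENANT_ID         tenant id, consumed by the template (not by this shell)
set -eu
. ../includes/main.sh

# Fail up front with a readable message instead of on first use. ARM_TENANT_ID is
# only read by envtpl, so `set -u` alone would not catch it being unset.
: "${AKS_SECRETS_KV_NAME:?AKS_SECRETS_KV_NAME must be set}"
: "${RGRP_NAME:?RGRP_NAME must be set}"
: "${AKS_NAME:?AKS_NAME must be set}"
: "${ARM_TENANT_ID:?ARM_TENANT_ID must be set}"

# Placeholder value only. Real secret values should not be passed on argv (they
# land in shell history and are visible via `ps`); use --file or stdin instead.
az keyvault secret set --vault-name "$AKS_SECRETS_KV_NAME" --name my-secret --value "test value"

# Client id of the user-assigned identity created by the add-on. Assign before
# `export`: `export VAR=$(cmd)` returns export's status (0), so a failing
# `az aks show` would otherwise slip past `set -e` with an empty id.
AKS_MANAGED_IDENTITY=$(az aks show --resource-group "$RGRP_NAME" --name "$AKS_NAME" \
  --query "addonProfiles.azureKeyvaultSecretsProvider.identity.clientId" --output tsv)
if [[ -z "$AKS_MANAGED_IDENTITY" ]]; then
  printf 'add-on identity not found; is azure-keyvault-secrets-provider enabled on %s?\n' "$AKS_NAME" >&2
  exit 1
fi
export AKS_MANAGED_IDENTITY
printf '%s\n' "$AKS_MANAGED_IDENTITY"

# NOTE(review): nothing on this page grants AKS_MANAGED_IDENTITY read access to
# the vault (e.g. the "Key Vault Secrets User" role, or `secret get` in an access
# policy). Unless ../includes/main.sh does that, the CSI mount fails with 403.

envtpl --keep-template secret-provider-class.yaml.tpl
kubectl apply -f secret-provider-class.yaml
kubectl apply -f ubuntu-pod.yaml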

secret-provider-class.yaml.tpl

# Rendered by envtpl from main.sh; the {{ ... }} placeholders are filled from
# the environment (AKS_MANAGED_IDENTITY, AKS_SECRETS_KV_NAME, ARM_TENANT_ID).
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure
  # Mirror the mounted object into a Kubernetes Secret (my-aks-secret).
  # NOTE(review): this copies the value into etcd in addition to the pod's
  # tmpfs, and the synced Secret only exists while a pod mounts this class.
  # Nothing else on this page reads my-aks-secret; drop secretObjects if the
  # file mount is all that is needed.
  secretObjects:
  - secretName: my-aks-secret
    type: Opaque
    data:
    - objectName: my-secret
      key: secret-key
  parameters:
    # aad-pod-identity is deprecated; left disabled.
    usePodIdentity: "false"
    # Authenticate with the add-on's user-assigned managed identity whose client
    # id main.sh looks up. That identity must hold secret read permission on the
    # vault, which this manifest cannot grant.
    useVMManagedIdentity: "true"
    # userAssignedIdentityID: "<your-managed-identity-client-id>"
    userAssignedIdentityID: "{{ AKS_MANAGED_IDENTITY }}"
    keyvaultName: "{{ AKS_SECRETS_KV_NAME }}"
    # Empty selects the provider default (Azure public cloud, per provider docs).
    cloudName: ""
    # objectVersion "" means the current version; without secret rotation on the
    # add-on, a pod keeps whatever version was fetched at mount time.
    objects: |
      array:
        - |
          objectName: my-secret
          objectType: secret
          objectVersion: ""
    tenantId: "{{ ARM_TENANT_ID }}"

ubuntu-pod.yaml

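# Test pod that mounts the Key Vault secret at /mnt/secrets-store/my-secret.
# Verify with: kubectl exec ubuntu-pod -- cat /mnt/secrets-store/my-secret
# Anyone who can `exec` into this pod, or read its node's tmpfs, can read the
# secret, so keep the pod as unprivileged as possible.
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-pod
spec:
  # No Kubernetes API access is needed: the CSI driver authenticates to Key Vault
  # with the add-on identity, not with this pod's service account token.
  automountServiceAccountToken: false
  containers:
  - name: ubuntu-container
    image: ubuntu:24.04
    command: ["/bin/sh"]
    args: ["-c", "sleep infinity"]
    # Non-root, no privilege escalation, no capabilities, immutable root fs.
    # The Azure provider writes secret files with mode 0644 by default, so uid
    # 1000 can still read them (confirm if filePermission is customised).
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      runAsGroup: 1000
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        # Must match metadata.name of the SecretProviderClass above.
        secretProviderClass: "azure-keyvault"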

.env

Set the values of the variables referenced on this page in `.env`: `AKS_SECRETS_KV_NAME`, `RGRP_NAME`, `AKS_NAME` and `ARM_TENANT_ID` (`AKS_MANAGED_IDENTITY` is looked up by main.sh). Because `main.sh` runs as a separate process, the variables must be exported to reach it — either write `export NAME=value` lines or source the file under `set -a` as shown below. Keep `.env` out of version control if it ever holds credentials.

run

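# Load the variables, then run. main.sh is a child process, so plain NAME=value
# lines in .env would not reach it; `set -a` exports everything sourced in
# between, whether or not .env uses `export` itself.
set -a
. .env
set +a
./main.sh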