Key vault csi secret mount
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver
az aks enable-addons --addons azure-keyvault-secrets-provider --name myAKSCluster --resource-group myResourceGroup
https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-nginx-tls
main.sh
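#!/bin/bash
# Seed a test secret in Key Vault, look up the client id of the identity that the
# azure-keyvault-secrets-provider addon uses, render the SecretProviderClass template
# from the environment and apply it together with the demo pod.
#
# Expects from the environment (via ../includes/main.sh and .env):
#   AKS_SECRETS_KV_NAME  name of the Key Vault
#   RGRP_NAME, AKS_NAME  resource group and name of the AKS cluster
#   ARM_TENANT_ID        tenant id, referenced only by the template
set -eu

. ../includes/main.sh

# The object name must match objectName in secret-provider-class.yaml.tpl.
az keyvault secret set \
  --vault-name "$AKS_SECRETS_KV_NAME" \
  --name my-secret \
  --value "test value"

# Assign first and export afterwards: `export VAR=$(cmd)` returns the status of
# `export`, so a failing `az aks show` would slip past `set -e` and the template
# would be rendered with an empty identity.
AKS_MANAGED_IDENTITY=$(az aks show \
  --resource-group "$RGRP_NAME" \
  --name "$AKS_NAME" \
  --query "addonProfiles.azureKeyvaultSecretsProvider.identity.clientId" \
  --output tsv)
export AKS_MANAGED_IDENTITY

# An empty query result presumably means the addon is not enabled on the cluster;
# stop here rather than apply a SecretProviderClass that cannot authenticate.
if [ -z "$AKS_MANAGED_IDENTITY" ]; then
  echo "addon identity not found on cluster $AKS_NAME (is azure-keyvault-secrets-provider enabled?)" >&2
  exit 1
fi
echo "$AKS_MANAGED_IDENTITY"

# Fills {{ AKS_MANAGED_IDENTITY }}, {{ AKS_SECRETS_KV_NAME }} and {{ ARM_TENANT_ID }};
# --keep-template leaves the .tpl file in place next to the rendered .yaml.
envtpl --keep-template secret-provider-class.yaml.tpl

kubectl apply -f secret-provider-class.yaml
kubectl apply -f ubuntu-pod.yaml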
secret-provider-class.yaml.tpl
---
# SecretProviderClass for the Azure Key Vault provider of the Secrets Store CSI
# driver. The {{ ... }} placeholders are filled by envtpl (see main.sh); the
# rendered file is secret-provider-class.yaml.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure

  # NOTE(review): besides the file mount, this asks the driver to mirror the
  # object into a Kubernetes Secret named my-aks-secret (key: secret-key). That
  # copy lives in the cluster's secret store and is readable by anyone with RBAC
  # access to Secrets in the namespace — drop this section if only the file
  # mount is needed.
  secretObjects:
    - secretName: my-aks-secret
      type: Opaque
      data:
        - objectName: my-secret
          key: secret-key

  parameters:
    # Authenticate with the user-assigned identity of the addon, not pod identity.
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    # userAssignedIdentityID: "<your-managed-identity-client-id>"
    userAssignedIdentityID: "{{ AKS_MANAGED_IDENTITY }}"
    keyvaultName: "{{ AKS_SECRETS_KV_NAME }}"
    cloudName: ""
    # `objects` is itself a YAML document (as a string) parsed by the Azure
    # provider; each array entry is again a YAML string describing one object.
    objects: |
      array:
        - |
          objectName: my-secret
          objectType: secret
          objectVersion: ""
    tenantId: "{{ ARM_TENANT_ID }}"
ubuntu-pod.yaml
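---
# Demo pod that mounts the Key Vault secret selected by the SecretProviderClass
# "azure-keyvault" as files under /mnt/secrets-store.
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-pod
spec:
  # The pod never talks to the Kubernetes API; the CSI driver, not the pod,
  # performs the Key Vault fetch, so no service-account token is needed.
  automountServiceAccountToken: false
  # Run the container as an unprivileged user: a pod holding a mounted secret
  # should not also run as root. The sleep loop needs no capabilities.
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: ubuntu-container
      image: ubuntu:24.04
      command: ["/bin/sh"]
      args: ["-c", "sleep infinity"]
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          # Must match metadata.name of the SecretProviderClass.
          secretProviderClass: "azure-keyvault"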
.env
Set the values of the environment variables used by the scripts.
run
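# Load the variables, then run the deployment. The explicit ./ matters: with a
# bare `. .env`, bash (outside POSIX mode) searches PATH for a file named .env
# before looking in the current directory.
. ./.env
./main.sh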