In addition to a Kubernetes cluster, you will need an Azure Key Vault resource with secret content to access. Follow this quickstart tutorial to deploy an Azure Key Vault and add an example secret to it.
Review the settings you desire for your Key Vault, such as what resources (Azure VMs, Azure Resource Manager, etc.) and what kind of network endpoints can access secrets in it.
Take note of the following properties for use in the next section:
SecretProviderClass custom resource to provide provider-specific parameters for the Secrets Store CSI driver. In this example, use an existing Azure Key Vault or the Azure Key Vault resource created previously.
SecretProviderClasshas to be in the same namespace as the pod referencing it.
Update this sample deployment to create a
SecretProviderClass resource to provide Azure-specific parameters for the Secrets Store CSI driver.
To provide identity to access key vault, refer to the following section.
apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: azure-kvname spec: provider: azure parameters: usePodIdentity: "false" # [OPTIONAL] if not provided, will default to "false" useVMManagedIdentity: "false" # [OPTIONAL available for version > 0.0.4] if not provided, will default to "false" userAssignedIdentityID: "client_id" # [OPTIONAL available for version > 0.0.4] use the client id to specify which user assigned managed identity to use. If using a user assigned identity as the VM's managed identity, then specify the identity's client id. If empty, then defaults to use the system assigned identity on the VM clientID: "client_id" # [OPTIONAL available for version > 1.1.0] client id of the Azure AD Application or managed identity to use for workload identity keyvaultName: "kvname" # the name of the KeyVault cloudName: "" # [OPTIONAL available for version > 0.0.4] if not provided, azure environment will default to AzurePublicCloud cloudEnvFileName: "" # [OPTIONAL available for version > 0.0.7] use to define path to file for populating azure environment objects: | array: - | objectName: secret1 objectAlias: SECRET_1 # [OPTIONAL available for version > 0.0.4] object alias objectType: secret # object types: secret, key or cert. For Key Vault certificates, refer to https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/getting-certs-and-keys/ for the object type to use objectVersion: "" # [OPTIONAL] object versions, default to latest if empty filePermission: 0755 # [OPTIONAL] permission for secret file being mounted into the pod, default is 0644 if not specified. - | objectName: key1 objectAlias: "" # If provided then it has to be referenced in [secretObjects].[objectName] to sync with Kubernetes secrets objectType: key objectVersion: "" tenantId: "tid" # the tenant ID of the KeyVault
|provider||yes||specify name of the provider||""|
|usePodIdentity||no||set to true for using aad-pod-identity to access keyvault||“false”|
|useVMManagedIdentity||no||[available for version > 0.0.4] specify access mode to enable use of User-assigned managed identity||“false”|
|userAssignedIdentityID||no||[available for version > 0.0.4] the user assigned identity ID is required for User-assigned Managed Identity mode||""|
|clientID||no||[available for version > 1.1.0] client id of the Azure AD Application or managed identity to use for workload identity||""|
|keyvaultName||yes||name of a Key Vault instance||""|
|cloudName||no||[available for version > 0.0.4] name of the azure cloud based on azure go sdk (AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud, AzureStackCloud)||""|
|cloudEnvFileName||no||[available for version > 0.0.7] path to the file to be used while populating the Azure Environment (required if target cloud is AzureStackCloud). More details here.||""|
|objects||yes||a string of arrays of strings||""|
|objectName||yes||name of a Key Vault object||""|
|objectAlias||no||[available for version > 0.0.4] specify the filename of the object when written to disk - defaults to objectName if not provided||""|
|objectType||yes||type of a Key Vault object: secret, key or cert.|
For Key Vault certificates, refer to doc for the object type to use.
|objectVersion||no||version of a Key Vault object, if not provided, will use latest||""|
|objectFormat||no||[available for version > 0.0.7] the format of the Azure Key Vault object, supported types are pem and pfx. ||“pem”|
|objectEncoding||no||[available for version > 0.0.8] the encoding of the Azure Key Vault secret object, supported types are ||“utf-8”|
|filePermission||no||[available for version > v1.1.0] permission for secret file being mounted into the pod||“0644”|
|tenantId||yes||tenant ID containing key vault instance||""|
The Azure Key Vault Provider offers five modes for accessing a Key Vault instance:
To ensure your application is using the Secrets Store CSI driver, update your deployment yaml to use the
secrets-store.csi.k8s.io driver and reference the
SecretProviderClass resource created in the previous step.
Update your deployment yaml to use the Secrets Store CSI driver and reference the
SecretProviderClass resource created in the previous step.
volumes: - name: secrets-store-inline csi: driver: secrets-store.csi.k8s.io readOnly: true volumeAttributes: secretProviderClass: "azure-kvname"
Deploy the SecretProviderClass yaml created previously. For example:
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/examples/service-principal/v1alpha1_secretproviderclass_service_principal.yaml
Deploy the application yaml created previously. For example:
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/examples/service-principal/pod-inline-volume-service-principal.yaml
To validate, once the pod is started, you should see the new mounted content at the volume path specified in your deployment yaml.
## show secrets held in secrets-store kubectl exec busybox-secrets-store-inline -- ls /mnt/secrets-store/ ## print a test secret held in secrets-store kubectl exec busybox-secrets-store-inline -- cat /mnt/secrets-store/secret1
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.