Key Vault

  1. First create a secret named ExamplePassword in the key vault through the portal.
    (You may have to grant yourself permissions on the vault first.)

  2. Then deploy the SecretProviderClass that maps the Key Vault secret into the cluster

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: storage-class-key-vault
    spec:
      provider: azure
      secretObjects:                          # Kubernetes Secret synced from the mounted objects
        - secretName: test-secret             # Name of the Secret within the cluster
          data:
            - key: key
              objectName: ExamplePassword     # Must match an objectName in parameters.objects below
          type: Opaque
      parameters:
        usePodIdentity: "false"
        useVMManagedIdentity: "true"          # Set to true to authenticate with a managed identity
        userAssignedIdentityID: <client_id>   # Client ID of the user-assigned managed identity to use
        keyvaultName: <key-vault-name>        # Name of your key vault
        objects: |                            # Secrets to import from the key vault
          array:
            - |
              objectName: ExamplePassword
              objectType: secret              # Object types: secret, key, or cert
              objectVersion: ""               # [OPTIONAL] object version, defaults to latest if empty
        tenantId: <tenant_id>                 # Tenant ID of the key vault

  3. Edit the Pod deployment to add the secret as an environment variable or as a secret volume mount
    The Kubernetes Secret test-secret is only created after a pod mounts the CSI volume, so keep the volume mount even if you only need the environment variable.

    apiVersion: v1
    kind: Pod
    metadata:
      name: azure-files-pod-test
      labels:
        app: test-app
    spec:
      containers:
        - image: <azure-container-registry-name>.azurecr.io/nginx:v1
          name: azure-files-pod-test
          ports:
            - containerPort: 80
              protocol: TCP
          env: # Traditional secret mapping through an environment variable
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: test-secret
                  key: key
          volumeMounts:
            - name: azure                    # Azure Files share; its volume is not shown in this section and must be declared under volumes
              mountPath: /usr/share/nginx/html
            - name: secrets-store-inline     # Map secrets through a file mount
              mountPath: "/mnt/secrets-store"
              readOnly: true
      volumes:
        - name: secrets-store-inline
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: storage-class-key-vault

  4. Validate the secret mounted as a file
    Once the pod is running, the secret should appear as a file at the mount path given in the deployment YAML.

    # show secrets held in secrets-store
    kubectl exec azure-files-pod-test -- ls /mnt/secrets-store/

    # print a test secret held in secrets-store
    kubectl exec azure-files-pod-test -- cat /mnt/secrets-store/ExamplePassword

  5. Validate the secret environment variable

    # Open a shell in the pod, then print the variable declared under env (SECRET, not the Secret's name)
    kubectl exec --stdin --tty azure-files-pod-test -- /bin/bash
    echo "$SECRET"
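As an added check that is not part of the original notes, the script below validates a SecretProviderClass before it is applied: it fails on placeholders left unfilled and on a secretObjects entry whose objectName is never fetched under parameters.objects (either slip leaves test-secret silently missing). The helper name check_spc is hypothetical, and the sample manifest is constructed from the step 2 manifest with an extra, unfetched DbPassword entry.

```shell
# check_spc: pre-deploy sanity check for a SecretProviderClass manifest.
# It flags the two slips that leave the synced Secret (test-secret) silently missing:
# <placeholders> never filled in, and a secretObjects entry whose objectName is not
# fetched under parameters.objects. Usage: check_spc "$(cat spc.yaml)" -> 0 if clean.
check_spc() {
  manifest=$1; rc=0
  # 1. any <placeholder> left in place means the manifest was never customised
  if printf '%s\n' "$manifest" | grep -Eq '<[A-Za-z_-]+>'; then
    printf '%s\n' "$manifest" | grep -E '<[A-Za-z_-]+>' | sed 's/^ */FAIL unfilled: /'
    rc=1
  fi
  # 2. objectName values before 'parameters:' belong to secretObjects, those after it
  #    to parameters.objects; every name in the first set must appear in the second
  names=$(printf '%s\n' "$manifest" | awk '
    /^ *secretObjects:/ { sec = "so" }
    /^ *parameters:/    { sec = "par" }
    /objectName:/ { n = $0; sub(/.*objectName: */, "", n); sub(/[ #].*/, "", n); print sec, n }')
  par=" $(printf '%s\n' "$names" | awk '$1 == "par" { printf "%s ", $2 }')"
  for n in $(printf '%s\n' "$names" | awk '$1 == "so" { print $2 }'); do
    case "$par" in
      *" $n "*) ;;
      *) echo "FAIL unsynced: secretObjects lists '$n' but parameters.objects never fetches it"; rc=1 ;;
    esac
  done
  [ "$rc" -eq 0 ] && echo "OK: SecretProviderClass is consistent"
  return $rc
}

# Constructed sample: step 2 manifest with placeholders left in and an unfetched DbPassword entry
SAMPLE_SPC=$(cat <<'EOF'
spec:
  secretObjects:
    - secretName: test-secret
      data:
        - key: key
          objectName: ExamplePassword
        - key: db
          objectName: DbPassword
  parameters:
    userAssignedIdentityID: <client_id>
    keyvaultName: <key-vault-name>
    objects: |
      array:
        - |
          objectName: ExamplePassword
    tenantId: <tenant_id>
EOF
)
check_spc "$SAMPLE_SPC" || echo "exit status: $?"
```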