Share via

How to integrate Azure keyvault with ARO cluster ?

Mangi,Balaraju,IN-Chennai 185 Reputation points
2024-06-18T17:53:50.2033333+00:00

Hi ,

I need the procedure for integrating Azure Keyvault with ARO cluster. Can you help me out on this please.

Regards,

Balaraju M

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,309 questions
Azure Red Hat OpenShift
Azure Red Hat OpenShift
An Azure service that provides a flexible, self-service deployment of fully managed OpenShift clusters.
84 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. akinbade abiola 18,130 Reputation points
    2024-06-18T18:17:53.7733333+00:00

    Hello Mangi,Balaraju,IN-Chennai,

    Thanks for your question.

    Please take a look at the guide to use Azure Key Vault Provider for Secrets Store CSI Driver on Azure Red Hat OpenShift

    Use Azure Key Vault Provider for Secrets Store CSI Driver on Azure Red Hat OpenShift

    Also, take a look at the Redhat documentation equivalent:

    Azure Key Vault CSI on Azure Red Hat OpenShift

    Regards,

    Abiola

    You can mark it 'Accept Answer' and upvote if this helped.

    0 comments
  2. hossein jalilian 7,845 Reputation points
    2024-06-18T18:21:53.8533333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Follow these steps:

    • Create a namespace for your application 
        oc new-project my-application
    • Create an Azure Key Vault in your resource group that contains ARO 
        az keyvault create -n ${KEYVAULT_NAME} -g ${KEYVAULT_RESOURCE_GROUP} --location ${KEYVAULT_LOCATION}
    • Create a secret in the Key Vault 
        az keyvault secret set --vault-name ${KEYVAULT_NAME} --name secret1 --value "Hello"
    • Create a service principal for the Key Vault 
        export SERVICE_PRINCIPAL_CLIENT_SECRET="$(az ad sp create-for-rbac --skip-assignment --name http://$KEYVAULT_NAME --query 'password' -otsv)"
  export SERVICE_PRINCIPAL_CLIENT_ID="$(az ad sp list --display-name http://$KEYVAULT_NAME --query '.appId' -otsv)"
    • Set an access policy for the service principal 
        az keyvault set-policy -n ${KEYVAULT_NAME} --secret-permissions get --spn ${SERVICE_PRINCIPAL_CLIENT_ID}
    • Create and label a secret for Kubernetes to access the Key Vault 
        oc create secret generic secrets-store-creds -n my-application --from-literal clientid=${SERVICE_PRINCIPAL_CLIENT_ID} --from-literal clientsecret=${SERVICE_PRINCIPAL_CLIENT_SECRET}
  oc -n my-application label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
    • Install the Secrets Store CSI Driver and Azure Key Vault Provider
    helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts


helm install csi-secrets-store-provider-azure secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system --set providers.azure.enabled=truehelm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts helm install csi-secrets-store-provider-azure secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system --set providers.azure.enabled=true
    • Create a SecretProviderClass to give access to the Key Vault secre
    cat <<EOF | oc apply -f -
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kvname
  namespace: my-application
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    userAssignedIdentityID: ""
    keyvaultName: ${KEYVAULT_NAME}
    objects: |
      array:
        - |
          objectName: secret1
          objectType: secret
EOF

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.