How to integrate Azure keyvault with ARO cluster ?

Mangi,Balaraju,IN-Chennai 185 Reputation points
2024-06-18T17:53:50.2033333+00:00

Hi ,

I need the procedure for integrating Azure Keyvault with ARO cluster. Can you help me out on this please.

Regards,

Balaraju M

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,314 questions
Azure Red Hat OpenShift
Azure Red Hat OpenShift
An Azure service that provides a flexible, self-service deployment of fully managed OpenShift clusters.
84 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. akinbade abiola 18,305 Reputation points
    2024-06-18T18:17:53.7733333+00:00

    Hello Mangi,Balaraju,IN-Chennai,

    Thanks for your question.

    Please take a look at the guide to use Azure Key Vault Provider for Secrets Store CSI Driver on Azure Red Hat OpenShift

    Use Azure Key Vault Provider for Secrets Store CSI Driver on Azure Red Hat OpenShift

    Also, take a look at the Redhat documentation equivalent:

    Azure Key Vault CSI on Azure Red Hat OpenShift

    Regards,

    Abiola

    You can mark it 'Accept Answer' and upvote if this helped.

    0 comments No comments

  2. hossein jalilian 8,150 Reputation points
    2024-06-18T18:21:53.8533333+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Follow these steps:

    • Create a namespace for your application
        oc new-project my-application
      
    • Create an Azure Key Vault in your resource group that contains ARO
        az keyvault create -n ${KEYVAULT_NAME} -g ${KEYVAULT_RESOURCE_GROUP} --location ${KEYVAULT_LOCATION} 
      
    • Create a secret in the Key Vault
        az keyvault secret set --vault-name ${KEYVAULT_NAME} --name secret1 --value "Hello" 
      
    • Create a service principal for the Key Vault
        export SERVICE_PRINCIPAL_CLIENT_SECRET="$(az ad sp create-for-rbac --skip-assignment --name http://$KEYVAULT_NAME --query 'password' -otsv)"
        export SERVICE_PRINCIPAL_CLIENT_ID="$(az ad sp list --display-name http://$KEYVAULT_NAME --query '.appId' -otsv)"
      
    • Set an access policy for the service principal
        az keyvault set-policy -n ${KEYVAULT_NAME} --secret-permissions get --spn ${SERVICE_PRINCIPAL_CLIENT_ID} 
      
    • Create and label a secret for Kubernetes to access the Key Vault
        oc create secret generic secrets-store-creds -n my-application --from-literal clientid=${SERVICE_PRINCIPAL_CLIENT_ID} --from-literal clientsecret=${SERVICE_PRINCIPAL_CLIENT_SECRET}
        oc -n my-application label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
      
    • Install the Secrets Store CSI Driver and Azure Key Vault Provider
    helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    
    
    helm install csi-secrets-store-provider-azure secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system --set providers.azure.enabled=truehelm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts helm install csi-secrets-store-provider-azure secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system --set providers.azure.enabled=true
    
    • Create a SecretProviderClass to give access to the Key Vault secre
    cat <<EOF | oc apply -f -
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: azure-kvname
      namespace: my-application
    spec:
      provider: azure
      parameters:
        usePodIdentity: "false"
        useVMManagedIdentity: "false"
        userAssignedIdentityID: ""
        keyvaultName: ${KEYVAULT_NAME}
        objects: |
          array:
            - |
              objectName: secret1
              objectType: secret
    EOF
    
    

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.