/k8s-external-secret-azure-vault

This repo demonstrates how to fetch secrets from Azure Key Vault using the Kubernetes External Secrets operator. It leverages OIDC authentication and Azure Workload Identity to securely access the vault from within a Kubernetes cluster. The implementation uses K3d, OpenTofu, and Terragrunt for infrastructure provisioning, showcasing GitOps practice

Primary LanguageHCLApache License 2.0Apache-2.0

Kubernetes External Secret Azure Vault

Fetching secrets from Azure Key Vault with External Secret operator into a Kubernetes cluster.

This approach works with both managed Kubernetes clusters, as well as the self-managed ones.

The implementation here is using the Kubernetes cluster from K3d.

Prerequisites

Diagram

sequenceDiagram
    participant pod as Pod
    participant IdP as Identity Provider<br/>(K8s API Server)
    participant sp as Service Provider<br/>(Azure)

    sp-->>IdP: Trust Relationship<br/>GET https://example.com/.well-known/openid-configuration

    rect rgba(0, 0, 0, 0.1)
    note right of pod: Kubernetes
    pod->>IdP: Request ServiceAccount token
    IdP->>pod: Mount ServiceAccount token
    end

    pod->>sp: Request Access + token

    sp->>IdP: Validate Token<br/>GET https://example.com/openid/v1/jwks
    IdP->>sp: Token Validation Response
    sp->>pod: Access Granted
Loading

Roadmap

  • Create the GitHub repository & the deploy key with write permissions
  • (Optional) Create the user GPG Key and add it to GitHub user GPG keys
  • Spin up the Kubernetes cluster with the issuer URL of the GitHub pages
  • Create a K8s cronjob that fetches the OIDC config and commits them to repo
  • Create the Azure Key Vault
  • Deploy Azure Workload Identity
  • Deploy External Secret Operator & the Azure managed identity plus the credentials with the pod annotation of tenant-id and client-id
  • Create & fetch a sample secret from Vault into Kubernetes

Stacks

The following are the Terragrunt dependency stacks:

Group 1

  • tofu/az-key-vault
  • tofu/gh-repo
  • tofu/user-gpg-key

Group 2

  • tofu/k8s-cluster
  • tofu/k8s-oidc-config

Group 3

  • tofu/az-workload-identity

Group 4

  • tofu/external-secrets

Group 5

  • tofu/demo-secret-reader
  • tofu/vault-secret-store