Implementation of the Secrets Store CSI Driver for Azure Key Vault. The key takeaways are:
- Azure Key Vault as a secrets store is implemented as a SecretProviderClass
- The SecretProviderClass and the other resources needed to make this work are deployed as CRDs on AKS
- Extensibility to other secret stores is the key highlight of this feature
- The pods use AAD pod identity to access the vault
- Reading secret content directly from the vault eliminates the need to store sensitive data as native K8s Secrets, which are only a base64-encoded version of your data and are not really encrypted. There are plenty of articles that explain why the Secrets Store CSI driver is a welcome feature.
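The two resources the takeaways above describe, as an added example that is not part of the original notes or the Azure provider repo: a SecretProviderClass that points the Azure provider at one vault secret via pod identity, and a Pod that mounts it through the CSI driver. The vault name, tenant ID, pod identity selector, image and secret name are placeholders to be filled in; the mount lands the secret as a file under `/mnt/secrets-store`, so no Kubernetes Secret object is created and nothing base64-encoded sits in etcd for this value.

```yaml
# Added example; assumes the Secrets Store CSI driver and the Azure provider are
# already installed on the cluster and an AzureIdentity/AzureIdentityBinding exists
# whose selector matches the aadpodidbinding label below.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-example          # hypothetical name, referenced by the Pod below
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"        # authenticate with AAD pod identity, not a client secret
    keyvaultName: "<KEYVAULT_NAME>"   # placeholder
    tenantId: "<TENANT_ID>"           # placeholder
    objects: |
      array:
        - |
          objectName: db-password     # placeholder: name of the secret in Key Vault
          objectType: secret          # secret | key | cert
          objectVersion: ""           # empty string = latest version
---
apiVersion: v1
kind: Pod
metadata:
  name: app-with-vault-secret
  labels:
    aadpodidbinding: "<IDENTITY_SELECTOR>"   # placeholder: must match the AzureIdentityBinding selector
spec:
  containers:
    - name: app
      image: "<IMAGE>"                        # placeholder
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store     # secret appears as /mnt/secrets-store/db-password
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv-example
```

Keeping the mount `readOnly` and omitting the driver's optional sync-to-Kubernetes-Secret feature is what preserves the benefit in the last takeaway: the value exists only in the pod's filesystem for the life of the pod, and access is governed by the vault's access policy for the bound identity rather than by RBAC on Secret objects.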
src: Microsoft docs (https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#use-azure-key-vault-with-secrets-store-csi-driver)
- Developer Best Practices - https://docs.microsoft.com/en-us/azure/aks/developer-best-practices-pod-security#use-azure-key-vault-with-secrets-store-csi-driver
- Azure/secrets-store-csi-driver-provider-azure (open source GitHub repo) - https://github.com/Azure/secrets-store-csi-driver-provider-azure
- Walkthrough of Secrets Store CSI driver for multicloud scenarios - https://www.youtube.com/watch?v=w0k7MI6sCJg&list=PLQL1JGGe-t0u2bTkrVmek72nF-_vJACnG&index=22&t=302s