{"id":44002845,"url":"https://github.com/developer-friendly/k8s-external-secret-azure-vault","last_synced_at":"2026-02-07T13:04:26.737Z","repository":{"id":252792992,"uuid":"840277598","full_name":"developer-friendly/k8s-external-secret-azure-vault","owner":"developer-friendly","description":"This repo demonstrates how to fetch secrets from Azure Key Vault using the Kubernetes External Secrets operator. It leverages OIDC authentication and Azure Workload Identity to securely access the vault from within a Kubernetes cluster. The implementation uses K3d, OpenTofu, and Terragrunt for infrastructure provisioning, showcasing GitOps practice","archived":false,"fork":false,"pushed_at":"2025-10-27T21:38:38.000Z","size":66,"stargazers_count":2,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-27T23:20:09.828Z","etag":null,"topics":["authentication","authorization","azure","azure-ad","azure-key-vault","ci-cd","cloud-security","devops","external-secrets","github-actions","gitops","infrastructure-as-code","k3d","kubernetes","oidc","openid-connect","secrets-management","service-account","terragrunt","workload-identity"],"latest_commit_sha":null,"homepage":"https://youtu.be/JFJJWB7neIg","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/developer-friendly.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-08-09T10:52:08.000Z","updated_at":"2024-09-29T16:13:27.000Z","dependencies_parsed_at":"2024-12-17T00:58:26.526Z","dependency_job_id":"f6f285fd-6caf-4e0d-a6f2-74e224252e76","html_url":"https://github.com/developer-friendly/k8s-external-secret-azure-vault","commit_stats":null,"previous_names":["developer-friendly/k8s-external-secret-azure-vault"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/developer-friendly/k8s-external-secret-azure-vault","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-friendly%2Fk8s-external-secret-azure-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-friendly%2Fk8s-external-secret-azure-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-friendly%2Fk8s-external-secret-azure-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-friendly%2Fk8s-external-secret-azure-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/developer-friendly","download_url":"https://codeload.github.com/developer-friendly/k8s-external-secret-azure-vault/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/developer-friendly%2Fk8s-external-secret-azure-vault/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29194494,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-07T12:38:28.597Z","status":"ssl_error","status_checked_at":"2026-02-07T12:38:23.888Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","authorization","azure","azure-ad","azure-key-vault","ci-cd","cloud-security","devops","external-secrets","github-actions","gitops","infrastructure-as-code","k3d","kubernetes","oidc","openid-connect","secrets-management","service-account","terragrunt","workload-identity"],"created_at":"2026-02-07T13:04:26.158Z","updated_at":"2026-02-07T13:04:26.729Z","avatar_url":"https://github.com/developer-friendly.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes External Secret Azure Vault\n\nFetching secrets from Azure Key Vault with External Secret\noperator into a Kubernetes cluster.\n\nThis approach works with both managed Kubernetes clusters,\nas well as the self-managed ones.\n\nThe implementation here is using the Kubernetes cluster\nfrom K3d.\n\n## Prerequisites\n\n- [K3d v5][K3d]\n- [Opentofu v1.8][opentofu]\n- [Terragrunt v0.66][terragrunt]\n\n## Diagram\n\n```mermaid\nsequenceDiagram\n    participant pod as Pod\n    participant IdP as Identity Provider\u003cbr/\u003e(K8s API Server)\n    participant sp as Service Provider\u003cbr/\u003e(Azure)\n\n    sp--\u003e\u003eIdP: Trust Relationship\u003cbr/\u003eGET https://example.com/.well-known/openid-configuration\n\n    rect rgba(0, 0, 0, 0.1)\n    note right of pod: Kubernetes\n    pod-\u003e\u003eIdP: Request ServiceAccount token\n    IdP-\u003e\u003epod: Mount ServiceAccount token\n    end\n\n    pod-\u003e\u003esp: Request Access + token\n\n    sp-\u003e\u003eIdP: Validate Token\u003cbr/\u003eGET https://example.com/openid/v1/jwks\n    IdP-\u003e\u003esp: Token Validation Response\n    sp-\u003e\u003epod: Access Granted\n```\n\n## Roadmap\n\n- [x] Create the GitHub repository \u0026 the deploy key with write permissions\n- [x] (Optional) Create the user GPG Key and add it to GitHub user GPG keys\n- [x] Spin up the Kubernetes cluster with the issuer URL of the GitHub pages\n- [x] Create a K8s cronjob that fetches the OIDC config and commits them to repo\n- [x] Create the Azure Key Vault\n- [x] Deploy Azure Workload Identity\n- [x] Deploy External Secret Operator \u0026 the Azure managed identity plus the\n      credentials with the pod annotation of tenant-id and client-id\n- [x] Create \u0026 fetch a sample secret from Vault into Kubernetes\n\n## Stacks\n\nThe following are the Terragrunt dependency stacks:\n\nGroup 1\n- tofu/az-key-vault\n- tofu/gh-repo\n- tofu/user-gpg-key\n\nGroup 2\n- tofu/k8s-cluster\n- tofu/k8s-oidc-config\n\nGroup 3\n- tofu/az-workload-identity\n\nGroup 4\n- tofu/external-secrets\n\nGroup 5\n- tofu/demo-secret-reader\n- tofu/vault-secret-store\n\n[K3d]: https://github.com/k3d-io/k3d/releases/v5.7.3/\n[opentofu]: https://github.com/opentofu/opentofu/releases/v1.8.1/\n[terragrunt]: https://github.com/gruntwork-io/terragrunt/releases/v0.66.3/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-friendly%2Fk8s-external-secret-azure-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeveloper-friendly%2Fk8s-external-secret-azure-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeveloper-friendly%2Fk8s-external-secret-azure-vault/lists"}