An open API service indexing awesome lists of open source software.

https://github.com/developer-friendly/k8s-external-secret-azure-vault

This repo demonstrates how to fetch secrets from Azure Key Vault using the Kubernetes External Secrets operator. It leverages OIDC authentication and Azure Workload Identity to securely access the vault from within a Kubernetes cluster. The implementation uses K3d, OpenTofu, and Terragrunt for infrastructure provisioning, showcasing GitOps practice
https://github.com/developer-friendly/k8s-external-secret-azure-vault

authentication authorization azure azure-ad azure-key-vault ci-cd cloud-security devops external-secrets github-actions gitops infrastructure-as-code k3d kubernetes oidc openid-connect secrets-management service-account terragrunt workload-identity

Last synced: 5 months ago
JSON representation

This repo demonstrates how to fetch secrets from Azure Key Vault using the Kubernetes External Secrets operator. It leverages OIDC authentication and Azure Workload Identity to securely access the vault from within a Kubernetes cluster. The implementation uses K3d, OpenTofu, and Terragrunt for infrastructure provisioning, showcasing GitOps practice

Awesome Lists containing this project

README

          

# Kubernetes External Secret Azure Vault

Fetching secrets from Azure Key Vault with External Secret
operator into a Kubernetes cluster.

This approach works with both managed Kubernetes clusters,
as well as the self-managed ones.

The implementation here is using the Kubernetes cluster
from K3d.

## Prerequisites

- [K3d v5][K3d]
- [Opentofu v1.8][opentofu]
- [Terragrunt v0.66][terragrunt]

## Diagram

```mermaid
sequenceDiagram
participant pod as Pod
participant IdP as Identity Provider
(K8s API Server)
participant sp as Service Provider
(Azure)

sp-->>IdP: Trust Relationship
GET https://example.com/.well-known/openid-configuration

rect rgba(0, 0, 0, 0.1)
note right of pod: Kubernetes
pod->>IdP: Request ServiceAccount token
IdP->>pod: Mount ServiceAccount token
end

pod->>sp: Request Access + token

sp->>IdP: Validate Token
GET https://example.com/openid/v1/jwks
IdP->>sp: Token Validation Response
sp->>pod: Access Granted
```

## Roadmap

- [x] Create the GitHub repository & the deploy key with write permissions
- [x] (Optional) Create the user GPG Key and add it to GitHub user GPG keys
- [x] Spin up the Kubernetes cluster with the issuer URL of the GitHub pages
- [x] Create a K8s cronjob that fetches the OIDC config and commits them to repo
- [x] Create the Azure Key Vault
- [x] Deploy Azure Workload Identity
- [x] Deploy External Secret Operator & the Azure managed identity plus the
credentials with the pod annotation of tenant-id and client-id
- [x] Create & fetch a sample secret from Vault into Kubernetes

## Stacks

The following are the Terragrunt dependency stacks:

Group 1
- tofu/az-key-vault
- tofu/gh-repo
- tofu/user-gpg-key

Group 2
- tofu/k8s-cluster
- tofu/k8s-oidc-config

Group 3
- tofu/az-workload-identity

Group 4
- tofu/external-secrets

Group 5
- tofu/demo-secret-reader
- tofu/vault-secret-store

[K3d]: https://github.com/k3d-io/k3d/releases/v5.7.3/
[opentofu]: https://github.com/opentofu/opentofu/releases/v1.8.1/
[terragrunt]: https://github.com/gruntwork-io/terragrunt/releases/v0.66.3/