https://github.com/developer-friendly/k8s-external-secret-azure-vault
This repo demonstrates how to fetch secrets from Azure Key Vault using the Kubernetes External Secrets operator. It leverages OIDC authentication and Azure Workload Identity to securely access the vault from within a Kubernetes cluster. The implementation uses K3d, OpenTofu, and Terragrunt for infrastructure provisioning, showcasing GitOps practice
https://github.com/developer-friendly/k8s-external-secret-azure-vault
authentication authorization azure azure-ad azure-key-vault ci-cd cloud-security devops external-secrets github-actions gitops infrastructure-as-code k3d kubernetes oidc openid-connect secrets-management service-account terragrunt workload-identity
Last synced: 5 months ago
JSON representation
This repo demonstrates how to fetch secrets from Azure Key Vault using the Kubernetes External Secrets operator. It leverages OIDC authentication and Azure Workload Identity to securely access the vault from within a Kubernetes cluster. The implementation uses K3d, OpenTofu, and Terragrunt for infrastructure provisioning, showcasing GitOps practice
- Host: GitHub
- URL: https://github.com/developer-friendly/k8s-external-secret-azure-vault
- Owner: developer-friendly
- License: apache-2.0
- Created: 2024-08-09T10:52:08.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2025-10-27T21:38:38.000Z (9 months ago)
- Last Synced: 2025-10-27T23:20:09.828Z (9 months ago)
- Topics: authentication, authorization, azure, azure-ad, azure-key-vault, ci-cd, cloud-security, devops, external-secrets, github-actions, gitops, infrastructure-as-code, k3d, kubernetes, oidc, openid-connect, secrets-management, service-account, terragrunt, workload-identity
- Language: HCL
- Homepage: https://youtu.be/JFJJWB7neIg
- Size: 64.5 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Kubernetes External Secret Azure Vault
Fetching secrets from Azure Key Vault with External Secret
operator into a Kubernetes cluster.
This approach works with both managed Kubernetes clusters,
as well as the self-managed ones.
The implementation here is using the Kubernetes cluster
from K3d.
## Prerequisites
- [K3d v5][K3d]
- [Opentofu v1.8][opentofu]
- [Terragrunt v0.66][terragrunt]
## Diagram
```mermaid
sequenceDiagram
participant pod as Pod
participant IdP as Identity Provider
(K8s API Server)
participant sp as Service Provider
(Azure)
sp-->>IdP: Trust Relationship
GET https://example.com/.well-known/openid-configuration
rect rgba(0, 0, 0, 0.1)
note right of pod: Kubernetes
pod->>IdP: Request ServiceAccount token
IdP->>pod: Mount ServiceAccount token
end
pod->>sp: Request Access + token
sp->>IdP: Validate Token
GET https://example.com/openid/v1/jwks
IdP->>sp: Token Validation Response
sp->>pod: Access Granted
```
## Roadmap
- [x] Create the GitHub repository & the deploy key with write permissions
- [x] (Optional) Create the user GPG Key and add it to GitHub user GPG keys
- [x] Spin up the Kubernetes cluster with the issuer URL of the GitHub pages
- [x] Create a K8s cronjob that fetches the OIDC config and commits them to repo
- [x] Create the Azure Key Vault
- [x] Deploy Azure Workload Identity
- [x] Deploy External Secret Operator & the Azure managed identity plus the
credentials with the pod annotation of tenant-id and client-id
- [x] Create & fetch a sample secret from Vault into Kubernetes
## Stacks
The following are the Terragrunt dependency stacks:
Group 1
- tofu/az-key-vault
- tofu/gh-repo
- tofu/user-gpg-key
Group 2
- tofu/k8s-cluster
- tofu/k8s-oidc-config
Group 3
- tofu/az-workload-identity
Group 4
- tofu/external-secrets
Group 5
- tofu/demo-secret-reader
- tofu/vault-secret-store
[K3d]: https://github.com/k3d-io/k3d/releases/v5.7.3/
[opentofu]: https://github.com/opentofu/opentofu/releases/v1.8.1/
[terragrunt]: https://github.com/gruntwork-io/terragrunt/releases/v0.66.3/