Managing sensitive information like passwords, tokens, and API keys is crucial yet challenging in cloud environments. In Kubernetes it is easy to get this wrong, especially when deploying applications at scale: secrets end up in manifests, in CI variables, or as one long-lived credential mounted into every pod. The External-Secrets-Operator is a Kubernetes tool that addresses this by acting as a bridge between your cluster and an external secret management system such as Azure Key Vault: it reads secrets from the vault and keeps ordinary Kubernetes Secret objects in sync with them, so the source of truth stays in the vault. Azure Key Vault is Microsoft Azure's service for storing and managing secrets, keys, and certificates. Combine this with Azure Kubernetes Service (AKS), Microsoft's managed Kubernetes service, and Azure workload identity, and the operator can authenticate to the vault with a short-lived token issued by the cluster instead of a stored client secret.
In this blog post, we'll guide you through setting up the External-Secrets-Operator on AKS with Azure Key Vault. The result is that your applications read the secrets they need from standard Kubernetes Secrets, with no vault credential stored in the cluster and no extra complexity in the application itself. Let's dive into the steps.
Prerequisites: Essential Requirements
Before starting, ensure you have an active Azure account, access to Azure Kubernetes Service (AKS), and Azure KeyVault. Additionally, have the Azure CLI, kubectl, and Helm tools installed on your machine. Basic familiarity with Kubernetes and Azure concepts is also recommended.
Step 1: Create a Workload Identity
- Create a user-assigned managed identity in Azure; this is the principal the operator will act as when it talks to Key Vault (the `az identity create` command requires a resource group, so `RESOURCE_GROUP` must be set, as it is in the next step):
export IDENTITY_NAME=name-of-identity
az identity create --name "${IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}"
Step 2: Export Required Values
- Define environment variables with details of your AKS cluster and Key Vault. The last line reads the cluster's OIDC issuer URL, which Azure uses later to validate the tokens Kubernetes issues to the operator's service account; it is only populated on clusters created or updated with `--enable-oidc-issuer --enable-workload-identity`, so if the command prints nothing, run `az aks update` with those flags first:
export KEY_VAULT_NAME=your-key-vault-name
...
export SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group "${RESOURCE_GROUP}" --name "${CLUSTER}" --query "oidcIssuerProfile.issuerUrl" -o tsv)
Step 3: Add Role Assignment
- Give the identity data-plane read access to the vault, and nothing more. "Key Vault Contributor" is a management-plane role: it does not by itself grant access to secret values, but it does let the holder change the vault's configuration and access policies, which is far more than a secret consumer should hold. If your vault uses the legacy access-policy permission model, skip this step and rely on Step 4; if it uses Azure RBAC (`--enable-rbac-authorization`), assign the read-only "Key Vault Secrets User" role scoped to that one vault:
export KEY_VAULT_ID=$(az keyvault show --name "${KEY_VAULT_NAME}" --query id -o tsv)
az role assignment create --role "Key Vault Secrets User" --assignee-object-id "${USER_ASSIGNED_IDENTITY_OBJECT_ID}" --assignee-principal-type ServicePrincipal --scope "${KEY_VAULT_ID}"
Step 4: Add Key Vault Access Policy for get
- For a vault using the access-policy permission model, allow the identity to read secret values. `get` is enough when your ExternalSecrets reference secrets by name; `list` is only needed if you use find/lookup by tag or regex. On a vault with Azure RBAC enabled, access policies are not used and the role assignment from Step 3 applies instead:
az keyvault set-policy --name "${KEY_VAULT_NAME}" --secret-permissions get --object-id "${USER_ASSIGNED_IDENTITY_OBJECT_ID}"
Step 5: Add Federated Identity to Workload Identity
- Link your Azure identity with the Kubernetes service account. The subject must match `system:serviceaccount:<namespace>:<serviceaccount>` of the operator's ServiceAccount exactly; it is the binding that decides which pods may exchange their projected token for this identity, so keep it to that one ServiceAccount (no wildcards). The namespace and name below assume the operator is installed into the `external-secrets` namespace with the chart's default ServiceAccount name; adjust them if yours differ:
az identity federated-credential create \
  --name "external-secrets" \
  --identity-name "${IDENTITY_NAME}" \
  --resource-group "${RESOURCE_GROUP}" \
  --issuer "${SERVICE_ACCOUNT_ISSUER}" \
  --subject "system:serviceaccount:external-secrets:external-secrets" \
  --audiences "api://AzureADTokenExchange"
Step 6: Verify the Identity Creation
- Confirm that the identity exists and that its federated credential and role assignment are in place (`az identity list` on its own only shows that the identity was created, not what it may do):
az identity list -g "${RESOURCE_GROUP}" -o table
az identity federated-credential list --identity-name "${IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" -o table
az role assignment list --assignee "${USER_ASSIGNED_IDENTITY_OBJECT_ID}" --all -o table
Installing external-secrets-operator:
- Add the External-Secrets Helm repository and configure the values.yaml file (at minimum, the annotation on the operator's ServiceAccount that names the workload identity's client ID).
- Install the operator using Helm, into the namespace whose ServiceAccount you named in the federated credential:
helm repo add external-secrets https://charts.external-secrets.io
helm repo update
helm install external-secrets external-secrets/external-secrets --namespace external-secrets --create-namespace -f values.yaml
Creating ClusterSecretStore and ExternalSecret:
- Define a ClusterSecretStore and an ExternalSecret in your cluster to manage secrets (secrets.yaml):
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
...
kind: ExternalSecret
...
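The manifests below are an added, complete example (not the post's own values.yaml or secrets.yaml) showing the three pieces that have to agree for workload identity to work: the ServiceAccount annotation the operator's pod runs with, the ClusterSecretStore that authenticates as that ServiceAccount, and an ExternalSecret that pulls one Key Vault secret into a namespace. The vault name, the `external-secrets` namespace and ServiceAccount name, the placeholder client ID, the store name `azure-keyvault`, and the Key Vault secret name `db-password` are all assumptions.

```yaml
# Document 1: values.yaml for the external-secrets Helm chart (added example).
# The client ID is a placeholder for the identity created in Step 1.
serviceAccount:
  create: true
  name: external-secrets
  annotations:
    # Must be the client ID of the user-assigned identity; the federated
    # credential's subject (Step 5) must name this ServiceAccount.
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
podLabels:
  # Lets the AKS workload-identity webhook project the OIDC token into the pod.
  azure.workload.identity/use: "true"
---
# Document 2: secrets.yaml, the store that uses workload identity.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: azure-keyvault
spec:
  # Least privilege: without conditions, any namespace may reference this
  # store; restrict it to the namespaces that should receive these secrets.
  conditions:
    - namespaces:
        - default
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "https://your-key-vault-name.vault.azure.net"
      serviceAccountRef:
        name: external-secrets
        namespace: external-secrets   # required on a ClusterSecretStore
---
# Document 3: one secret synced from Key Vault into the default namespace.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: app-secrets
  namespace: default
spec:
  refreshInterval: 1h        # re-read the vault; rotations show up within this window
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-keyvault
  target:
    name: app-secrets        # the Kubernetes Secret that gets created
    creationPolicy: Owner    # deleted together with this ExternalSecret
  data:
    - secretKey: DB_PASSWORD
      remoteRef:
        key: secret/db-password   # Key Vault secret named db-password
```

Apply the first document with `helm install ... -f values.yaml` and the other two with `kubectl apply -f secrets.yaml`. Three strings have to line up for the token exchange to succeed: the `client-id` annotation, the federated credential's `--subject` (`system:serviceaccount:external-secrets:external-secrets` here), and the `serviceAccountRef` in the store. If any one differs, Key Vault never sees the request and the ExternalSecret stays not Ready with an Entra authentication error.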
Verifying the Setup:
- Check that the ExternalSecret reports Ready (reason SecretSynced) and that the Kubernetes Secret it targets has been created with the expected keys:
kubectl get externalsecrets -n default
kubectl get secrets -n default
kubectl describe secret -n default
- `describe` prints key names and byte sizes, not values. If an ExternalSecret is not Ready, `kubectl describe externalsecret` on it shows the provider error: an authentication failure from Entra usually means the federated credential's subject or issuer does not match the operator's ServiceAccount, while a Forbidden from Key Vault means the access policy or role assignment is missing. Keep in mind that the synced object is an ordinary Kubernetes Secret: anyone with `get` on secrets in that namespace can read it, so the vault's policy protects the source, not the copy, and namespace RBAC must be tightened accordingly.