Here’s how you can use the Azure Key Vault with your local Kubernetes cluster by installing the necessary tools and configuring everything step-by-step:
First, ensure you have a working local Kubernetes setup and an Azure Key Vault containing the secrets or certificates you need. You’ll also need an Azure service principal with the right permissions (such as “Get” access to secrets), which allows your local cluster to connect securely. It’s important to note that, unlike in managed cloud environments, local clusters don’t support managed identities, so you must set up authentication using a service principal with a client ID and secret or certificate. Also, make sure your network allows your cluster to reach Azure Key Vault endpoints, and have Helm installed on your machine.
Start by installing the core Secrets Store CSI Driver, the plugin that connects your cluster to external secret stores. Add the driver's Helm repository:

```bash
helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
helm repo update
```
Next, install the Secrets Store CSI Driver with this command:

```bash
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system
```
Now, install the Azure-specific provider that lets the CSI driver access your Azure Key Vault. Add the provider's Helm repo:

```bash
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm repo update
```
And install the Azure provider with:

```bash
helm install csi-secrets-store-provider-azure csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system
```
To connect your local cluster to Azure Key Vault, create a Kubernetes secret that contains your Azure service principal credentials. Replace `<your-client-id>` and `<your-client-secret>` with your actual credentials:

```bash
kubectl create secret generic secrets-store-creds --from-literal=clientid=<your-client-id> --from-literal=clientsecret=<your-client-secret>
# The driver only watches secrets that carry this label
kubectl label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
```
Next, define a `SecretProviderClass` resource. This configuration tells the CSI driver how to reach your Azure Key Vault and which secrets to fetch. Here's an example YAML file:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"          # no pod identity on a local cluster
    useVMManagedIdentity: "false"    # no managed identity on a local cluster
    keyvaultName: "<your-keyvault-name>"
    objects: |
      array:
        - |
          objectName: <your-secret-name>
          objectType: secret
    tenantId: "<your-tenant-id>"
```

Replace the placeholders with your specific details and apply this configuration:

```bash
kubectl apply -f secretproviderclass.yaml
```
Finally, create a pod that uses this setup. The pod mounts the secret from Azure Key Vault into its file system; because the cluster has no managed identity, the CSI volume also references the `secrets-store-creds` secret through `nodePublishSecretRef` so the provider can authenticate as your service principal. Here's an example pod manifest:

```yaml
kind: Pod
apiVersion: v1
metadata:
  name: mypod
spec:
  containers:
    - name: mycontainer
      image: busybox
      command:
        - "/bin/sh"
        - "-c"
        - "sleep 10000"
      volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets"
          readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-keyvault"
        nodePublishSecretRef:
          name: secrets-store-creds   # the service principal credentials created above
```

Deploy the pod with:

```bash
kubectl apply -f pod.yaml
```
Once the pod is running, check the `/mnt/secrets` directory inside it. The secret from your Azure Key Vault will be there, ready to use.
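Mismatches between the three manifests above (a `secretProviderClass` name that does not match, a missing `nodePublishSecretRef` when neither identity mode is enabled, an unlabeled credentials secret) only surface at pod start, as mount errors in the driver's events. The following checker is an added example, not part of the original post: it encodes those requirements as a lint over the manifests, which are constructed inline as Python dicts with placeholder vault and tenant values.

```python
"""Consistency lint for the SecretProviderClass, pod and credentials secret used in this
setup. Constructed example: manifests are embedded as dicts mirroring the YAML (no PyYAML)."""
import copy

USED_LABEL = "secrets-store.csi.k8s.io/used"
CSI_DRIVER = "secrets-store.csi.k8s.io"

# Constructed sample manifests; the key vault name and tenant id are placeholders.
SPC = {"metadata": {"name": "azure-keyvault"},
       "spec": {"provider": "azure", "parameters": {
           "usePodIdentity": "false", "useVMManagedIdentity": "false",
           "keyvaultName": "example-kv", "tenantId": "00000000-0000-0000-0000-000000000000"}}}
CREDS = {"metadata": {"name": "secrets-store-creds", "labels": {USED_LABEL: "true"}}}
POD_WITHOUT_REF = {"metadata": {"name": "mypod"}, "spec": {"volumes": [
    {"name": "secrets-store-inline", "csi": {"driver": CSI_DRIVER, "readOnly": True,
     "volumeAttributes": {"secretProviderClass": "azure-keyvault"}}}]}}
POD_WITH_REF = copy.deepcopy(POD_WITHOUT_REF)
POD_WITH_REF["spec"]["volumes"][0]["csi"]["nodePublishSecretRef"] = {"name": "secrets-store-creds"}

def lint(spc: dict, pod: dict, creds: dict) -> list[str]:
    """Return findings as strings; an empty list means the three manifests agree."""
    findings = []
    params = spc["spec"]["parameters"]
    # With both identity modes off, the driver must be handed the service-principal secret.
    sp_auth = params.get("usePodIdentity") == "false" and params.get("useVMManagedIdentity") == "false"
    for key in ("keyvaultName", "tenantId"):
        if not params.get(key):
            findings.append(f"SecretProviderClass: parameters.{key} is empty")
    if creds["metadata"].get("labels", {}).get(USED_LABEL) != "true":
        findings.append(f"Secret {creds['metadata']['name']}: missing label {USED_LABEL}=true")
    for vol in pod["spec"].get("volumes", []):
        csi = vol.get("csi")
        if not csi or csi.get("driver") != CSI_DRIVER:
            continue  # not a Secrets Store CSI volume
        name = vol["name"]
        if csi.get("volumeAttributes", {}).get("secretProviderClass") != spc["metadata"]["name"]:
            findings.append(f"volume {name}: secretProviderClass does not match {spc['metadata']['name']!r}")
        if csi.get("readOnly") is not True:
            findings.append(f"volume {name}: csi.readOnly should be true")
        ref = csi.get("nodePublishSecretRef", {}).get("name")
        if sp_auth and ref is None:
            findings.append(f"volume {name}: service-principal auth requires nodePublishSecretRef")
        elif ref is not None and ref != creds["metadata"]["name"]:
            findings.append(f"volume {name}: nodePublishSecretRef {ref!r} is not the credentials secret")
    return findings

if __name__ == "__main__":
    for label, pod in (("without nodePublishSecretRef", POD_WITHOUT_REF), ("with it", POD_WITH_REF)):
        print(label, "->", lint(SPC, pod, CREDS) or "OK")
```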
For more detailed instructions and resources, you can visit the official Microsoft documentation or the GitHub repositories linked in the references section. If you follow these steps carefully, you’ll be able to seamlessly connect your local Kubernetes cluster to Azure Key Vault, ensuring your secrets are stored securely and accessed easily within your containers.
If you need any help along the way or have questions, feel free to ask. Happy troubleshooting!