This repository was archived by the owner on Jul 5, 2021. It is now read-only.
You need to have a Key Vault instance with a secret and an application registered in your Azure Active directory with Read access to the Vault's secrets.
6
+
7
+
The following script creates everything needed for sample purposes. It assumes you have Azure ClI installed and it is already authenticated.
8
+
For more information about Azure CLI refer to the Azure CLI's [documentation page](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli).
9
+
10
+
```bash
11
+
# The tennatId will be needed to get the secrets
12
+
TENANT_ID=$(az account show --query tenantId | tr -d \")
13
+
14
+
# Name and location of the Resource Group
15
+
RESOURCE_GROUP="MyKeyVaultResourceGroup"
16
+
LOCATION="westus"
17
+
18
+
# Create the Resource Group
19
+
az group create --location $LOCATION --name $RESOURCE_GROUP
20
+
21
+
VAULT_NAME="eso-akv-test"
22
+
23
+
# Create the Key Vault
24
+
az keyvault create --name $VAULT_NAME --resource-group $RESOURCE_GROUP
25
+
26
+
SECRET_NAME="example-externalsecret-key"
27
+
SECRET_VAlUE="This is our secret now!"
28
+
29
+
# Add a secret to the vault
30
+
az keyvault secret set --name $SECRET_NAME --vault-name $VAULT_NAME --value "$SECRET_VAlUE"
31
+
32
+
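Review bot: the quote-stripping in `TENANT_ID=$(az account show --query tenantId | tr -d \")` (line 12) is fragile; `az account show --query tenantId -o tsv` returns the bare value and drops the pipe. The variable `SECRET_VAlUE` (lowercase l, line 27) is spelled the same way on both uses so the script runs, but it is easy to mistype when copied; rename it `SECRET_VALUE`. Minor typos in the same region: "tennatId" in the comment on line 11 and "Azure ClI" in the intro sentence.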
# Now you need to create an app to access the Key Vault
# Add permission to your App to query the Key Vault
40
+
# The --api-permission refers to the Azure Key Vault user_impersonation permission (do not modify)
41
+
# The --api refers to the Azure Key Vault API (do not modify)
42
+
az ad app permission add --id $APP_ID --api-permissions f53da476-18e3-4152-8e01-aec403e6edc0=Scope --api cfa8b339-82a2-471a-a3c9-0fc0be7a4093
43
+
44
+
APP_PASSWORD="ThisisMyStrongPassword"
45
+
# A password must be created for the app
46
+
az ad app credential reset --id $APP_ID --password "$APP_PASSWORD"
47
+
48
+
# Finnaly, the Key Vault must have an Access Policy for the created app
49
+
az keyvault set-policy --name $VAULT_NAME --object-id $SERVICE_PRINCIPAL --secret-permissions get
50
+
```
51
+
52
+
For a detailed view on how to create the above mentioned resources in the Azure Portal, please go to: [How To Access Azure Key Vault Secrets Through Rest API Using Postman](https://www.c-sharpcorner.com/article/how-to-access-azure-key-vault-secrets-through-rest-api-using-postman/)
53
+
54
+
- Now you're ready to tnstall CRDs
55
+
```
56
+
make install
57
+
```
58
+
59
+
### Deployment
60
+
61
+
- Uncomment and update credentials to be used in `config/credentials/kustomization.yaml`:
62
+
63
+
```yaml
64
+
resources:
65
+
# - credentials-gsm.yaml
66
+
# - credentials-asm.yaml
67
+
# - credentials-dummy.yaml
68
+
# - credentials-gitlab.yaml
69
+
- credentials-akv.yaml
70
+
71
+
```
72
+
73
+
- Update the Azure Key Vault backend credentials `config/credentials/credentials-akv.yaml` with your personal access token
74
+
```json
75
+
{
76
+
"tenantId": "<Active Directory's Tenant ID>",
77
+
"clientId": "<Application (client) ID>",
78
+
"clientSecret": "<Application's secret value>",
79
+
"keyvault": "<Key Vault name>"
80
+
}
81
+
```
82
+
83
+
You can run the following script that will generate the above mentioned json object
84
+
```bash
85
+
echo -e "{ \n \
86
+
\"tenantId\": \"$TENANT_ID\", \n \
87
+
\"clientId\": \"$APP_ID\", \n \
88
+
\"clientSecret\": \"$APP_PASSWORD\", \n \
89
+
\"keyvault\": \"$VAULT_NAME\"\n \
90
+
}"
91
+
```
92
+
> Beware of the indentation if you paste the output from above into your file.
93
+
94
+
95
+
- Update the `SecretStore` resource definition `config/samples/store_v1alpha1_secretstore.yaml`
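Review bot: `APP_PASSWORD="ThisisMyStrongPassword"` (line 44) fixes a predictable client secret that the `echo -e` block at lines 85-90 then writes into `config/credentials/credentials-akv.yaml`; `az ad app credential reset --id $APP_ID` generates a random password when `--password` is omitted, so prefer capturing the generated value (for example with `--query password -o tsv`) instead of hardcoding one in the sample. Lines 33-39 are collapsed in this view, so the assignments of `$APP_ID` and `$SERVICE_PRINCIPAL` used at lines 42, 46 and 49 are not visible; confirm they are set before use. The step "Update the Azure Key Vault backend credentials ... with your personal access token" (line 73) does not match the JSON that follows, which holds a tenant ID, client ID and client secret rather than a personal access token; it reads as carried over from another backend's instructions. The `echo -e` generator depends on backslash-newline continuation inside double quotes and is what produces the indentation the note on line 92 warns about; a heredoc (`cat <<EOF ... EOF`) would emit clean JSON without that caveat. Style: the `make install` fence (line 55) has no language tag where the other fences use `bash`, and "tnstall" (line 54) and "Finnaly" (line 48) are typos.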