I am using Azure Key Vault to store secrets and use them as env variables in deployment.yaml.
The issue is that I can see these secrets in the Azure Kubernetes cluster in the Azure portal.
I read in the Kubernetes documentation that we can use these variables as a file instead of env variables for a more secure deployment.
What changes do I need to make to achieve this?
Here are my Helm charts:
SecretProviderClass.yaml
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure
  secretObjects:
  - secretName: database-configs
    type: Opaque
    data:
    - objectName: DB-URL
      key: DB-URL
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: {{ .Values.spec.parameters.userAssignedIdentityID }}
    resourceGroup: {{ .Values.spec.parameters.resourceGroup }}
    keyvaultName: {{ .Values.spec.parameters.keyvaultName }}
    tenantId: {{ .Values.spec.parameters.tenantId }}
    objects: |
      array:
        - |
          objectName: DB-URL
          objectType: secret
          objectAlias: DB-URL
deployment.yaml
env:
- name: DB-URL
  valueFrom:
    secretKeyRef:
      name: database-configs
      key: DB-URL
volumeMounts:
- mountPath: "/mnt/azure"
  name: volume
- mountPath: "/mnt/secrets-store"   # mountPath must be an absolute path
  name: secrets-mount
  readOnly: true
volumes:
- name: volume
  persistentVolumeClaim:
    claimName: azure-managed-disk
- name: secrets-mount
  csi:
    driver: secrets-store.csi.k8s.io
    readOnly: true
    volumeAttributes:
      secretProviderClass: "azure-keyvault"
File where Helm substitutes these values at deployment time:
settings.ini
[server]
hostname = "localhost"
hot_deployment = false
url = "$env{DB-URL}"
[user_store]
type = "read_only_ldap"
Any help will be really appreciated.
I am looking for a secure way to use Key Vault and Kubernetes together.
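A file-only layout of the two manifests above, written here as an added example and not taken from the asker's chart: the `secretObjects` block is dropped so the CSI driver never creates a Kubernetes Secret (that Secret is what the portal lists), and the pod template has no `env` entry for DB-URL, leaving the value only as a read-only file under the CSI mount. The container name and image are placeholders.

```yaml
# Added example (not the original chart). SecretProviderClass without
# secretObjects: the driver writes DB-URL only into the pod's mounted
# volume, so no Secret object exists to be shown in the portal or
# returned by `kubectl get secrets`.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-keyvault
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: {{ .Values.spec.parameters.userAssignedIdentityID }}
    resourceGroup: {{ .Values.spec.parameters.resourceGroup }}
    keyvaultName: {{ .Values.spec.parameters.keyvaultName }}
    tenantId: {{ .Values.spec.parameters.tenantId }}
    objects: |
      array:
        - |
          objectName: DB-URL
          objectType: secret
          objectAlias: DB-URL   # becomes the file name under the mount
---
# Pod template fragment: no env entry for DB-URL. Inside the container the
# value is available only as the file /mnt/secrets-store/DB-URL.
spec:
  containers:
  - name: app                      # placeholder
    image: "{{ .Values.image }}"   # placeholder
    volumeMounts:
    - mountPath: "/mnt/secrets-store"
      name: secrets-mount
      readOnly: true
  volumes:
  - name: secrets-mount
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "azure-keyvault"
```

With this layout settings.ini can no longer resolve `$env{DB-URL}`; the application has to read the value from the mounted file, and how it does so depends on the application, which the question does not name. `kubectl exec <pod> -- cat /mnt/secrets-store/DB-URL` confirms the mount is populated without the value ever passing through a Secret object.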