
I am currently following this guide here to create a PV using an existing Azure File Share: https://learn.microsoft.com/en-us/azure/aks/azure-files-volume

The method is to store the storage account name and access key in a Kubernetes secret (azure-secret), then reference it in the csi section of the YAML file as below.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: azurefile
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile-csi
  csi:
    driver: file.csi.azure.com
    readOnly: false
    volumeHandle: unique-volumeid  # make sure this volumeid is unique in the cluster
    volumeAttributes:
      resourceGroup: EXISTING_RESOURCE_GROUP_NAME  # optional, only set this when storage account is not in the same resource group as agent node
      shareName: aksshare
    nodeStageSecretRef:
      name: azure-secret
      namespace: default
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
    - uid=0
    - gid=0
    - mfsymlinks
    - cache=strict
    - nosharesock
    - nobrl

However, due to technical risk and security reasons, I now do not want to put the storage account access key in the Kubernetes namespace. Instead, I want to fetch the access key from Azure Key Vault and use it to mount the persistent volume to Azure Files.

I have done some research and testing, but to no avail. Would appreciate help on this, thanks!

Saligia

1 Answer


We can fetch the access key from Key Vault to mount the persistent volume to the file share by using a SecretProviderClass instead of the storage account access key.

I have created an RG and an AKS cluster.

While creating the AKS cluster, we have to enable the CSI drivers.


I have created the Key Vault to secure our secrets: Resources > Key Vault > Create > RG, kvName > Review & Create


I have created the secrets in the Key Vault.

In the KV, go to Secrets > click on Generate/Import > give the name and secret value to create the secret and its value (password).


Verify that your virtual machine scale set has its own system-assigned identity; if not, we have to enable it.


I have given the access policy permissions to read the Key Vault and its contents.

Go to > Key Vault > Access policy > Create >

  • Permissions > select > Secret permissions
  • Principal > select > ID
  • Application > select application ID > Create


Created the SecretProviderClass; this class will get the secrets from the Key Vault.

secretproviderclass (check the file here)

Apply the below command to deploy the SecretProviderClass:

    kubectl apply -f filename.yaml

By deploying the provider class alone, the secrets will not be created; for that we have to create the pod which will mount the volume by utilizing the CSI driver.

pod.yaml (check this link)

Deploy the pod using the below command:

    kubectl apply -f file.yaml


After the pod starts, the mounted content at the volume path that we specified in the YAML file will be available:

    kubectl exec <pod_name> -- ls /mnt/secrets-store/
    kubectl exec <pod_name> -- cat /mnt/secrets-store/<secret_name>

By using the above commands we will get the secret and its value.

Komali Annem