Fetching secrets from Azure Key Vault into a Kubernetes cluster with the External Secrets Operator.
This approach works with both managed Kubernetes clusters and self-managed ones. The implementation here uses a K3d Kubernetes cluster.
```mermaid
sequenceDiagram
participant pod as Pod
participant IdP as Identity Provider<br/>(K8s API Server)
participant sp as Service Provider<br/>(Azure)
sp-->>IdP: Trust Relationship<br/>GET https://example.com/.well-known/openid-configuration
rect rgba(0, 0, 0, 0.1)
note right of pod: Kubernetes
pod->>IdP: Request ServiceAccount token
IdP->>pod: Mount ServiceAccount token
end
pod->>sp: Request Access + token
sp->>IdP: Validate Token<br/>GET https://example.com/openid/v1/jwks
IdP->>sp: Token Validation Response
sp->>pod: Access Granted
```
- Create the GitHub repository and a deploy key with write permissions
- (Optional) Create the user GPG key and add it to the GitHub user's GPG keys
- Spin up the Kubernetes cluster with the GitHub Pages URL as the service account issuer URL
- Create a Kubernetes CronJob that fetches the OIDC configuration (the discovery document and the JWKS) and commits them to the repository
- Create the Azure Key Vault
- Deploy Azure Workload Identity
- Deploy the External Secrets Operator and the Azure managed identity, plus the credentials, with the tenant-id and client-id pod annotations
- Create a sample secret and fetch it from the Key Vault into Kubernetes
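As an added example (not code from this repository), the check the CronJob step should run before committing: it reads the discovery document and the JWKS from the API server, refuses to publish if the issuer or `jwks_uri` does not match the issuer the cluster was started with or if the JWKS carries private key material, and lays the files out at the paths GitHub Pages must serve. The issuer `https://example.com`, the key id and the modulus below are constructed placeholders.

```python
import json
import ssl
import urllib.request

# Standard in-cluster defaults (real Kubernetes paths, not values from this page).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
API_SERVER = "https://kubernetes.default.svc"
DISCOVERY_PATH = "/.well-known/openid-configuration"
JWKS_PATH = "/openid/v1/jwks"

# Constructed sample of what the API server serves when started with
# --service-account-issuer=https://example.com (the diagram's placeholder issuer).
SAMPLE_DISCOVERY = {
    "issuer": "https://example.com",
    "jwks_uri": "https://example.com/openid/v1/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_JWKS = {"keys": [{"use": "sig", "kty": "RSA", "kid": "constructed-kid-1",
                         "alg": "RS256", "n": "constructed-modulus", "e": "AQAB"}]}


def fetch_api_server_doc(path: str) -> dict:
    """Read a discovery document from the in-cluster API server with the mounted
    ServiceAccount token and CA bundle (only works from inside a pod)."""
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    req = urllib.request.Request(API_SERVER + path,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def build_pages_tree(discovery: dict, jwks: dict, expected_issuer: str) -> dict:
    """Check both documents against the issuer the cluster was started with and
    return {relative_path: content} to commit; refuse anything Azure would reject."""
    issuer = expected_issuer.rstrip("/")
    if discovery.get("issuer", "").rstrip("/") != issuer:
        raise ValueError(f"issuer mismatch: {discovery.get('issuer')!r} != {issuer!r}")
    if discovery.get("jwks_uri") != issuer + JWKS_PATH:
        raise ValueError(f"jwks_uri {discovery.get('jwks_uri')!r} is not under the issuer")
    keys = jwks.get("keys", [])
    if not keys or any(k.get("kty") != "RSA" or not k.get("kid") for k in keys):
        raise ValueError("JWKS must contain only RSA keys that carry a kid")
    if any("d" in k for k in keys):  # 'd' is the RSA private exponent: never publish it
        raise ValueError("JWKS contains private key material")
    return {
        DISCOVERY_PATH.lstrip("/"): json.dumps(discovery, indent=2) + "\n",
        JWKS_PATH.lstrip("/"): json.dumps(jwks, indent=2) + "\n",
        ".nojekyll": "",  # keeps GitHub Pages' Jekyll build from dropping the .well-known dir
    }
```

Inside the CronJob, `fetch_api_server_doc(DISCOVERY_PATH)` and `fetch_api_server_doc(JWKS_PATH)` supply the two inputs; the returned mapping is what gets written into the checkout before the commit.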
The following are the Terragrunt dependency groups, in the order they are applied:

Group 1
- tofu/az-key-vault
- tofu/gh-repo
- tofu/user-gpg-key

Group 2
- tofu/k8s-cluster
- tofu/k8s-oidc-config

Group 3
- tofu/az-workload-identity

Group 4
- tofu/external-secrets

Group 5
- tofu/demo-secret-reader
- tofu/vault-secret-store