Skip to content

This Terraform template provisions an AKS Cluster with Key Vault integration using CSI secrets store driver

License

Notifications You must be signed in to change notification settings

syedhassaanahmed/tf-aks-kv

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

22 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

tf-aks-kv

Terraform

This Terraform template provisions an AKS Cluster with Key Vault integration using CSI secrets store driver. Authentication to the Key Vault is performed using AAD Pod Identity. This template is based on the awesome document published by my colleague Paul Bouwer.

Requirements

Note: This template performs Azure AD role assignments required by AAD Pod Identity. Therefore the Service Principal used for Terraform authentication must be created with Owner privileges.

Azure resources

  • Key Vault
  • User-Assigned Managed Identity
  • AKS Cluster

Note: The CSI secrets store driver requires AKS v1.16+

Smoke Test

Once terraform apply has successfully completed, fill the following variables from the Terraform output;

export aad_pod_id_binding_selector="aad-pod-id-binding-selector"
export aks_cluster_name="aks-xxxxxx"
export key_vault_name="kv-xxxxxx"
export rg_name="rg-xxxxxx"
export tenant_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

Alternatively, you can execute the following;

eval $(terraform output | sed 's/^/export /; s/ = /="/g; s/$/"/')

Set variables for the demo secret in test;

export SECRET_NAME="demo-secret"
export SECRET_VALUE="demo-value"

Then;

./smoke_test.sh

The smoke test will create a test pod in the newly provisioned AKS cluster and will attempt to mount the Key Vault using the CSI driver. Once the pod is successfully started, the test will compare the content of mounted file with the actual value in Key Vault.

About

This Terraform template provisions an AKS Cluster with Key Vault integration using CSI secrets store driver

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published