This Terraform template provisions an AKS Cluster with Key Vault integration using CSI secrets store driver. Authentication to the Key Vault is performed using AAD Pod Identity. This template is based on the awesome document published by my colleague Paul Bouwer.
Note: This template performs the Azure AD role assignments required by AAD Pod Identity, so the Service Principal used for Terraform authentication must hold Owner privileges. Owner is a broad role; scope its assignment as narrowly as the deployment allows.
The template deploys the following resources:
- Key Vault
- User-Assigned Managed Identity
- AKS Cluster
Note: The CSI secrets store driver requires AKS v1.16+
Once terraform apply has completed successfully, set the following variables from the Terraform output:
export aad_pod_id_binding_selector="aad-pod-id-binding-selector"
export aks_cluster_name="aks-xxxxxx"
export key_vault_name="kv-xxxxxx"
export rg_name="rg-xxxxxx"
export tenant_id="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
Alternatively, on Terraform 0.12/0.13 (where terraform output prints unquoted string values) you can execute the following:
eval $(terraform output | sed 's/^/export /; s/ = /="/g; s/$/"/')
Note: From Terraform 0.14 onwards terraform output quotes string values, so this sed pipeline produces doubled quotes; strip the quotes first or read the values from terraform output -json instead.
Set the variables for the demo secret used by the test:
export SECRET_NAME="demo-secret"
export SECRET_VALUE="demo-value"
Then run the smoke test:
./smoke_test.sh
The smoke test creates a test pod in the newly provisioned AKS cluster and attempts to mount the Key Vault secret through the CSI driver. Once the pod has started successfully, the test compares the content of the mounted file with the actual value stored in Key Vault.
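To make the smoke test's moving parts concrete, here is an added example (my own sketch, not the template's smoke_test.sh) that renders the two Kubernetes objects such a test needs and performs the comparison. The SecretProviderClass selects the Azure provider and authenticates with the AAD Pod Identity that the pod's `aadpodidbinding` label binds it to; the pod mounts the Key Vault objects read-only through the `secrets-store.csi.k8s.io` driver. The object names `kv-smoke-spc`, `kv-smoke-pod`, the `/mnt/secrets-store` mount path, the `busybox` image and the `RUN_SMOKE_TEST` switch are assumptions; the `$key_vault_name`, `$tenant_id`, `$aad_pod_id_binding_selector`, `$SECRET_NAME` and `$SECRET_VALUE` variables are the ones exported above.

```shell
#!/bin/sh
# Added example, not the template's own smoke_test.sh.

# SecretProviderClass for the Azure provider. usePodIdentity: "true" makes
# the driver obtain its Key Vault token via AAD Pod Identity (assumed names).
render_secret_provider_class() {
  # $1 = Key Vault name, $2 = tenant id, $3 = secret name
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: kv-smoke-spc
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"
    keyvaultName: "$1"
    tenantId: "$2"
    objects: |
      array:
        - |
          objectName: $3
          objectType: secret
EOF
}

# Test pod. The aadpodidbinding label must equal the selector of the
# AzureIdentityBinding created by the template, or no identity is attached.
render_test_pod() {
  # $1 = aadpodidbinding selector
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kv-smoke-pod
  labels:
    aadpodidbinding: "$1"
spec:
  containers:
    - name: busybox
      image: busybox:1.36
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kv-smoke-spc
EOF
}

# Exact comparison of the mounted file content with the Key Vault value;
# kept as a pure function so it can be exercised without a cluster.
secret_matches() {
  [ "$1" = "$2" ]
}

# End-to-end run against a live cluster (needs az, kubectl and the exports).
run_smoke_test() {
  az keyvault secret set --vault-name "$key_vault_name" \
    --name "$SECRET_NAME" --value "$SECRET_VALUE" -o none
  render_secret_provider_class "$key_vault_name" "$tenant_id" "$SECRET_NAME" | kubectl apply -f -
  render_test_pod "$aad_pod_id_binding_selector" | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/kv-smoke-pod --timeout=180s
  mounted=$(kubectl exec kv-smoke-pod -- cat "/mnt/secrets-store/$SECRET_NAME")
  expected=$(az keyvault secret show --vault-name "$key_vault_name" \
    --name "$SECRET_NAME" --query value -o tsv)
  if secret_matches "$mounted" "$expected"; then
    echo "PASS: mounted secret matches Key Vault"
  else
    echo "FAIL: mounted value does not match Key Vault" >&2
    return 1
  fi
}

# Only touch the cluster when explicitly asked: RUN_SMOKE_TEST=1 sh this.sh
if [ "${RUN_SMOKE_TEST:-0}" = 1 ]; then
  run_smoke_test
fi
```

If the pod never becomes Ready, the usual causes are the `aadpodidbinding` label not matching the template's binding selector (no identity is attached, so the driver cannot get a token) or the managed identity lacking get permission on the vault's secrets; `kubectl describe pod kv-smoke-pod` shows the mount error from the driver in either case.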