Azure / AKS-Construction

Accelerate your onboarding to AKS with: Helper Web App, bicep templating and CI/CD samples. Flexible & secure AKS baseline implementations in a Microsoft + community maintained reference implementation.
https://azure.github.io/AKS-Construction/
MIT License
356 stars 165 forks

Update the CSI Secret Identity to use a BYO Managed User and Setup the required federation #638

Closed khowling closed 11 months ago

khowling commented 1 year ago

As described here https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access#access-with-an-azure-ad-workload-identity

Gordonby commented 1 year ago

It is specific to the workload (service account) - so perhaps more relevant to https://github.com/Azure-Samples/java-aks-keyvault-tls ?

khowling commented 1 year ago

Good shout, but we've been having issues consuming aksc in a workload repo, selecting csi&keyvault options, then configuring the workload to use it with federated identity. I can't see how it's possible at the moment without the workload repo needing to create their own keyvault. This pattern needs attention!

Gordonby commented 1 year ago

Agreed, I think the app would need their own keyvault. RBAC will become tricky.

github-actions[bot] commented 1 year ago

Issue smells stale, no activity for 30 days. Stale Label will be removed if the issue is updated, otherwise closed in a month.