The build intelligent apps scenario currently stores sensitive information in config maps instead of Key Vault. This needs to change. Update the manifest files and deployment instructions to pull the following environment variables from Key Vault instead of config maps, which makes the deployment more secure. Currently only OPENAI_API_KEY is deployed this way; you can use it as a template for the remaining sensitive environment variables. Below is a list of them:
AzureWebJobsStorage
BLOB_ACCOUNT_KEY
FORM_RECOGNIZER_KEY
OPENAI_API_BASE
TRANSLATE_KEY
You can find the config map file here for your reference: https://github.com/Azure/AKS-Landing-Zone-Accelerator/blob/openai-embeddings/Scenarios/AKS-OpenAI-CogServe-Redis-Embeddings/kubernetes/env-configmap.yaml
This is the command currently used to pass the OPENAI_API_KEY to the key vault: DEP=$(az deployment group create --name aksenvironmentdeployment -g $RGNAME --parameters signedinuser=$SIGNEDINUSER api_key= -f aks.bicep -o json)
That deployment command will need to be updated to pass these other sensitive variables. The Bicep files will also need to be updated accordingly: https://github.com/Azure/AKS-Landing-Zone-Accelerator/blob/openai-embeddings/Scenarios/AKS-OpenAI-CogServe-Redis-Embeddings/infrastructure/kvRbac.bicep
Acceptance criteria:
Bicep file updated to require parameters for the additional sensitive variables
Readme command updated to pass the parameters
Deployment manifest files updated to pull secrets using the secret provider class, just like it pulls the openaiapikey secret
PR submitted to the openai-embeddings branch
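As an added example that is not part of this issue or of the AKS-Landing-Zone-Accelerator repository, the manifest below shows how all six values could be pulled from Key Vault through a single SecretProviderClass (Azure provider for the Secrets Store CSI driver, authenticating with a user-assigned managed identity) and exposed to the pod as environment variables under the names the application already expects. Apart from openaiapikey, which the issue names, the Key Vault secret names, the identity, vault and tenant values, and the Kubernetes resource names are assumptions or placeholders.

```yaml
# Added example, not code from the issue or the repository it references.
# All names other than openaiapikey and the env var names are assumptions;
# angle-bracket values are placeholders to fill in from the deployment output.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-keyvault-secrets            # assumed name
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<MANAGED-IDENTITY-CLIENT-ID>"   # placeholder
    keyvaultName: "<KEYVAULT-NAME>"                          # placeholder
    tenantId: "<TENANT-ID>"                                  # placeholder
    # Key Vault secret names may only contain letters, digits and dashes,
    # so the underscored env var names cannot be reused as secret names.
    objects: |
      array:
        - |
          objectName: openaiapikey
          objectType: secret
        - |
          objectName: azurewebjobsstorage
          objectType: secret
        - |
          objectName: blobaccountkey
          objectType: secret
        - |
          objectName: formrecognizerkey
          objectType: secret
        - |
          objectName: openaiapibase
          objectType: secret
        - |
          objectName: translatekey
          objectType: secret
  # Mirror each mounted secret into a Kubernetes Secret, keyed by the
  # environment variable name the application reads.
  secretObjects:
    - secretName: app-secrets               # assumed name
      type: Opaque
      data:
        - objectName: openaiapikey
          key: OPENAI_API_KEY
        - objectName: azurewebjobsstorage
          key: AzureWebJobsStorage
        - objectName: blobaccountkey
          key: BLOB_ACCOUNT_KEY
        - objectName: formrecognizerkey
          key: FORM_RECOGNIZER_KEY
        - objectName: openaiapibase
          key: OPENAI_API_BASE
        - objectName: translatekey
          key: TRANSLATE_KEY
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app                               # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      containers:
        - name: app
          image: "<APP-IMAGE>"             # placeholder
          # Non-sensitive settings can stay in env-configmap.yaml; only the
          # secret values come from the synced Secret.
          envFrom:
            - secretRef:
                name: app-secrets
          # The CSI volume must be mounted: the driver only creates and keeps
          # the synced Secret while at least one pod mounts the provider class.
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: app-keyvault-secrets
```

Two points worth checking when wiring this up: the managed identity named in the provider class must be granted read access to secrets on the vault (otherwise the pod stays in ContainerCreating with a mount error from the driver), and the Bicep parameters that carry these values into Key Vault should be declared with the @secure() decorator so they are not echoed in deployment output or logs. If the existing manifests read openaiapikey with a per-variable env entry using valueFrom.secretKeyRef, that form works equally well against the synced app-secrets Secret; envFrom is used here only to keep the example short.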