Azure / secrets-store-csi-driver-provider-azure

Azure Key Vault provider for Secret Store CSI driver allows you to get secret contents stored in Azure Key Vault instance and use the Secret Store CSI driver interface to mount them into Kubernetes pods.
https://azure.github.io/secrets-store-csi-driver-provider-azure/
MIT License

multiple key vault support #1088

Open davildaran opened 1 year ago

davildaran commented 1 year ago

Describe the solution you'd like

The ability to specify multiple Azure Key Vaults/SecretProviderClasses for the same service in the same namespace.

E.g. serviceA/dev/secret-provider-class.yaml

apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: secrets
  namespace: serviceA
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: ...
    keyvaultName: serviceA-keyvault1
    cloudName: ""
    tenantId: ...
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: secrets
  namespace: serviceA
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: ...
    keyvaultName: serviceA-keyvaultB
    cloudName: ""
    tenantId: ...

Anything else you would like to add:

Looked into a few ways of trying to specify this. kustomize build path/to/dev/ yields valid YAML but overrides to just (1) single SecretProviderClass definition.

Environment:

JorTurFer commented 5 months ago

I'd say that this is currently supported. I mean, just name them differently and mount them one by one into your workload.
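What that looks like in practice, as an added example that is not part of this thread or the project's own documentation: two SecretProviderClass objects with distinct names in the same namespace, each pointing at its own Key Vault, and a pod that mounts both through separate CSI volumes. The namespace, vault names, identity client ID, tenant ID, secret object names and image are placeholders; the `objects` list is included because the Azure provider only fetches objects that are named there.

```yaml
# Added example (not from the issue thread): two differently named
# SecretProviderClass objects in one namespace, one per Key Vault, and a pod
# mounting both. Every name/ID below is a placeholder.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: secrets-keyvault1
  namespace: service-a
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<user-assigned-identity-client-id>"
    keyvaultName: service-a-keyvault1
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: db-password        # placeholder secret in keyvault1
          objectType: secret
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: secrets-keyvault2
  namespace: service-a
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<user-assigned-identity-client-id>"
    keyvaultName: service-a-keyvault2
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: api-token          # placeholder secret in keyvault2
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: service-a
  namespace: service-a
spec:
  containers:
    - name: app
      image: <app-image>
      volumeMounts:
        # Separate mount paths so same-named objects in the two vaults
        # cannot shadow each other.
        - name: secrets-keyvault1
          mountPath: /mnt/secrets/keyvault1
          readOnly: true
        - name: secrets-keyvault2
          mountPath: /mnt/secrets/keyvault2
          readOnly: true
  volumes:
    - name: secrets-keyvault1
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: secrets-keyvault1
    - name: secrets-keyvault2
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: secrets-keyvault2
```

Each SecretProviderClass becomes its own volume, so the two vaults stay separately auditable and the managed identity only needs secret get permission on each vault it actually reads; if the two vaults should be reachable by different identities, give each SecretProviderClass its own userAssignedIdentityID rather than sharing one.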