SparebankenVest / azure-key-vault-to-kubernetes

Azure Key Vault to Kubernetes (akv2k8s for short) makes it simple and secure to use Azure Key Vault secrets, keys and certificates in Kubernetes.
https://akv2k8s.io
Apache License 2.0

[Question] There is no documentation on Workload Identity? #739

Open v1ferrarij opened 2 months ago

v1ferrarij commented 2 months ago

As far as I can see, there is no documentation on how to use akv2k8s with Workload Identity?

Are there any examples which can be followed? I am using the following, but it does not seem to work; I am guessing at how this works by looking at PRs which have been merged.

Can there be some documentation which is added for some explanation on how this works?

I have tried this, which does not work:

resource "helm_release" "uks_akv2k8s" {
  name       = "akv2k8s"
  namespace  = "akv2k8s"
  repository = "https://charts.spvapi.no"
  chart      = "akv2k8s"

  set {
    name  = "global.keyVaultAuth"
    value = "environment-azidentity"
  }

  set {
    name  = "serviceAccount.labels.azure\\.workload\\.identity/use"
    value = true
  }

  set {
    name  = "serviceAccount.annotations.azure\\.workload\\.identity/client-id"
    value = "*******"
  }

  depends_on = [kubernetes_namespace.uks_namespace]
}
Yunzlez commented 2 weeks ago

You may have solved this already in the meantime, but I ran into the same issue, so here's the solution in case anyone needs it: I think the problem with your setup is that you're setting the azure.workload.identity/use label on the ServiceAccount instead of on the controller pod(s).

Setting these values works for me (JSON, but it should map onto whatever you use):

{
    "controller": {
        "keyVaultAuth": "environment-azidentity",
        "podLabels": {
            "azure.workload.identity/use": "true"
        },
        "serviceAccount": {
            "annotations": {
                "azure.workload.identity/client-id": "<Workload Managed Identity ClientId>"
            }
        }
    }
}
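For readers who, like the original poster, drive the chart from Terraform, here is the same configuration expressed as a helm_release. This is an added example, not code from the project or from either commenter: the value keys (controller.keyVaultAuth, controller.podLabels, controller.serviceAccount.annotations) are taken from the reply above, the var.akv2k8s_workload_identity_client_id variable is a hypothetical placeholder for the identity's client id, and type = "string" is the helm provider's attribute for forcing a string value. The point it adds is the placement of the label: the Azure Workload Identity admission webhook selects on the pod label, so the label must be on the controller pod template, while the client-id annotation belongs on the ServiceAccount.

```hcl
resource "helm_release" "uks_akv2k8s" {
  name       = "akv2k8s"
  namespace  = "akv2k8s"
  repository = "https://charts.spvapi.no"
  chart      = "akv2k8s"

  # Authenticate to Key Vault through the Azure SDK environment credential chain,
  # which picks up the federated token the Workload Identity webhook injects.
  set {
    name  = "controller.keyVaultAuth"
    value = "environment-azidentity"
  }

  # The webhook matches on this POD label, so it goes on the controller pod
  # template, not on the ServiceAccount. Dots in the key are escaped so Helm
  # does not split the label name into nested keys. type = "string" prevents
  # Helm from coercing "true" to a boolean, which Kubernetes rejects as a label value.
  set {
    name  = "controller.podLabels.azure\\.workload\\.identity/use"
    value = "true"
    type  = "string"
  }

  # The ServiceAccount carries the client id of the user-assigned identity whose
  # federated credential trusts this SA. Hypothetical variable, not from the page.
  set {
    name  = "controller.serviceAccount.annotations.azure\\.workload\\.identity/client-id"
    value = var.akv2k8s_workload_identity_client_id
  }

  depends_on = [kubernetes_namespace.uks_namespace]
}
```

After applying, a quick check that the wiring took effect is to confirm the controller pod template shows the azure.workload.identity/use label and that the running controller pod has the AZURE_FEDERATED_TOKEN_FILE environment variable and projected token volume injected; if the label ended up on the ServiceAccount only, the webhook never mutates the pod and the environment credential chain finds nothing to use.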