Open zioproto opened 11 months ago
@ms-henglu @lonegunmanb
related to #18667
Hi, I have found how the Azure CLI achieves this action. It basically creates the connection in two steps.
See the sample below:
```hcl
resource "azurerm_kubernetes_cluster" "cluster" {
  ...
  key_vault_secrets_provider { # This enables key vault integration
    secret_rotation_enabled = true
  }
}

data "azurerm_key_vault" "kv" { ... }

resource "azurerm_role_assignment" "role_for_kv" {
  scope                = data.azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User" # This is not a mistake, it's secrets, not certificates
  principal_id         = azurerm_kubernetes_cluster.cluster.web_app_routing[0].web_app_routing_identity[0].object_id
}
```
After that, you can point your ingress to the key vault certificate in the annotation. E.g.:
```hcl
data "azurerm_key_vault_certificate" "cert" { # reference to your certificate
  name         = <your_secret_name>
  key_vault_id = data.azurerm_key_vault.kv.id
}

resource "kubernetes_ingress_v1" "ingress" {
  ...
  metadata {
    annotations = {
      # value e.g. https://keyvault-name.vault.azure.net/certificates/yourcertificatename
      "kubernetes.azure.com/tls-cert-keyvault-uri" = data.azurerm_key_vault_certificate.cert.versionless_id
      ...
    }
    ...
  }
}
```
Cheers, Bartek
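A fuller version of the two-step wiring the comment describes, added here as an example (not the issue's or the commenter's code): it assumes an existing resource group `azurerm_resource_group.rg`, a Key Vault resource `azurerm_key_vault.kv` created with the RBAC permission model, a kubernetes provider already pointed at the cluster, and placeholder names throughout. The `web_app_routing` block is what creates the add-on identity that the role assignment grants access to.

```hcl
resource "azurerm_kubernetes_cluster" "cluster" {
  name                = "aks-approuting" # placeholder
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "aksapprouting"
  default_node_pool {
    name       = "system"
    node_count = 1
    vm_size    = "Standard_D2s_v3"
  }
  identity { type = "SystemAssigned" }
  # Managed nginx ingress (application routing add-on); enabling it is what
  # creates the managed identity referenced in the role assignment below.
  web_app_routing {
    dns_zone_ids = [] # assumption: DNS records are managed outside the add-on
  }
}
# Least privilege: read-only secrets role scoped to this single vault. It only
# takes effect on a vault using RBAC authorization, not legacy access policies.
resource "azurerm_role_assignment" "approuting_kv_reader" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_kubernetes_cluster.cluster.web_app_routing[0].web_app_routing_identity[0].object_id
}
data "azurerm_key_vault_certificate" "cert" {
  name         = "ingress-tls" # placeholder
  key_vault_id = azurerm_key_vault.kv.id
}
resource "kubernetes_ingress_v1" "ingress" {
  metadata {
    name = "app"
    annotations = {
      # versionless URI, so a rotated certificate is picked up without an edit
      "kubernetes.azure.com/tls-cert-keyvault-uri" = data.azurerm_key_vault_certificate.cert.versionless_id
    }
  }
  spec {
    ingress_class_name = "webapprouting.kubernetes.azure.com"
    tls {
      hosts       = ["app.example.com"]
      secret_name = "keyvault-app" # synced by the add-on as keyvault-<ingress name>
    }
    default_backend {
      service {
        name = "app"
        port { number = 80 }
      }
    }
  }
}
```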
Description
The Managed nginx Ingress with the application routing add-on has a Key Vault integration (GA).
Documentation page: https://learn.microsoft.com/en-us/azure/aks/app-routing-dns-ssl#enable-azure-key-vault-integration
Equivalent Azure CLI command:
New or Affected Resource(s)/Data Source(s)
azurerm_kubernetes_cluster
Potential Terraform Configuration