Support for AKS application routing add-on Key Vault integration (GA)

[zioproto]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

The Managed nginx Ingress with the application routing add-on has a Key Vault integration (GA).

Documentation page: https://learn.microsoft.com/en-us/azure/aks/app-routing-dns-ssl#enable-azure-key-vault-integration

Equivalent Azure CLI command:

az aks approuting update -g <ResourceGroupName> -n <ClusterName> --enable-kv --attach-kv ${KEYVAULTID}

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

web_app_routing {
  dns_zone_id = ""
  keyvault_id = azurerm_key_vault.main.id
}

### References

_No response_

[zioproto]

@ms-henglu @lonegunmanb

related to #18667

[bartholomew-gander]

Hi, I have found how Azure CLI achieves this action. It basically creates connection in two steps.

1. It enables key vault integration
2. Grants proper identity access to the key vault separately.

See below as sample

resource "azurerm_kubernetes_cluster" "cluster" {
    ...
    key_vault_secrets_provider { # This enabless key vault integration
        secret_rotation_enabled = true
    }
}

data "azurerm_key_vault" "kv" { ... }

resource "azurerm_role_assignment" "role_for_kv" {
    scope = <key_vault_id>
    role_definition_name = "Key Vault Secrets User" # This is not mistake, it's secrets not certificates
    principal_id = azurerm_kubernetes_cluster.cluster.web_app_routing[0].web_app_routing_identity[0].object_id
}

After that, you can point your ingress to the key vault certificate in the annotation. Eg.

data "azurerm_key_vault_certificate" "cert" { # reference to your certificate
    name = <your_secret_name>
    key_vault_id = data.azurerm_key_vault.kv.id
}

resource "kubernetes_ingress_v1" "ingress" {
    ...
    metadata {
        annotations = {
            # value eg. https://keyvault-name.vault.azure.net/certificates/yourcertificatename
            "kubernetes.azure.com/tls-cert-keyvault-uri" = data. azurerm_key_vault_certificate.cert.versionless_id
            ...
        }
        ...
    }
}

Cheers, Bartek