Kubernetes app that syncs cert-manager Secrets to Azure Key Vault. Originally created with the intention of getting Let's Encrypt certificates into Key Vault, but it works with any certificate stored in a Kubernetes TLS Secret.
Supported platforms: linux/amd64, linux/arm64, linux/arm64/v8 (Apple M1).

Features and requirements:

- Wildcard certificates (`*.your-domain.com`)
- Certificates in multiple Namespaces
- ~> v1
- Managed Identity in your Azure Kubernetes cluster

If you're running an older version of Helm, `HELM_EXPERIMENTAL_OCI=1` needs to be set to support OCI charts:

```shell
export HELM_EXPERIMENTAL_OCI=1
```
```shell
helm upgrade --install cert-manager-key-vault-sync \
  oci://docker.io/rdvansloten/cert-manager-key-vault-sync \
  --values ./charts/cert-manager-key-vault-sync/values.yaml \
  --version 0.2.0 \
  --namespace cert-manager-key-vault-sync --create-namespace
```
If you wish to use raw Kubernetes manifests instead, you can render the Helm chart to plain YAML with the command below and apply the result with `kubectl`.

```shell
helm template cert-manager-key-vault-sync oci://docker.io/rdvansloten/cert-manager-key-vault-sync \
  --values ./charts/cert-manager-key-vault-sync/values.yaml > output.yaml
```
For examples on building the image from scratch or prepping your Azure/Kubernetes environment, see Examples.
The synchronization process is a small Python 3 application running on an Alpine image. It uses OpenSSL to bundle the `.cer` and `.key` files into a `.pfx`, then uploads the resulting `.pfx` file to Azure Key Vault. cert-manager-key-vault-sync requires the verbs `get`, `list` and `watch` on the `secrets` resource, as it needs to pull cert-manager-generated Secrets from all namespaces. By default it only considers Secrets carrying the annotation `cert-manager.io/certificate-name`, though this can be changed. Note that this annotation filter is applied by the application, not by RBAC: Kubernetes RBAC cannot restrict `list` or `watch` by annotation, so a cluster-wide grant on `secrets` lets the pod read every Secret in the cluster, certificate-related or not. Treat the pod's namespace, image and identity accordingly.
The attached Service Account is bound to a Managed Identity in Azure, which provides access to the Key Vault. The Managed Identity requires the `Key Vault Certificates Officer` role on the Key Vault, or a custom role with permissions to list, read, create and update Certificates and their metadata.
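The Kubernetes-side selection and change-detection logic described above, as an added example; this is not cert-manager-key-vault-sync's own code. It takes Secrets as plain dicts shaped like what the Kubernetes API returns (base64-encoded `data`), uses constructed sample Secrets whose PEM bodies are opaque placeholder bytes rather than real certificates, and applies an assumed `<namespace>-<secret>` naming scheme for the Key Vault certificate name (the project's real scheme is not on the page). The OpenSSL `.pfx` bundling and the Key Vault upload are left out because they need a live vault; instead the example compares the certificate's SHA-1 thumbprint, which Key Vault exposes for each certificate version, to decide whether an upload is needed at all.

```python
import base64
import hashlib
import re

# Annotation the sync matches on by default.
ANNOTATION = "cert-manager.io/certificate-name"
# Key Vault object names may only contain ASCII letters, digits and hyphens (max 127 chars).
KV_NAME_RE = re.compile(r"[^0-9A-Za-z-]+")


def _pem(label, payload):
    """Wrap arbitrary bytes in PEM armour. Constructed stand-in for a real
    certificate or key: nothing here parses X.509, the payload is opaque."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def _secret(namespace, name, annotations, data):
    """Shape a dict like a v1/Secret from the API server: .data is base64."""
    return {
        "metadata": {"name": name, "namespace": namespace, "annotations": annotations},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


# Constructed sample Secrets (placeholder bytes, not real certificates).
SAMPLE_SECRETS = [
    _secret("web", "wildcard.your-domain.com-tls", {ANNOTATION: "wildcard-your-domain-com"},
            {"tls.crt": _pem("CERTIFICATE", b"cert-A"), "tls.key": _pem("PRIVATE KEY", b"key-A")}),
    _secret("api", "api-tls", {ANNOTATION: "api-your-domain-com"},
            {"tls.crt": _pem("CERTIFICATE", b"cert-B"), "tls.key": _pem("PRIVATE KEY", b"key-B")}),
    _secret("web", "broken-tls", {ANNOTATION: "broken"},
            {"tls.crt": _pem("CERTIFICATE", b"cert-C")}),            # no tls.key: nothing to bundle
    _secret("default", "db-password", {}, {"password": "hunter2"}),   # unannotated: must be ignored
]


def select_cert_secrets(secrets, annotation=ANNOTATION):
    """Keep only Secrets carrying the annotation and a full tls.crt/tls.key pair.
    This filter runs client-side: RBAC has already handed over every Secret."""
    chosen = []
    for s in secrets:
        annotations = s.get("metadata", {}).get("annotations") or {}
        data = s.get("data") or {}
        if annotation in annotations and "tls.crt" in data and "tls.key" in data:
            chosen.append(s)
    return chosen


def cert_pem_of(secret):
    """Decode the base64 tls.crt field back to PEM text."""
    return base64.b64decode(secret["data"]["tls.crt"]).decode("ascii")


def pem_to_der(pem):
    """Strip the armour lines and base64-decode the body."""
    lines = [line.strip() for line in pem.splitlines()]
    return base64.b64decode("".join(l for l in lines if l and not l.startswith("-----")))


def thumbprint(cert_pem):
    """SHA-1 over the DER bytes, upper-case hex: the form Key Vault reports as a
    certificate's X509Thumbprint, so a sync can compare without downloading the PFX."""
    return hashlib.sha1(pem_to_der(cert_pem)).hexdigest().upper()


def key_vault_name(namespace, secret_name):
    """Map <namespace>/<secret> to a Key Vault-legal name. The scheme is an
    assumption of this example, not the project's."""
    cleaned = KV_NAME_RE.sub("-", f"{namespace}-{secret_name}")
    cleaned = re.sub(r"-{2,}", "-", cleaned).strip("-")
    return cleaned[:127]


def plan_sync(secrets, existing):
    """Decide per eligible Secret what Key Vault needs. `existing` maps a Key Vault
    certificate name to the thumbprint of its current version (a real sync would
    read this from Key Vault; here it is supplied by the caller)."""
    plan = {}
    for s in select_cert_secrets(secrets):
        meta = s["metadata"]
        name = key_vault_name(meta["namespace"], meta["name"])
        tp = thumbprint(cert_pem_of(s))
        if name not in existing:
            plan[name] = "create"
        elif existing[name] != tp:
            plan[name] = "update"  # cert-manager renewed it: import as a new version
        else:
            plan[name] = "skip"    # same certificate already in Key Vault
    return plan


if __name__ == "__main__":
    in_vault = {"api-api-tls": thumbprint(cert_pem_of(SAMPLE_SECRETS[1]))}
    for name, action in plan_sync(SAMPLE_SECRETS, in_vault).items():
        print(f"{action:7} {name}")
```

Running it plans a `create` for the wildcard Secret, a `skip` for the API Secret already present in the vault, and nothing for the Secret without a key or the unannotated one. The thumbprint comparison is what makes a periodic sync idempotent: without it, every pass would import a fresh Key Vault certificate version, and because the ClusterRole grants `list`/`watch` on all `secrets`, `select_cert_secrets` is the only thing keeping unrelated Secrets out of the pipeline.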
I'd love your input! I want to make contributing to this project as easy and transparent as possible.

Pull requests are the best way to propose changes. I actively welcome your Pull Requests; base your branch on `main`.