
Support for AKS application routing add-on Key Vault integration (GA) #24131

Open · 1 task done
zioproto opened this issue Dec 6, 2023 · 2 comments


zioproto commented Dec 6, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

The Managed nginx Ingress with the application routing add-on has a Key Vault integration (GA).

Documentation page:
https://learn.microsoft.com/en-us/azure/aks/app-routing-dns-ssl#enable-azure-key-vault-integration

Equivalent Azure CLI command:

az aks approuting update -g <ResourceGroupName> -n <ClusterName> --enable-kv --attach-kv ${KEYVAULTID}

New or Affected Resource(s)/Data Source(s)

azurerm_kubernetes_cluster

Potential Terraform Configuration

web_app_routing {
  dns_zone_id = ""
  keyvault_id = azurerm_key_vault.main.id
}


References

No response

zioproto commented Dec 6, 2023

@ms-henglu @lonegunmanb

related to #18667

@bartholomew-gander

Hi, I have found how Azure CLI achieves this action. It basically creates the connection in two steps:

  1. It enables the key vault integration.
  2. It grants the proper identity access to the key vault separately.

See the sample below:

resource "azurerm_kubernetes_cluster" "cluster" {
    ...
    key_vault_secrets_provider { # This enables key vault integration
        secret_rotation_enabled = true
    }
}

data "azurerm_key_vault" "kv" { ... }

resource "azurerm_role_assignment" "role_for_kv" {
    scope = <key_vault_id>
    role_definition_name = "Key Vault Secrets User" # This is not a mistake, it's secrets, not certificates
    principal_id = azurerm_kubernetes_cluster.cluster.web_app_routing[0].web_app_routing_identity[0].object_id
}

After that, you can point your ingress to the key vault certificate in the annotation, e.g.:

data "azurerm_key_vault_certificate" "cert" { # reference to your certificate
    name = <your_secret_name>
    key_vault_id = data.azurerm_key_vault.kv.id
}

resource "kubernetes_ingress_v1" "ingress" {
    ...
    metadata {
        annotations = {
            # value eg. https://keyvault-name.vault.azure.net/certificates/yourcertificatename
            "kubernetes.azure.com/tls-cert-keyvault-uri" = data.azurerm_key_vault_certificate.cert.versionless_id
            ...
        }
        ...
    }
}

Cheers,
Bartek
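The two-step setup above (enable the integration, then grant the routing identity a role) is easy to get subtly wrong: the role assignment can land on the wrong principal, carry a broader role than Key Vault Secrets User, or be scoped to a resource group instead of the one vault the ingress references. As an added example that is not code from the issue or from the azurerm provider, the Python check below parses the `kubernetes.azure.com/tls-cert-keyvault-uri` annotation and compares it against role-assignment records in the field shape `az role assignment list` returns (`principalId`, `roleDefinitionName`, `scope`); the vault id, identity object id, certificate name and assignment records are constructed, and the vault is assumed to use Azure RBAC, as the `azurerm_role_assignment` in the comment implies.

```python
# Added example (not from the issue or the azurerm provider): least-privilege check for the
# app routing Key Vault setup described above. All ids and records below are constructed.
from urllib.parse import urlparse

ANNOTATION = "kubernetes.azure.com/tls-cert-keyvault-uri"
REQUIRED_ROLE = "Key Vault Secrets User"  # secrets, not certificates, as the comment notes
VAULT_SUFFIX = "/providers/microsoft.keyvault/vaults/"

def parse_cert_uri(uri: str) -> tuple[str, str]:
    """Return (vault_name, certificate_name) from a Key Vault certificate URI,
    versionless (.../certificates/<name>) or versioned (.../certificates/<name>/<version>)."""
    u = urlparse(uri)
    host = u.hostname or ""
    if u.scheme != "https" or not host.endswith(".vault.azure.net"):
        raise ValueError(f"not a Key Vault certificate URI: {uri}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) not in (2, 3) or parts[0] != "certificates":
        raise ValueError(f"expected /certificates/<name>[/<version>], got {u.path!r}")
    return host.split(".")[0], parts[1]

def find_problems(annotations: dict, role_assignments: list, identity_object_id: str) -> list:
    """Return findings as strings; an empty list means the routing identity holds exactly
    the intended role, scoped to the vault the ingress annotation points at."""
    uri = annotations.get(ANNOTATION)
    if uri is None:
        return [f"ingress lacks the {ANNOTATION} annotation"]
    vault, _cert = parse_cert_uri(uri)
    mine = [ra for ra in role_assignments if ra["principalId"] == identity_object_id]
    if not mine:
        return [f"no role assignment found for identity {identity_object_id}"]
    problems = []
    for ra in mine:
        if ra["roleDefinitionName"] != REQUIRED_ROLE:
            problems.append(f"identity holds {ra['roleDefinitionName']!r}, expected {REQUIRED_ROLE!r}")
        # A resource-group or subscription scope also "works", but is wider than needed.
        if not ra["scope"].lower().endswith(VAULT_SUFFIX + vault.lower()):
            problems.append(f"scope {ra['scope']!r} is not the vault {vault!r} the ingress uses")
    return problems

# Constructed sample: the ingress references certificate "web-tls" in vault "kv-demo".
IDENTITY = "11111111-1111-1111-1111-111111111111"  # web_app_routing_identity[0].object_id
VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
            "/providers/Microsoft.KeyVault/vaults/kv-demo")
ANNOTATIONS = {ANNOTATION: "https://kv-demo.vault.azure.net/certificates/web-tls"}
GOOD = [{"principalId": IDENTITY, "roleDefinitionName": REQUIRED_ROLE, "scope": VAULT_ID}]
TOO_BROAD = [{"principalId": IDENTITY, "roleDefinitionName": REQUIRED_ROLE,
              "scope": VAULT_ID.split("/providers/")[0]}]  # same role, whole resource group

if __name__ == "__main__":
    print(find_problems(ANNOTATIONS, GOOD, IDENTITY))       # []
    print(find_problems(ANNOTATIONS, TOO_BROAD, IDENTITY))  # one scope finding
```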
