To use the azureKeyVault mode, specify `mode.azureKeyVault`. In this mode, the unseal keys and root token are stored as secrets in Azure Key Vault.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        vaultBaseUrl: <vault_base_url>
        tenantID: <tenant_id>
        clientCertSecret: <secret_name>
        aadClientSecret: <secret_name>
        useManagedIdentity: <true/false>
        cloud: <cloud_environment_identifier>
```

`mode.azureKeyVault` has the following fields:
`azureKeyVault.vaultBaseUrl` is a required field that specifies the Azure Key Vault URL.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        vaultBaseUrl: "https://myvault.vault.azure.net"
```
`azureKeyVault.tenantID` is a required field that specifies the Azure Active Directory tenant ID.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        tenantID: "aaa-ddd-ffff-343455"
```
`azureKeyVault.clientCertSecret` is an optional field that specifies the name of the secret containing the client certificate and the client certificate password. The secret contains the following fields:

- `client-cert`
- `client-cert-password`

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        clientCertSecret: "azure-client-cert-cred"
```
`azureKeyVault.aadClientSecret` is an optional field that specifies the name of the secret containing the client ID and client secret of the AAD application. The secret contains the following fields:

- `client-id`
- `client-secret`

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        aadClientSecret: "azure-aad-client-cred"
```
`azureKeyVault.useManagedIdentity` is an optional field that specifies whether to use the managed service identity of the virtual machine.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        useManagedIdentity: true
```
Note: one of `azureKeyVault.clientCertSecret`, `azureKeyVault.aadClientSecret` or `azureKeyVault.useManagedIdentity` has to be specified.
`azureKeyVault.cloud` is an optional field that specifies the cloud environment identifier. If it is not specified, `AZUREPUBLICCLOUD` is used as the default.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        cloud: "AZUREGERMANCLOUD"
```
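The rules above (required `vaultBaseUrl` and `tenantID`, at least one credential source, the documented keys in each referenced secret, and the cloud default) can be checked before a VaultServer manifest is applied. The following is an added example and not part of KubeVault or this page; it assumes the manifest and the referenced Kubernetes Secrets have already been loaded into plain Python dicts (for instance with `yaml.safe_load` or `kubectl get ... -o json`), that the set of accepted cloud identifiers mirrors the Azure SDK environment names, and that the `apiVersion` shown in the sample is illustrative. The warning it emits when more than one credential source is configured is stricter than the page, which only requires that one be set.

```python
"""Pre-apply validation of spec.unsealer.mode.azureKeyVault (added example, not KubeVault code).

All sample manifests and Secret contents below are constructed for the example; no cluster is contacted.
"""
from typing import Dict, List

# Assumption: KubeVault hands the identifier to the Azure SDK, whose environment names these are
# (matched case-insensitively). The page itself only names AZUREPUBLICCLOUD and AZUREGERMANCLOUD.
KNOWN_CLOUDS = {"AZUREPUBLICCLOUD", "AZURECHINACLOUD", "AZUREGERMANCLOUD", "AZUREUSGOVERNMENTCLOUD"}
DEFAULT_CLOUD = "AZUREPUBLICCLOUD"

# Keys each credential Secret must carry, as documented on the page.
CLIENT_CERT_SECRET_KEYS = {"client-cert", "client-cert-password"}
AAD_CLIENT_SECRET_KEYS = {"client-id", "client-secret"}


def effective_cloud(akv: Dict) -> str:
    """Cloud identifier that will be in effect, applying the documented default."""
    return str(akv.get("cloud", DEFAULT_CLOUD)).upper()


def validate_azure_key_vault_mode(vault_server: Dict, secrets: Dict[str, Dict[str, str]]) -> List[str]:
    """Return a list of findings; an empty list means the section passes every check.

    `secrets` maps Secret name -> {key: value} for the Secrets the caller fetched from the target namespace.
    """
    findings: List[str] = []
    mode = vault_server.get("spec", {}).get("unsealer", {}).get("mode", {})
    akv = mode.get("azureKeyVault")
    if akv is None:
        return ["spec.unsealer.mode.azureKeyVault is not set"]

    # Required fields. Unseal keys and the root token travel over vaultBaseUrl, so insist on TLS.
    base_url = akv.get("vaultBaseUrl")
    if not base_url:
        findings.append("azureKeyVault.vaultBaseUrl is required")
    elif not base_url.startswith("https://"):
        findings.append("azureKeyVault.vaultBaseUrl must use https://")
    if not akv.get("tenantID"):
        findings.append("azureKeyVault.tenantID is required")

    # The page's Note: at least one credential source must be specified.
    chosen = [f for f in ("clientCertSecret", "aadClientSecret") if akv.get(f)]
    if akv.get("useManagedIdentity") is True:
        chosen.append("useManagedIdentity")
    if not chosen:
        findings.append("one of clientCertSecret, aadClientSecret or useManagedIdentity must be specified")
    elif len(chosen) > 1:
        # Assumption: flagging several sources at once is this example's stricter policy, not a page rule.
        findings.append("warning: more than one credential source set (%s)" % ", ".join(chosen))

    # Each referenced Secret must exist and carry the documented keys.
    for field, required in (("clientCertSecret", CLIENT_CERT_SECRET_KEYS),
                            ("aadClientSecret", AAD_CLIENT_SECRET_KEYS)):
        name = akv.get(field)
        if not name:
            continue
        data = secrets.get(name)
        if data is None:
            findings.append("Secret %r referenced by %s not found" % (name, field))
            continue
        missing = sorted(required - set(data))
        if missing:
            findings.append("Secret %r is missing keys: %s" % (name, ", ".join(missing)))

    if effective_cloud(akv) not in KNOWN_CLOUDS:
        findings.append("unknown cloud environment identifier %r" % akv.get("cloud"))
    return findings


# Constructed sample input: only the section discussed on this page is filled in.
SAMPLE_SECRETS = {
    "azure-client-cert-cred": {"client-cert": "<constructed base64 pfx>", "client-cert-password": "<constructed>"},
    "azure-aad-client-cred": {"client-id": "<constructed>", "client-secret": "<constructed>"},
    "azure-aad-client-cred-broken": {"client-id": "<constructed>"},  # deliberately missing client-secret
}
GOOD_MANIFEST = {
    "apiVersion": "kubevault.com/v1alpha1",  # assumption: illustrative API version
    "kind": "VaultServer",
    "metadata": {"name": "example", "namespace": "demo"},
    "spec": {"unsealer": {"mode": {"azureKeyVault": {
        "vaultBaseUrl": "https://myvault.vault.azure.net",
        "tenantID": "aaa-ddd-ffff-343455",
        "clientCertSecret": "azure-client-cert-cred",
    }}}},
}
BAD_MANIFEST = {
    "kind": "VaultServer",
    "spec": {"unsealer": {"mode": {"azureKeyVault": {
        "vaultBaseUrl": "http://myvault.vault.azure.net",  # plaintext transport
        "aadClientSecret": "azure-aad-client-cred-broken",  # Secret lacks client-secret
        "cloud": "AZUREMOONCLOUD",                          # not a known environment
    }}}},
}

if __name__ == "__main__":
    for label, manifest in (("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)):
        print(label, validate_azure_key_vault_mode(manifest, SAMPLE_SECRETS) or "OK")
```

Run it against the two constructed manifests and the bad one reports the missing tenant ID, the plaintext URL, the incomplete Secret and the unknown cloud identifier, while the good one passes; the same function can be wired into a pre-commit or CI step that loads the real manifest and the Secrets from the target namespace.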