To use the `azureKeyVault` mode, specify `mode.azureKeyVault`. In this mode, the unseal keys and the root token are stored in Azure Key Vault as secrets.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        vaultBaseURL: <vault_base_url>
        tenantID: <tenant_id>
        clientCertSecret: <secret_name>
        aadClientSecret: <secret_name>
        useManagedIdentity: <true/false>
        cloud: <cloud_environment_identifier>
```
`mode.azureKeyVault` has the following fields:

`azureKeyVault.vaultBaseURL` is a required field that specifies the Azure Key Vault URL.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        vaultBaseURL: "https://myvault.vault.azure.net"
```
`azureKeyVault.tenantID` is a required field that specifies the Azure Active Directory tenant ID.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        tenantID: "aaa-ddd-ffff-343455"
```
`azureKeyVault.clientCertSecret` is an optional field that specifies the name of the secret containing the client certificate and the client certificate password. The secret contains the following fields:

- `client-cert`
- `client-cert-password`

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        clientCertSecret: "azure-client-cert-cred"
```
`azureKeyVault.aadClientSecret` is an optional field that specifies the name of the secret containing the client ID and client secret of the AAD application. The secret contains the following fields:

- `client-id`
- `client-secret`

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        aadClientSecret: "azure-aad-client-cred"
```
`azureKeyVault.useManagedIdentity` is an optional field that specifies whether to use the managed service identity of the virtual machine.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        useManagedIdentity: true
```

Note: One of `azureKeyVault.clientCertSecret`, `azureKeyVault.aadClientSecret` or `azureKeyVault.useManagedIdentity` has to be specified.
`azureKeyVault.cloud` is an optional field that specifies the cloud environment identifier. If it is not specified, `AZUREPUBLICCLOUD` is used as the default.

```yaml
spec:
  unsealer:
    mode:
      azureKeyVault:
        cloud: "AZUREGERMANCLOUD"
```
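The rules above (two required fields, one of three credential sources, the key names each credential Secret must carry, and the default cloud) can be checked before a VaultServer is applied. The following preflight validator is an added example, not KubeVault's own code; the set of accepted cloud identifiers beyond `AZUREPUBLICCLOUD` and `AZUREGERMANCLOUD` is an assumption, and the sample config and Secret contents are constructed.

```python
# Added example (not KubeVault's own code): preflight check for the
# spec.unsealer.mode.azureKeyVault block. `mode` is that block as a dict;
# `secrets` maps a Kubernetes Secret name to the set of keys it carries.

# Assumption: Azure SDK environment names; the page only names the first two.
KNOWN_CLOUDS = {"AZUREPUBLICCLOUD", "AZUREGERMANCLOUD",
                "AZURECHINACLOUD", "AZUREUSGOVERNMENTCLOUD"}

# Keys each credential Secret must carry, as documented on this page.
SECRET_KEYS = {
    "clientCertSecret": {"client-cert", "client-cert-password"},
    "aadClientSecret": {"client-id", "client-secret"},
}


def validate_azure_key_vault(mode: dict, secrets: dict) -> list:
    """Return [] when the config satisfies the rules, else one message per problem."""
    errors = []
    if not str(mode.get("vaultBaseURL", "")).startswith("https://"):
        errors.append("vaultBaseURL is required and must be an https:// URL")
    if not mode.get("tenantID"):
        errors.append("tenantID is required")
    # At least one credential source: cert Secret, AAD Secret, or managed identity.
    sources = [k for k in ("clientCertSecret", "aadClientSecret") if mode.get(k)]
    if mode.get("useManagedIdentity"):
        sources.append("useManagedIdentity")
    if not sources:
        errors.append("one of clientCertSecret, aadClientSecret or "
                      "useManagedIdentity must be set")
    # Every referenced Secret must exist and carry the documented keys.
    for field, needed in SECRET_KEYS.items():
        name = mode.get(field)
        if not name:
            continue
        have = secrets.get(name)
        if have is None:
            errors.append(f"{field}: secret {name!r} not found")
        elif not needed <= have:
            errors.append(f"{field}: secret {name!r} lacks keys {sorted(needed - have)}")
    cloud = mode.get("cloud", "AZUREPUBLICCLOUD")  # default per the docs
    if cloud not in KNOWN_CLOUDS:
        errors.append(f"cloud: unknown environment {cloud!r}")
    return errors


# Constructed sample: AAD-credential config and the Secret it references.
SAMPLE_MODE = {"vaultBaseURL": "https://myvault.vault.azure.net",
               "tenantID": "aaa-ddd-ffff-343455",
               "aadClientSecret": "azure-aad-client-cred"}
SAMPLE_SECRETS = {"azure-aad-client-cred": {"client-id", "client-secret"}}

if __name__ == "__main__":
    print(validate_azure_key_vault(SAMPLE_MODE, SAMPLE_SECRETS))  # []
```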