This validation uses a Service Principal together with the Key Vault CSI Secret Driver to test secret management with Key Vault Secrets.
Create Azure Resources
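# Azure CLI Login
az login
az account set --subscription <your_subscription>
# Random suffix so the Service Principal name does not collide with an existing one.
# $RANDOM is not a secret here; it only has to make the display name unique.
RAND="$(echo "$RANDOM" | tr '[0-9]' '[a-z]')"
# Create a Service Principal
CLIENT_NAME="principal-$RAND"
# The password is shown only once, at creation time, so it is captured into a variable.
# Keep it out of shell traces (no `set -x`) and out of files/history.
# NOTE(review): recent Azure CLI releases do not assign a role by default and may
# reject --skip-assignment; drop the flag if the command fails on it.
CLIENT_SECRET=$(az ad sp create-for-rbac -n "$CLIENT_NAME" --skip-assignment --query password -o tsv)
# Quote the JMESPath query: an unquoted [] is a shell glob and can be expanded
# against files in the current directory. With the random suffix the display-name
# lookup is expected to match exactly one principal.
CLIENT_ID=$(az ad sp list --display-name "$CLIENT_NAME" --query '[].appId' -o tsv)
# The Service Principal is created in the signed-in account's tenant, so read the
# tenant from the account rather than from a per-SP field that differs across CLI versions.
TENANT_ID=$(az account show --query tenantId -o tsv)
SUBSCRIPTION_ID=$(az account show --query id -o tsv)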
Create test Kubernetes Cluster
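# Using kind create a Kubernetes Cluster
kind create cluster
# Deploy the AAD Pod Identity chart (NMI intercepts the pod's IMDS token requests).
# NOTE(review): this step installs only AAD Pod Identity; the Key Vault CSI driver
# named in the introduction is not installed anywhere in this walkthrough.
helm repo add aad-pod-identity https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts
# Refresh the index so a previously added repo does not serve a stale chart list.
helm repo update
helm install aad-pod-identity aad-pod-identity/aad-pod-identity --set operationMode=managed
# Validate (pods may still be ContainerCreating right after install; re-run until Running)
kubectl get pods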
Deploy Sample Application
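# Create a Secret holding the Service Principal password
kubectl create secret generic secrets-store-creds \
  --from-literal "clientsecret=$CLIENT_SECRET"
# Validate the Secret Exists (describe prints key names and sizes, not the values)
kubectl describe Secret secrets-store-creds
# Deploy Azure Identity
# The same password is stored a second time as demo-aad1-sp because AzureIdentity
# references a Secret by name/namespace. The base64 output is joined onto one line so
# the YAML stays valid regardless of the base64 implementation's line-wrapping default.
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Secret
metadata:
  name: demo-aad1-sp
type: Opaque
data:
  clientSecret: $(printf '%s' "$CLIENT_SECRET" | base64 | tr -d '\n')
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: demo-aad1
spec:
  type: 1
  tenantID: $TENANT_ID
  clientID: $CLIENT_ID
  clientPassword: {"name":"demo-aad1-sp","namespace":"default"}
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: demo-azure-id-binding
spec:
  azureIdentity: "demo-aad1"
  selector: "demo"
EOF
# Validate
# The aadpodidbinding label must equal the binding's selector ("demo"); with any other
# value the identity is never assigned and the token request below fails.
# The IMDS response carries a bearer token, so it is stripped before printing;
# the remaining fields (resource, token_type, expires_on) are enough to confirm success.
kubectl run azure-cli -it \
  --rm \
  --image=mcr.microsoft.com/azure-cli \
  --labels=aadpodidbinding=demo \
  --command -- \
  curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' \
  -s -H Metadata:true | jq 'del(.access_token)'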