SOPS: add support for Azure Key Vault credentials using SecretRef #495
Conversation
I have rebased my commit on the main branch to remove the preBuild dependency.
Will try to get this reviewed on Monday, thanks in advance @dquagebeur 🙇
This is misleading, Flux does support Azure Key Vault, here are the e2e tests that prove this https://github.com/fluxcd/flux2/blob/main/tests/azure/azure_test.go#L525
Yes, it's true.
Right! This makes Flux usable on multi-tenant AKS clusters, it does solve the issue raised in #324 but only for Azure Key Vault.
@dquagebeur please sign off your commits, see https://github.com/fluxcd/kustomize-controller/pull/495/checks?check_run_id=4266364175
Hi @hiddeco, do you have any more changes before validating the PR?
I need to have another round on Microsoft internals on how they present things to their (groups of) users, as I am getting the sense that there are multiple instructions out there that people may use as a starting point. Meaning that we either need to guide them to not do this, or support multiple JSON structures. In addition, I need to have another look at the (various) SDK(s) we built upon, to ensure that besides rate limiting, I am not missing another setting to facilitate smooth operations. Thanks for making me aware of this @phillebaba 🙇 In any case, and given this touches the area of security, I do not want to rush this. Which means that with an eye on the holiday period that's arriving soon, many of us enjoying some well-deserved time off then, and my current pile of TODOs, I think this is more likely to land at the beginning of 2022.
Signed-off-by: David Quagebeur <[email protected]>
- Ensure key source follows upstream SOPS contracts as closely as possible (e.g. `MasterKey` interface).
- Prevent unnecessary FS operations by allowing token creation and authorizer configuration to be factored from file bytes.
- Ensure a limited number of configuration options is taken into account, excluding e.g. file path references.
- Ensure server maintains backwards compatibility with previously supported "global" Azure configuration, _without_ relying on file assumptions and/or inspections (but rather, server configurations).
Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
This updates to the `github.com/Azure/azure-sdk-for-go` SDK, which is the (apparent) successor of the previous SDK, and allows for easier configuration of credentials through the `azidentity` package. Signed-off-by: Hidde Beydals <[email protected]>
This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal Signed-off-by: Hidde Beydals <[email protected]>
Signed-off-by: Hidde Beydals <[email protected]>
This includes a refactor of the other entries, to start moving guides to the website while containing minimal technical (instructions) in-spec. Signed-off-by: Hidde Beydals <[email protected]>
LGTM
Thanks @hiddeco and @dquagebeur 🏅
Out of curiosity, what was the reasoning behind changing the pinned version of kustomize from
@marshallford the version got borked during merge, we'll do a patch release today with the right one, thanks for reporting this.
This PR is to support Azure Key Vault for SOPS.
Azure credentials have to be provided in the SOPS secret under the key `sops.azure-kv`.
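As an added illustration of the contract described in the PR description and in the commit messages above (credentials delivered as a JSON document under the `sops.azure-kv` key of a Kubernetes Secret, only a limited set of options honoured, no file path references, and more than one JSON spelling in circulation), here is a small parser written for this page. It is not the controller's own code. The two field sets it accepts are assumptions: the `tenantId`/`clientId`/`clientSecret` spelling, and the `tenant`/`appId`/`password`/`displayName` spelling produced by `az ad sp create-for-rbac` that the AKS documentation linked above shows. Every sample value in it is constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// AzureKVCredentials is what the decryptor would hand to a client-secret
// credential: exactly the three values needed, nothing that names a file.
type AzureKVCredentials struct {
	TenantID     string
	ClientID     string
	ClientSecret string
}

// rawCredentials lists every JSON key this example is willing to read.
// Combined with DisallowUnknownFields below, any other key (for example
// something like "clientSecretPath" pointing at the controller's filesystem)
// makes the whole document invalid instead of being silently ignored.
// The key names are an assumption of this example, not stated on the page.
type rawCredentials struct {
	TenantID     string `json:"tenantId"`
	ClientID     string `json:"clientId"`
	ClientSecret string `json:"clientSecret"`
	Tenant       string `json:"tenant"`      // az CLI spelling
	AppID        string `json:"appId"`       // az CLI spelling
	Password     string `json:"password"`    // az CLI spelling
	DisplayName  string `json:"displayName"` // emitted by az CLI, unused here
}

// pick merges the two spellings of one field and refuses documents that
// carry both with different values, so a mixed file cannot pick a tenant
// the operator did not intend.
func pick(primary, alt, name string) (string, error) {
	switch {
	case primary != "" && alt != "" && primary != alt:
		return "", fmt.Errorf("sops.azure-kv: conflicting values for %s", name)
	case primary != "":
		return primary, nil
	default:
		return alt, nil
	}
}

// ParseAzureKVCredentials parses the decoded JSON bytes of the sops.azure-kv
// entry and validates that the three required values are present.
func ParseAzureKVCredentials(doc []byte) (*AzureKVCredentials, error) {
	dec := json.NewDecoder(bytes.NewReader(doc))
	dec.DisallowUnknownFields()
	var r rawCredentials
	if err := dec.Decode(&r); err != nil {
		return nil, fmt.Errorf("sops.azure-kv: %w", err)
	}
	var c AzureKVCredentials
	var err error
	if c.TenantID, err = pick(r.TenantID, r.Tenant, "tenant"); err != nil {
		return nil, err
	}
	if c.ClientID, err = pick(r.ClientID, r.AppID, "client id"); err != nil {
		return nil, err
	}
	if c.ClientSecret, err = pick(r.ClientSecret, r.Password, "client secret"); err != nil {
		return nil, err
	}
	var missing []string
	if c.TenantID == "" {
		missing = append(missing, "tenantId")
	}
	if c.ClientID == "" {
		missing = append(missing, "clientId")
	}
	if c.ClientSecret == "" {
		missing = append(missing, "clientSecret")
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("sops.azure-kv: missing %s", strings.Join(missing, ", "))
	}
	return &c, nil
}

// ParseAzureKVSecretData takes the value exactly as it sits under .data of a
// Kubernetes Secret, i.e. base64-encoded, and decodes it before parsing.
func ParseAzureKVSecretData(b64 string) (*AzureKVCredentials, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return nil, fmt.Errorf("sops.azure-kv: not valid base64: %w", err)
	}
	return ParseAzureKVCredentials(raw)
}

func main() {
	// Constructed sample, as it would appear under .data in the Secret.
	sample := base64.StdEncoding.EncodeToString([]byte(
		`{"appId":"00000000-0000-0000-0000-000000000001","displayName":"flux-sops","password":"example-secret","tenant":"00000000-0000-0000-0000-0000000000aa"}`))
	c, err := ParseAzureKVSecretData(sample)
	fmt.Println(c, err)
	// A document that tries to reference a file on disk is rejected outright.
	_, err = ParseAzureKVCredentials([]byte(`{"tenantId":"t","clientId":"c","clientSecretPath":"/var/run/secrets/azure"}`))
	fmt.Println(err)
}
```

Rejecting unknown keys is the simplest way to honour "a limited number of configuration options" without having to enumerate every path-like key a user might invent; the cost is that a newer client-side field is a hard error rather than a silent no-op, which for a credential document is the safer default.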