feat(docs): Azure Key Vault guide (#158)

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>

Author: migmartri

docs/guides/deployment/azure-keyvault/azure-1.png

@@ -0,0 +1,79 @@
+---
+title: Use Azure KeyVault as secrets backend
+---
+
+import Image from "@theme/IdealImage";
+
+A requirement to run your own Chainloop instance, is to have a secure credentials backend where sensitive information such as API tokens can be stored. 
+
+If you are running your instance in Azure, you might want to leverage the [Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault) secret backend for that purpose. 
+During this guide we'll walk you through the process of a) create/retrieve credentials and configure the Key Vault in Azure and b) deploy Chainloop using that new configuration.
+
+## Pre-requisites
+
+To configure your Chainloop instance with Azure KeyVault you'll need the following information from your Azure account:
+
+- Active Directory Tenant ID
+- Service Principal ID
+- Service Principal Secret
+- Vault URI
+
+We'll walk you through the process of how to find this information
+
+## Register an application to create the service principal
+
+First, you'll need to register an application in your Azure Active Directory tenant. You can do this using the Azure CLI or from the Azure portal
+
+![](./azure-1.png)
+
+Once done, in the application overview you should be able to find the tenantID, and Service principal ID
+
+![](./azure-3.png)
+
+Next, let's create a secret for the service principal.
+
+![](./azure-2.png)
+
+## Create a Vault instance and give permissions
+
+Next, we'll create a Key Vault (or you can use an existing one)
+
+![](./azure-4.png)
+
+Take a note on the Vault URI
+
+![](./azure-7.png)
+
+Next, in the Vault IAM section, let's give permissions to the service principal by clicking on Add Role Assignment.
+
+![](./azure-5.png)
+
+on the role assignment role, select "Key Vault Secrets officer"
+
+![](./azure-6.png)
+
+and in the members, search for the application we just registered
+
+![](./azure-8.png)
+
+That's all, we got all the information we need, let's just to the deployment.
+
+## Configure Chainloop deployment
+
+As explained in the [deployment guide](../k8s), you can configure the credentials backend using the `secretsBackend` section of the `values.yaml` file.
+
+Just put the information we gathered from the previous steps like this.
+
+```yaml
+secretsBackend:
+  backend: azureKeyVault
+  azureKeyVault:
+    tenantID: [TENANT_ID] # Active Directory Tenant ID
+    clientID: [CLIENT_ID] # Registered application / service principal client ID
+    clientSecret: [CLIENT_SECRET] # Service principal client secret
+    vaultURI: [VAULT URI] # Azure Key Vault URL
+```
+
+And deploy your Chainloop Control Plane with the update values to take effect.
+
+Now your Chainloop instance will automatically store any sensitive information in the Azure KeyVault instance you just configured.

docs/guides/deployment/azure-keyvault/azure-2.png

@@ -56,7 +56,7 @@ The Helm Chart in this mode includes
 During installation, you'll need to provide
 
 - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information)
-- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager)
+- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)
 - ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication
 
 Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair).
@@ -81,7 +81,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     --set casJWTPublicKey="$(cat public.pem)"
 ```
 
-Deploy using AWS secret manager instead of Vault
+Deploy using AWS Secrets Manager instead of Vault
 
 ```console
 helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
@@ -96,7 +96,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     # ...
 ```
 
-Deploy using GCP secret manager instead of Vault
+or using GCP Secret Manager
 
 ```console
 helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
@@ -110,6 +110,22 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     # ...
 ```
 
+or Azure KeyVault
+
+```console
+helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
+    # Open ID Connect (OIDC)
+    # ...
+    # Secrets backend
+    --set secretsBackend.backend=azureKeyVault \
+    --set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \
+    --set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \
+    --set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \
+    --set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI]
+    # Server Auth KeyPair
+    # ...
+```
+
 Connect to an external PostgreSQL database instead
 
 ```console
@@ -148,7 +164,7 @@ The Helm Chart in this mode includes
 During installation, you'll need to provide
 
 - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information)
-- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager)~~
+- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~
 - ~~ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication~~
 
 #### Installation Examples
@@ -315,9 +331,9 @@ controlplane:
     database: chainloop-controlplane-prod
 ```
 
-### Use AWS secret manager
+### Use AWS secrets manager
 
-You can swap the secret manager backend with the following settings
+Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file
 
 ```yaml
 secretsBackend:
@@ -330,7 +346,7 @@ secretsBackend:
 
 ### Use GCP secret manager
 
-You can swap the secret manager backend with the following settings
+Or [Google Cloud Secret Manager](https://cloud.google.com/secret-manager) with the following settings
 
 ```yaml
 secretsBackend:
@@ -340,6 +356,21 @@ secretsBackend:
     serviceAccountKey: [KEY]
 ```
 
+### Use Azure KeyVault
+
+[Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault/) is also supported
+
+```yaml
+secretsBackend:
+  backend: azureKeyVault
+  azureKeyVault:
+    tenantID: [TENANT_ID] # Active Directory Tenant ID
+    clientID: [CLIENT_ID] # Registered application / service principal client ID
+    clientSecret: [CLIENT_SECRET] # Service principal client secret
+    vaultURI: [VAULT URI] # Azure Key Vault URL
+
+```
+
 ### Send exceptions to Sentry
 
 You can configure different sentry projects for both the controlplane and the artifact CAS
@@ -397,7 +428,7 @@ chainloop config save \
 | `secretsBackend.vault.token`                        | Vault authentication token                                                                |             |
 | `secretsBackend.awsSecretManager.accessKey`         | AWS Access KEY ID                                                                         |             |
 | `secretsBackend.awsSecretManager.secretKey`         | AWS Secret Key                                                                            |             |
-| `secretsBackend.awsSecretManager.region`            | AWS Secret Manager Region                                                                 |             |
+| `secretsBackend.awsSecretManager.region`            | AWS Secrets Manager Region                                                                |             |
 | `secretsBackend.gcpSecretManager.projectId`         | GCP Project ID                                                                            |             |
 | `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key                                                                              |             |
 | `secretsBackend.azureKeyVault.tenantID`             | Active Directory Tenant ID                                                                |             |