-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SOPS: add support for Azure Key Vault credentials using SecretRef #495
Conversation
I have rebased my commit on the main branch to remove the preBuild dependency. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will try to get this reviewed on Monday, thanks in advance @dquagebeur 🙇
This is misleading, Flux does supports Azure Key Vault, here is the e2e tests that proves this https://github.com/fluxcd/flux2/blob/main/tests/azure/azure_test.go#L525 |
Yes, it's true. |
Right! This makes Flux usable on multi-tenant AKS clusters, it does solve the issue raised in #324 but only for Azure Key Vault. |
@dquagebeur please signoff your commits, see https://github.com/fluxcd/kustomize-controller/pull/495/checks?check_run_id=4266364175 |
hi @hiddeco, do you have any more changes before validating the PR ? |
I need to have another round on Microsoft internals on how they present things to their (groups) of users, as I am getting the sense that there are multiple instructions out there that people may use as a starting point. Meaning that we either need to guide them to not do this, or support multiple JSON structures. In addition, I need to have another look at the (various) SDK(s) we built upon, to ensure that besides rate limiting, I am not missing another setting to facilitate smooth operations. Thanks for making me aware of this @phillebaba 🙇 In any case, and given this touches the area of security, I do not want to rush this. Which means that with an eye on the holiday period that's arriving soon, many of us enjoying some well deserved time off then, and my current pile of TODOs. I think this is more likely to land at the beginning of 2022. |
Signed-off-by: David Quagebeur <david.quagebeur@worldline.com>
- Ensure key source follows upstream SOPS contracts as closely as possible (e.g. `MasterKey` interface). - Prevent unnecesary FS operations by allowing token creation and and authorizer configuration to be factored from file bytes. - Ensure a limited number of configuration option is taken into account, excluding e.g. file path references. - Ensure server maintains backwards compatibility with previously supported "global" Azure configuration, _without_ relying on file assumptions and/or inspections (but rather, server configurations). Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This updates to the `github.com/Azure/azure-sdk-for-go` SDK, which is the (apparent) successor of the previous SDK, and allows for easier configuration of credentials through the `azidentity` package. Signed-off-by: Hidde Beydals <hello@hidde.co>
This supports the fields as documented in the AKS documentation: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal Signed-off-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Hidde Beydals <hello@hidde.co>
This includes a refactor of the other entries, to start moving guides to the website while containing minimal technical (instructions) in-spec. Signed-off-by: Hidde Beydals <hello@hidde.co>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @hiddeco and @dquagebeur 🏅
Out of curiosity, what was the reasoning behind changing the pinned version of kustomize from |
@marshallford the version got bork during merge, we’ll do a patch release today with the right one, thanks for reporting this. |
This PR is to support Azure Keyvault for SOPS.
Azure credentials have to be provided in the SOPS secret under the key
sops.azure-kv
.