Documentation changes for Azure Key Vault support. (#704)

Signed-off-by: Vighnesh Shenoy <vshenoy@microsoft.com>
kedacore · Mar 16, 2022 · 910d1a5 · 910d1a5
1 parent b70cfdd
commit 910d1a5
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/content/docs/2.7/concepts/authentication.md b/content/docs/2.7/concepts/authentication.md
@@ -114,6 +114,20 @@ spec:
     - parameter: {scaledObject-parameter-name}        # Required.
       key: {hasicorp-vault-secret-key-name}           # Required.
       path: {hasicorp-vault-secret-path}              # Required.
+  azureKeyVault:                                      # Optional
+    vaultURI: {key-vault-address}                     # Required
+    credentials:                                      # Required
+      clientId: {azure-ad-client-id}                  # Required
+      clientSecret:                                   # Required
+        valueFrom:                                    # Required
+          secretKeyRef:                               # Required
+            name: {k8s-secret-with-azure-ad-secret}   # Required
+            key: {key-within-the-secret}              # Required
+      tenantId: {azure-ad-tenant-id}                  # Required
+    secrets:                                          # Required
+    - parameter: {param-name-used-for-auth}           # Required
+      name: {key-vault-secret-name}                   # Required
+      version: {key-vault-secret-version}             # Optional
 ```
 
 Based on the requirements you can mix and match the reference types providers in order to configure all required parameters.
@@ -207,6 +221,35 @@ hashiCorpVault:                                     # Optional.
     path: {hasicorp-vault-secret-path}              # Required.
 ```
 
+### Azure Key Vault secret(s)
+
+You can pull secrets from Azure Key Vault into the trigger by using the `azureKeyVault` key. 
+
+The `secrets` list defines the mapping between the key vault secret and the authentication parameter.
+
+Users need to register an application with Azure Active Directory, and grant "read secret" permissions on the Azure Key Vault. Learn more in the Azure
+Key Vault [documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
+
+The `clientId` and `tenantId` for the application
+are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a secret on the cluster.
+
+```yaml
+azureKeyVault:                                      # Optional
+  vaultURI: {key-vault-address}                     # Required
+  credentials:                                      # Required
+    clientId: {azure-ad-client-id}                  # Required
+    clientSecret:                                   # Required
+      valueFrom:                                    # Required
+        secretKeyRef:                               # Required
+          name: {k8s-secret-with-azure-ad-secret}   # Required
+          key: {key-within-the-secret}              # Required
+    tenantId: {azure-ad-tenant-id}                  # Required
+  secrets:                                          # Required
+  - parameter: {param-name-used-for-auth}           # Required
+    name: {key-vault-secret-name}                   # Required
+    version: {key-vault-secret-version}             # Optional
+```
+
 ### Pod Authentication Providers
 
 Several service providers allow you to assign an identity to a pod. By using that identity, you can defer authentication to the pod & the service provider, rather than configuring secrets.