Documentation changes for Azure Key Vault support. #704

Merged
merged 4 commits into from
Mar 16, 2022
Changes from 3 commits
43 changes: 43 additions & 0 deletions content/docs/2.7/concepts/authentication.md
@@ -114,6 +114,20 @@ spec:
- parameter: {scaledObject-parameter-name} # Required.
key: {hasicorp-vault-secret-key-name} # Required.
path: {hasicorp-vault-secret-path} # Required.
azureKeyVault: # Optional
vaultURI: {key-vault-address} # Required
credentials: # Required
clientId: {azure-ad-client-id} # Required
clientSecret: # Required
valueFrom: # Required
secretKeyRef: # Required
name: {k8s-secret-with-azure-ad-secret} # Required
key: {key-within-the-secret} # Required
tenantId: {azure-ad-tenant-id} # Required
secrets: # Required
- parameter: {param-name-used-for-auth} # Required
name: {key-vault-secret-name} # Required
version: {key-vault-secret-version} # Optional
```

Based on the requirements you can mix and match the reference types providers in order to configure all required parameters.
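Review bot: the new `azureKeyVault` block (from `azureKeyVault: # Optional` down to `version: {key-vault-secret-version} # Optional`) drops the trailing period that the neighbouring `hashiCorpVault` lines use in their comments (`# Required.`); pick one convention for the spec reference so the two providers read alike. More importantly, `version: {key-vault-secret-version} # Optional` does not say what is resolved when the field is omitted; the reference should state the default (for example, which version of the Key Vault secret is fetched) rather than leave readers to infer it, since pinning or not pinning a secret version is a deliberate choice in a scaler's authentication config.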
@@ -207,6 +221,35 @@ hashiCorpVault: # Optional.
path: {hasicorp-vault-secret-path} # Required.
```

### Azure Key Vault secret(s)

You can pull secrets from Azure Key Vault into the trigger by using the `azureKeyVault` key.

The `secrets` list defines the mapping between the key vault secret and the authentication parameter.

Users need to register an application with Azure Active Directory, and grand "read secret" permissions on the Azure Key Vault. Learn more in the Azure
Key Vault [documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal).

The `clientId` and `tenantId` for the application
are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a secret on the cluster.

```yaml
azureKeyVault: # Optional
vaultURI: {key-vault-address} # Required
credentials: # Required
clientId: {azure-ad-client-id} # Required
clientSecret: # Required
valueFrom: # Required
secretKeyRef: # Required
name: {k8s-secret-with-azure-ad-secret} # Required
key: {key-within-the-secret} # Required
tenantId: {azure-ad-tenant-id} # Required
secrets: # Required
- parameter: {param-name-used-for-auth} # Required
name: {key-vault-secret-name} # Required
version: {key-vault-secret-version} # Optional
```

### Pod Authentication Providers

Several service providers allow you to assign an identity to a pod. By using that identity, you can defer authentication to the pod & the service provider, rather than configuring secrets.
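Review bot: typo in `Users need to register an application with Azure Active Directory, and grand "read secret" permissions on the Azure Key Vault.`: "grand" should be "grant". In the same sentence, "read secret" is not a Key Vault permission name; the access-policy page linked right after it exposes secret permissions such as `Get`, and a least-privilege setup for this use case grants the application only `Get` on secrets (not `List`, `Set`, or `Delete`), so name the permission explicitly instead of paraphrasing it. The following paragraph (`The clientSecret for the application is expected to be within a secret on the cluster.`) would also benefit from a one-line caveat: whoever can read that Kubernetes Secret holds a credential that can fetch every Key Vault secret the application is granted, so the Key Vault policy should be scoped to just the secrets referenced in `secrets:`.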