Azure Kubernetes Service (AKS) with Azure Key Vault (AKV) Part 2— akv2k8s

Strictly speaking this should not be a part 2, because it does not build on part 1: it describes a different way of letting AKS consume resources from AKV. I call it part 2 so that people can pick either method and follow it end to end.

Step-by-Step Guidance

  • Get AKS user-assigned identity
  • Create an AKV
  • Grant that identity an access policy on the target AKV with `get` permission on both secrets and certificates. The certificate is created in AKV but ends up as a Kubernetes Secret in AKS, and AKV only exposes a certificate's private key through the secret endpoint of the same name, so get-certificate alone is not enough.
  • Install akv2k8s on AKS
  • Create an AzureKeyVaultSecret resource

The manifest (shown as a screenshot in the original post) has four values to fill in: the resource name, which is self-defined; `spec.vault.name`, the AKV name; `spec.vault.object.name`, the certificate within AKV; and `spec.output.secret.name`, the name of the Secret that will show up in your AKS namespace once it has been synchronized.
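The steps so far, as an added worked example that is not from the original post: a POSIX shell script that reads the cluster's kubelet identity, grants it `get` on both secrets and certificates, installs akv2k8s with Helm, and renders the AzureKeyVaultSecret manifest for a certificate. Resource group, cluster, vault, certificate and namespace names are placeholders; the `identityProfile.kubeletidentity` query path and the `spv-charts` Helm repository are the upstream ones, and the script assumes akv2k8s's default authentication (the cluster's own Azure credentials), which is why the kubelet identity is the one granted access. Set `RUN_SETUP=1` to actually run the cloud-side steps; without it the script only defines the functions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): wire an AKS cluster to AKV via
# akv2k8s. All names are placeholders; the AKS cluster must already exist.
set -eu

RG="${RG:-my-rg}"                    # assumption: resource group of the AKS cluster
LOCATION="${LOCATION:-eastus}"       # assumption: region for the new Key Vault
CLUSTER="${CLUSTER:-my-aks}"         # assumption: AKS cluster name
AKV="${AKV:-my-akv}"                 # assumption: Key Vault name
CERT_NAME="${CERT_NAME:-my-cert}"    # assumption: certificate object in AKV
APP_NS="${APP_NS:-demo}"             # assumption: namespace of the workload
TLS_SECRET="${TLS_SECRET:-my-tls}"   # Kubernetes Secret akv2k8s will create

# Step 1: akv2k8s authenticates with the cluster's own Azure credentials by
# default, i.e. the kubelet (agent pool) managed identity. Read its object id.
kubelet_identity_object_id() {
  az aks show -g "$RG" -n "$CLUSTER" \
    --query identityProfile.kubeletidentity.objectId -o tsv
}

# Steps 2 and 3: create the vault and grant the identity BOTH get-secret and
# get-certificate. AKV only hands out a certificate's private key through the
# secret of the same name, so get-certificate alone cannot build a TLS Secret.
create_vault_and_policy() {
  az keyvault create -g "$RG" -n "$AKV" -l "$LOCATION" >/dev/null
  az keyvault set-policy -n "$AKV" --object-id "$(kubelet_identity_object_id)" \
    --secret-permissions get --certificate-permissions get >/dev/null
}

# Step 4: install akv2k8s (controller + env-injector) from the upstream chart.
install_akv2k8s() {
  helm repo add spv-charts https://charts.spvapi.no >/dev/null
  helm repo update >/dev/null
  helm upgrade --install akv2k8s spv-charts/akv2k8s \
    --namespace akv2k8s --create-namespace
}

# Step 5: the AzureKeyVaultSecret that maps the AKV certificate to a native
# kubernetes.io/tls Secret (tls.crt + tls.key) in the workload namespace.
render_akvs_manifest() {
  cat <<EOF
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: ${CERT_NAME}-sync
  namespace: ${APP_NS}
spec:
  vault:
    name: ${AKV}
    object:
      name: ${CERT_NAME}
      type: certificate
  output:
    secret:
      name: ${TLS_SECRET}
      type: kubernetes.io/tls
EOF
}

# Decode the synced certificate to confirm it is the one from AKV.
show_synced_cert() {
  kubectl -n "$APP_NS" get secret "$TLS_SECRET" -o jsonpath='{.data.tls\.crt}' |
    base64 -d | openssl x509 -noout -subject -enddate
}

main() {
  create_vault_and_policy
  install_akv2k8s
  kubectl create namespace "$APP_NS" --dry-run=client -o yaml | kubectl apply -f -
  render_akvs_manifest | kubectl apply -f -
  kubectl -n "$APP_NS" get akvs
  show_synced_cert
}

if [ "${RUN_SETUP:-0}" = 1 ]; then main "$@"; fi
```

`kubectl get akvs` uses the short name the akv2k8s CRD registers; a row whose synced column never fills in is the cue to go to the troubleshooting section.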

  • Create a NGINX Ingress Controller

You could install the whole solution with the upstream one-liner (a `kubectl apply -f` of the deploy.yaml referenced below).

However, that creates all the resources in the namespace called “ingress-nginx”. If you would like to create them in your own namespace, first download the complete manifest from https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.45.0/deploy/static/provider/baremetal/deploy.yaml, then, in your Linux environment, replace the namespace references in it before applying. Note that the Namespace object itself and the admission webhook's `clientConfig.service.namespace` also say `ingress-nginx`, so a rewrite that only touches the `namespace:` lines of the workloads will leave the webhook pointing at the wrong namespace.

  • Create a test application Deployment, Service and Ingress
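An added example (not the post's own command) covering the last two steps: rewriting the namespace in the upstream ingress-nginx v0.45.0 manifest without renaming the resources, and a test Deployment, Service and Ingress whose `spec.tls.secretName` points at the Secret akv2k8s maintains. `edge`, `demo`, `my-tls` and `demo.example.com` are placeholders, and `sample_upstream_manifest` is a constructed stand-in for the parts of deploy.yaml that carry the namespace, included so the rewrite can be exercised offline; `RUN_SETUP=1` runs the cluster-side steps.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): install ingress-nginx v0.45.0 into
# a namespace of your choosing and expose a test app over TLS with the Secret
# that akv2k8s synced from Key Vault. Names are placeholders.
set -eu

INGRESS_NS="${INGRESS_NS:-edge}"       # assumption: where the controller should live
APP_NS="${APP_NS:-demo}"               # assumption: workload namespace
TLS_SECRET="${TLS_SECRET:-my-tls}"     # Secret produced by the AzureKeyVaultSecret
HOST="${HOST:-demo.example.com}"       # assumption: a SAN of the AKV certificate
DEPLOY_URL="https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.45.0/deploy/static/provider/baremetal/deploy.yaml"

# The upstream manifest says `namespace: ingress-nginx` on every namespaced
# object and on the ValidatingWebhookConfiguration's clientConfig.service, and
# names the Namespace object itself `ingress-nginx`. Only those are rewritten;
# resource names such as ingress-nginx-controller-admission and the
# app.kubernetes.io/name labels stay, unlike with a blanket s/ingress-nginx/.../g.
rewrite_namespace() {  # $1 = new namespace; manifest on stdin
  sed -e "s/^\([ -]*namespace: \)ingress-nginx\$/\1$1/" \
      -e "/^kind: Namespace\$/,/^---\$/s/^\(  name: \)ingress-nginx\$/\1$1/"
}

install_ingress_nginx() {
  curl -fsSL "$DEPLOY_URL" | rewrite_namespace "$INGRESS_NS" | kubectl apply -f -
}

# Test workload plus an Ingress whose spec.tls names the synced Secret.
render_app_manifests() {
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata: {name: hello, namespace: ${APP_NS}}
spec:
  replicas: 1
  selector: {matchLabels: {app: hello}}
  template:
    metadata: {labels: {app: hello}}
    spec:
      containers:
      - {name: hello, image: nginx:1.21, ports: [{containerPort: 80}]}
---
apiVersion: v1
kind: Service
metadata: {name: hello, namespace: ${APP_NS}}
spec:
  selector: {app: hello}
  ports: [{port: 80, targetPort: 80}]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata: {name: hello, namespace: ${APP_NS}}
spec:
  ingressClassName: nginx
  tls:
  - hosts: [${HOST}]
    secretName: ${TLS_SECRET}
  rules:
  - host: ${HOST}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend: {service: {name: hello, port: {number: 80}}}
EOF
}

# If the Secret in spec.tls does not exist yet, the controller silently serves
# its built-in "Kubernetes Ingress Controller Fake Certificate", so check the
# subject/issuer actually presented. $1 = controller address, $2 = HTTPS NodePort.
verify_tls() {
  openssl s_client -connect "$1:$2" -servername "$HOST" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer
}

# Constructed stand-in for the namespace-carrying parts of deploy.yaml (not the
# real file), so rewrite_namespace can be tried without network access.
sample_upstream_manifest() {
  cat <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
---
kind: ValidatingWebhookConfiguration
webhooks:
- clientConfig:
    service:
      namespace: ingress-nginx
      name: ingress-nginx-controller-admission
EOF
}

main() {
  install_ingress_nginx
  render_app_manifests | kubectl apply -f -
  kubectl -n "$INGRESS_NS" get svc ingress-nginx-controller
}

if [ "${RUN_SETUP:-0}" = 1 ]; then main "$@"; fi
```

After `main` has run, take a node IP and the HTTPS NodePort from the Service listing and call `verify_tls <node-ip> <port>`; the subject should be the AKV certificate's, not the controller's fake one.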

Demonstration

Troubleshooting

If you run into problems, such as the AzureKeyVaultSecret (AKVS) resource not being able to fetch the AKV object and turn it into a Kubernetes Secret, the first thing to do is check the akv2k8s controller logs and see what the error messages say.

For me personally, I was blocked by a lack of required permissions. The AKS user-assigned identity needs both get-secret and get-certificate permissions within AKV, but I had only given it get-certificate. After adding the right permission, the identity could retrieve the certificate without issues.
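The checks that go with this troubleshooting section, as an added example that is not from the post: shell functions for the sync status, the controller logs and the access policy the identity actually holds. The `akv2k8s` namespace and `akv2k8s-controller` deployment name assume the default Helm release name; `missing_gets` is an offline helper that tells you which of the two `get` permissions an access policy lacks, and the sample inputs in its usage are constructed.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): what to look at when an
# AzureKeyVaultSecret never produces its Secret.
set -eu

AKV="${AKV:-my-akv}"        # assumption: Key Vault name
APP_NS="${APP_NS:-demo}"    # assumption: namespace holding the AzureKeyVaultSecret

# 1. Sync status as the controller records it on the resource.
akvs_status() { kubectl -n "$APP_NS" get akvs; }

# 2. Controller logs. Assumption: chart installed as release "akv2k8s" in
#    namespace "akv2k8s", giving a deployment named akv2k8s-controller.
controller_logs() { kubectl -n akv2k8s logs deploy/akv2k8s-controller --tail=100; }

# 3. The permissions the identity really has on the vault.
#    $1 = objectId of the identity, $2 = "secrets" or "certificates".
#    Output: the permission names, space separated, on one line.
policy_perms() {
  az keyvault show -n "$AKV" \
    --query "accessPolicies[?objectId=='$1'].permissions.$2[]" -o tsv | tr '\n' ' '
}

# Offline check: given the two permission lists, report which `get` is missing.
# AKV stores a certificate's private key behind the secret of the same name, so
# akv2k8s needs get on both to emit a kubernetes.io/tls Secret. Permission names
# come back as "get" or "Get" depending on how the policy was written; compare
# case-insensitively. Prints "ok" or the missing permission(s).
missing_gets() {
  s=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  c=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  missing=""
  case " $s " in *" get "*) ;; *) missing="secrets/get" ;; esac
  case " $c " in *" get "*) ;; *) missing="${missing:+$missing }certificates/get" ;; esac
  printf '%s\n' "${missing:-ok}"
}

# Put 3 and the check together. $1 = objectId of the akv2k8s identity.
audit_identity() {
  missing_gets "$(policy_perms "$1" secrets)" "$(policy_perms "$1" certificates)"
}
```

Typical use is `audit_identity "$(az aks show -g <rg> -n <cluster> --query identityProfile.kubeletidentity.objectId -o tsv)"`; the exact failure described above shows up as `secrets/get`, and a brand-new identity with no policy at all as `secrets/get certificates/get`.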

For more troubleshooting tips, refer to the troubleshooting section of the official akv2k8s documentation.

That is it! This is the other way to let AKS consume AKV resources as native Secrets and use them in the NGINX Ingress Controller. I hope this saves some people the time of digging through several sets of documentation. Happy learning!

For more information, please check

Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!