Implemented automatic fetching secrets from Azure KeyVault

2025-05-29 21:37:20 +00:00 · 2025-05-29 21:37:20 +00:00 · 80dca16646
commit 80dca16646
parent 9c1c1bdd70
4 changed files with 73 additions and 0 deletions
--- a/deployment/deploy.yaml
+++ b/deployment/deploy.yaml
@ -44,9 +44,18 @@ spec:
          volumeMounts:
            - name: mysql-pv
              mountPath: /var/lib/mysql
+            - name: secrets-store
+              mountPath: "/mnt/secrets"
+              readOnly: true
      volumes:
        - name: mysql-pv
          emptyDir: {}
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "dev-aks"
 ---
 # MySQL Service
 apiVersion: v1
@ -87,6 +96,17 @@ spec:
                secretKeyRef:
                  name: sqlalchemy-database-uri
                  key: SQLALCHEMY_DATABASE_URI
+          volumeMounts:
+            - name: secrets-store
+              mountPath: "/mnt/secrets"
+              readOnly: true
+      volumes:
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "dev-aks"
 ---
 # API Service
 apiVersion: v1
--- a/deployment/ingress.yaml
+++ b/deployment/ingress.yaml
--- a/deployment/rbac-role.yaml
+++ b/deployment/rbac-role.yaml
@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: deployer-binding
+subjects:
+- kind: User
+  name: daabce80-f745-413f-8377-00472517521c
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
--- a/deployment/secret-store.yaml
+++ b/deployment/secret-store.yaml
@ -0,0 +1,41 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: dev-aks
+  namespace: todolist
+spec:
+  provider: azure
+  secretObjects:
+    - secretName: todolist-sqlalchemy-database-uri
+      type: Opaque
+      data:
+        - objectName: todolist-sqlalchemy-database-uri
+          key: SQLALCHEMY_DATABASE_URI
+    - secretName: todolist-mysql-password
+      type: Opaque
+      data:
+        - objectName: todolist-mysql-password
+          key: MYSQL_PASSWORD
+    - secretName: todolist-mysql-root-password
+      type: Opaque
+      data:
+        - objectName: todolist-mysql-root-password
+          key: MYSQL_ROOT_PASSWORD
+  parameters:
+    usePodIdentity: "false"
+    useVMManagedIdentity: "true"
+    userAssignedIdentityID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+    clientID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd"               # client_id of the user-assigned managed identity
+    keyvaultName: "dev-aks"
+    objects:  |
+      array:
+        - |
+          objectName: todolist-sqlalchemy-database-uri
+          objectType: secret
+        - |
+          objectName: todolist-mysql-password
+          objectType: secret
+        - |
+          objectName: todolist-mysql-root-password
+          objectType: secret
+    tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"