From b85a5dfd9ab8954128e05a9d66d48e8813e0ec51 Mon Sep 17 00:00:00 2001
From: Marcin-Ramotowski
Date: Tue, 6 May 2025 21:57:43 +0000
Subject: [PATCH] Implemented automatic fetching secrets from Azure KeyVault
---
 deploy.yaml | 26 ++++++++++++++++++++------
 namespace.yaml | 5 +++++
 secret-store.yaml | 41 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 6 deletions(-)
 create mode 100644 namespace.yaml
 create mode 100644 secret-store.yaml
diff --git a/deploy.yaml b/deploy.yaml
index 5683c0f..3c71a91 100644
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -1,10 +1,4 @@
 ---
-# Namespace (opcjonalnie)
-apiVersion: v1
-kind: Namespace
-metadata:
- name: user-microservice
----
 # MySQL Deployment
 apiVersion: apps/v1
 kind: Deployment
@@ -44,9 +38,18 @@ spec:
 volumeMounts:
 - name: mysql-pv
 mountPath: /var/lib/mysql
+ - name: secrets-store
+ mountPath: "/mnt/secrets"
+ readOnly: true
 volumes:
 - name: mysql-pv
 emptyDir: {}
+ - name: secrets-store
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "azure-kvname"
 ---
 # MySQL Service
 apiVersion: v1
@@ -87,6 +90,17 @@ spec:
 secretKeyRef:
 name: sqlalchemy-database-uri
 key: SQLALCHEMY_DATABASE_URI
+ volumeMounts:
+ - name: secrets-store
+ mountPath: "/mnt/secrets"
+ readOnly: true
+ volumes:
+ - name: secrets-store
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: "azure-kvname"
 ---
 # API Service
 apiVersion: v1
diff --git a/namespace.yaml b/namespace.yaml
new file mode 100644
index 0000000..3c8803a
--- /dev/null
+++ b/namespace.yaml
@@ -0,0 +1,5 @@
+# Namespace (opcjonalnie)
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: user-microservice
diff --git a/secret-store.yaml b/secret-store.yaml
new file mode 100644
index 0000000..8fc590b
--- /dev/null
+++ b/secret-store.yaml
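Review bot: In the API Deployment hunk (`@@ -87,6 +90,17 @@`), mounting the shared `azure-kvname` class at `/mnt/secrets` places every object in that class — including `mysql-root-password` and `mysql-password` — on disk in the API container as plaintext files, even though the container only consumes `SQLALCHEMY_DATABASE_URI` via `secretKeyRef`; the symmetric mount added to the MySQL Deployment likewise hands the database pod the application's connection URI. Because the CSI mount exists only to trigger the Secret sync, define one SecretProviderClass per workload listing just the objects that workload needs and point each Deployment at its own, e.g. `secretProviderClass: "azure-kvname-api"` here and `secretProviderClass: "azure-kvname-mysql"` in the MySQL pod. Separately, the SecretProviderClass is pinned to `namespace: user-microservice` while the Namespace now lives in `namespace.yaml`, so `kubectl apply -f deploy.yaml` on its own no longer creates it and the Deployments must be applied into that namespace for the class to resolve — the Deployment metadata is outside these hunks, so confirm it carries `namespace: user-microservice`. The `# Namespace (opcjonalnie)` ("optional") comment in `namespace.yaml` is no longer accurate now that the secret sync depends on it; I would change it to `# Namespace (required: the SecretProviderClass and synced Secrets are scoped to it)`.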
@@ -0,0 +1,41 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: azure-kvname
+ namespace: user-microservice
+spec:
+ provider: azure
+ secretObjects:
+ - secretName: sqlalchemy-database-uri
+ type: Opaque
+ data:
+ - objectName: sqlalchemy-database-uri
+ key: SQLALCHEMY_DATABASE_URI
+ - secretName: mysql-password
+ type: Opaque
+ data:
+ - objectName: mysql-password
+ key: MYSQL_PASSWORD
+ - secretName: mysql-root-password
+ type: Opaque
+ data:
+ - objectName: mysql-root-password
+ key: MYSQL_ROOT_PASSWORD
+ parameters:
+ usePodIdentity: "false"
+ useVMManagedIdentity: "true"
+ userAssignedIdentityID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+ clientID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+ keyvaultName: "dev-aks"
+ objects: |
+ array:
+ - |
+ objectName: sqlalchemy-database-uri
+ objectType: secret
+ - |
+ objectName: mysql-password
+ objectType: secret
+ - |
+ objectName: mysql-root-password
+ objectType: secret
+ tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"
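Review bot: `useVMManagedIdentity: "true"` ties Key Vault access to the node pool's user-assigned identity rather than to this workload, so any pod scheduled on those nodes can request a token for `0c2780e4-…` from the instance metadata endpoint and read all three secrets, regardless of namespace or service account. Prefer Azure AD Workload Identity — a federated credential on a dedicated ServiceAccount, `useVMManagedIdentity: "false"`, and only `clientID` set — so the grant follows the pod; as written, `userAssignedIdentityID` and `clientID` carrying the same value looks like the two modes were mixed, so confirm which parameter the installed provider version actually honours and drop the other. Note also that `secretObjects` mirrors each object into a Kubernetes Secret in etcd, widening the audience from "holders of the Key Vault grant" to "anyone with `get secrets` in `user-microservice`", and such a Secret only exists while a pod mounts the volume; verify etcd encryption at rest and namespace RBAC on `secrets`, and consider leaving `mysql-root-password` out of the sync unless something consumes it via `secretKeyRef`. A short comment above `secretObjects` such as `# Driver-managed Secrets: created on mount, deleted when the last mounting pod goes away; do not apply these from a manifest` would save the next maintainer from hand-creating them.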