From 0c02c20995f2bee4d2bb3c1695694d66e9858bc9 Mon Sep 17 00:00:00 2001
From: Marcin-Ramotowski
Date: Mon, 12 May 2025 20:52:29 +0000
Subject: [PATCH] Implemented automatic fetching ACR password from Azure KeyVault

---
 argo-workflows/build.yaml | 21 ++++++++++++---------
 argo-workflows/secret-store.yaml | 25 +++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 argo-workflows/secret-store.yaml

diff --git a/argo-workflows/build.yaml b/argo-workflows/build.yaml
index 8c83393..7fb693c 100644
--- a/argo-workflows/build.yaml
+++ b/argo-workflows/build.yaml
@@ -23,6 +23,13 @@ spec:
 resources:
 requests:
 storage: 128Mi
+ volumes:
+ - name: secrets-store
+ csi:
+ driver: secrets-store.csi.k8s.io
+ readOnly: true
+ volumeAttributes:
+ secretProviderClass: azure-keyvault
 templates:
 # 🔁 Main steps sequence
@@ -112,21 +119,14 @@ spec:
 ./dgoss run -e SQLALCHEMY_DATABASE_URI=sqlite:///:memory: $DOCKER_IMAGE > /workspace/goss_junit.xml
 echo "===> Logging into ACR"
+ ACR_PASSWORD=$(cat /mnt/secrets/acr-password)
 echo "$ACR_PASSWORD" | docker login {{workflow.parameters.registry_server}} -u $ACR_USERNAME --password-stdin
 echo "===> Pushing image to ACR"
 docker push $DOCKER_IMAGE
 env:
 - name: ACR_USERNAME
- valueFrom:
- secretKeyRef:
- name: acr-creds
- key: username
- - name: ACR_PASSWORD
- valueFrom:
- secretKeyRef:
- name: acr-creds
- key: password
+ value: marcin00
 securityContext:
 privileged: true
 volumeMounts:
@@ -134,6 +134,9 @@ spec:
 mountPath: /workspace
 - name: docker-library
 mountPath: /var/lib/docker
+ - name: secrets-store
+ mountPath: "/mnt/secrets"
+ readOnly: true
 volumes:
 - name: docker-library
 emptyDir: {}
diff --git a/argo-workflows/secret-store.yaml b/argo-workflows/secret-store.yaml
new file mode 100644
index 0000000..09e2502
--- /dev/null
+++ b/argo-workflows/secret-store.yaml
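Review bot: The new `secrets-store` volume depends on a SecretProviderClass named `azure-keyvault` existing in the same namespace as the workflow pod, and the one this commit adds is pinned to `namespace: argo`; nothing in the hunk shows which namespace the workflow runs in, so a mismatch would only surface as a mount failure at pod start. A comment on the volume would make the dependency visible: `# requires the SecretProviderClass in argo-workflows/secret-store.yaml, in the same namespace as the workflow pod`. The enclosing `spec:` mapping starts before the hunk, so I cannot tell whether `volumes:` sits at workflow or template level here.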
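Review bot: `value: marcin00` hard-codes the registry account name into the workflow manifest in place of the removed `acr-creds` secretKeyRef; the account name is less sensitive than the password, but it is environment-specific and now diverges from how the registry host is supplied via `{{workflow.parameters.registry_server}}`, so a workflow parameter such as `value: "{{workflow.parameters.acr_username}}"` (a constructed parameter name to add next to `registry_server`) keeps both pieces of the login configurable in one place. Separately, `ACR_PASSWORD=$(cat /mnt/secrets/acr-password)` yields an empty string when the CSI mount is missing or unpopulated, and `docker login` then fails with an unrelated authentication error; a guard such as `ACR_PASSWORD=$(cat /mnt/secrets/acr-password) || { echo "ACR password not mounted" >&2; exit 1; }` fails at the real cause. The script's header is outside the hunk, so I cannot tell whether `set -e` already applies.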
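Review bot: `mountPath: "/mnt/secrets"` is double-quoted while the sibling mounts in the same list use plain scalars (`mountPath: /workspace`, `mountPath: /var/lib/docker`); the value contains nothing that needs quoting, so `mountPath: /mnt/secrets` keeps the list consistent. The `readOnly: true` on the mount is fine and matches the `readOnly: true` on the CSI volume in the first hunk.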
@@ -0,0 +1,25 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+ name: azure-keyvault
+ namespace: argo
+spec:
+ provider: azure
+ secretObjects:
+ - secretName: acr-creds
+ type: Opaque
+ data:
+ - objectName: acr-password
+ - key: password
+ parameters:
+ usePodIdentity: "false"
+ useVMManagedIdentity: "true"
+ userAssignedIdentityID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+ clientID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+ keyvaultName: "dev-aks"
+ objects: |
+ array:
+ - |
+ objectName: acr-password
+ objectType: secret
+ tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"
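Review bot: Under `secretObjects[0].data`, `- objectName: acr-password` and `- key: password` are two separate list items, so the provider receives one entry without a `key` and one without an `objectName`; both fields belong to a single item, i.e. `- objectName: acr-password` followed by `key: password` indented to align with `objectName`. Since build.yaml now reads the password from the mounted file rather than from the `acr-creds` Secret, the whole `secretObjects` block appears to be unused, and dropping it would keep the ACR password out of a namespace-readable Kubernetes Secret, which presumably is the point of moving it to Key Vault. `userAssignedIdentityID` and `clientID` carry the same GUID with an identical comment; as far as I know only `userAssignedIdentityID` is consulted when `useVMManagedIdentity` is `"true"`, so the duplicate is at best confusing — confirm against the provider documentation and keep one.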