Getting secret values to your application, like credentials for external services and database connection strings, is critical to application delivery. The Key Vault CSI driver enables you to leverage the Kubernetes Container Storage Interface to mount Azure Key Vault data (i.e. secrets and certificates) as files or environment variables on your pod. In this step you'll enable the Key Vault CSI driver and then use it to pull a secret value into a pod.
Make sure the following are complete before setting up the CSI driver
- Cluster is provisioned and accessible via 'kubectl'
- You've completed the Workload Identity lab
- The Key Vault CSI Drive must be enabled on the AKS cluster as a managed add-on
- Workload Identity must be used to access the key vault, NOT pod identity
- A test pod must be created with a secret mounted in the following two ways:
- Secret value mounted into a file
- Secret value loaded into an environment variable
- Enable the Key Vault CSI driver managed add-on on the AKS cluster
- Ensure Workload Identity is properly configured
- Create the Managed Identity and Federated Service Principal that will access the key vault
- Create the Key Vault and add a secret
- Create the secret provider configuration
- Deploy a pod that mounts the secret and test
Useful links: