Azure Key Vault to Kubernetes (akv2k8s for short) makes it simple and secure to use Azure Key Vault secrets, keys and certificates in Kubernetes.
Azure Key Vault To Kubernetes

Project status: Stable - multiple financial institutions are running this project on production Kubernetes clusters

Read the announcement: https://mrdevops.io/introducing-azure-key-vault-to-kubernetes-931f82364354

Full documentation available at https://akv2k8s.io

Overview

Azure Key Vault to Kubernetes (akv2k8s) has two components for handling Azure Key Vault Secrets in Kubernetes:

  • Azure Key Vault Controller
  • Azure Key Vault Env Injector

The Azure Key Vault Controller (Controller for short) synchronizes Secrets, Certificates and Keys from Azure Key Vault to native Secrets in Kubernetes.

The Azure Key Vault Env Injector (Env Injector for short) is a Kubernetes Mutating Webhook that transparently injects Azure Key Vault secrets as environment variables into programs running in containers, without touching disk or in any other way exposing the actual secret content outside the program.
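To make the mutating-webhook mechanism concrete, here is an added example (not code from the akv2k8s project): a minimal admission handler that, for a Pod that opts in via an annotation, patches in a tmpfs-backed emptyDir volume (medium: Memory, so nothing staged there touches disk), an init container that would stage the injector, and a mount of that volume in every app container. The annotation key, the init container image and the mount path are hypothetical placeholders, and the AdmissionReview/Pod structs are hand-written subsets rather than the k8s.io/api types; in production the mutate function would sit behind an HTTPS handler that the API server calls.

```go
package main

// Added example, not akv2k8s code: the mutating-webhook mechanism behind the Env Injector.
import (
	"encoding/json"
	"fmt"
)

// Hypothetical names; the project's real annotation, image and paths are documented at https://akv2k8s.io.
const (
	optInAnnotation = "example.local/akv-env-inject"
	injectorImage   = "REPLACE-WITH-INJECTOR-IMAGE" // placeholder
	volumeName      = "akv-injector"
	mountPath       = "/akv"
)

// Hand-written subsets of AdmissionReview and Pod; a real webhook would use the k8s.io/api types.
type admissionReview struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    *struct {
		UID    string          `json:"uid"`
		Object json.RawMessage `json:"object"`
	} `json:"request,omitempty"`
	Response *admissionResponse `json:"response,omitempty"`
}
type admissionResponse struct {
	UID       string `json:"uid"`
	Allowed   bool   `json:"allowed"`
	PatchType string `json:"patchType,omitempty"`
	Patch     []byte `json:"patch,omitempty"` // encoding/json base64-encodes it, as the API server expects
}
type pod struct {
	Metadata struct{ Annotations map[string]string `json:"annotations"` } `json:"metadata"`
	Spec     struct {
		Containers     []struct{ VolumeMounts []json.RawMessage `json:"volumeMounts"` } `json:"containers"`
		InitContainers []json.RawMessage `json:"initContainers"`
		Volumes        []json.RawMessage `json:"volumes"`
	} `json:"spec"`
}
type patchOp struct { // one RFC 6902 JSON Patch operation
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// JSON Patch "add" on a missing list fails, so create the list when absent and append with "/-" otherwise.
func addOp(path string, exists bool, v interface{}) patchOp {
	if !exists {
		return patchOp{"add", path, []interface{}{v}}
	}
	return patchOp{"add", path + "/-", v}
}

// buildPatch returns the operations for an opted-in Pod, or nil so a Pod that did not opt in is admitted unchanged.
func buildPatch(p pod) []patchOp {
	if p.Metadata.Annotations[optInAnnotation] != "true" {
		return nil
	}
	mount := map[string]string{"name": volumeName, "mountPath": mountPath}
	ops := []patchOp{
		// medium: Memory backs the volume with tmpfs, so nothing staged there touches disk.
		addOp("/spec/volumes", p.Spec.Volumes != nil,
			map[string]interface{}{"name": volumeName, "emptyDir": map[string]string{"medium": "Memory"}}),
		addOp("/spec/initContainers", p.Spec.InitContainers != nil,
			map[string]interface{}{"name": "akv-injector-init", "image": injectorImage, "volumeMounts": []map[string]string{mount}}),
	}
	for i, c := range p.Spec.Containers { // every app container gets the in-memory volume
		ops = append(ops, addOp(fmt.Sprintf("/spec/containers/%d/volumeMounts", i), c.VolumeMounts != nil, mount))
	}
	return ops
}

// mutate turns an AdmissionReview request into the response the API server expects: same UID, allowed, plus a JSONPatch when the Pod opted in.
func mutate(body []byte) ([]byte, error) {
	var review admissionReview
	if err := json.Unmarshal(body, &review); err != nil || review.Request == nil {
		return nil, fmt.Errorf("invalid AdmissionReview")
	}
	var p pod
	if err := json.Unmarshal(review.Request.Object, &p); err != nil {
		return nil, fmt.Errorf("request object is not a Pod: %w", err)
	}
	resp := &admissionResponse{UID: review.Request.UID, Allowed: true}
	if ops := buildPatch(p); ops != nil {
		resp.PatchType = "JSONPatch"
		resp.Patch, _ = json.Marshal(ops) // maps and strings only; marshalling cannot fail
	}
	return json.Marshal(admissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp})
}

func main() {
	// Constructed sample request: one opted-in Pod with two containers, no volumes and no init containers yet.
	sample := `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"1","object":{"metadata":{"annotations":{"example.local/akv-env-inject":"true"}},"spec":{"containers":[{"name":"app"},{"name":"sidecar"}]}}}}`
	out, err := mutate([]byte(sample))
	if err != nil { panic(err) }
	fmt.Println(string(out)) // prints the review with a base64-encoded JSON Patch in response.patch
}
```

Two details matter for a webhook like this: the response must echo the request UID or the API server rejects it, and a JSON Patch "add" against a list that does not exist fails, so the patch has to create `volumes`, `initContainers` or a container's `volumeMounts` when absent and append with the `/-` form when present.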

Goals

The goals for this project were:

  1. Avoid a direct program dependency on Azure Key Vault for getting secrets, and adhere to the 12 Factor App principle for configuration (https://12factor.net/config)
  2. Make it simple, secure and low risk to transfer Azure Key Vault secrets into Kubernetes as native Kubernetes secrets
  3. Securely and transparently be able to inject Azure Key Vault secrets as environment variables to applications, without having to use native Kubernetes secrets

All of these goals are met.

Requirements

  • Kubernetes version >= 1.9
  • Enabled admission controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook
  • RBAC enabled
  • Default authentication requires Kubernetes cluster running in Azure - use custom authentication if running outside Azure

Installation

It's recommended to use Helm charts for installation:

Controller: https://github.com/SparebankenVest/public-helm-charts/tree/master/stable/azure-key-vault-controller

Env Injector: https://github.com/SparebankenVest/public-helm-charts/tree/master/stable/azure-key-vault-env-injector

For more details, see full documentation at https://akv2k8s.io.

Installation without Helm

If Helm cannot be used in the cluster, run Helm on a local computer to generate the Kubernetes manifests, like so:

helm install --debug --dry-run <options>

See the individual Helm charts above for <options>.

Credits

Credit goes to Banzai Cloud for coming up with the original idea of environment injection for their bank-vaults solution, which they use to inject Hashicorp Vault secrets into Pods.

Contributing

Development of Azure Key Vault for Kubernetes happens in the open on GitHub, and we encourage users to:

  • Send a pull request with any security issues found and fixed
  • Send a pull request with your new features and bug fixes
  • Report issues on security or other issues you have come across
  • Help new users with issues they may encounter
  • Support the development of this project and star this repo!

Code of Conduct

Sparebanken Vest has adopted a Code of Conduct that we expect project participants to adhere to. Please read the full text so that you can understand what actions will and will not be tolerated.

License

Azure Key Vault to Kubernetes is licensed under Apache License 2.0.