Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
126 lines (93 sloc) 5.42 KB
title metaTitle metaDescription index
See the complete reference and options for all akv2k8s resources.

The AzureKeyVaultSecret resource

The AzureKeyVaultSecret is defined using this schema:

kind: AzureKeyVaultSecret
  name: < name for azure key vault secret>
  namespace: <namespace for azure key vault secret>
    name: <name of azure key vault>
      name: <name of azure key vault object to sync>
      type: <object type in azure key vault to sync>
      version: <optional - version of object to sync>
      contentType: <only used when type is the special multi-key-value-secret - either application/x-json or application/x-yaml>
  output: # ignored by env injector, required by controller to output kubernetes secret
      name: <name of the kubernetes secret to create>
      dataKey: <required when type is opaque - name of the kubernetes secret data key to assign value to - ignored for all other types>
      type: <optional - kubernetes secret type - defaults to opaque>

Note - the output is only used by the Controller to create the Azure Key Vault secret as a Kubernetes native Secret - it is ignored and not needed by the Env Injector.

Vault object types

Object type Description
secret Azure Key Vault Secret - can contain any secret data
certificate Azure Key Vault Certificate - A TLS certificate with just the public key or both public and private key if exportable
key Azure Key Vault Key - A RSA or EC key used for signing
multi-key-value-secret A special kind of Azure Key Vault Secret only understood by the Controller and the Env Injector. For cases where a secret contains json or yaml key/value items that will be directly exported as key/value items in the Kubernetes secret, or access with queries in the Evn Injector. When multi-key-value-secret type is used, the contentType property MUST also be set to either application/x-json or application/x-yaml.

See Examples for different usages.

The Controller

Make sure the Controller is installed in the Kubernetes cluster, then:

Create AzureKeyVaultSecret resources to synchronize into native Kubernetes secrets. Note that the output section is mandatory:

      name: <required - name of the kubernetes secret to create>
      dataKey: <required when type is opaque - name of the kubernetes secret data key to assign value to - ignored for all other types>
      type: <optional - kubernetes secret type - defaults to opaque>

Note-1: Pods in Kubernetes currently do not get notifications when Secret resources change, and Pods will have to be re-created or use something like the Wave controller ( to get the changes

Note-2: By default the Controller auto sync secrets every 10 minutes (configurable) and depending on how many secrets are synchronized can cause extra usage costs of Azure Key Vault.

Commonly used Kubernetes secret types

The default secret type (spec.output.secret.type) is opaque. Below is a list of supported Kubernetes secret types and which keys each secret type stores.

For a complete list:

Secret type Keys
opaque (default) defined in spec.output.secret.dataKey tls.key, tls.crt .dockerconfigjson .dockercfg username, password ssh-privatekey

With the exception of the opaque secret type, the Controller will make a best effort to export the Azure Key Vault object into the secret type defined.

By pointing to a exportable Certificate object in Azure Key Vault AND setting the Kubernetes output secret type to, the controller will automatically format the Kubernetes secret accordingly both for pem and pfx certificates.

Requires a well formatted docker config stored in a Secret object like this:

  "auths": {
    "": {
      "username": "someuser",
      "password": "somepassword",
      "email": "",
      "auth": "c29tZXVzZXI6c29tZXBhc3N3b3JkCg=="

If the "auth" property is not included, the controller will generate it.

The controller support two formats. Either username:password or pre-encoded with base64: dXNlcm5hbWU6cGFzc3dvcmQ= stored in a Secret object.

This must be a properly formatted Private SSH Key stored in a Secret object.

The Env Injector

Make sure the Env Injector is installed in the Kubernetes cluster, then:

  1. Set the azure-key-vault-env-injection label for the namespace(s) where the secret is going to be used
  2. Create AzureKeyVaultSecret resources references secrets in Azure Key Vault
  3. Inject into applications using syntax below, referencing to the AzureKeyVaultSecret in 2.
  - name: <name of environment variable>
    value: <name of AzureKeyVaultSecret>@azurekeyvault?<optional field query>
You can’t perform that action at this time.