chainloop-dev · migmartri · Oct 17, 2023 · Oct 17, 2023 · Oct 17, 2023 · Oct 17, 2023
diff --git a/app/artifact-cas/README.md b/app/artifact-cas/README.md
@@ -20,7 +20,7 @@ Its structure contains the following top to down layers.
 
 ## System Dependencies
 
-The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secret Manager](https://aws.amazon.com/secrets-manager/) AND [GCP Secret Manager](https://cloud.google.com/secret-manager).
+The CAS proxy **has only one running dependency**. A secret storage backend to retrieve the OCI repository credentials. Currently, we support [Hashicorp Vault](https://www.vaultproject.io/), [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) AND [GCP Secret Manager](https://cloud.google.com/secret-manager).
 
 This secret backend is used to download OCI repository credentials (repository path + key pair) during upload/downloads. This makes the Artifact CAS multi-tenant by default since the destination OCI backend gets selected at runtime.
 

diff --git a/app/controlplane/configs/samples/config.yaml b/app/controlplane/configs/samples/config.yaml
@@ -27,7 +27,6 @@ cas_server:
 
 # Where to store credentials such as OCI registries or third party integrations secrets
 credentials_service:
-  # You can use either vault or aws secret manager
   vault:
     address: ${VAULT_ADDRESS:http://0.0.0.0:8200}
     token: ${VAULT_TOKEN:notasecret}

diff --git a/deployment/chainloop/README.md b/deployment/chainloop/README.md
@@ -50,7 +50,7 @@ The Helm Chart in this mode includes
 During installation, you'll need to provide
 
 - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information)
-- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager)
+- Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)
 - ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication
 
 Instructions on how to create the ECDSA keypair can be found [here](#generate-a-ecdsa-key-pair).
@@ -75,7 +75,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     --set casJWTPublicKey="$(cat public.pem)"
 ```
 
-Deploy using AWS secret manager instead of Vault
+Deploy using AWS Secrets Manager instead of Vault
 
 ```console
 helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
@@ -90,7 +90,7 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     # ...
 ```
 
-Deploy using GCP secret manager instead of Vault
+or using GCP Secret Manager
 
 ```console
 helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
@@ -104,6 +104,22 @@ helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
     # ...
 ```
 
+or Azure KeyVault
+
+```console
+helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
+    # Open ID Connect (OIDC)
+    # ...
+    # Secrets backend
+    --set secretsBackend.backend=azureKeyVault \
+    --set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \
+    --set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \
+    --set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \
+    --set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI]
+    # Server Auth KeyPair
+    # ...
+```
+
 Connect to an external PostgreSQL database instead
 
 ```console
@@ -142,7 +158,7 @@ The Helm Chart in this mode includes
 During installation, you'll need to provide
 
 - Open ID Connect Identity Provider (IDp) settings i.e [Auth0 settings](https://auth0.com/docs/get-started/applications/application-settings#basic-information)
-- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secret Manager](https://aws.amazon.com/secrets-manager)~~
+- ~~Connection settings for a secrets storage backend, either [Hashicorp Vault](https://www.vaultproject.io/) or [AWS Secrets Manager](https://aws.amazon.com/secrets-manager)~~
 - ~~ECDSA (ES512) key-pair used for Controlplane <-> CAS Authentication~~
 
 #### Installation Examples
@@ -309,9 +325,9 @@ controlplane:
     database: chainloop-controlplane-prod
 ```
 
-### Use AWS secret manager
+### Use AWS secrets manager
 
-You can swap the secret manager backend with the following settings
+Instead of using [Hashicorp Vault](https://www.vaultproject.io/) (default), you can use [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) by adding these settings in your `values.yaml` file
 
 ```yaml
 secretsBackend:
@@ -324,7 +340,7 @@ secretsBackend:
 
 ### Use GCP secret manager
 
-You can swap the secret manager backend with the following settings
+Or [Google Cloud Secret Manager](https://cloud.google.com/secret-manager) with the following settings
 
 ```yaml
 secretsBackend:
@@ -334,6 +350,21 @@ secretsBackend:
     serviceAccountKey: [KEY]
 ```
 
+### Use Azure KeyVault
+
+[Azure KeyVault](https://azure.microsoft.com/en-us/products/key-vault/) is also supported
+
+```yaml
+secretsBackend:
+  backend: azureKeyVault
+  azureKeyVault:
+    tenantID: [TENANT_ID] # Active Directory Tenant ID
+    clientID: [CLIENT_ID] # Registered application / service principal client ID
+    clientSecret: [CLIENT_SECRET] # Service principal client secret
+    vaultURI: [VAULT URI] # Azure Key Vault URL
+
+```
+
 ### Send exceptions to Sentry
 
 You can configure different sentry projects for both the controlplane and the artifact CAS
@@ -391,7 +422,7 @@ chainloop config save \
 | `secretsBackend.vault.token`                        | Vault authentication token                                                                |             |
 | `secretsBackend.awsSecretManager.accessKey`         | AWS Access KEY ID                                                                         |             |
 | `secretsBackend.awsSecretManager.secretKey`         | AWS Secret Key                                                                            |             |
-| `secretsBackend.awsSecretManager.region`            | AWS Secret Manager Region                                                                 |             |
+| `secretsBackend.awsSecretManager.region`            | AWS Secrets Manager Region                                                                |             |
 | `secretsBackend.gcpSecretManager.projectId`         | GCP Project ID                                                                            |             |
 | `secretsBackend.gcpSecretManager.serviceAccountKey` | GCP Auth Key                                                                              |             |
 | `secretsBackend.azureKeyVault.tenantID`             | Active Directory Tenant ID                                                                |             |

diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -29,7 +29,6 @@ secretsBackend:
   ##
   secretPrefix: "chainloop"
 
-  # Either vault, AWS secret manager or GCP secret manager enabled at the same time
   ## @extra secretsBackend.vault.address Vault address
   ## @extra secretsBackend.vault.token Vault authentication token
   ##
@@ -39,7 +38,7 @@ secretsBackend:
 
   ## @extra secretsBackend.awsSecretManager.accessKey AWS Access KEY ID
   ## @extra secretsBackend.awsSecretManager.secretKey AWS Secret Key
-  ## @extra secretsBackend.awsSecretManager.region AWS Secret Manager Region
+  ## @extra secretsBackend.awsSecretManager.region AWS Secrets Manager Region
   ##
   # awsSecretManager:
   #   accessKey: ""

diff --git a/devel/README.md b/devel/README.md
@@ -19,7 +19,7 @@ To get up and running you'll need
 Chainloop requires some configuration to be in place such as
 
 - PostgreSQL 14 connection from the Control plane
-- Access to a secrets manager. Currently Hashicorp Vault and AWS secret manager are supported.
+- Access to a secrets manager. Currently Hashicorp Vault, AWS Secrets Manager, GCP Secret Manager and Azure KeyVault are supported.
 - Open ID connect (OIDC) single sign-on credentials.
 
 Luckily, you can leverage the provided docker compose file that can be found in the `devel` directory to do all the setup for you.