Work items:
@yaron2 I completed my GTM issues so I will pick it up today.
cc/ @msfussell
Key vault secretstore authenticates keyvault resource with Service Prinicpal. Key vault secretstore will support not only standalone mode but also kubernetes mode with the shared component yaml. In both modes, user needs to provide tenant Id, client id, and certificate for the app representing service principal. Standalone mode uses PKS#12(PFX) certificate located in local disk while Kubernetes mode uses the certs in Kubeneretes secret store by leveraging the existing Kubernetes secretstore implementation.
apiVersion: actions.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
spec:
type: secretstores.keyvault
metadata:
- name: vaultName
value: actions-sample-vault
- name: spnTenantId
value: "72f988bf-86f1-41af-91ab-2d7cd011db47"
- name: spnClientId
value: "61a33746-1198-49ec-91a5-eaa9140889e3"
- name: spnCertificateFile
value: ./cert/spn-cert.pfx
apiVersion: actions.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
spec:
type: secretstores.keyvault
metadata:
- name: vaultName
value: actions-sample-vault
- name: spnTenantId
value: "72f988bf-86f1-41af-91ab-2d7cd011db47"
- name: spnClientId
value: "61a33746-1198-49ec-91a5-eaa9140889e3"
- name: spnCertificate
secretKeyRef:
name: keyvaultSecret
key: spncert
auth:
secretStore: kubernetes
The secrets in user's Keyvault are referenced by using secretKeyRef object instead of value property. Unlike one secret in K8S secret store represents a map data type which stores multiple key-values, Azure Keyvault secret is a string data type so that Keyvault secretstore uses only name property in secretKeyRef object to look up secret in Azure Keyvault and key property value will be ignored.
apiVersion: actions.io/v1alpha1
kind: Component
metadata:
name: statestore
spec:
type: state.redis
metadata:
- name: redisPassword
secretKeyRef:
name: redisSecret
- name: redisHost
value: "localhost:6379"
auth:
secretStore: azurekeyvault
@yaron2 @amanbha @Haishi2016 Please review the mini-spec for keyvault secret store - https://github.com/actionscore/actions/issues/372#issuecomment-532908932
BTW, Kudos to @yaron2. the spec is written really well!
Could you please explain following in a bit more detail:
_Unlike Kubernetes secretstore implementation, Keyvault secretstore uses only name property in secretKeyRef object to look up secret in Azure Keyvault, but key property value must be default. For example, if component yaml uses the different value for key property, the secret value will be empty string._
Could you please explain following in a bit more detail:
_Unlike Kubernetes secretstore implementation, Keyvault secretstore uses only name property in secretKeyRef object to look up secret in Azure Keyvault, but key property value must be default. For example, if component yaml uses the different value for key property, the secret value will be empty string._
In Kubernetes, one secret can have multiple key-values so secretKeyRef object has two properties; name and key.
secretKeyRef:
name: redisSecret
key: password
but in Keyvault, one secret is a string data type unless we serialize object to json.
(in the example, redisSecret is keyvault secret name, password value in key property is useless)
I would like to allow key property to use default or something else. Or maybe it is better ignoring key property value.
@amanbha ignoring key property makes more sense for keyvault. I will update the spec.
Most helpful comment
Overview
Key vault secretstore authenticates keyvault resource with Service Prinicpal. Key vault secretstore will support not only standalone mode but also kubernetes mode with the shared component yaml. In both modes, user needs to provide tenant Id, client id, and certificate for the app representing service principal. Standalone mode uses PKS#12(PFX) certificate located in local disk while Kubernetes mode uses the certs in Kubeneretes secret store by leveraging the existing Kubernetes secretstore implementation.
Metadata
Register secretstore component
Standalone mode example
Kubernetes mode example
Use secret via keyvault secret store
The secrets in user's Keyvault are referenced by using
secretKeyRefobject instead ofvalueproperty. Unlike one secret in K8S secret store represents a map data type which stores multiple key-values, Azure Keyvault secret is a string data type so that Keyvault secretstore uses onlynameproperty insecretKeyRefobject to look up secret in Azure Keyvault andkeyproperty value will be ignored.Open questions
Reference