From d84e70c1881dc3452660902a66bc97d507f5fb47 Mon Sep 17 00:00:00 2001
From: Jorge Turrado
Date: Fri, 4 Nov 2022 13:58:17 +0100
Subject: [PATCH 1/2] feat: explain how to use pod identity for Azure Key Vault

Signed-off-by: Jorge Turrado
---
 .../docs/2.9/authentication-providers/azure-key-vault.md | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/content/docs/2.9/authentication-providers/azure-key-vault.md b/content/docs/2.9/authentication-providers/azure-key-vault.md
index eee27a637..1905d6f2a 100644
--- a/content/docs/2.9/authentication-providers/azure-key-vault.md
+++ b/content/docs/2.9/authentication-providers/azure-key-vault.md
@@ -7,9 +7,9 @@ You can pull secrets from Azure Key Vault into the trigger by using the `azureKe
 The `secrets` list defines the mapping between the key vault secret and the authentication parameter.
 
-Currently pod identity providers are not supported for key vault.
+Currently, `azure` and `azure-workload` pod identity providers are supported for key vault using the podIdentity block inside `azureKeyVault`.
 
-You need to register an [application](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with Azure Active Directory and specify its credentials. The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource.
+Service principal authentication is also supported, needing to register an [application](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with Azure Active Directory and specifying its credentials. The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource.
 
 Ensure that "read secret" permissions have been granted to the Azure AD application on the Azure Key Vault.
 
 Learn more in the Azure Key Vault [documentation](https://docs.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal).
@@ -19,7 +19,10 @@ The `cloud` parameter can be used to specify cloud environments besides `Azure P
 ```yaml
 azureKeyVault: # Optional.
 vaultUri: {key-vault-address} # Required.
-credentials: # Required.
+podIdentity: # Optional.
+provider: azure | azure-workload # Required.
+identityId: # Optional
+credentials: # Optional.
 clientId: {azure-ad-client-id} # Required.
 clientSecret: # Required.
 valueFrom: # Required.
From 1fbe409e711f7f4a1480920b3a9337e995b30f8b Mon Sep 17 00:00:00 2001
From: Jorge Turrado Ferrero
Date: Fri, 4 Nov 2022 15:32:06 +0100
Subject: [PATCH 2/2] Update content/docs/2.9/authentication-providers/azure-key-vault.md

Co-authored-by: Tom Kerkhove
Signed-off-by: Jorge Turrado Ferrero
---
 content/docs/2.9/authentication-providers/azure-key-vault.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/docs/2.9/authentication-providers/azure-key-vault.md b/content/docs/2.9/authentication-providers/azure-key-vault.md
index 1905d6f2a..41b6588fb 100644
--- a/content/docs/2.9/authentication-providers/azure-key-vault.md
+++ b/content/docs/2.9/authentication-providers/azure-key-vault.md
@@ -7,7 +7,7 @@ You can pull secrets from Azure Key Vault into the trigger by using the `azureKe
 The `secrets` list defines the mapping between the key vault secret and the authentication parameter.
 
-Currently, `azure` and `azure-workload` pod identity providers are supported for key vault using the podIdentity block inside `azureKeyVault`.
+Currently, `azure` and `azure-workload` pod identity providers are supported for Azure Key Vault using `podIdentity` inside `azureKeyVault`.
 
 Service principal authentication is also supported, needing to register an [application](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) with Azure Active Directory and specifying its credentials. The `clientId` and `tenantId` for the application are to be provided as part of the spec. The `clientSecret` for the application is expected to be within a kubernetes secret in the same namespace as the authentication resource.