Securely Managing Secrets in AKS with Azure Key Vault and External Secrets

Managing secrets in Kubernetes clusters is a critical part of securing applications in production. One widely used tool for this is External Secrets (the External Secrets Operator, ESO), which lets a cluster fetch sensitive data from an external secret store such as Azure Key Vault instead of carrying it in manifests. In this article, we walk through integrating Azure Key Vault with an AKS (Azure Kubernetes Service) cluster through External Secrets, using a TLS certificate in PKCS#12 (PFX) format as the secret we manage.
What is External Secrets?
External Secrets is an open-source Kubernetes operator that bridges external secret management systems and the cluster. You declare an ExternalSecret resource that points at an entry in a provider such as Azure Key Vault, AWS Secrets Manager or HashiCorp Vault; the operator fetches the value, writes it into a native Kubernetes Secret object and keeps it in sync on a refresh interval. Pods then consume that Secret as they would any other, through a volume mount or an environment variable.
By using External Secrets, you centralize secret management in the external store and keep sensitive values out of Kubernetes manifests and Git repositories. Two caveats matter in practice. First, the operator still materializes the value as a Kubernetes Secret, so it lives in etcd and anyone with RBAC permission to read Secrets in that namespace can read it; keep Secrets RBAC tight and enable etcd encryption (on AKS, the Key Vault KMS etcd encryption feature). Second, the operator needs its own identity to authenticate to Azure Key Vault, and that identity's read permission on the vault is the real trust boundary; scope it to the one vault it needs and grant only read access to secrets.
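To make the operator's model concrete, here is an added example (not from the original article) of the two manifests the later steps build toward, written for External Secrets' Azure Key Vault provider: a SecretStore that authenticates with Azure AD Workload Identity, and an ExternalSecret that copies the PFX behind a Key Vault certificate into a Kubernetes Secret. The vault name `my-kv`, the certificate name `my-tls-cert`, the service account `external-secrets-sa` and the client ID in the annotation are placeholder values assumed here; the managed identity federated with that service account must hold the Key Vault Secrets User role (or the Get permission on secrets under access policies) on the vault.

```yaml
# Added example: External Secrets manifests for pulling a PFX out of Azure Key Vault.
# Assumed placeholders: my-kv, my-tls-cert, external-secrets-sa and the client ID below.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: default
  annotations:
    # Client ID of the user-assigned managed identity federated with this SA (assumed value)
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-kv
  namespace: default
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "https://my-kv.vault.azure.net"
      serviceAccountRef:
        name: external-secrets-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-tls-pfx
  namespace: default
spec:
  refreshInterval: 1h          # re-read the vault hourly so a renewed certificate propagates
  secretStoreRef:
    kind: SecretStore
    name: azure-kv
  target:
    name: my-tls-pfx           # the Kubernetes Secret the operator creates
    creationPolicy: Owner      # the operator owns the Secret and removes it with the ExternalSecret
  data:
    - secretKey: cert.pfx
      remoteRef:
        # Key Vault exposes a certificate's PFX (certificate plus private key) through the
        # secret endpoint of the same name; the provider's default object type is "secret".
        key: my-tls-cert
        decodingStrategy: Base64   # the vault returns base64 text; store raw PKCS#12 bytes
```

Once applied, `kubectl get externalsecret my-tls-pfx` should report a Ready condition and a Secret named `my-tls-pfx` with a `cert.pfx` key appears in the namespace; a pod mounts it as a volume like any other Secret. Note what the `decodingStrategy` line does: Key Vault hands the PFX back as base64 text, and without decoding the Secret would hold base64 of the PFX rather than the PKCS#12 bytes an application expects.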
Overview of the Example
In this guide, we will:
- Create an AKS cluster.
- Set up an Azure Key Vault to store a certificate.
- Generate a sample certificate in PFX format and upload it to Azure Key Vault.
- Deploy External Secrets on AKS.
- Fetch the PFX certificate from Azure Key Vault into Kubernetes using External Secrets.
- Verify that the certificate is correctly retrieved and stored in the Kubernetes cluster.
Step 1: Deploying an AKS Cluster
First, we need to create an AKS cluster where our application will run. You can do this with the Azure CLI. The flags below create a single-node cluster for demonstration: `--enable-addons monitoring` turns on Container Insights (provisioning a Log Analytics workspace if none is specified), and `--generate-ssh-keys` creates an SSH key pair for the nodes if one does not already exist. If you intend to authenticate External Secrets to Key Vault with Azure AD Workload Identity, the cluster also needs the OIDC issuer and workload identity enabled (`--enable-oidc-issuer --enable-workload-identity`), which you can pass at creation or add later with `az aks update`.
# Variables
RESOURCE_GROUP="myResourceGroup"
AKS_NAME="myAKSCluster"
LOCATION="eastus"
# Create a resource group
az group create --name $RESOURCE_GROUP --location $LOCATION
# Create an AKS cluster
az aks create \
--resource-group $RESOURCE_GROUP \
--name $AKS_NAME \
--node-count 1 \
--enable-addons monitoring \
--generate-ssh-keys