You are looking at the documentation of a prior release. To read the documentation of the latest release, please
visit here.
New to KubeVault? Please start here.
mode.azureKeyVault
To use azureKeyVault mode specify mode.azureKeyVault
. In this mode, unseal keys and root token will be stored in Azure Key Vault as secret.
spec:
unsealer:
mode:
azureKeyVault:
vaultBaseURL: <vault_base_url>
tenantID: <tenant_id>
clientCertSecret: <secret_name>
aadClientSecret: <secret_name
useManagedIdentity: <true/false>
cloud: <cloud_environment_identifier>
mode.azureKeyVault
has the following fields:
azureKeyVault.vaultBaseURL
azureKeyVault.vaultBaseURL
is a required field that specifies the Azure key vault URL.
spec:
unsealer:
mode:
azureKeyVault:
vaultBaseURL: "https://myvault.vault.azure.net"
azureKeyVault.tenantID
azureKeyVault.tenantID
is a required field that specifies Azure Active Directory tenant ID.
spec:
unsealer:
mode:
azureKeyVault:
tenantID: "aaa-ddd-ffff-343455"
azureKeyVault.clientCertSecret
azureKeyVault.clientCertSecret
is an optional field that specifies the name of the secret containing client cert and client cert password. The secret contains the following fields:
client-cert
client-cert-password
spec:
unsealer:
mode:
azureKeyVault:
clientCertSecret: "azure-client-cert-cred"
azureKeyVault.aadClientSecret
azureKeyVault.aadClientSecret
is an optional field that specifies the name of the secret containing client id and client secret of AAD application. The secret contains the following fields:
client-id
client-secret
spec:
unsealer:
mode:
azureKeyVault:
aadClientSecret: "azure-aad-client-cred"
azureKeyVault.useManageIdentity
azureKeyVault.useManageIdentity
is an optional field that specifies to use managed service identity for the virtual machine.
spec:
unsealer:
mode:
azureKeyVault:
useManageIdentity: true
Note: One of
azureKeyVault.clientCertSecret
orazureKeyVault.aadClientSecret
orazureKeyVault.useManageIdentity
has to be specified.
azureKeyVault.cloud
azureKeyVault.cloud
is an optional field that specifies the cloud environment identifier. If it is not specified, then AZUREPUBLICCLOUD
will be used as default.
spec:
unsealer:
mode:
azureKeyVault:
cloud: "AZUREGERMANCLOUD"