HiveBrain v1.2.0
Get Started
← Back to all entries
snippetkubernetesMinor

Is it possible to create a tls kubernetes secret using Azure Key Vault data resources in Terraform?

Submitted by: @import:stackexchange-devops··
0
Viewed 0 times
createtlskubernetesvaultpossibleazureusingsecretresourcesdata

Problem

I have a certificate file and a private key file that I am using to implement tls encrypted traffic for several different k8s pods running under an NGINX ingress load balancer. This works fine (i.e. the web apps are visible and show as secure in a browser) if I create the kubernetes.io/tls secret in either of these ways:

  • Use kubectl: kubectl create secret my-tls-secret --key --cert .



  • Reference those files locally in terraform:



resource "kubernetes_secret" "my_tls_secret" {
metadata {
name = "my-tls-secret"
}

type = "kubernetes.io/tls"

data = {
"tls.crt" = file("${path.module}/certfile.cer"),
"tls.key" = file("${path.module}/keyfile.key")
}
}


However, neither of these methods are ideal because for #1, it turns my terraform plan/apply steps into 2-step processes and for #2, I don't want to commit the key file to source control for security reasons.

So, my question is: is there a way to do this by using some combination of Azure Key Vault data resources (i.e. keys, secrets or certificates)?

I have tried the following:

  • Copy/pasting the cert and key into key vault secrets (have also tried this with base64 encoding the values before pasting them into the key vault and using base64decode() around the tls.crt and tls.key values in the Terraform):



data "azurerm_key_vault_secret" "my_private_key" {
name = "my-private-key"
key_vault_id = data.azurerm_key_vault.mykv.id
}

data "azurerm_key_vault_secret" "my_certificate" {
name = "my-certificate"
key_vault_id = data.azurerm_key_vault.mykv.id
}

resource "kubernetes_secret" "my_tls_secret" {
metadata {
name = "my-tls-secret"
}

type = "kubernetes.io/tls"

data = {
"tls.crt" = data.azurerm_key_vault_secret.my_certificate.value,
"tls.key" = data.azurerm_key_vault_secret.my_private_key.value
}
}


  • Tried importing the cert as an Azure key vault certificate and accessing its attributes like so:



`data "azurerm_key_vault_certificate_data" "m

Solution

Method #1 from the original post works - the key point I was missing was how I was getting the cert/key into Azure KeyVault. As mentioned in the post, I was copy/pasting the text from the files into the web portal secret creation UI. Something was getting lost in translation doing it this way. The right way to do it is to use the Azure CLI, like so:

az keyvault secret set --vault-name  --name my-private-key --file 

az keyvault secret set --vault-name  --name my-certificate --file 

Code Snippets

az keyvault secret set --vault-name <vault name> --name my-private-key --file <path to key file>

az keyvault secret set --vault-name <vault name> --name my-certificate --file <path to cert file>

Context

StackExchange DevOps Q#17180, answer score: 1

Revisions (0)

No revisions yet.