Integrating Argocd with Azure Key Vault for Secure Kubernetes

Argocd can be integrated with Azure Key Vault to securely store and manage sensitive data, such as API keys and certificates.

This integration allows you to store your Kubernetes cluster's API server certificate in Azure Key Vault, which can then be used by Argocd to authenticate with the cluster.

Argocd can retrieve the certificate from Azure Key Vault and use it to authenticate with the cluster, eliminating the need to hardcode sensitive data in your application.

By using Azure Key Vault, you can ensure that your sensitive data is encrypted and protected from unauthorized access.

To configure Azure Key Vault with ArgoCD, you'll need to create a Secret in Kubernetes, specifically in the argocd namespace. This Secret will hold the required environment variables for the argocd-vault-plugin.

The required environment variables are the Vault address, Vault token, Vault role ID, Vault secret ID, and Vault namespace. You can store these variables in a file called argocd-vault-plugin-credentials.yaml and then create a Secret in Kubernetes using this file.

To make this Secret available to the argocd-repo-server pods, you'll need to add an envFrom pointing to the Secret in the argocd-repo-server deployment. This will allow the argocd-vault-plugin to use the environment variables to authenticate with your Azure Key Vault instance.

Once you've configured the plugin, you can create a secret within Vault by enabling the kv-v2 store and giving your AppRole role ID permissions to access the secret path. In ArgoCD, you can then perform a hard refresh to test the plugin.

Accessing secrets from AKS clusters is a bit different from accessing them from a VM. You need to set the policy to access secrets in your key vault.

To access secrets from an AKS cluster, you'll need to set up Kubernetes authentication on Vault. This involves enabling the Kubernetes Auth method and configuring it with the URL of the Kubernetes API server, Kubernetes CA certificate, and a token reviewer JWT.

These parameters can be obtained using three specific commands, which can then be set using the Vault UI.

To create an AKS cluster, you need to enable the Azure Key Vault Provider for Secrets Store CSI Driver capability. This involves creating an identity called azureKeyvaultSecretsProvider that will be used to access Azure resources.

The add-on creates this identity, and you should take note of the identity's clientId in the output. This clientId will be used to access the Key Vault.

With the identity created, you can now proceed with setting up your AKS cluster.

You can access secrets from AKS clusters by setting the policy to access secrets in your key vault. To do this, you'll need to create an AKS cluster with Azure Key Vault Provider for Secrets Store CSI Driver capability.

To create an AKS cluster, you'll need to add the Azure Key Vault Provider for Secrets Store CSI Driver capability. This will create an identity called azureKeyvaultSecretsProvider, which you'll use to access Azure resources.

The identity's client ID will be used to access the Key Vault. Take note of it in the output. You can then use this client ID to access the Key Vault and retrieve the secrets.

To access the secrets from the AKS cluster, you'll need to create a SecretProviderClass. This will use the Secrets Store CSI Driver for Kubernetes secrets to access the secrets from the Key Vault.

A SecretProviderClass is created using a YAML file, which specifies the user-assigned identity ID, key vault name, tenant ID, and the objects to retrieve from the key vault. You'll need to replace these values with your own.

Once you've created the SecretProviderClass, you can create a test pod that uses the SPC to mount the secret as a file. This will allow you to verify that the secret is created and mounted as a file in the pod.

After the pod is up and running, you can verify that the secret is created and mounted as a file in the pod. This will confirm that the SecretProviderClass is working correctly.

To configure the argocd-vault-plugin, you'll need to create a secret in Kubernetes using a file called argocd-vault-plugin-credentials.yaml. This file should contain the required environment variables for AppRole authentication, which include VAULT_ADDR, VAULT_SKIP_VERIFY, VAULT_APPROLE_ID, VAULT_APPROLE_SECRET_ID, and VAULT_APPROLE_SECRET.

You can then create the secret in Kubernetes using a command that points to the correct cluster. To make the secret available as environment variables in the argocd-repo-server pods, you'll need to add an envFrom pointing to the secret you just created. This will allow the plugin to communicate with your Vault instance.

To configure the argocd-vault-plugin, you'll need to set up environment variables, a Kubernetes secret, or a config file.

There are 5 required variables to configure AppRole as the authentication method. These include VAULT_ADDR, VAULT_SKIP_VERIFY, VAULT_NAMESPACE, AVP_ROLE_ID, and AVP_SECRET_ID.

You can add these variables to Kubernetes as a Secret within the argocd namespace. Create a file called argocd-vault-plugin-credentials.yaml and paste the required variables into that file. Make sure to replace the values with your actual Vault values.

Then, create the secret in Kubernetes by running a command, making sure your Kubernetes context is pointing to the correct cluster.

Next, make the secret available as environment variables in the argocd-repo-server pods. Go back to the argocd-repo-server deployment and add an envFrom pointing to the secret you just created.

The supported annotations for plugin configuration are quite extensive. We support several different annotations that can be used inside a Kubernetes resource, which will override any corresponding configuration set via Environment Variable or Configuration File.

One of these annotations is `avp.kubernetes.io/path`, which specifies the path to the Vault Secret. This is a crucial piece of information for the plugin to function correctly.

Another important annotation is `avp.kubernetes.io/remove-missing`, which tells the plugin not to throw an error when a key is missing from the Vault Secret. This is only effective on Secret or ConfigMap resources.

Here's a list of the supported annotations:

These annotations can be used to customize the plugin's behavior and ensure it works seamlessly with your Kubernetes resources.

Authentication and Permissions are crucial when working with ArgoCD and Azure Key Vault.

To create a VM and assign permissions, you'll need to use the az vm create command and create a system-assigned identity for the VM.

The VM needs an identity, and permissions can be assigned to the identity so that the VM can access Key Vault using those permissions defined in the identity.

You'll also need to assign the previously created identity permissions to the key vault.

For Kubernetes authentication, you'll need to enable the Kubernetes Auth method on Vault and configure your authentication method with the URL of the Kubernetes API server, Kubernetes CA certificate, and a token reviewer JWT.

You can obtain all the required parameters using three commands, and then proceed to create a named role for ArgoCD Vault Plugin to authenticate against the Vault server.

The token expires after 24 hours, so be sure to update it regularly.

To create a SecretProviderClass, you'll need to create a YAML file with your own values for userAssignedIdentityID, keyvaultName, tenantId, and the objects to retrieve from your key vault.

Then, create a test pod that uses the SPC to mount the secret as a file, and verify that the secret is created and mounted as a file in the pod.

Argocd Azure Key Vault is a fantastic tool for managing secrets and configuration in your Azure environment. It's a centralized service that securely stores and manages sensitive data, such as API keys, passwords, and certificates.

Argocd is a GitOps tool that automates the deployment of applications in a secure and version-controlled manner, and it integrates seamlessly with Azure Key Vault to store and retrieve sensitive data.

Argocd Azure Key Vault uses Azure Active Directory (AAD) for authentication and authorization, which provides a secure and scalable way to manage access to sensitive data.

Argocd supports multiple Azure Key Vault versions, including Azure Key Vault 1.0 and Azure Key Vault 2.0, which allows for flexibility and compatibility with different Azure environments.

The integration between Argocd and Azure Key Vault is based on the Azure Key Vault REST API, which provides a secure and programmatic way to interact with the service.

Environment variables are a great way to pass sensitive data to your ArgoCD app manifest, especially when you have multiple teams using the same Vault but different namespaces. This approach is best suited for non-sensitive data like the Vault namespace.

You can pass environment variables in the ArgoCD app manifest, like setting VAULT_NAMESPACE to the appropriate value for each team. This way, you avoid exposing sensitive tokens in plain text.

To configure the argocd-vault-plugin, you'll need to set up environment variables in your Kubernetes cluster. There are five required variables for AppRole authentication: VAULT_ADDR, VAULT_ROLE_ID, VAULT_SECRET_ID, VAULT_NAMESPACE, and VAULT_SKIP_VERIFY.

You can create a Kubernetes secret to store these variables and then point the argocd-repo-server pods to it using an envFrom configuration. This will make the variables available as environment variables in the pods.