How to configure "Kubernetes KMS plugin for Azure Key Vault" with Azure CLI?

5/1/2019

I am working with Kubernetes on Azure. I created and configured the Azure Kubernetes Service and Azure Container Registry with the Azure command line interface (CLI) - I have a repository full of Azure CLI bash scripts that create/destroy my cloud infrastructure.

I plan to deploy to Kubernetes using Helm. I plan to use Helm Secrets to encrypt secrets and I am hoping I can use Azure Key Vault to store the encryption keys that encrypt/decrypt the "secrets".

I am now trying to create and configure the Azure Key Vault to work with Azure Kubernetes Service. I can see how I could create a Key Vault with the Azure CLI but the documentation for kubernetes-kms suggests that if you configure Kubernetes a certain way then the Key Vault will be automatically created and this will be configured to communicate with Azure Kubernetes Service.

"We have added this feature to aks-engine so that you do not have to worry about any of the manual steps to set this up."

The documentation talks about editing a "kubernetesConfig". I've not seen a "kubernetesConfig" anywhere yet - I guess that is what you would have if you created your components using Azure Resource Manager (ARM) Templates.

How do I get Azure Key Vault working with kubernetes-kms using Azure CLI?

e.g. adding enableEncryptionWithExternalKms to the Kubernetes configuration and adding an objectId attribute to the service principal.

-- Mark McLaren
azure
azure-aks
azure-keyvault
azure-kubernetes
kubernetes

1 Answer

5/1/2019

You cannot do that with AKS. You don't have access to masters to configure them.

-- 4c74356b41
Source: StackOverflow