[Feature][Add] Added support for azure key vault (#12)

* Added support for azure key vault

Signed-off-by: iamabhishek-dubey <abhishekbhardwaj510@gmail.com>

* Updated architecture diagram

Signed-off-by: iamabhishek-dubey <abhishekbhardwaj510@gmail.com>

* Updated docs for Azure Support

Signed-off-by: iamabhishek-dubey <abhishekbhardwaj510@gmail.com>

Author: iamabhishek-dubey

CHANGELOG.md

@@ -1,3 +1,12 @@
+### v3.0
+##### May 9, 2021
+
+#### :tada: [Features Added]
+
+- Added Azure Key Vault support
+- Fetch secrets from Azure Key Vault and inject them in pods/containers
+- Pod AD identity and Service principal based authentication in Azure
+
 ### v2.0
 ##### May 8, 2021
 

Makefile

@@ -2,7 +2,7 @@
 REGISTRY ?= quay.io
 REPOSITORY ?= $(REGISTRY)/opstree
 ARTIFACT_NAME=k8s-vault-webhook
-VERSION = 2.0
+VERSION = 3.0
 
 all: build-code build-image
 

README.md

@@ -32,10 +32,10 @@ The secret managers which are currently supported:-
 
 - **[Hashicorp Vault](https://www.vaultproject.io/)**
 - **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
+- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
 
 There are some secret managers which are planned to be implemented in future.
 
-- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
 - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
 
 ### Supported Features
@@ -45,21 +45,16 @@ There are some secret managers which are planned to be implemented in future.
 - Inject secret directly to pods/containers running inside Kubernetes
 - Inject secret directly to pods/containers from AWS Secret Manager
 - Authentication with AWS Secret Manager with access key and iam role
+- Fetch secrets from Azure Key Vault and inject them in pods/containers
+- Pod AD identity and Service principal based authentication in Azure
+- Authentication with AWS Secret Manager with access key and iam role
 - Support regex to inject all secrets from a certain path of Vault
 - Inject secrets directly to the process of container, i.e. after the injection you cannot read secrets from the environment variable
 
 ### Architecture
 
-#### Hashicorp Vault
-
-<div align="center">
-    <img src="./static/k8s-vault-webhook-arc-vault.png">
-</div>
-
-#### AWS Secret Manager
-
 <div align="center">
-    <img src="./static/k8s-vault-webhook-arc-aws.png">
+    <img src="./static/k8s-vault-webhook-arc.png">
 </div>
 
 ### Installation

annotations.go

@@ -1,6 +1,12 @@
 package main
 
 const (
+	// AnnotationAzureKeyVaultEnabled if enabled it will use Azure Key Vault
+	AnnotationAzureKeyVaultEnabled = "azure.opstree.secret.manager/enabled"
+
+	// AnnotationAzureKeyVaultName azure key vault name
+	AnnotationAzureKeyVaultName = "azure.opstree.secret.manager/vault-name"
+
 	// AnnotationAWSSecretManagerEnabled if enabled it will use AWS secret manager
 	AnnotationAWSSecretManagerEnabled = "aws.opstree.secret.manager/enabled"
 

azure.go

@@ -0,0 +1,28 @@
+package main
+
+import (
+	"fmt"
+
+	corev1 "k8s.io/api/core/v1"
+)
+
+type azure struct {
+	config struct {
+		enabled           bool
+		azureKeyVaultName string
+	}
+}
+
+func (azure *azure) mutateContainer(container corev1.Container) corev1.Container {
+	container = azure.setArgs(container)
+	return container
+}
+
+func (azure *azure) setArgs(c corev1.Container) corev1.Container {
+	args := []string{"azure"}
+	args = append(args, fmt.Sprintf("--azure-vault-name=%s", azure.config.azureKeyVaultName))
+
+	args = append(args, "--")
+	c.Args = append(args, c.Args...)
+	return c
+}

docs/src/.vuepress/config.js

@@ -70,6 +70,7 @@ module.exports = {
           children: [
             'hashicorp-vault',
             'aws-secret-manager',
+            'azure-integration',
           ]
         },
         {
@@ -78,6 +79,7 @@ module.exports = {
           children: [
             'hashicorp-vault-example',
             'aws-secret-manager-example',
+            'azure-examples',
           ]
         },
         {

docs/src/guide/README.md

@@ -31,14 +31,6 @@ There are some secret managers which are planned to be implemented in future.
 
 ## Architecture
 
-### Hashicorp Vault
-
-<div align="center" style="padding-top: 25px;">
-    <img src="./images/k8s-vault-webhook-arc-vault.png">
-</div>
-
-### AWS Secret Manager
-
 <div align="center" style="padding-top: 25px;">
-    <img src="./images/k8s-vault-webhook-arc-aws.png">
+    <img src="./images/k8s-vault-webhook-arc.png">
 </div>

docs/src/guide/annotations.md

@@ -7,10 +7,10 @@ The annotations which are currently supported:-
 
 - **[Hashicorp Vault](https://www.vaultproject.io/)**
 - **[AWS Secret Manager](https://aws.amazon.com/secrets-manager/)**
+- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
 
 There are some other annotations which are planned to be implemented in future.
 
-- **[Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/)**
 - **[GCP Secret Manager](https://cloud.google.com/secret-manager)**
 
 ## Vault Annotations
@@ -39,3 +39,10 @@ The available annotations for k8s vault webhook are:-
 |`aws.secret.manager/role-arn`| AWS IAM Role to access the secret | no | |
 |`aws.secret.manager/secret-name`| Name of the AWS secret | no | |
 |`aws.secret.manager/previous-version`| If the secret is rotated, set to "true" | no | |
+
+## Azure Annotations
+
+|**Name**|**Description**|**Required**|**Default**|
+|--------|---------------|------------|-----------|
+|`azure.secret.manager/enabled`| Enable the Azure Key Vault | - | false |
+|`azure.secret.manager/vault-name`| Name of the Azure Key Vault in which secrets are held | no | test-secret |

docs/src/guide/azure-examples.md

@@ -0,0 +1,83 @@
+# Azure Key Vault
+
+Let's try to create a deployment to inject secrets directly from Azure Key Vault. For example, purpose we are taking mysql as deployment and then we will try to set mysql root password using k8s-vault-webhook.
+
+We can use our [example](https://github.com/OT-CONTAINER-KIT/k8s-vault-webhook/tree/master/example) folder.
+
+The environment variables will get substitute automatically, we just have to provide some custom annotations.
+
+```yaml
+  template:
+    metadata:
+      labels:
+        app: k8s-azure-mysql
+        tier: mysql
+# Use Azure App Pod Pinding if cluster is configured in Azure
+        # aadpodidbinding: POD_IDENTITY_NAME
+      annotations:
+        azure.opstree.secret.manager/enabled: "true"
+        azure.opstree.secret.manager/vault-name: "vault-k8s-secret"
+    spec:
+      containers:
+      - image: opstree/mysql:latest
+        name: mysql
+# If running outside Azure
+        env:
+        - name: AZURE_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: azure-secret
+              key: AZURE_CLIENT_SECRET
+        - name: AZURE_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: azure-secret
+              key: AZURE_CLIENT_ID
+        - name: AZURE_TENANT_ID
+          valueFrom:
+            secretKeyRef:
+              name: azure-secret
+              key: AZURE_TENANT_ID
+```
+
+Let's try to apply the deployment manifest.
+
+```shell
+$ kubectl apply -f example/azure-mysql-example.yaml
+...
+deployment.apps/k8s-azure-mysql configured
+```
+
+Verify the mysql pods are running or not by using `kubectl` command line.
+
+```shell
+$ kubectl get pods
+...
+NAME                                       READY   STATUS             RESTARTS   AGE
+k8s-azure-mysql-658b99f8dc-k9r58           1/1     Running            0          128m
+```
+
+Now let's try to get inside the `mysql` pod and see if the Azure Key Vault's password is working fine or not.
+
+```shell
+$ kubectl exec -it k8s-azure-mysql-658b99f8dc-k9r58 \
+    -- mysql -u root -pazurepassword -e "show databases;"
+...
+Warning: Using a password on the command line interface can be insecure.
++--------------------+
+| Database           |
++--------------------+
+| information_schema |
+| mysql              |
+| performance_schema |
++--------------------+
+```
+
+Also, try to check the value in environment variable of MySQL pod.
+
+```shell
+$ kubectl exec -it k8s-azure-mysql-658b99f8dc-k9r58 \
+    -- env | grep ROOT
+...
+No output
+```

docs/src/guide/azure-integration.md

@@ -0,0 +1,23 @@
+# Azure Key Vault
+
+For integrating AWS Secret Manager with the K8s Vault Webhook, first we need to setup Azure Key Vault inside Azure account.
+
+Here we will talk about the integration of Azure Key Vault inside Kubernetes.
+
+Login into the [Azure Portal](http://portal.azure.com/#home) and select [Azure Key Vault](https://azure.microsoft.com/en-in/services/key-vault/) service.
+
+![](./images/azure-key-vault-azure.png)
+
+Create a secret in Settings > Secrets and click on `Generate/Import` ans specify these details for testing.
+
+|**Key**|**Value**|
+|-------|---------|
+| mysql-root-password | azurepassword |
+
+![](./images/azure-key-vault-secrets.png)
+
+Once the details has been provided, create the secret.
+
+![](./images/azure-key-vault-name.png)
+
+**Since Azure Key Vault doesn't supports underscore `_`, we will use hyphen `-`. The k8s-vault-webhook will automatically replace the hyphen with underscore.**

docs/src/guide/changelog.md

@@ -1,3 +1,12 @@
+### v3.0
+**May 9, 2021**
+
+**:tada: [Features Added]**
+
+- Added Azure Key Vault support
+- Fetch secrets from Azure Key Vault and inject them in pods/containers
+- Pod AD identity and Service principal based authentication in Azure
+
 ### v2.0
 **May 8, 2021**
 

docs/src/guide/images/azure-key-vault-azure.png

@@ -0,0 +1,48 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: k8s-azure-mysql
+  labels:
+    app: k8s-azure-mysql
+spec:
+  selector:
+    matchLabels:
+      app: k8s-azure-mysql
+      tier: mysql
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: k8s-azure-mysql
+        tier: mysql
+# Use Azure App Pod Pinding if cluster is configured in Azure
+        # aadpodidbinding: POD_IDENTITY_NAME
+      annotations:
+        azure.opstree.secret.manager/enabled: "true"
+        azure.opstree.secret.manager/vault-name: "vault-k8s-secret"
+    spec:
+      containers:
+      - image: opstree/mysql:latest
+        name: mysql
+# If running outside Azure
+        env:
+        - name: AZURE_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: azure-secret
+              key: AZURE_CLIENT_SECRET
+        - name: AZURE_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: azure-secret
+              key: AZURE_CLIENT_ID
+        - name: AZURE_TENANT_ID
+          valueFrom:
+            secretKeyRef:
+              name: azure-secret
+              key: AZURE_TENANT_ID
+        ports:
+        - containerPort: 3306
+          name: mysql

docs/src/guide/images/azure-key-vault-name.png

@@ -248,6 +248,11 @@ func (mw *mutatingWebhook) mutateContainers(containers []corev1.Container, podSp
 		container.Command = []string{"/k8s-secret/k8s-secret-injector"}
 		container.Args = args
 
+		if secretManagerConfig.azure.config.enabled {
+			container = secretManagerConfig.azure.mutateContainer(container)
+			mutationInProgress = true
+		}
+
 		if secretManagerConfig.aws.config.enabled {
 			container = secretManagerConfig.aws.mutateContainer(container)
 			mutationInProgress = true
@@ -341,6 +346,9 @@ func (mw *mutatingWebhook) parseSecretManagerConfig(obj metav1.Object) secretMan
 	var smCfg secretManagerConfig
 	annotations := obj.GetAnnotations()
 
+	smCfg.azure.config.enabled, _ = strconv.ParseBool(annotations[AnnotationAzureKeyVaultEnabled])
+	smCfg.azure.config.azureKeyVaultName = annotations[AnnotationAzureKeyVaultName]
+
 	smCfg.aws.config.enabled, _ = strconv.ParseBool(annotations[AnnotationAWSSecretManagerEnabled])
 	smCfg.aws.config.region = annotations[AnnotationAWSSecretManagerRegion]
 	smCfg.aws.config.roleARN = annotations[AnnotationAWSSecretManagerRoleARN]
@@ -380,6 +388,16 @@ func (mw *mutatingWebhook) SecretsMutator(ctx context.Context, obj metav1.Object
 
 	switch v := obj.(type) {
 	case *corev1.Pod:
+		if smCfg.azure.config.enabled {
+			mw.logger.Infof("Using Azure Key Vault")
+
+			if smCfg.azure.config.azureKeyVaultName == "" {
+				return true, fmt.Errorf("Error getting azure key vault - make sure you set the annotation %s on the Pod", AnnotationAzureKeyVaultName)
+			}
+
+			return false, mw.mutatePod(v, smCfg, whcontext.GetAdmissionRequest(ctx).Namespace, whcontext.IsAdmissionRequestDryRun(ctx))
+		}
+
 		if smCfg.aws.config.enabled {
 			mw.logger.Infof("Using AWS Secret Manager")
 
@@ -461,7 +479,7 @@ func newK8SClient() (kubernetes.Interface, error) {
 }
 
 func init() {
-	viper.SetDefault("k8s_secret_injector_image", "quay.io/opstree/k8s-secret-injector:2.0")
+	viper.SetDefault("k8s_secret_injector_image", "quay.io/opstree/k8s-secret-injector:3.0")
 	viper.SetDefault("k8s_secret_injector_image_pull_policy", string(corev1.PullIfNotPresent))
 	viper.SetDefault("k8s_secret_injector_image_pull_secret_name", "")
 	viper.SetDefault("tls_cert_file", "")

docs/src/guide/images/azure-key-vault-secrets.png

@@ -9,6 +9,7 @@ import (
 type secretManagerConfig struct {
 	vault
 	aws
+	azure
 	// explicitSecrets bool // only get secrets that match the prefix `secret:`
 }
 

docs/src/guide/images/k8s-vault-webhook-arc-aws.png

@@ -1,7 +1,7 @@
 package version
 
-// version is a private field and should be set when compiling with --ldflags="-X github.com/innovia/secrets-consumer-env/pkg/version.version=X.Y.Z"
-var version = "1.0"
+// version is a private field
+var version = "3.0"
 
 // GetVersion returns the current version
 func GetVersion() string {