Migrate to Azure Key Vault to host the SSL certificate

1. Create the akv2k8s namespace

kubectl create ns akv2k8s

2. Install the akv2k8s controller

helm repo add spv-charts https://charts.spvapi.no
helm repo update
helm upgrade --install akv2k8s spv-charts/akv2k8s --namespace akv2k8s --set controller.nodeSelector."kubernetes\.io/os"=linux --set env_injector.nodeSelector."kubernetes\.io/os"=linux

3. Create the Key Vault and import the certificate

Create a key vault in the resource group that the AKS cluster is in.

In the Networking tab, restrict access to the VNet (and subnet) that the AKS cluster is in. Key Vault VNet rules require the Microsoft.KeyVault service endpoint on that subnet; the portal enables it when you select the subnet.

Import the SSL certificate into the key vault. Supported formats: PEM and PFX. A PEM import must contain both the certificate chain and the private key, otherwise the synced Secret will have no key for TLS.

4. Assign permission to the AKS identity

The akv2k8s controller needs access to your Key Vault to retrieve the certificate. It uses the cluster's service principal or managed identity to do so; on AKS with managed identity this is the kubelet identity, which is why the object id below is read from identityProfile.kubeletidentity. Grant only the get permissions; nothing on the cluster needs to list, set or delete vault objects. If the vault uses the Azure RBAC permission model instead of access policies, assign the Key Vault Secrets User role to the same object id instead of running set-policy.

//Get object id of AKS identity
az aks show -n <clustername> -g <resourcegroup> | jq .identityProfile.kubeletidentity.objectId -r

//Assign permission
az keyvault set-policy -n <azure key vault name> --secret-permissions get --certificate-permissions get --object-id <objectId> --subscription <azure subscription>

5. Create the AzureKeyVaultSecret

Create an AzureKeyVaultSecret resource in the namespace where you want the Kubernetes Secret to be synced (the namespace of the ingress that uses it).

Get the name of the TLS secret configured in the onelist ingress resource (spec.tls[].secretName).

Create an akv-secret.yaml file with the content below.

Run the commands below to delete the old TLS secret and create the AzureKeyVaultSecret. The old secret must go first so that the controller can create and own the synced one under the same name. If this is a new deployment, skip the delete command.

6. Check sync status

Confirm that the AzureKeyVaultSecret reports as synced and that a Secret of type kubernetes.io/tls with the name the ingress expects now exists in the namespace. Inspect the certificate inside it to make sure the subject and expiry are the ones you imported into the vault.
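The following is an added example for steps 5 and 6, not a script from the original runbook or from the akv2k8s project. It renders the AzureKeyVaultSecret manifest in the shape the akv2k8s documentation uses for TLS certificates, swaps it in for the old static secret, and checks the result. The vault name, certificate name, ingress name and namespace are placeholders to substitute; `onelist` is used only as a sample argument.

```shell
#!/usr/bin/env bash
# Added example for the runbook above (not from the original page or from akv2k8s).
# Placeholders: Key Vault name, certificate object name, ingress name and
# namespace are all assumptions; pass your own values.
set -euo pipefail

# Emit an AzureKeyVaultSecret that syncs a Key Vault certificate (cert + private
# key) into a Secret of type kubernetes.io/tls, which is what an ingress expects.
render_akv_secret() {
  local name="$1" namespace="$2" vault="$3" cert="$4" tls_secret="$5"
  cat <<EOF
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: ${name}
  namespace: ${namespace}
spec:
  vault:
    name: ${vault}
    object:
      name: ${cert}
      type: certificate
  output:
    secret:
      name: ${tls_secret}
      type: kubernetes.io/tls
EOF
}

# Name of the TLS secret referenced by the ingress (spec.tls[0].secretName).
ingress_tls_secret() {
  local namespace="$1" ingress="$2"
  kubectl -n "$namespace" get ingress "$ingress" \
    -o jsonpath='{.spec.tls[0].secretName}'
}

# Step 5: write akv-secret.yaml, remove the static secret (skip on a fresh
# deployment; --ignore-not-found makes that safe) and create the sync resource.
migrate_tls_secret() {
  local namespace="$1" ingress="$2" vault="$3" cert="$4"
  local tls_secret
  tls_secret="$(ingress_tls_secret "$namespace" "$ingress")"
  render_akv_secret "${ingress}-tls" "$namespace" "$vault" "$cert" "$tls_secret" \
    > akv-secret.yaml
  kubectl -n "$namespace" delete secret "$tls_secret" --ignore-not-found
  kubectl apply -f akv-secret.yaml
}

# Step 6: show the AzureKeyVaultSecret status (akvs is the CRD short name),
# confirm the Secret type, and print subject/expiry of the certificate that
# actually landed in the cluster.
check_sync() {
  local namespace="$1" name="$2" tls_secret="$3"
  kubectl -n "$namespace" get akvs "$name"
  kubectl -n "$namespace" get secret "$tls_secret" -o jsonpath='{.type}'; echo
  kubectl -n "$namespace" get secret "$tls_secret" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -enddate
}
```

Usage: source the file, then `migrate_tls_secret <namespace> onelist <vault> <cert>` followed by `check_sync <namespace> onelist-tls <tls-secret-name>`. The openssl check at the end is the one that matters: it proves the ingress is now serving the certificate from the vault rather than whatever was in the old static secret.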

References:

https://blog.baeke.info/2020/12/07/certificates-with-azure-key-vault-and-nginx-ingress-controller/

https://akv2k8s.io/quick-start/