KeyVault and Private Links

[irperez]

Does the name of the KeyVault need to change if we are using Private Links? How do we ensure we're connecting on the private network? Any guidance for use with private link would be great! I don't see any mention of it in the docs.

apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: azure-kvname
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"               # [OPTIONAL] if not provided, will default to "false"
    useVMManagedIdentity: "false"         # [OPTIONAL available for version > 0.0.4] if not provided, will default to "false"
    userAssignedIdentityID: "client_id"   # [OPTIONAL available for version > 0.0.4] use the client id to specify which user assigned managed identity to use. If using a user assigned identity as the VM's managed identity, then specify the identity's client id. If empty, then defaults to use the system assigned identity on the VM
    keyvaultName: "kvname"                # the name of the KeyVault  
    cloudName: ""                         # [OPTIONAL available for version > 0.0.4] if not provided, azure environment will default to AzurePublicCloud
    cloudEnvFileName: ""                  # [OPTIONAL available for version > 0.0.7] use to define path to file for populating azure environment
    objects:  |
      array:
        - |
          objectName: secret1
          objectAlias: SECRET_1           # [OPTIONAL available for version > 0.0.4] object alias
          objectType: secret              # object types: secret, key or cert. For Key Vault certificates, refer to https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/getting-certs-and-keys/ for the object type to use
          objectVersion: ""               # [OPTIONAL] object versions, default to latest if empty
        - |
          objectName: key1
          objectAlias: ""                 # If provided then it has to be referenced in [secretObjects].[objectName] to sync with Kubernetes secrets 
          objectType: key
          objectVersion: ""
    tenantId: "tid"                       # the tenant ID of the KeyVault

[aramase]

Here is a doc for accessing keyvault with private link: https://docs.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal. Once the required steps for keyvault + private link are setup I don't think there would be any additional changes in the SecretProviderClass config.

[jagiraud]

Did you get it to work @irperez ?
I'm doing some testing now accessing AKV with private link using Pod Identity and have problems with fetching secrets successfully.

My current lab config:

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: operations-lab-azureidentity
  namespace: operations-lab
spec:
 type: 0 # (0=Azure Id, 1=Service Principal)
 resourceID: *redacted*
 clientID: *redacted*

---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: operations-lab-azureidentitybinding
  namespace: operations-lab
spec:
  azureIdentity: operations-lab-azureidentity # must match the value in AzureIdentity
  selector: operations-lab-identity # label value to match for the pods
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: keyvaultName-grafana-lab-spc
  namespace: operations-lab
spec:
  provider: azure
  secretObjects:                                 # [OPTIONAL] SecretObject defines the desired state of synced K8s secret objects
  - secretName: grafanasecret
    type: Opaque
    data: 
    - objectName: adminpassword                    # name of the mounted content to sync. this could be the object name or object alias 
      key: adminpwd
  parameters:
    usePodIdentity: "true"
    keyvaultName: *redacted*
    objects: |
      array:
        - |
          objectName: grafana-oauth-creds-lab
          objectType: secret
          objectAlias: oauthsecret
          objectVersion: ""
        - |
          objectName: grafana-admin-password
          objectType: secret
          objectAlias: adminpassword
          objectVersion: ""
    tenantId: *redacted*

And some logs from the CSI store:

I1103 20:31:54.713723       1 auth.go:77] "using pod identity to retrieve token" pod="operations-lab/grafana-7746f8494c-4fr54"
I1103 20:31:54.731171       1 auth.go:111] "successfully acquired access token" accessToken="eyJ0##### REDACTED #####D0sw" clientID="f105##### REDACT####8e4a" pod="operations-lab/grafana-7746f8494c-4fr54"
I1103 20:31:54.731202       1 provider.go:278] "fetching object from key vault" objectName="grafana-oauth-creds-lab" objectType="secret" keyvault="kbperationskv" pod="operations-lab/grafana-7746f8494c-4fr54"
E1103 20:33:54.703672       1 server.go:58] "failed to process mount request" err="failed to get objectType:secret, objectName:grafana-oauth-creds-labjectVersion:: keyvault.BaseClient#GetSecret: Failure sending request: StatusCode=0 -- Original Error: context canceled"
I1103 20:33:55.755378       1 provider.go:257] "unmarshaled key vault objects" keyVaultObjects=[{ObjectName:grafana-oauth-creds-lab ObjectAlias:oauthet ObjectVersion: ObjectType:secret ObjectFormat: ObjectEncoding:} {ObjectName:grafana-admin-password ObjectAlias:adminpassword ObjectVersion: ObjectType:secret ObjectFormat: ObjectEncoding:}] cou pod="operations-lab/grafana-7746f8494c-4fr54"
E1103 20:33:54.703672       1 server.go:58] "failed to process mount request" err="failed to get objectType:secret, objectName:grafana-oauth-creds-lab, objectVersion:: keyvault.BaseClient#GetSecret: Failure sending request: StatusCode=0 -- Original Error: context canceled"
I1103 20:33:55.755378       1 provider.go:257] "unmarshaled key vault objects" keyVaultObjects=[{ObjectName:grafana-oauth-creds-lab ObjectAlias:oauthsecret ObjectVersion: ObjectType:secret ObjectFormat

Based on the troubleshooting docs this points to firewall configuration, but the source network is allowed in AKV.
nslookup returns the expected private link FQDN.
Pod identity resource has necessary permissions to get secrets from AKV.

@aramase Am I missing something here?
Edit: Created as an issue instead. #711

[irperez]

It seems to work without any changes to the config. I just wanted to be sure as there was no mention of it in the documentation. We're using managed identity.

[jagiraud]

Ok, thanks for letting me know 👍