Env-Injector Helm Chart

Azure Key Vault Env-Injector reference

This chart will install a Custom Resource Definition (AzureKeyVaultEnvSecret) and a mutating admission webhook, that together enable transparent injection of Azure Key Vault secrets to containers as environment variables.

For more information see the main GitHub repository at https://github.com/SparebankenVest/azure-key-vault-to-kubernetes.

Note about installing both Azure Key Vault Env Injector AND Azure Key Vault Controller

If installing both the Controller and the Controller, they share the same Custom Resource Definition (CRD), so only one of them can install it. Set installCrd to false for either this Chart or the Controller Chart.

Installing the Chart

helm repo add spv-charts http://charts.spvapi.no
helm repo update
helm install spv-charts/azure-key-vault-env-injector \
  --namespace akv2k8s

Note: Install akv2k8s in its own dedicated namespace

Note: The Env Injector needs to be enabled for each namespace

The Env Injector is developed using a Mutating Admission Webhook that triggers just before every Pod gets created. To allow cluster administrators some control over which Pods this Webhook gets triggered for, it must be enabled per namespace using the azure-key-vault-env-injection label, like in the example below:

apiVersion: v1
kind: Namespace
  name: akv-test
    azure-key-vault-env-injection: enabled

Installation of both Env Injector and Controller

helm install spv-charts/azure-key-vault-env-injector \
  --namespace akv2k8s

helm install spv-charts/azure-key-vault-controller \
    --set installCrd=false  --namespace akv2k8s

Using custom authentication with AAD Pod Identity

Requires Pod Identity: https://github.com/Azure/aad-pod-identity

helm install spv-charts/azure-key-vault-env-injector \
  --namespace akv2k8s \
  --set keyVault.customAuth.enabled=true \
  --set keyVault.customAuth.podIdentitySelector=myPidIdentitySelector \

Using custom authentication with credential injection enabled

helm install spv-charts/azure-key-vault-env-injector \
  --namespace akv2k8s \
  --set keyVault.customAuth.enabled=true \
  --set env.AZURE_TENANT_ID=... \
  --set env.AZURE_CLIENT_ID=... \
  --set env.AZURE_CLIENT_SECRET=...

Disable central authentication, leaving all AKV authentication to individual Pod

helm install spv-charts/azure-key-vault-env-injector \
  --namespace akv2k8s \
  --set authService.enabled=false


The following tables lists configurable parameters of the azure-key-vault-env-injector chart and their default values.

affinityaffinities to use{}
envaditional env vars to send to pod{}
envImage.repositoryimage repo that contains the env imagespvest/azure-keyvault-env
envImage.tagimage tag1.0.2
image.pullPolicyimage pull policyIfNotPresent
image.repositoryimage repo that contains the controllerspvest/azure-keyvault-webhook
image.tagimage tag1.0.2
installCrdinstall custom resource definitiontrue
keyVault.customAuth.enabledif custom authentication with azure key vault is enabledfalse
keyVault.customAuth.autoInject.enabledif auto injection of credentials to pods is enabledfalse
keyVault.customAuth.autoInject.secretNamename of secret to use to store credentialsakv2k8s-akv-credentials
keyVault.customAuth.autoInject.podIdentitySelectorif using aad-pod-identity, which selector to reference{}
logLevellog level - Trace, Debug, Info, Warning, Error, Fatal or PanicInfo
metrics.enabledif prometheus metrics is enabledfalse
metrics.addresslistening address for prometheus metrics':80'
nodeSelectornode selector to use{}
podDisruptionBudget.enabledif pod disruption budget is enabledtrue
podDisruptionBudget.minAvailablepod disruption minimum available1
podDisruptionBudget.maxUnavailablepod disruption maximum unavailablenil
replicaCountnumber of replicas1
resourcesresources to request{}
service.externalPortwebhook service external port443
service.internalPortwebhook service external port443
service.namewebhook service nameazure-keyvault-secrets-webhook
service.typewebhook service typeClusterIP
tolerationstolerations to add[]
Edit on GitHub