Inject PFX Certificate
Inject a PFX certificate from Azure Key Vault as environment variables into an application
Note: The prerequisites are required to complete this tutorial.
The certificate handling in certain programming languages like Microsoft .NET has a preference for certificates in the binary PKCS12 format, commonly known as PFX. To extract the raw PKCS12 certificate from Azure Key Vault, you need to get the Secret object of the Certificate!
This tutorial is EXACTLY like the Inject Certificate tutorial, except the highlighted last line below:
apiVersion: spv.no/v1alpha1 kind: AzureKeyVaultSecret metadata: name: certificate-inject namespace: akv-test spec: vault: name: akv2k8s-test # name of key vault object: name: my-certificate # name of the akv object type: secret # akv object type
type: secret instead of
certificate, Azure Key Vault will respond with the PKCS12 certificate
that can be injected directly into your application.
Apply to Kubernetes:
$ kubectl apply -f akvs-certificate-inject.yaml azurekeyvaultsecret.spv.no/certificate-inject created
To list AzureKeyVaultSecret's and see sync status:
$ kubectl -n akv-test get akvs NAME VAULT VAULT OBJECT SECRET NAME SYNCHED certificate-inject akv2k8s-test my-certificate
Then we deploy a Pod having a env-variable pointing to the secret above.
apiVersion: apps/v1 kind: Deployment metadata: name: akvs-certificate-app namespace: akv-test labels: app: akvs-certificate-app spec: selector: matchLabels: app: akvs-certificate-app template: metadata: labels: app: akvs-certificate-app spec: containers: - name: akv2k8s-env-test image: spvest/akv2k8s-env-test:2.0.1 args: ["PUBLIC_KEY", "PRIVATE_KEY"] env: - name: PUBLIC_KEY value: certificate-inject@azurekeyvault?tls.crt - name: PRIVATE_KEY value: certificate-inject@azurekeyvault?tls.key
Apply to Kubernetes:
$ kubectl apply -f certificate-deployment.yaml deployment.apps/akvs-certificate-app created
Things to note from the Deployment yaml above:
containers: - name: akv2k8s-env-test image: spvest/akv2k8s-env-test # 1. args: ["PUBLIC_KEY", "PRIVATE_KEY"] # 2. env: - name: PUBLIC_KEY # 3. value: certificate-inject@azurekeyvault?tls.crt # 4. - name: PRIVATE_KEY # 5. value: certificate-inject@azurekeyvault?tls.key # 6.
- We use a custom built Docker image for testing purposes that only outputs the content of the env-variables passed in as args in #2. Feel free to replace this with your own Docker image.
- Again, specific for the Docker test image we are using (in #1), we pass in which environment variables we want the container to print values for
- Name of the environment variable containing the certificate public key
- By using the special akv2k8s Env Injector convention
<azure-key-vault-secret-name>@azurekeyvaultto reference the AzureKeyVaultSecret
certificate-injectwe created earlier. The env-injector will download this secret from Azure Key Vault and inject into the executable running in your Container.
- Name of the environment variable containing the certificate private key
- Same as 4. - only for the certificate private key
To see the log output from your Pod, execute the following command:
kubectl -n akv-test logs deployment/akvs-certificate-app
kubectl delete -f akvs-secret-inject.yaml kubectl delete -f secret-deployment.yaml