
Feature: Need Options to create and Manage Keyvault Secrets #1894

Closed
adeepan opened this issue Oct 18, 2021 · 6 comments

Labels: new-resource (Requests for new supported resources)

Comments

adeepan commented Oct 18, 2021

I know we have options to create and manage Azure Keyvault Certificates using the Operators. However, I would like to see whether there is an option to create and manage Azure Keyvault Secrets using the Service Operators.

This would be a great help for us.

adeepan changed the title from "Keyvault Secrets: Need Options to create and Manage Keyvault Secrets" to "Feature: Need Options to create and Manage Keyvault Secrets" on Oct 18, 2021

babbageclunk (Member) commented

Hi @adeepan - there is some support for storing secrets in Keyvault in ASOv1; for example, MySQLServer can store the admin credentials in Keyvault when the server is created in ARM.

Hmm, actually I guess you mean adding support in ASOv2 for Keyvaults and Secrets, is that right? That's definitely on our roadmap in #1192, although we'll also need to get our Kubernetes secret-handling (#1471) nailed down on the way to supporting Keyvault secrets properly.

holooloo commented

Hello everyone.
I'm really disappointed that, when I looked, I realized ASO can't store secrets in Vault.
This is the first thing to do.
God bless you all for such ability.

adeepan (Author) commented Oct 22, 2021

@babbageclunk Thanks for taking this into the roadmap. Appreciate all the help!

matthchr (Member) commented

There are possibly also two different things being talked about here:

  1. @adeepan's ask, which seems to be the ability to create Microsoft.KeyVault keys, secrets, certificates, etc through ASO.
  2. @holooloo's ask, which seems more about storing secrets in KeyVault. For example the secrets associated with an Azure Storage account or the secrets given as input to creating a MySQLServer (adminUser/adminPassword). This is something that ASOv1 already supports at least in places, via the azureOperatorKeyvault Helm parameter (which ends up in the AZURE_OPERATOR_KEYVAULT parameter in the aso-configuration secret).

For the original ask by @adeepan (creating Microsoft.KeyVault keys, secrets, certificates, etc. through ASO): why do you want the secrets in KeyVault?

The reason I ask is that, in order to support creating the secrets via ASO, you would also have to create them in Kubernetes (to provide them to the operator securely). This means that your secrets are in two places. If your organization has a requirement that "all keys are stored in KeyVault", the fact that you also have them stored in your Kubernetes cluster for ASO might put you in violation of that requirement. This is a bit of a catch-22 and is one of the reasons why we haven't implemented direct support for creating/deleting KeyVault resources through ASO. Doing so seems to defeat some of the purpose of storing the keys in KeyVault in the first place. I'd love to hear more about your scenario, though, and understand why that doesn't apply to you, as maybe we are not understanding all the possible use-cases.

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had activity in 60 days.

matthchr (Member) commented

We are not planning on supporting creating secrets using ASO directly. However, we are planning on supporting storing secrets in KeyVault and allowing you to refer to them in ASO. See #2242.
