I try to implement Azure KeyVault for using its secrets in pipeline. For now there is question how to use it in pipeline cause gitlab uses hashicorp vault as vault for secrets.
Any idea how we can use it in GitLab CI?
Related
Seeking your assistance in how to trigger azure devops pipeline CI CD using powershell
Thanks
There are a few PowerShell modules out there but I don't know a module that provides a cmdlet to trigger a pipeline. However, Azure DevOps has an API including a Run Pipeline endpoint. Before you use it you have to Choose the right authentication mechanism. I usually use a Personal access token (PAT) for authentication in my scripts.
I have Azure Pipeline where we are connecting to downstream and one of our developer used password in configmap as a plan test.
Can some one please tell me how I can use the existing Key-Vault to stored that password and refer in my Pipeline?
You need to reference your KeyVault in your pipeline and provide access to it.
Here is a good article regarding your question - https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-key-vault?view=azure-devops
We have some unit tests/integration tests running on Azure build/release pipelines. There are few tests that retrieve secrets from key vault and these are failing because the code is written for fetching secrets from keyvault using MSI and Azure app authentication features. Since pipelines are not enabled for MSI, the keyvault calls are failing and hence the tests are also failing. What is the alternative that exists for this scenario where pipelines can access keyvault successfuly?
Note: I have already gone through articles suggesting to use variable groups and azure keyvault tasks but not helpful in my scenario .Looking for alternatives.
Note: I have already gone through articles suggesting to use variable
groups and azure keyvault tasks but not helpful in my scenario.Looking
for alternatives.
You can try two directions:
Configure a self-hosted agent to run your pipeline in local environment. Of course the agent should be configured with your managed identity.
According to step5 from this blog:
AzureServiceTokenProvider will use the developer's security context to get a token to authenticate to Key Vault. This removes the need to create a service principal, and share it with the development team. It also prevents credentials from being checked in to source code. AzureServiceTokenProvider will use Azure CLI or Active Directory Integrated Authentication to authenticate to Azure AD to get a token. That token will be used to fetch the secret from Azure Key Vault.
You can use Azure Cli task to run your tests in command-line. Check this similar issue.
I am working with Kubernetes on Azure. I created and configured the Azure Kubernetes Service and Azure Container Registry with the Azure command line interface (CLI) - I have a repository full of Azure CLI bash scripts that create/destroy my cloud infrastructure.
I plan to deploy to Kubernetes using Helm. I plan to use Helm Secrets to encrypt secrets and I am hoping I can use Azure Key Vault to store the encryption keys that encrypt/decrypt the "secrets".
I am now trying to create and configure the Azure Key Vault to work with Azure Kubernetes Service. I can see how I could create a Key Vault with the Azure CLI but the documentation for kubernetes-kms suggests that if you configure Kubernetes a certain way then the Key Vault will be automatically created and this will be configured to communicate with Azure Kubernetes Service.
"We have added this feature to aks-engine so that you do not have to
worry about any of the manual steps to set this up."
The documentation talks about editing a "kubernetesConfig", I've not seen a "kubernetesConfig" anywhere yet - I guess that is what you would have if you created your components using Azure Resource Manager (ARM) Templates.
How do I get Azure Key Vault working with kubernetes-kms using Azure CLI?
e.g. adding enableEncryptionWithExternalKms to the Kubernetes configuration and adding an objectId attribute to the service principal.
you cannot do that with AKS. You dont have access to masters to configure them.
We can create secrets when deploy KV using ARM template, but it can't seem to create or import a KEY at the same time. Is anybody know how to create a KEY when deploying the KV? Any help will be appreciated.
This is not possible as of now, unfortunately. You can only create secrets with ARM templates.
Yes, it's not available to create Keys when deploy azure keyvault via ARM Template and you could only create secrets when deploy keyvault.
You could vote up this feedback to promote the feature to achieve.