This challenge covers managing application configuration in AKS and injecting secrets into the cluster from Azure Key Vault.
You need to fulfill these requirements to complete this challenge:
- Supply environment variables to the Web and API containers through Kubernetes config maps or secrets
- Keep sensitive parameters (such as the database user password) out of the Kubernetes cluster entirely, and store them in a purpose-built secret store such as Azure Key Vault
- Supply non-sensitive container configuration from a config map rather than hard coding it in the manifests
- Make sure that no static credential that grants access to Azure Key Vault (for example a Service Principal secret) is stored in the AKS cluster; the cluster should reach Key Vault through a managed identity instead
Success criteria:
- Environment variables in the deployment manifests are not hard coded but imported from Kubernetes config maps
- The SQL password is stored neither as a Kubernetes secret nor in a Kubernetes config map
- No Service Principal secret is stored in Kubernetes
- TLS is enabled in the ingress controller, and its certificate is supplied from a purpose-built store such as Azure Key Vault
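One set of manifests that satisfies all of the requirements above, added here as an example and not part of the challenge page or its solution. It uses the Azure Key Vault provider for the Secrets Store CSI driver with Azure AD Workload Identity, so no Service Principal secret is ever stored in the cluster. The SQL password is mounted as a file and deliberately not synced into a Kubernetes Secret (the challenge forbids that); the ingress certificate is synced into a `kubernetes.io/tls` Secret because the ingress controller can only consume TLS material from a Secret. All names, IDs, images and hostnames are hypothetical.

```yaml
# Added example, not from the challenge page. Hypothetical: Key Vault "wth-kv", the tenant and
# managed-identity client IDs below, image "ghcr.io/example/api:1.0", host "web.example.com".
apiVersion: v1
kind: ConfigMap
metadata:
  name: api-config
data:                                            # non-sensitive settings only
  SQL_SERVER: wth-sql.database.windows.net
  SQL_DB: mydb
  SQL_USER: sqladmin
  SQL_PASSWORD_FILE: /mnt/secrets/sql-password   # the app reads the password from this file
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-sa
  annotations:                                   # federated to a user-assigned managed identity
    azure.workload.identity/client-id: "11111111-1111-1111-1111-111111111111"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: akv-sql-password
spec:
  provider: azure                                # no secretObjects: the password is mounted, never synced to etcd
  parameters:
    clientID: "11111111-1111-1111-1111-111111111111"   # workload identity; no SP secret anywhere
    keyvaultName: wth-kv
    tenantId: "00000000-0000-0000-0000-000000000000"
    objects: |
      array:
        - |
          objectName: sql-password
          objectType: secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
        azure.workload.identity/use: "true"      # webhook injects the projected SA token
    spec:
      serviceAccountName: api-sa
      containers:
      - name: api
        image: ghcr.io/example/api:1.0
        envFrom:
        - configMapRef:
            name: api-config
        volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
      volumes:
      - name: secrets-store
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: akv-sql-password
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: akv-ingress-tls                          # mounted by the ingress controller pod, not by the app
spec:
  provider: azure
  secretObjects:                                 # sync into a kubernetes.io/tls Secret for the Ingress
  - secretName: ingress-tls
    type: kubernetes.io/tls
    data: [{objectName: ingress-tls, key: tls.key}, {objectName: ingress-tls, key: tls.crt}]
  parameters:
    clientID: "11111111-1111-1111-1111-111111111111"
    keyvaultName: wth-kv
    tenantId: "00000000-0000-0000-0000-000000000000"
    objects: |
      array:
        - |
          objectName: ingress-tls                # a Key Vault certificate; type secret yields key + cert PEM
          objectType: secret
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
spec:
  ingressClassName: nginx
  tls:
  - hosts: [web.example.com]
    secretName: ingress-tls                      # the Secret synced by akv-ingress-tls
  defaultBackend:
    service: {name: web, port: {number: 80}}
```

Prerequisites assumed by these manifests: the cluster has the OIDC issuer, workload identity and the `azure-keyvault-secrets-provider` add-on enabled; the user-assigned managed identity has a federated credential for subject `system:serviceaccount:<namespace>:api-sa` and the Key Vault Secrets User role on `wth-kv`. The synced `ingress-tls` Secret only exists while a pod mounts the `akv-ingress-tls` class, so the ingress controller deployment itself must carry a CSI volume for it. To check the success criteria, `kubectl get secrets -A` should show no Secret holding the SQL password, and the API pod should read `/mnt/secrets/sql-password` while `env` shows only the config map values.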
These docs might help you achieve these objectives:
- Azure Key Vault
- AKV provider for secrets store CSI driver
- AKS Overview
- Pod Identity - github.io docs (AAD Pod Identity is deprecated; prefer Workload Identity for new clusters)
- Pod Identity - Microsoft docs
- AAD Workload Identity for Kubernetes announcement (the replacement for Pod Identity)
- AKV Secret Provider - Microsoft docs
- AKV Secret Provider - github.io docs
- Provide an identity to access the AKV Provider for Secrets Store CSI Driver