Azure Arc Blog

Announcing General Availability of the Azure Key Vault Secret Store Extension

garyplumbridge
Nov 18, 2025

We are thrilled to announce Azure Key Vault Secret Store Extension (SSE) is now generally available for Arc-enabled on-premises Kubernetes, including clusters that you connect yourself and AKS Arc managed clusters. SSE automatically fetches secrets from an Azure Key Vault to the on-premises cluster for offline access. This means you can use Azure Key Vault to store, maintain, and rotate your secrets, even when running your Kubernetes cluster in a semi-disconnected state.

Key Benefits

  • Offline Access: It’s important that workloads continue even when there are temporary disruptions to connectivity. This includes regular operation as well as the ability to restart pods while there’s a connectivity interruption. With SSE, workloads can access secrets from the local Kubernetes secrets store regardless of connectivity interruptions.
  • Standard K8s Secret Access: Secrets can be accessed via volume mounting, environment variables, or via the Kubernetes API. Workloads and ingress controllers do not need to be customized to access Azure Key Vault and developers have options on how to access secrets.
  • Security: SSE runs with limited permissions and uses current Kubernetes security features, so cluster admins do not have to scope its permissions by hand. Secrets are critical business assets, so the Secret Store helps protect them through isolated namespaces, role-based access control (RBAC) policies, federated identities for accessing AKV, and limited permissions for the secrets synchronizer.
  • Scalability: SSE helps very large distributed deployments with hundreds or thousands of clusters to work with Azure Key Vault by spreading demand over time. By effectively caching secrets in the Kubernetes secrets store, SSE can also help to lower overall demand on Azure Key Vault instances.
  • Low maintenance: Auto-updates can keep your SSE up to date with security and performance improvements as they are released. Additionally, changes to configured secrets are even easier now with the new simplified configuration experience (in preview). With the simplified configuration style, a single custom resource is all that’s needed, reducing the effort and surface area for misconfigurations.

How to Use the Secret Store Extension

  1. Install the Secret Store Extension on an Arc-enabled cluster or an AKS Arc managed cluster, with configuration parameters such as the sync interval.
  2. Configure an Azure managed identity that has permission to read secrets from AKV and federate it with a Kubernetes service account.
  3. Configure a secret provider class custom resource (CR) in the cluster with connection details for the Key Vault.
  4. Configure a secret sync custom resource (CR) in the cluster for each secret to be synchronized. (Steps 3 and 4 are now even easier with the new simplified configuration!)
  5. Apply the CRs in the cluster and secrets will automatically begin syncing to the cluster.
  6. Relax knowing that your configured secrets will be kept up to date on the cluster, as frequently as you want.
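The whole procedure above, end to end, as an added example in bash. This is not code from the blog post or from Microsoft's own documentation: the resource group, cluster, vault, identity, namespace and secret names are placeholders, and it uses the documented two-CR configuration (a SecretProviderClass plus a SecretSync) rather than the simplified single-CR style the post mentions as preview. The `az` subcommands, the `microsoft.azure.secretstore` extension type and the `rotationPollIntervalInSeconds` setting are used as documented at the time of writing and should be checked against current docs. The script only renders the manifests unless `SSE_APPLY=1` is set, so it runs offline; the rendering functions are what you would feed to `kubectl apply`.

```shell
#!/usr/bin/env bash
# Added example, not code from the blog post or Microsoft's samples.
# Renders the SecretProviderClass and SecretSync manifests for one vault
# secret and, only when SSE_APPLY=1, runs the az/kubectl steps around them.
# All resource names below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-edge}"
CLUSTER_NAME="${CLUSTER_NAME:-edge-cluster-01}"
LOCATION="${LOCATION:-westeurope}"
KEYVAULT_NAME="${KEYVAULT_NAME:-kv-edge-secrets}"
IDENTITY_NAME="${IDENTITY_NAME:-id-sse-edge}"
K8S_NAMESPACE="${K8S_NAMESPACE:-workloads}"
K8S_SERVICE_ACCOUNT="${K8S_SERVICE_ACCOUNT:-akv-sync}"
SECRET_NAME="${SECRET_NAME:-db-password}"
SPC_NAME="spc-${KEYVAULT_NAME}"

# The federated credential's subject and SecretSync.spec.serviceAccountName must name
# the same namespace/account; deriving both from one function rules out the classic
# mismatch that makes the synchronizer's token exchange fail.
fic_subject() { printf 'system:serviceaccount:%s:%s\n' "$1" "$2"; }

# SecretProviderClass: vault, tenant, the identity that reads, and the objects to fetch.
# Usage: render_secret_provider_class NAME NAMESPACE CLIENT_ID TENANT_ID VAULT OBJECT...
render_secret_provider_class() {
  local name=$1 ns=$2 client_id=$3 tenant_id=$4 kv=$5
  shift 5
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  provider: azure
  parameters:
    clientID: ${client_id}
    tenantID: ${tenant_id}
    keyvaultName: ${kv}
    objects: |
      array:
EOF
  for obj in "$@"; do
    printf '        - |\n          objectName: %s\n          objectType: secret\n' "$obj"
  done
}

# SecretSync: one per Kubernetes Secret, created in the service account's namespace.
# Usage: render_secret_sync NAME NAMESPACE SERVICE_ACCOUNT SPC_NAME SOURCE [TARGET_KEY]
render_secret_sync() {
  local name=$1 ns=$2 sa=$3 spc=$4 source=$5 target=${6:-$5}
  cat <<EOF
apiVersion: secret-sync.x-k8s.io/v1alpha1
kind: SecretSync
metadata:
  name: ${name}
  namespace: ${ns}
spec:
  serviceAccountName: ${sa}
  secretProviderClassName: ${spc}
  secretObject:
    type: Opaque
    data:
      - sourcePath: ${source}
        targetKey: ${target}
EOF
}

apply_all() {
  # Step 1: install SSE; rotationPollIntervalInSeconds is how often it re-reads the vault.
  az k8s-extension create --cluster-name "$CLUSTER_NAME" --cluster-type connectedClusters \
    --resource-group "$RESOURCE_GROUP" --name ssarcextension \
    --extension-type microsoft.azure.secretstore \
    --configuration-settings rotationPollIntervalInSeconds=120
  # Step 2: managed identity with data-plane read access only, federated to the SA.
  # Assumes the Arc cluster's OIDC issuer (workload identity) is already enabled.
  az identity create -n "$IDENTITY_NAME" -g "$RESOURCE_GROUP" -l "$LOCATION"
  local client_id principal_id tenant_id issuer kv_id
  client_id=$(az identity show -n "$IDENTITY_NAME" -g "$RESOURCE_GROUP" --query clientId -o tsv)
  principal_id=$(az identity show -n "$IDENTITY_NAME" -g "$RESOURCE_GROUP" --query principalId -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  kv_id=$(az keyvault show -n "$KEYVAULT_NAME" --query id -o tsv)
  issuer=$(az connectedk8s show -n "$CLUSTER_NAME" -g "$RESOURCE_GROUP" --query oidcIssuerProfile.issuerUrl -o tsv)
  az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$kv_id"
  kubectl create namespace "$K8S_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  kubectl create serviceaccount "$K8S_SERVICE_ACCOUNT" -n "$K8S_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  az identity federated-credential create --name "fic-$CLUSTER_NAME" --identity-name "$IDENTITY_NAME" \
    -g "$RESOURCE_GROUP" --issuer "$issuer" --audiences api://AzureADTokenExchange \
    --subject "$(fic_subject "$K8S_NAMESPACE" "$K8S_SERVICE_ACCOUNT")"
  # Steps 3-5: apply the CRs, then confirm the synchronizer wrote the Secret.
  render_secret_provider_class "$SPC_NAME" "$K8S_NAMESPACE" "$client_id" "$tenant_id" "$KEYVAULT_NAME" "$SECRET_NAME" | kubectl apply -f -
  render_secret_sync "$SECRET_NAME" "$K8S_NAMESPACE" "$K8S_SERVICE_ACCOUNT" "$SPC_NAME" "$SECRET_NAME" | kubectl apply -f -
  kubectl get secret "$SECRET_NAME" -n "$K8S_NAMESPACE"
}

if [ "${SSE_APPLY:-0}" = "1" ]; then apply_all; else
  render_secret_provider_class "$SPC_NAME" "$K8S_NAMESPACE" '<client-id>' '<tenant-id>' "$KEYVAULT_NAME" "$SECRET_NAME"
  printf -- '---\n'
  render_secret_sync "$SECRET_NAME" "$K8S_NAMESPACE" "$K8S_SERVICE_ACCOUNT" "$SPC_NAME" "$SECRET_NAME"
fi
```

Two things to keep in mind when running this for real. The role assignment is `Key Vault Secrets User` (data-plane read only) on the vault, not a management-plane role; the synchronizer never needs to list keys or certificates unless you add objects of those types. And the result of a sync is an ordinary Kubernetes Secret in the target namespace, so the offline-access benefit comes with the usual Kubernetes caveats: anyone with `get` or `list` on secrets in that namespace can read it, and it sits in etcd on the cluster, so namespace-scoped RBAC and encryption at rest for etcd remain your responsibility.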

Try out the Secret Store Extension Today!

Updated Nov 13, 2025
Version 1.0