Thank you Chris, at the time of recording the video this was not available I think. Thank you so much for sharing your finding.

Much appreciated!

Hi Nikhil, yes for sure Managed Identities is the best alternative. This guide goes through the process for using User Assigned Managed Identities, which I think is a better way than using the System Assigned one: docs.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes#create-your-own-secretproviderclass-object

Glad you liked it. More coming up soon.

That’s true. And there is no way around it except if you take the time/effort to write code in your application to try and grab its own secrets from Key Vault using its managed identity.

No, the secret should be created for you. If it is not then there is probably a permission issue somewhere. Check the logs of the secrets provider containers and it might point you somewhere.

Glad it helped

Hi Sharat, this is probably because of a typo in your command. There should be a space between -o and tsv param. Make sure that if you run the az ad sp command that it does produce the proper expected output.

Yes indeed, if you want an additional layer of security then you can encrypt it and decrypt it using your app.

@@ZoomSpeaksTech would other solutions like hashicorp vault do the same thing like mount secret volumes with password in plain text or they will at least automatically encrypt it?

They work exactly the same. If this bothers you, the other option is to write code to extract secrets from a secure vault like Azure Key Vault in your app.

That just means the secret was not created by driver. Make sure you’ve specified the correct settings/permissions in the driver YAML.

@@ZoomSpeaksTech i followed the examples provided in this video and did exactly same. Can you please throw some light on what are the things i need to check for "correct settings/permissions"..? And thanks for your very fast response.

@@skannan74 i would look at the SecretProviderClass configuration and make sure that the key vault secret I am trying to read actually exists and that the csi driver has the necessary account to do so: docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#sync-mounted-content-with-a-kubernetes-secret I would also double check that entire document I sent. My video is now a little dated, and it might be useful to use this doc as an updated reference.

Sure, here you go: github.com/helshabini/kubernetes-akv

@@ZoomSpeaksTech Thank you

I agree. You can automate everything, but at some point it would be overkill to build something that serves no specific function other than to overcome verbosity. Which is why sometimes I prefer my apps to grab their own secrets whenever possible and absolve kubernetes of having to manage that. Keyvault integration can be easily done on most languages from the app code itself. The app merely needs a managed identity to be able to grab it.