Kubernetes app that syncs cert-manager Secrets to Azure Key Vault. Originally created with the intention of getting LetsEncrypt certificates into Key Vault, but works with any certificate stored in a Kubernetes Secret.
| Component | Version | Status |
|---|---|---|
| Helm Chart | v0.2.2 | |
| Application | v0.1.1 | |
- Supports Kubernetes Nodes running `linux/amd64`, `linux/arm64` (Apple M1, Linux)
- Synchronizes Kubernetes Secrets to Azure Key Vault Certificates
- Leverages passwordless authentication using Workload Identity
- Certificate is automatically rotated when cert-manager triggers a renewal
- Supports duplicate certificates in multiple Kubernetes Namespaces (e.g. `*.your-domain.com` in multiple Namespaces)
- Runs in a lightweight Alpine container, using < 100 MiB of memory
- Includes a Helm Chart for easy installation
- Running cert-manager `~> v1` in your Azure Kubernetes cluster
- Only syncs Kubernetes Secrets to Key Vault Certificates (not to Key Vault Secrets)
- The included Helm chart only authenticates using Workload Identity
If you're running an older version of Helm, `HELM_EXPERIMENTAL_OCI=1` needs to be set to support OCI charts.

```shell
export HELM_EXPERIMENTAL_OCI=1
helm upgrade --install cert-manager-key-vault-sync \
  oci://docker.io/rdvansloten/cert-manager-key-vault-sync \
  --values ./charts/cert-manager-key-vault-sync/values.yaml \
  --version v0.2.2 \
  --namespace cert-manager-key-vault-sync --create-namespace
```
If you wish to use raw Kubernetes manifests instead, you may render the Helm template to plain YAML using the command below.
```shell
helm template cert-manager-key-vault-sync oci://docker.io/rdvansloten/cert-manager-key-vault-sync --version v0.2.2 \
  --values ./charts/cert-manager-key-vault-sync/values.yaml > output.yaml
```
For examples on building the image from scratch or prepping your Azure/Kubernetes environment, see Examples.
The synchronization process is a small Python3 application running on an Alpine image. It leverages OpenSSL to bundle the `.cer` and `.key` files, then uploads the resulting `.pfx` file to Azure Key Vault. cert-manager-key-vault-sync requires the verbs `"get"`, `"list"`, `"watch"` on the `"secrets"` resource, as it needs to pull cert-manager-generated Secrets from all namespaces. By default it will only search for Secrets with the annotation `cert-manager.io/certificate-name`, though this can be changed.

The attached Service Account is connected to a Managed Identity in Azure, providing access to the Key Vault. The Managed Identity requires the `Key Vault Certificates Officer` role on the Key Vault, or a custom role with permissions to list, read, create and update Certificates and their metadata.
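The two paragraphs above describe the whole pipeline: filter Secrets by annotation, bundle `.cer` + `.key` into a `.pfx` with OpenSSL, and import the result into Key Vault under the identity the pod runs as. The following is an added example written for this README, not the project's own source, that walks through one pass of that pipeline in plain Python. Assumptions not taken from the page: Secrets arrive as the Kubernetes API's JSON (a `SecretList`), the PKCS#12 bundling shells out to the `openssl` CLI, the Key Vault certificate name is derived as `<namespace>-<certificate-name>` (one way to keep the same wildcard certificate from two Namespaces apart), the upload uses the `azure-identity` and `azure-keyvault-certificates` SDKs, and the sample Secrets and self-signed test certificate are constructed here.

```python
# Added example (not the project's code). Assumptions: Secrets as Kubernetes SecretList JSON,
# PFX bundling via the openssl CLI, Key Vault name "<namespace>-<certificate-name>".
import base64
import os
import re
import secrets
import shutil
import subprocess
import tempfile
from pathlib import Path

CERT_ANNOTATION = "cert-manager.io/certificate-name"


def select_cert_manager_secrets(secret_list, annotation=CERT_ANNOTATION):
    """Pick only Secrets that carry the cert-manager annotation AND hold a TLS pair."""
    selected = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        cert_name = (meta.get("annotations") or {}).get(annotation)
        if not cert_name:
            continue  # not produced by cert-manager (e.g. SA token, Opaque Secret)
        data = item.get("data") or {}
        if "tls.crt" not in data or "tls.key" not in data:
            continue  # annotated but nothing issued yet: nothing to sync
        selected.append({"namespace": meta["namespace"], "secret": meta["name"],
                         "certificate": cert_name,
                         "cert_pem": base64.b64decode(data["tls.crt"]),
                         "key_pem": base64.b64decode(data["tls.key"])})
    return selected


def key_vault_name(namespace, cert_name):
    """Key Vault object names allow only [0-9A-Za-z-] (max 127 chars); the namespace
    prefix is the assumed scheme that keeps duplicate certificates distinct."""
    return re.sub(r"[^0-9A-Za-z-]", "-", f"{namespace}-{cert_name}")[:127]


def bundle_pfx(cert_pem, key_pem, password):
    """openssl pkcs12 -export, as the README describes. The export password goes in via
    the environment (-passout env:), never on argv where `ps` would show it."""
    with tempfile.TemporaryDirectory() as tmp:
        cer, key, pfx = (Path(tmp) / n for n in ("tls.cer", "tls.key", "tls.pfx"))
        cer.write_bytes(cert_pem)
        key.write_bytes(key_pem)
        key.chmod(0o600)  # private key stays owner-only while it is on disk
        subprocess.run(["openssl", "pkcs12", "-export", "-in", str(cer), "-inkey", str(key),
                        "-out", str(pfx), "-passout", "env:PFX_PASSWORD"],
                       env={**os.environ, "PFX_PASSWORD": password},
                       check=True, capture_output=True)
        return pfx.read_bytes()


def pfx_is_readable(pfx_bytes, password):
    """Pre-upload check: the bundle parses and its MAC verifies with this password."""
    with tempfile.NamedTemporaryFile(suffix=".pfx") as f:
        f.write(pfx_bytes)
        f.flush()
        result = subprocess.run(["openssl", "pkcs12", "-in", f.name, "-info", "-noout",
                                 "-passin", "env:PFX_PASSWORD"],
                                env={**os.environ, "PFX_PASSWORD": password}, capture_output=True)
    return result.returncode == 0


def upload_to_key_vault(vault_url, name, pfx_bytes, password):
    """Upload step (needs Azure, not exercised here). DefaultAzureCredential reads the
    Workload Identity environment injected into the pod; import_certificate takes PFX bytes."""
    from azure.identity import DefaultAzureCredential          # pip install azure-identity
    from azure.keyvault.certificates import CertificateClient  # pip install azure-keyvault-certificates
    client = CertificateClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return client.import_certificate(name, pfx_bytes, password=password)


def make_self_signed_pair(common_name="demo.your-domain.com"):
    """Constructed test input: throwaway key + self-signed cert standing in for cert-manager."""
    with tempfile.TemporaryDirectory() as tmp:
        key, cer = Path(tmp) / "tls.key", Path(tmp) / "tls.crt"
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                        "-subj", f"/CN={common_name}", "-keyout", str(key), "-out", str(cer)],
                       check=True, capture_output=True)
        return cer.read_bytes(), key.read_bytes()


def sample_secret_list(cert_pem=b"CERT", key_pem=b"KEY"):
    """Constructed SecretList: one Secret to sync, one unrelated, one annotated but empty."""
    b64 = lambda b: base64.b64encode(b).decode()
    return {"items": [
        {"metadata": {"namespace": "web", "name": "wildcard-tls",
                      "annotations": {CERT_ANNOTATION: "wildcard-your-domain-com"}},
         "type": "kubernetes.io/tls", "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)}},
        {"metadata": {"namespace": "web", "name": "sa-token", "annotations": {}},
         "type": "kubernetes.io/service-account-token", "data": {"token": b64(b"x")}},
        {"metadata": {"namespace": "api", "name": "pending-tls",
                      "annotations": {CERT_ANNOTATION: "api-your-domain-com"}}, "data": {}}]}


def openssl_available():
    return shutil.which("openssl") is not None


def sync_once(secret_list):
    """One pass: select, bundle, verify. Returns (key_vault_name, pfx, password) per Secret."""
    staged = []
    for s in select_cert_manager_secrets(secret_list):
        password = secrets.token_urlsafe(24)  # fresh per bundle, never logged
        pfx = bundle_pfx(s["cert_pem"], s["key_pem"], password)
        if not pfx_is_readable(pfx, password):
            raise RuntimeError(f"bundle for {s['namespace']}/{s['secret']} failed verification")
        staged.append((key_vault_name(s["namespace"], s["certificate"]), pfx, password))
    return staged


if __name__ == "__main__":
    cert, key = make_self_signed_pair()
    for name, pfx, _ in sync_once(sample_secret_list(cert, key)):
        print(f"{name}: {len(pfx)} bytes of PKCS#12 ready for import_certificate()")
```

Run it with `python3 sync_example.py`; it prints one staged bundle for the `web/wildcard-tls` Secret and skips the other two. In the real app the `staged` tuples would feed `upload_to_key_vault`, and the RBAC verbs from the README (`get`, `list`, `watch` on `secrets`) are exactly what is needed to obtain the `SecretList` this code consumes. The per-bundle random password only has to survive the import call; Key Vault stores the certificate and key, not the PFX password.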
I'd love your input! I want to make contributing to this project as easy and transparent as possible, whether it's:
- Reporting an issue.
- Submitting a fix.
- Proposing new features.
- Becoming a maintainer.
- Supporting my GitHub page through GitHub Sponsors or ko-fi.
Pull requests are the best way to propose changes. I actively welcome your Pull Requests:
- Fork this repository and create your branch from `main`.
- If you've added code that should be tested, add some test examples.
- Update the documentation.
- Submit that Pull Request!