Problem
I’ve been creating Azure Bicep files in order to standardize our infrastructure.
Except for AKS, everything is going swimmingly. After doing some research and experimenting, I believe I have two possibilities.
AKS has pods that run Node.js or .NET services that require environment variables such as database connection strings. These can be included in each AKS instance or passed in at the deploy stage of each Node.js/.NET service.
Is this correct, and does one have an advantage over the other?
Asked by user3067684
Solution #1
The AKS IaC code should not be combined with the workload deployment code (your Node.js or .NET Pods).
ENV variables should not be used for secrets or connection strings, in my opinion. Kubernetes upstream has decided to use CSI (Container Storage Interface).
Key Vault: To sync secrets from Azure Key Vault to Kubernetes secrets or directly as files into pods, enable the azureKeyvaultSecretsProvider add-on for AKS.
After this, you write your workload deployment of Node.js and .NET Pods and refer to the Azure Key Vault Provider for Secrets Store CSI Driver. If you develop more clusters, for example, you will become more self-sufficient.
Answered by Philip Welz
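As an added example (not code from the question or the answer above), the Bicep below enables the add-on the answer recommends on an AKS cluster and grants the add-on's managed identity read-only access to a single Key Vault, so no secret ever has to be written into the IaC or into Pod environment variables. The resource names, location, VM size and API versions are assumptions for this example.

```bicep
param location string = resourceGroup().location
param clusterName string = 'aks-demo'   // assumed name
param keyVaultName string = 'kv-demo'   // assumed name

resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
  name: clusterName
  location: location
  identity: { type: 'SystemAssigned' }
  properties: {
    dnsPrefix: clusterName
    agentPoolProfiles: [
      { name: 'system', count: 1, vmSize: 'Standard_D2s_v3', mode: 'System', osType: 'Linux' }
    ]
    addonProfiles: {
      // Enables the Secrets Store CSI driver plus the Azure Key Vault provider.
      azureKeyvaultSecretsProvider: {
        enabled: true
        config: {
          enableSecretRotation: 'true'  // pick up rotated secrets without a redeploy
          rotationPollInterval: '2m'
        }
      }
    }
  }
}

// Key Vault with RBAC authorization: access comes from role assignments, not access policies.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
  }
}

// Built-in "Key Vault Secrets User" role: read secret contents, nothing else.
var secretsUserRoleId = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

// Least privilege: only the add-on's identity can read secrets, and only from this one vault.
resource kvSecretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, aks.id, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: secretsUserRoleId
    principalId: aks.properties.addonProfiles.azureKeyvaultSecretsProvider.identity.objectId
    principalType: 'ServicePrincipal'
  }
}
```

The workload side (the SecretProviderClass and the volume mount in the Pod spec) stays in the separate Node.js/.NET deployment, as the answer recommends; deploying the role assignment requires a principal allowed to assign roles on the vault.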
Post is based on https://stackoverflow.com/questions/70937782/azure-key-vault-values-inside-aks