Scenarios/Secure-Baseline/Apps/RatingsApp/web-secret-provider-class.yaml:
# v1alpha1 is the original API version of this resource; current Secrets Store CSI driver
# releases serve the same kind as secrets-store.csi.x-k8s.io/v1.
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: aks-tls-akv
  namespace: ratingsapp
spec:
  provider: azure
  parameters:
    keyvaultName: <Key vault>
    useVMManagedIdentity: "true"
    userAssignedIdentityID: <aks identity client ID> # the client ID of the MSI created by the
    objects: |
      array:
        - |
          objectName: aks-ingress-tls
          objectAlias: aks-ingress-tls
          objectType: secret
          # The objectType above is "secret" even though aks-ingress-tls is stored in the key vault
          # as a certificate: the Key Vault secrets endpoint returns the certificate together with its
          # private key, which is what a kubernetes.io/tls secret needs; the certificates endpoint
          # returns only the public part. The identity therefore needs GET on "secrets" in the key
          # vault, as well as GET on "certificates".
    tenantId: <tenant id>
  secretObjects:
  - secretName: aks-tls-akv # a k8s Secret of this name is generated and synced only while a pod mounts this SecretProviderClass as a CSI volume
    type: kubernetes.io/tls
    data:
    - objectName: aks-ingress-tls # must match the objectAlias above (the file the driver writes), which here equals the certificate name in the key vault
      key: tls.crt # the driver extracts the certificate (chain) from the fetched PEM/PFX into this key
    - objectName: aks-ingress-tls # same object: the private key comes from the same file
      key: tls.key
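The SecretProviderClass above does nothing on its own: the Secrets Store CSI driver fetches the object and creates the aks-tls-akv Secret only when a pod in the same namespace mounts the class as a CSI volume, and the synced Secret is removed again once no pod mounts it. The manifests below are an added example, not part of the repository, showing the mount that triggers the sync and an Ingress that consumes the resulting Secret. The Deployment and Service name (ratings-web), the container image placeholder, the ingress class (nginx) and the host name (ratings.example.com) are assumptions for illustration.

```yaml
# Added example (not from the repository). Assumed names: ratings-web, the
# <ratings web image> placeholder, ingress class nginx, host ratings.example.com.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ratings-web
  namespace: ratingsapp # must be the namespace of the SecretProviderClass and of the synced Secret
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ratings-web
  template:
    metadata:
      labels:
        app: ratings-web
    spec:
      containers:
      - name: web
        image: <ratings web image> # placeholder
        ports:
        - containerPort: 8080
        volumeMounts:
        # The mount is what makes the driver fetch the object and create the
        # aks-tls-akv Secret; the app does not have to read /mnt/secrets-store.
        - name: tls-store
          mountPath: /mnt/secrets-store
          readOnly: true
      volumes:
      - name: tls-store
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: aks-tls-akv # metadata.name of the SecretProviderClass
---
apiVersion: v1
kind: Service
metadata:
  name: ratings-web
  namespace: ratingsapp
spec:
  selector:
    app: ratings-web
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ratings-web
  namespace: ratingsapp
spec:
  ingressClassName: nginx # assumed ingress class
  tls:
  - hosts:
    - ratings.example.com
    secretName: aks-tls-akv # the kubernetes.io/tls Secret synced from secretObjects above
  rules:
  - host: ratings.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ratings-web
            port:
              number: 80
```

After the pod is Running, `kubectl get secret aks-tls-akv -n ratingsapp -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -enddate` confirms that the driver pulled the certificate (and not only its public half) from the key vault; if the Secret is missing, `kubectl describe pod` shows the provider error, most often a missing GET secrets permission for the identity named in userAssignedIdentityID or a leftover `<...>` placeholder in the SecretProviderClass.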