charts/osdu-developer-base/templates/kv-secrets.yaml (81 lines of code) (raw):

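{{- if .Values.azure.enabled -}}
# SecretProviderClass for the Azure Key Vault provider of the Secrets Store
# CSI driver. `parameters.objects` lists what is fetched from the vault;
# `secretObjects` mirrors those objects into two Kubernetes Secrets
# (`active-directory`, `azure-resources`).
#
# Security notes:
# - The mirrored Secrets are created by the driver only while a pod mounts a
#   CSI volume that references this class, and only if secret sync is enabled
#   in the driver installation.
# - Once mirrored, the values live in the cluster as ordinary Opaque Secrets
#   (base64-encoded, not encrypted unless etcd encryption at rest is set up).
#   Restrict get/list/watch on Secrets in this namespace with RBAC.
# - Every objectName under `secretObjects` must also appear in
#   `parameters.objects`; keep the two lists in step when editing.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: "azure-keyvault"
spec:
  provider: azure
  secretObjects:
    # Service-principal / identity material.
    - secretName: active-directory
      type: Opaque
      data:
        - objectName: "app-dev-sp-password"
          key: principal-clientpassword
        - objectName: "app-dev-sp-tenant-id"
          key: tenant-id
        - objectName: "subscription-id"
          key: subscription-id
        - objectName: "app-dev-sp-id"
          key: principal-clientid
        # NOTE(review): key is named msi-clientid but is sourced from
        # app-dev-sp-username; confirm this mapping is intended.
        - objectName: "app-dev-sp-username"
          key: msi-clientid
    # Platform resource endpoints and credentials (storage key, Airflow admin).
    - secretName: azure-resources
      type: Opaque
      data:
        - objectName: "keyvault-uri"
          key: keyvault-uri
        - objectName: "insights-key"
          key: insights-key
        - objectName: "insights-connection"
          key: insights-connection
        - objectName: "system-storage"
          key: azurestorageaccountname
        - objectName: "system-storage-key"
          key: azurestorageaccountkey
        - objectName: "airflow-admin-username"
          key: airflow-username
        - objectName: "airflow-admin-password"
          key: airflow-password
  parameters:
    # Templated values are piped through `quote` so that a set value always
    # renders as a YAML string; the class's parameters are string-valued.
    clientID: {{ .Values.azure.clientId | quote }}  # client id of the Azure AD app/identity to use for workload identity
    keyvaultName: {{ .Values.azure.keyvaultName | quote }}  # the name of the KeyVault
    # `objects` is a literal block: the provider parses this string itself,
    # so the indentation inside it is part of the value.
    objects: |
      array:
        - |
          objectName: app-dev-sp-password
          objectType: secret
        - |
          objectName: app-dev-sp-tenant-id
          objectType: secret
        - |
          objectName: app-dev-sp-id
          objectType: secret
        - |
          objectName: app-dev-sp-username
          objectType: secret
        - |
          objectName: keyvault-uri
          objectType: secret
        - |
          objectName: insights-key
          objectType: secret
        - |
          objectName: insights-connection
          objectType: secret
        - |
          objectName: subscription-id
          objectType: secret
        - |
          objectName: system-storage
          objectType: secret
        - |
          objectName: system-storage-key
          objectType: secret
        - |
          objectName: airflow-admin-username
          objectType: secret
        - |
          objectName: airflow-admin-password
          objectType: secret
    tenantId: {{ .Values.azure.tenantId | quote }}  # the tenant ID of the KeyVault
{{- end }}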