Loading...
D365Hub logo D365Hub

Helm charts managed through Terraform to deploy an Azure SecretProviderClass on AKS

Helm charts managed through Terraform to deploy an Azure SecretProviderClass on AKS

Introduction

 

In this article we will see how to benefit from the advantages of two infrastructure and template management solutions: Helm charts and Terraform.

 

In order to make the exercise challenging and to prove that the use of these two features works well, I deliberately chose to use the SecretProviderClass because it is a complex Kubernetes resource type to model.

 

For more details on the SecretProviderClass, please consult the following article that points out how to create a SecretProviderClass using user-assigned identity to access your key vault.

 

Jamesdld23_1-1711810014024.png

 

 

 

All the code used in this article is available here on GitHub: JamesDLD/terraform-azurerm_kubernetes-helm-chart-SecretProviderClass

 

 

Prerequisite

 

 

 

Terraform providers & authentication

 

The trick here is to retrieve the Kubernetes certificate from the azurerm_kubernetes_cluster resource and pass it to the helm provider.

 

 

 

 

# - # - Providers # - provider "azurerm" { subscription_id = var.subscription_id features {} } provider "helm" { kubernetes { host = data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.host client_certificate = base64decode(data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.client_certificate) client_key = base64decode(data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.client_key) cluster_ca_certificate = base64decode(data.azurerm_kubernetes_cluster.aks.kube_admin_config.0.cluster_ca_certificate) } } # - # - Azure Kubernetes Service cluster # - data "azurerm_kubernetes_cluster" "aks" { name = var.aks_cluster.name resource_group_name = var.aks_cluster.resource_group_name }

 

 

 

 

 

 

Terraform Helm release

 

In this section we highlight the following tips:

  1. Use Helm values files.
  2. Pass parameters from Terraform to the Helm chart through the “set” function.
  3. Dynamically retrieve the Azure Tenant ID from Terraform and pass it to the Helm chart.

 

 

 

 

 

variable "helm_release" { description = "A Release is an instance of a chart running in a Kubernetes cluster. https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release" default = { demo = { chart_path = "/charts/SecretProviderClass" values_paths = [ "/charts/SecretProviderClass/values.yaml", "/charts/SecretProviderClass/values-demo.yaml" ] set = [ { name = "tenantId" #Will calculated, see the below code }, { name = "userAssignedIdentityID" value = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx" #Application ID of the managed identity "azurekeyvaultsecretsprovider-<AKS Cluster Name>" }, { name = "keyvaultName" value = "xxxxxxxxxxxx" } ] } } } data "azurerm_client_config" "current" {} # - # - Helm charts # - resource "helm_release" "helm_release" { for_each = var.helm_release name = lookup(each.value, "name", each.key) chart = "${path.module}${each.value.chart_path}" values = lookup(each.value, "values_paths", null) == null ? null : [for x in each.value.values_paths : file(format("%s%s", path.module, x))] recreate_pods = lookup(each.value, "recreate_pods", null) dynamic "set" { for_each = lookup(each.value, "set", []) content { name = set.value.name value = lookup(set.value, "name", null) == "tenantId" ? data.azurerm_client_config.current.tenant_id : set.value.value type = lookup(set.value, "type", null) } } }

 

 

 

 

 

Helm chart template

 

The following manifest file manages the Kubernetes SecretProviderClass object and was designed using the following requirements:

  1. Ability to create multiple SecretProviderClass Kubernetes objects using the range action.
  2. Use in order of preference the values ​​provided by the current “range” (file “value-demo.yaml”), then the default values ​​(file “value.yaml”) then those provided by Terraform (“set” function).

 

 

 

 

# Reference: Provide an identity to access the Azure Key Vault Provider for Secrets Store CSI Driver # Chapter: Use a user-assigned managed identity https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-identity-access?WT.mc_id=AZ-MVP-5003548#use-a-user-assigned-managed-identity {{- range $key, $value := .Values.secrets }} apiVersion: secrets-store.csi.x-k8s.io/v1 kind: SecretProviderClass metadata: name: {{ $value.name }} namespace: {{ $value.namespace }} spec: provider: azure parameters: {{ if $value.usePodIdentity }} usePodIdentity: "{{ $value.usePodIdentity }}" {{ else }} usePodIdentity: "{{ $.Values.usePodIdentity }}" {{ end }} {{ if $value.useVMManagedIdentity }} useVMManagedIdentity: "{{ $value.useVMManagedIdentity }}" {{ else }} useVMManagedIdentity: "{{ $.Values.useVMManagedIdentity }}" {{ end }} userAssignedIdentityID: {{ $.Values.userAssignedIdentityID }} {{ if $value.keyvaultName }} keyvaultName: {{ $value.keyvaultName }} {{ else }} keyvaultName: {{ $.Values.keyvaultName }} {{ end }} objects: | {{- $value.parameters.objects | nindent 6 }} tenantId: {{ $.Values.tenantId }} {{ if $value.secretObjects }} secretObjects: {{ $value.secretObjects | toYaml | nindent 2 -}} {{ end }} --- {{- end }}

 

 

 

 

 

 

Terraform plan

 

What’s interesting here with Terraform is that we can see the planned changes and we can pass Terraform known information like the Azure Tenant ID and core parameters like the target Azure Key Vault.

 

Jamesdld23_0-1711809967333.png

 

 

 

Conclusion

 

Using Terraform and Helm charts will help you reap the benefits of both worlds:

  • Make full use of your teams’ skills.
  • Pass calculated values from your cloud provider without writing them in your code.
  • Manage planned changes that new git commits plan to do before applying them in production.

 

See You in the Cloud

Jamesdld

Published on:

Learn more
Azure Developer Community Blog articles
Azure Developer Community Blog articles

Azure Developer Community Blog articles

Share post:

Related posts

Automating Business PDFs Using Azure Document Intelligence and Power Automate

In today’s data-driven enterprises, critical business information often arrives in the form of PDFs—bank statements, invoices, policy document...

3 days ago

Azure Developer CLI (azd) Dec 2025 – Extensions Enhancements, Foundry Rebranding, and Azure Pipelines Improvements

This post announces the December release of the Azure Developer CLI (`azd`). The post Azure Developer CLI (azd) Dec 2025 – Extensions En...

6 days ago

Replit and Microsoft Azure are putting software development in everyone’s hands

6 days ago

Unlock the power of distributed graph databases with JanusGraph and Azure Apache Cassandra

Connecting the Dots: How Graph Databases Drive Innovation In today’s data-rich world, organizations face challenges that go beyond simple tabl...

8 days ago

Azure Boards integration with GitHub Copilot

A few months ago we introduced the Azure Boards integration with GitHub Copilot in private preview. The goal was simple: allow teams to take a...

9 days ago

Microsoft Dataverse – Monitor batch workloads with Azure Monitor Application Insights

We are announcing the ability to monitor batch workload telemetry in Azure Monitor Application Insights for finance and operations apps in Mic...

10 days ago

Copilot Studio: Connect An Azure SQL Database As Knowledge

Copilot Studio can connect to an Azure SQL database and use its structured data as ... The post Copilot Studio: Connect An Azure SQL Database ...

11 days ago

Retirement of Global Personal Access Tokens in Azure DevOps

In the new year, we’ll be retiring the Global Personal Access Token (PAT) type in Azure DevOps. Global PATs allow users to authenticate across...

13 days ago

Azure Cosmos DB vNext Emulator: Query and Observability Enhancements

The Azure Cosmos DB Linux-based vNext emulator (preview) is a local version of the Azure Cosmos DB service that runs as a Docker container on ...

14 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy