Azure Key Vault

  1. Encrypt etcd
  2. Create an Azure Key Vault
  3. Give your Azure account access to create secrets
  4. Create secrets
  5. Log in to the Azure CLI
  6. Create a service principal (a user allowed only to get secrets, restricted to one namespace); one is required per namespace
  7. Deploy the Azure Key Vault Provider for the Secrets Store CSI Driver
  8. Create the service principal secret in Kubernetes (this will be stored in etcd)
  9. Create and apply secrets.yaml
  10. Create and apply a deployment that uses the secret

If you do not have a service principal, run the following Azure CLI command to create one.

# OPTIONAL: Create a new service principal. Note the SP secret (password) returned on creation; it is shown only once.
az ad sp create-for-rbac --skip-assignment --name $SPNAME
# If you lose your AZURE_CLIENT_SECRET (SP secret), you can reset it and receive the new value with this command:
# az ad sp credential reset --name $SPNAME --credential-description "APClientSecret" --query password -o tsv

With an existing service principal, grant it the following Key Vault access policy. Only the "get" permission is granted on keys, secrets and certificates, so the service principal can read what it is pointed at but cannot list, create or delete objects.

# Set environment variables
SPNAME=<servicePrincipalName>
# Look up the application (client) ID of the service principal by its identifier URI
AZURE_CLIENT_ID=$(az ad sp show --id http://${SPNAME} --query appId -o tsv)
KEYVAULT_NAME=<key-vault-name>
KEYVAULT_RESOURCE_GROUP=<resource-group-name-for-KV>
SUBID=<subscription-id>

# Grant read-only ("get") access to keys, secrets and certificates in the vault
az keyvault set-policy -n $KEYVAULT_NAME --key-permissions get --spn $AZURE_CLIENT_ID
az keyvault set-policy -n $KEYVAULT_NAME --secret-permissions get --spn $AZURE_CLIENT_ID
az keyvault set-policy -n $KEYVAULT_NAME --certificate-permissions get --spn $AZURE_CLIENT_ID
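Steps 8 to 10 of the list above, as an added example that is not part of the original page: the per-namespace credentials Secret, the SecretProviderClass for secrets.yaml, and the CSI volume a deployment mounts. The Key Vault secret name "db-password", the SecretProviderClass name "azure-kv-app", the Secret name "secrets-store-creds" and the TENANT_ID variable are assumptions.

```shell
# Added example (not from the original page): steps 8-10 as shell functions.
# Assumed names: Key Vault secret "db-password", SecretProviderClass "azure-kv-app",
# credentials Secret "secrets-store-creds"; AZURE_CLIENT_ID, AZURE_CLIENT_SECRET,
# KEYVAULT_NAME and TENANT_ID (az account show --query tenantId -o tsv) are in the env.
set -e

# Step 8: per-namespace Secret holding the SP credentials (this is what ends up in
# etcd, hence step 1). The driver needs the "used" label on nodePublishSecretRef Secrets.
create_sp_secret() {  # arg: namespace
  kubectl -n "$1" create secret generic secrets-store-creds \
    --from-literal clientid="$AZURE_CLIENT_ID" \
    --from-literal clientsecret="$AZURE_CLIENT_SECRET"
  kubectl -n "$1" label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
}

# Step 9: secrets.yaml. Only the listed objects are fetched, using the SP's "get"
# secret permission granted above; usePodIdentity=false selects SP credentials.
render_spc() {  # args: keyvaultName tenantId objectName
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-app
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    keyvaultName: "$1"
    tenantId: "$2"
    objects: |
      array:
        - |
          objectName: $3
          objectType: secret
EOF
}

# Step 10: pod-spec volume; the secret is mounted read-only as a file, and the driver
# authenticates to Key Vault with the namespace-local Secret from step 8.
render_volume() {
  cat <<EOF
volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "azure-kv-app"
      nodePublishSecretRef:
        name: secrets-store-creds
EOF
}
```

Typical use is `create_sp_secret app`, then `render_spc "$KEYVAULT_NAME" "$TENANT_ID" db-password | kubectl -n app apply -f -`, and pasting the output of `render_volume` into the deployment's pod spec with a matching `volumeMounts` entry at, for example, `/mnt/secrets-store`.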