Is it possible to create a tls kubernetes secret using Azure Key Vault data resources in Terraform?

Question

I have a certificate file and a private key file that I am using to implement tls encrypted traffic for several different k8s pods running under an NGINX ingress load balancer. This works fine (i.e. the web apps are visible and show as secure in a browser) if I create the kubernetes.io/tls secret in either of these ways:

1. Use kubectl: kubectl create secret my-tls-secret --key <path to key file> --cert <path to cert file>.
2. Reference those files locally in terraform:

resource "kubernetes_secret" "my_tls_secret" {
  metadata {
    name = "my-tls-secret"
  }

  type = "kubernetes.io/tls"

  data = {
    "tls.crt" = file("${path.module}/certfile.cer"),
    "tls.key" = file("${path.module}/keyfile.key")
  }
}

However, neither of these methods are ideal because for #1, it turns my terraform plan/apply steps into 2-step processes and for #2, I don't want to commit the key file to source control for security reasons.

So, my question is: is there a way to do this by using some combination of Azure Key Vault data resources (i.e. keys, secrets or certificates)?

I have tried the following:

1. Copy/pasting the cert and key into key vault secrets (have also tried this with base64 encoding the values before pasting them into the key vault and using base64decode() around the tls.crt and tls.key values in the Terraform):

data "azurerm_key_vault_secret" "my_private_key" {
  name         = "my-private-key"
  key_vault_id = data.azurerm_key_vault.mykv.id
}

data "azurerm_key_vault_secret" "my_certificate" {
  name         = "my-certificate"
  key_vault_id = data.azurerm_key_vault.mykv.id
}

resource "kubernetes_secret" "my_tls_secret" {
  metadata {
    name = "my-tls-secret"
  }

  type = "kubernetes.io/tls"

  data = {
    "tls.crt" = data.azurerm_key_vault_secret.my_certificate.value,
    "tls.key" = data.azurerm_key_vault_secret.my_private_key.value
  }
}

2. Tried importing the cert as an Azure key vault certificate and accessing its attributes like so:

data "azurerm_key_vault_certificate_data" "my_certificate_data" {
  name         = "my-certificate"
  key_vault_id = data.azurerm_key_vault.mykv.id
}

resource "kubernetes_secret" "my_tls_secret" {
  metadata {
    name = "my-tls-secret"
  }

  type = "kubernetes.io/tls"

  data = {
    "tls.crt" = data.azurerm_key_vault_certificate_data.my_certificate_data.pem,
    "tls.key" = data.azurerm_key_vault_certificate_data.my_certificate_data.key
  }
}

which results in an error in the NGINX ingress log of: [lua] certificate.lua:253: call(): failed to convert private key from PEM to DER: PEM_read_bio_PrivateKey() failed, context: ssl_certificate_by_lua*, client: xx.xx.xx.xx, server: 0.0.0.0:443

Both of these attempts resulted in failure and the sites ended up using the default/fake/acme kubernetes certificate and so are shown as insecure in a browser.

I could potentially store the files in a storage container and wrap my terraform commands in a script that pulls the cert/key from the storage container first and then use working method #2 from above, but I'm hoping there's a way I can avoid that that I am just missing. Any help would be greatly appreciated!

Answer 1

Method #1 from the original post works - the key point I was missing was how I was getting the cert/key into Azure KeyVault. As mentioned in the post, I was copy/pasting the text from the files into the web portal secret creation UI. Something was getting lost in translation doing it this way. The right way to do it is to use the Azure CLI, like so:

az keyvault secret set --vault-name <vault name> --name my-private-key --file <path to key file>

az keyvault secret set --vault-name <vault name> --name my-certificate --file <path to cert file>