Add detail to SOPS / Azure guide

Provide a more in-depth guide on how to set the environment variables required by SOPS to access an Azure Key Vault. Signed-off-by: Aaron Peschel <aaron.peschel@gmail.com>
2026-02-22 15:41:47 +00:00 · 2021-03-05 11:51:41 -08:00 · 2021-03-05 11:51:41 -08:00 · 5eaa219d51
commit 5eaa219d51
parent ca660b7ba5
1 changed files with 49 additions and 0 deletions
--- a/docs/guides/mozilla-sops.md
+++ b/docs/guides/mozilla-sops.md
@ -141,6 +141,55 @@ When using Azure Key Vault you need to authenticate the kustomize controller eit
 [Service Principal credentials as environment variables](https://github.com/mozilla/sops#encrypting-using-azure-key-vault)
 or with [add-pod-identity](https://github.com/Azure/aad-pod-identity).

+There are several authentication methods available in SOPS for connecting to an
+Azure Key Vault. SOPS looks for specific environment variables to determine
+which method to use, and then uses the credentials in those environment
+variables. Please refer to the SOPS documentation to determine which
+environment variables you will need to set for your preferred authentication
+method.
+
+For example, to use a service principal for authentication, you would need to
+have these environment variables set for SOPS:
+
+```
+AZURE_TENANT_ID=XXX
+AZURE_CLIENT_SECRET=XXX
+AZURE_CLIENT_ID=XXX
+```
+
+Since SOPS is running in the kustomize-controller, these environment variables
+will need to be set in the kustomize controller deployment definition.
+
+Create a secret with the appropriate environment variables:
+
+```sh
+kubectl create secret flux-azure-service-principal \
+  --namespace flux-system \
+  --from-literal=AZURE_TENANT_ID="XXX" \
+  --from-literal=AZURE_TENANT_ID="XXX" \
+  --from-literal=AZURE_TENANT_ID="XXX"
+```
+
+You'll need a separate process from Flux for bootstrapping this specific secret
+before you bootstrap Flux, or you'll end up with a dependency cycle.
+
+Finally, update your kustomize controller deployment definition in
+`flux-system/gotk-components.yaml` to mount the secret data as environment
+variables:
+
+```diff
+@@ -2495,6 +2495,9 @@ spec:
+           valueFrom:
+             fieldRef:
+               fieldPath: metadata.namespace
+        envFrom:
+        - secretRef:
+            name: flux-azure-service-principal
+         image: ghcr.io/fluxcd/kustomize-controller:v0.9.1
+         imagePullPolicy: IfNotPresent
+         livenessProbe:
+```
+
 #### Google Cloud

 Please ensure that the GKE cluster has Workload Identity enabled.