0 trust
By design, Blue Agent must be able to use a token to register itself with the Azure DevOps server. Centrally managing the storage, lifecycle and access of those tokens greatly improves operational security: the token lives in one place, is rotated in one place, and is read only by identities that were explicitly granted access.
Kubernetes (Helm)
Azure Kubernetes Service
Azure Kubernetes Service implements Pod Identity, which lets a Kubernetes Pod use a Managed Identity. This allows components on the cluster to read the secrets stored in Azure Key Vault without any credential for the vault being stored in the cluster itself.
Prerequisites to the deployment are:
- The Key Vault provider for Secrets Store CSI Driver add-on installed in the cluster.
- A Key Vault with two secrets named organization-url and personal-access-token, both of type secret.
- A Managed Identity (system-assigned or user-assigned) with the Key Vault Secrets User role on the Key Vault. That role grants read access to secret values only, which is all the agent needs.
# values.yaml
secret:
  create: true
  azureKeyVault:
    enabled: true   # turn on the Key Vault integration
    managedIdentityId: MY_MANAGED_IDENTITY_ID
    name: MY_KEY_VAULT_NAME
    tenantId: MY_TENANT_ID
Other distributions
Disable secret creation in the Helm chart and integrate with your own secret management solution, which must then supply the organization URL and the personal access token to the agent.
# values.yaml
secret:
  create: false
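The following script is an added example, not Blue Agent's own code. It walks through the three AKS prerequisites above as az CLI commands, renders the matching Helm values, and, for the "other distributions" case, creates the Kubernetes Secret yourself with kubectl. Names not on this page are assumptions: the Helm repository alias "blue-agent", the chart "blue-agent/blue-agent", the release name "blue-agent", the Secret name "blue-agent-secret", and that the chart's managedIdentityId expects the identity's client id (the value the Key Vault CSI driver needs). By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example, not Blue Agent's own code. Assumed (not from the page): Helm repo alias
# "blue-agent", chart "blue-agent/blue-agent", release "blue-agent", Secret "blue-agent-secret".
set -eu

: "${DRY_RUN:=1}"   # 1 = print each command instead of running it

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# AKS prerequisite 1: Key Vault provider for the Secrets Store CSI Driver (AKS add-on).
enable_csi_addon() {   # $1 resource group, $2 AKS cluster name
  run az aks enable-addons --resource-group "$1" --name "$2" \
    --addons azure-keyvault-secrets-provider
}

# AKS prerequisite 2: the two secrets. The PAT is read from a file
# (create it with: umask 077; printf '%s' "$PAT" > pat.txt) so the token
# never appears in shell history or in `ps` output.
set_vault_secrets() {  # $1 Key Vault name, $2 organization URL, $3 file holding the PAT
  run az keyvault secret set --vault-name "$1" --name organization-url --value "$2"
  run az keyvault secret set --vault-name "$1" --name personal-access-token --file "$3"
}

# AKS prerequisite 3: least privilege. "Key Vault Secrets User" can only read secret
# values; scope it to the vault's resource id (az keyvault show -n NAME --query id -o tsv),
# never to the resource group or subscription. Role assignments take the object id.
grant_secrets_user() { # $1 managed identity object (principal) id, $2 Key Vault resource id
  run az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$1" --assignee-principal-type ServicePrincipal \
    --scope "$2"
}

# Helm values for AKS: the chart creates the Secret and fills it from Key Vault.
# Assumption: managedIdentityId is the identity's client id (what the CSI driver uses).
render_aks_values() {  # $1 managed identity client id, $2 Key Vault name, $3 tenant id
  cat <<EOF
secret:
  create: true
  azureKeyVault:
    enabled: true
    managedIdentityId: $1
    name: $2
    tenantId: $3
EOF
}

install_chart() {      # $1 namespace, $2 path to values.yaml
  run helm upgrade --install blue-agent blue-agent/blue-agent \
    --namespace "$1" --create-namespace --values "$2"
}

# Verification: the CSI driver records, per pod, whether the Key Vault mount succeeded.
check_mounts() {       # $1 namespace
  run kubectl -n "$1" get secretproviderclasspodstatuses
}

# Other distributions (secret.create=false): provide the Secret yourself. Here it is
# built with kubectl from a file; an ExternalSecret with the same two keys works too.
# kubectl create fails if the Secret already exists; delete it first or switch to apply.
create_plain_secret() { # $1 namespace, $2 organization URL, $3 file holding the PAT
  run kubectl -n "$1" create secret generic blue-agent-secret \
    --from-literal=organization-url="$2" \
    --from-file=personal-access-token="$3"
}

# Full AKS sequence, driven by environment variables (all required).
deploy_aks() {
  enable_csi_addon "${RG:?}" "${AKS:?}"
  set_vault_secrets "${KV_NAME:?}" "${ORG_URL:?}" "${PAT_FILE:?}"
  grant_secrets_user "${MI_OBJECT_ID:?}" "${KV_ID:?}"
  render_aks_values "${MI_CLIENT_ID:?}" "${KV_NAME:?}" "${TENANT_ID:?}" > values.yaml
  install_chart "${NAMESPACE:?}" values.yaml
  check_mounts "${NAMESPACE:?}"
}

if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy_aks; fi
```

Run with RUN_DEPLOY=1 and the variables listed in deploy_aks set (DRY_RUN=1 first to review the commands, then DRY_RUN=0). Note the two different identifiers of the managed identity: the role assignment needs its object id, while the CSI driver (and, by assumption, the chart's managedIdentityId) needs its client id.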
Azure Container Apps (Bicep)
Key Vault integration is not supported out of the box in the Bicep deployment. However, integration between Azure Key Vault and Azure Container Apps is native to the platform and can be set up in about an hour. See the documentation.