
ClusterSecretStore for TLS Certificates

Use a ClusterSecretStore to sync TLS certificates from Azure Key Vault once and reuse them across multiple namespaces (e.g., multiple Airflow or app instances).

Benefits

  1. Single source of truth — Certificate synced once from Key Vault
  2. No duplication — Multiple namespaces reference the same store
  3. Automatic updates — Certificate updates in Key Vault propagate to all namespaces
  4. Consistent configuration — All apps use the same certificate

Architecture

Azure Key Vault
    ↓
ClusterSecretStore (cluster-scoped)
    ↓
ExternalSecret (namespace-scoped, references ClusterSecretStore)
    ↓
Kubernetes Secret (e.g., wildcard-tls)
    ↓
Ingress (uses the secret for TLS)

Prerequisites

  • External Secrets Operator installed
  • ServiceAccount with Workload Identity (access to Key Vault)
  • Certificate and private key stored in Key Vault

ClusterSecretStore Example

apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: azure-keyvault-cluster-store
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "https://<your-keyvault>.vault.azure.net"
      serviceAccountRef:
        name: external-secrets-operator
        namespace: external-secrets-system

ExternalSecret for TLS

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: wildcard-tls
  namespace: your-namespace
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: azure-keyvault-cluster-store
  target:
    name: wildcard-tls
    creationPolicy: Owner
    template:
      type: kubernetes.io/tls
  data:
    - secretKey: tls.crt
      remoteRef:
        key: your-certificate-name
    - secretKey: tls.key
      remoteRef:
        key: your-private-key-name

Using in Ingress

spec:
  tls:
    - hosts:
        - app.your-domain.com
      secretName: wildcard-tls

Verification

# Check ClusterSecretStore
kubectl get clustersecretstore azure-keyvault-cluster-store

# Check ExternalSecret
kubectl get externalsecret wildcard-tls -n your-namespace

# Check Secret
kubectl get secret wildcard-tls -n your-namespace

Troubleshooting

  1. Certificate not syncing — Check the ExternalSecret status conditions (kubectl describe externalsecret) and the ESO controller logs
  2. Permission denied — Ensure the Managed Identity behind the ServiceAccount has the Key Vault Secrets User role on the vault
  3. Wrong API version — Use external-secrets.io/v1beta1 for ClusterSecretStore
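To make the Verification and Troubleshooting steps above mechanical, the following added example (not part of this page or of External Secrets Operator) checks the JSON that kubectl returns for the ExternalSecret and the synced Secret: that the ExternalSecret points at a ClusterSecretStore, templates a kubernetes.io/tls Secret, carries a Ready condition, and that tls.crt and tls.key decode to PEM rather than to PKCS#12 bytes. The SAMPLE_* objects and placeholder PEM bodies are constructed for the example.

```python
"""Post-sync checks for an ESO-managed TLS Secret (added example, not ESO code).
Feed it the JSON from `kubectl get externalsecret/secret wildcard-tls -n your-namespace -o json`;
the SAMPLE_* objects below are constructed stand-ins for that output."""
import base64

def externalsecret_problems(es: dict) -> list[str]:
    """Reasons the ExternalSecret is not a healthy ClusterSecretStore-backed TLS sync."""
    problems = []
    spec = es.get("spec", {})
    if spec.get("secretStoreRef", {}).get("kind") != "ClusterSecretStore":
        problems.append("secretStoreRef.kind is not ClusterSecretStore")
    if spec.get("target", {}).get("template", {}).get("type") != "kubernetes.io/tls":
        problems.append("target.template.type is not kubernetes.io/tls")
    keys = {d.get("secretKey") for d in spec.get("data", [])}
    problems += [f"spec.data has no entry for {k}" for k in ("tls.crt", "tls.key") if k not in keys]
    # ESO reports sync state as a Ready condition (reason SecretSynced on success).
    ready = [c for c in es.get("status", {}).get("conditions", []) if c.get("type") == "Ready"]
    if not ready or ready[-1].get("status") != "True":
        detail = ready[-1].get("message", ready[-1].get("reason", "")) if ready else "no Ready condition yet"
        problems.append("not Ready: " + detail)
    return problems

def tls_secret_problems(secret: dict) -> list[str]:
    """Problems with the synced Secret's type and PEM contents (empty list == OK)."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"Secret type is {secret.get('type')!r}, expected kubernetes.io/tls")
    data = secret.get("data", {})
    for key, marker in (("tls.crt", b"-----BEGIN CERTIFICATE-----"), ("tls.key", b"PRIVATE KEY-----")):
        if key not in data:
            problems.append(f"Secret is missing {key}")
            continue
        pem = base64.b64decode(data[key])
        # A Key Vault certificate stored as application/x-pkcs12 decodes to PFX bytes, not PEM.
        if marker not in pem:
            problems.append(f"{key} is not PEM text containing {marker.decode()!r}")
    return problems

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed stand-ins; the PEM bodies are placeholders, not real key material.
SAMPLE_ES = {
    "spec": {"secretStoreRef": {"kind": "ClusterSecretStore", "name": "azure-keyvault-cluster-store"},
             "target": {"name": "wildcard-tls", "template": {"type": "kubernetes.io/tls"}},
             "data": [{"secretKey": "tls.crt", "remoteRef": {"key": "your-certificate-name"}},
                      {"secretKey": "tls.key", "remoteRef": {"key": "your-private-key-name"}}]},
    "status": {"conditions": [{"type": "Ready", "status": "True", "reason": "SecretSynced"}]},
}
SAMPLE_SECRET = {"type": "kubernetes.io/tls", "data": {
    "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"),
    "tls.key": _b64("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")}}
```

Run the two functions over `json.load(sys.stdin)` from the kubectl commands above; an empty list from both means the sync is healthy and the Secret is usable by an Ingress.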

References