From b50d4243a3f598ff1602313b4e56f40ad8b99a90 Mon Sep 17 00:00:00 2001
From: devopstales <42894256+devopstales@users.noreply.github.com>
Date: Fri, 18 Oct 2024 14:23:13 +0000
Subject: [PATCH] 2024-10-18

---
 Home/aks-azure-key-vault-csi.md.save     | 357 +++++++++++++++++++++++
 atom.xml                                 |   2 +-
 cloud/aks-azure-key-vault-csi.md.save    | 357 +++++++++++++++++++++++
 cloud/aks-azure-key-vault-csi/index.html | 157 +++++++++-
 cloud/atom.xml                           |   2 +-
 devops/atom.xml                          |   2 +-
 home/aks-azure-key-vault-csi/index.html  | 157 +++++++++-
 home/atom.xml                            | 156 +++++++++-
 kubernetes/atom.xml                      |   2 +-
 linux/atom.xml                           |   2 +-
 mikrotik/atom.xml                        |   2 +-
 monitoring/atom.xml                      |   2 +-
 sso/atom.xml                             |   2 +-
 virtualization/atom.xml                  |   2 +-
 windows/atom.xml                         |   2 +-
 15 files changed, 1176 insertions(+), 28 deletions(-)
 create mode 100644 Home/aks-azure-key-vault-csi.md.save
 create mode 100644 cloud/aks-azure-key-vault-csi.md.save

diff --git a/Home/aks-azure-key-vault-csi.md.save b/Home/aks-azure-key-vault-csi.md.save
new file mode 100644
index 0000000000..062893762e
--- /dev/null
+++ b/Home/aks-azure-key-vault-csi.md.save
@@ -0,0 +1,357 @@
+---
+title: "Azure Key Vault AKS integration with CSI Driver"
+date: "2023-03-08"
+thumbnail: "img/aks2.webp"
+disable_myintraments: false # Optional, disable Disqus myintraments if true
+authorbox: true # Optional, enable authorbox for specific post
+toc: true # Optional, enable Table of Contents for specific post
+mathjax: true # Optional, enable MathJax for specific post
+tags:
+  - "Azure"
+  - "AKS"
+  - "Kubernetes"
+  - "K8S"
+draft: false
+coffeebox: yes
+keywords:
+  - "Azure"
+  - "AKS"
+  - "streaming"
+---
+
+
+In this Post I will show you how you can use CSI Driver to mount secrets from Azure Key Vault to AKS.
+<!--more-->
+
+## Create key vault and add keys
+
+First we need to create a key vault
+
+```bash
+az aks enable-addons \
+--addons=azure-keyvault-secrets-provider \
+--name=$CLUSTER \
+--resource-group=$RG
+
+# create the key vault and turn on Azure RBAC; we will grant a managed identity access to this key vault below
+az keyvault create \
+--name $KV \
+--resource-group $RG \
+--location westeurope \
+--enable-rbac-authorization true
+
+# get the subscription id
+SUBSCRIPTION_ID=$(az account show --query id -o tsv)
+ 
+# get your user object id
+USER_OBJECT_ID=$(az ad signed-in-user show --query objectId -o tsv)
+ 
+# grant yourself access to key vault
+az role assignment create \
+--assignee-object-id $USER_OBJECT_ID \
+--role "Key Vault Administrator" \
+--scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV
+ 
+# add a secret to the key vault
+az keyvault secret set --vault-name $KV --name $SECRET --value $VALUE
+```
+
+Create secret in keyvault:
+
+```bash
+az keyvault secret set \
+--vault-name "$KV" \
+--name "sqldatabase" \
+--value 'kvdemo'
+
+az keyvault secret set \
+--vault-name "$KV" \
+--name "sqlusername" \
+--value 'root'
+
+az keyvault secret set \
+--vault-name "$KV" \
+--name "sqlpassword" \
+--value 'Password1'
+```
+
+## Acces key vault with AKS's managed identity
+
+If you created your AKS cluster with managed identity you need to grant access to a managed identity:
+
+```bash
+# grab the managed identity principalId assuming it is in the default
+# MC_ group for your cluster and resource group
+IDENTITY_ID=$(az identity show -g MC\_$RG\_$CLUSTER\_westeurope --name azurekeyvaultsecretsprovider-$CLUSTER --query principalId -o tsv)
+ 
+# grant access rights on Key Vault
+az role assignment create \
+--assignee-object-id $IDENTITY_ID \
+--role "Key Vault Administrator" \
+--scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV
+```
+
+Create a SecretProviderClass:
+
+```bash
+AZURE_TENANT_ID=$(az account show --query tenantId -o tsv)
+CLIENT_ID=$(az aks show -g $RG -n $CLUSTER --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv)
+```
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: demo-secret
+  namespace: default
+spec:
+  provider: azure
+  parameters:
+    usePodIdentity: "false"
+    # use managed identity
+    useVMManagedIdentity: "true"
+    # add managed identity id manually
+    userAssignedIdentityID: "$CLIENT_ID"
+    tenantId: "$AZURE_TENANT_ID"
+    keyvaultName: "$KV"
+    # name and type in keyvault
+    objects: |
+      array:
+        - |
+          objectName: "sqldatabase"
+          objectType: secret
+        - |
+          objectName: "sqlusername"
+          objectType: secret
+        - |
+          objectName: "sqlpassword"
+          objectType: secret
+  secretObjects:
+  - secretName: databasesecrets
+    type: Opaque
+    # name and key in secret
+    data:
+    - objectName: "sqldatabase"
+      key: sqldatabase
+    - objectName: "sqlusername"
+      key: sqlusername
+    - objectName: "sqlpassword"
+      key: sqlpassword
+EOF
+```
+
+Mount the secrets in pods
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: secretpods
+  name: secretpods
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secretpods
+  template:
+    metadata:
+      labels:
+        app: secretpods
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        # get as environment variables
+        env:
+          - name:  sqldatabase
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqldatabase
+          - name:  sqlusername
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlusername
+          - name:  sqlpassword
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlpassword
+        # mount as file
+        volumeMounts:
+          - name:  secret-store
+            mountPath:  "mnt/secret-store"
+            readOnly: true
+      # get the SecretProviderClass object
+      volumes:
+        - name:  secret-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "demo-secret"
+EOF
+```
+
+## Acces key vault with service principal
+
+Create an identity in Azure
+
+```bash
+export CLIENT_SECRET=$(az ad sp create-for-rbac \
+--role Contributor --scopes /subscriptions/$SUBSCRIPTION_ID \
+--name http://secrets-store-test --query 'password' -otsv)
+
+export CLIENT_ID=$(az ad sp show --id http://secrets-store-test --query 'appId' -otsv)
+```
+
+Provide the identity to access the Azure key vault
+
+```bash
+az keyvault set-policy -n $KV --secret-permissions get --spn $CLIENT_ID
+```
+
+Create the Kubernetes secret with credentials
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+data:
+  clientid: $CLIENT_ID
+  clientsecret: $CLIENT_SECRET
+kind: Secret
+metadata:
+  labels:
+    secrets-store.csi.k8s.io/used: "true"
+  name: secrets-store-creds
+  namespace: default
+type: Opaque
+EOF
+```
+
+Create and apply your own SecretProviderClass object
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: demo-secret
+  namespace: default
+spec:
+  provider: azure
+  parameters:
+    usePodIdentity: "false"
+    useVMManagedIdentity: "false"
+    tenantId: "$AZURE_TENANT_ID"
+    keyvaultName: "$KV"
+    # name and type in keyvault
+    objects: |
+      array:
+        - |
+          objectName: "sqldatabase"
+          objectType: secret
+        - |
+          objectName: "sqlusername"
+          objectType: secret
+        - |
+          objectName: "sqlpassword"
+          objectType: secret
+  secretObjects:
+  - secretName: databasesecrets
+    type: Opaque
+    # name and key in secret
+    data:
+    - objectName: "sqldatabase"
+      key: sqldatabase
+    - objectName: "sqlusername"
+      key: sqlusername
+    - objectName: "sqlpassword"
+      key: sqlpassword
+EOF
+```
+
+Mount the secrets in pods
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: secretpods
+  name: secretpods
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secretpods
+  template:
+    metadata:
+      labels:
+        app: secretpods
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        # get as environment variables
+        env:
+          - name:  sqldatabase
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqldatabase
+          - name:  sqlusername
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlusername
+          - name:  sqlpassword
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlpassword
+        # mount as file
+        volumeMounts:
+          - name:  secret-store
+            mountPath:  "mnt/secret-store"
+            readOnly: true
+      # get the SecretProviderClass object
+      volumes:
+        - name:  secret-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "demo-secret"
+            # Only required when using service principal mode
+            nodePublishSecretRef:
+              name: secrets-store-creds
+EOF
+```
+
+
+## Demo time
+
+Now we you can werify the secret in the pod:
+
+```bash
+export POD_NAME=$(kubectl get pods -l "app=secretpods" -o jsonpath="{.items[0].metadata.name}")
+ 
+# if this does not work, check the status of the pod
+# if still in ContainerCreating there might be an issue
+kubectl exec -it $POD_NAME -- sh
+ 
+cd /mnt/secret-store
+ls
+sqldatabase  sqlpassword  sqlusername
+# the file containing the secret is listed
+cat sqldatabase
+ 
+# echo the value of the environment variable
+echo $sqldatabase
+```
diff --git a/atom.xml b/atom.xml
index 32934e2760..e873934695 100644
--- a/atom.xml
+++ b/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/cloud/aks-azure-key-vault-csi.md.save b/cloud/aks-azure-key-vault-csi.md.save
new file mode 100644
index 0000000000..062893762e
--- /dev/null
+++ b/cloud/aks-azure-key-vault-csi.md.save
@@ -0,0 +1,357 @@
+---
+title: "Azure Key Vault AKS integration with CSI Driver"
+date: "2023-03-08"
+thumbnail: "img/aks2.webp"
+disable_myintraments: false # Optional, disable Disqus myintraments if true
+authorbox: true # Optional, enable authorbox for specific post
+toc: true # Optional, enable Table of Contents for specific post
+mathjax: true # Optional, enable MathJax for specific post
+tags:
+  - "Azure"
+  - "AKS"
+  - "Kubernetes"
+  - "K8S"
+draft: false
+coffeebox: yes
+keywords:
+  - "Azure"
+  - "AKS"
+  - "streaming"
+---
+
+
+In this Post I will show you how you can use CSI Driver to mount secrets from Azure Key Vault to AKS.
+<!--more-->
+
+## Create key vault and add keys
+
+First we need to create a key vault
+
+```bash
+az aks enable-addons \
+--addons=azure-keyvault-secrets-provider \
+--name=$CLUSTER \
+--resource-group=$RG
+
+# create the key vault and turn on Azure RBAC; we will grant a managed identity access to this key vault below
+az keyvault create \
+--name $KV \
+--resource-group $RG \
+--location westeurope \
+--enable-rbac-authorization true
+
+# get the subscription id
+SUBSCRIPTION_ID=$(az account show --query id -o tsv)
+ 
+# get your user object id
+USER_OBJECT_ID=$(az ad signed-in-user show --query objectId -o tsv)
+ 
+# grant yourself access to key vault
+az role assignment create \
+--assignee-object-id $USER_OBJECT_ID \
+--role "Key Vault Administrator" \
+--scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV
+ 
+# add a secret to the key vault
+az keyvault secret set --vault-name $KV --name $SECRET --value $VALUE
+```
+
+Create secret in keyvault:
+
+```bash
+az keyvault secret set \
+--vault-name "$KV" \
+--name "sqldatabase" \
+--value 'kvdemo'
+
+az keyvault secret set \
+--vault-name "$KV" \
+--name "sqlusername" \
+--value 'root'
+
+az keyvault secret set \
+--vault-name "$KV" \
+--name "sqlpassword" \
+--value 'Password1'
+```
+
+## Acces key vault with AKS's managed identity
+
+If you created your AKS cluster with managed identity you need to grant access to a managed identity:
+
+```bash
+# grab the managed identity principalId assuming it is in the default
+# MC_ group for your cluster and resource group
+IDENTITY_ID=$(az identity show -g MC\_$RG\_$CLUSTER\_westeurope --name azurekeyvaultsecretsprovider-$CLUSTER --query principalId -o tsv)
+ 
+# grant access rights on Key Vault
+az role assignment create \
+--assignee-object-id $IDENTITY_ID \
+--role "Key Vault Administrator" \
+--scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV
+```
+
+Create a SecretProviderClass:
+
+```bash
+AZURE_TENANT_ID=$(az account show --query tenantId -o tsv)
+CLIENT_ID=$(az aks show -g $RG -n $CLUSTER --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv)
+```
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: demo-secret
+  namespace: default
+spec:
+  provider: azure
+  parameters:
+    usePodIdentity: "false"
+    # use managed identity
+    useVMManagedIdentity: "true"
+    # add managed identity id manually
+    userAssignedIdentityID: "$CLIENT_ID"
+    tenantId: "$AZURE_TENANT_ID"
+    keyvaultName: "$KV"
+    # name and type in keyvault
+    objects: |
+      array:
+        - |
+          objectName: "sqldatabase"
+          objectType: secret
+        - |
+          objectName: "sqlusername"
+          objectType: secret
+        - |
+          objectName: "sqlpassword"
+          objectType: secret
+  secretObjects:
+  - secretName: databasesecrets
+    type: Opaque
+    # name and key in secret
+    data:
+    - objectName: "sqldatabase"
+      key: sqldatabase
+    - objectName: "sqlusername"
+      key: sqlusername
+    - objectName: "sqlpassword"
+      key: sqlpassword
+EOF
+```
+
+Mount the secrets in pods
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: secretpods
+  name: secretpods
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secretpods
+  template:
+    metadata:
+      labels:
+        app: secretpods
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        # get as environment variables
+        env:
+          - name:  sqldatabase
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqldatabase
+          - name:  sqlusername
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlusername
+          - name:  sqlpassword
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlpassword
+        # mount as file
+        volumeMounts:
+          - name:  secret-store
+            mountPath:  "mnt/secret-store"
+            readOnly: true
+      # get the SecretProviderClass object
+      volumes:
+        - name:  secret-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "demo-secret"
+EOF
+```
+
+## Acces key vault with service principal
+
+Create an identity in Azure
+
+```bash
+export CLIENT_SECRET=$(az ad sp create-for-rbac \
+--role Contributor --scopes /subscriptions/$SUBSCRIPTION_ID \
+--name http://secrets-store-test --query 'password' -otsv)
+
+export CLIENT_ID=$(az ad sp show --id http://secrets-store-test --query 'appId' -otsv)
+```
+
+Provide the identity to access the Azure key vault
+
+```bash
+az keyvault set-policy -n $KV --secret-permissions get --spn $CLIENT_ID
+```
+
+Create the Kubernetes secret with credentials
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+data:
+  clientid: $CLIENT_ID
+  clientsecret: $CLIENT_SECRET
+kind: Secret
+metadata:
+  labels:
+    secrets-store.csi.k8s.io/used: "true"
+  name: secrets-store-creds
+  namespace: default
+type: Opaque
+EOF
+```
+
+Create and apply your own SecretProviderClass object
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: demo-secret
+  namespace: default
+spec:
+  provider: azure
+  parameters:
+    usePodIdentity: "false"
+    useVMManagedIdentity: "false"
+    tenantId: "$AZURE_TENANT_ID"
+    keyvaultName: "$KV"
+    # name and type in keyvault
+    objects: |
+      array:
+        - |
+          objectName: "sqldatabase"
+          objectType: secret
+        - |
+          objectName: "sqlusername"
+          objectType: secret
+        - |
+          objectName: "sqlpassword"
+          objectType: secret
+  secretObjects:
+  - secretName: databasesecrets
+    type: Opaque
+    # name and key in secret
+    data:
+    - objectName: "sqldatabase"
+      key: sqldatabase
+    - objectName: "sqlusername"
+      key: sqlusername
+    - objectName: "sqlpassword"
+      key: sqlpassword
+EOF
+```
+
+Mount the secrets in pods
+
+```yaml
+cat <<EOF | kubectl apply -f -
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: secretpods
+  name: secretpods
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: secretpods
+  template:
+    metadata:
+      labels:
+        app: secretpods
+    spec:
+      containers:
+      - image: nginx
+        name: nginx
+        # get as environment variables
+        env:
+          - name:  sqldatabase
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqldatabase
+          - name:  sqlusername
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlusername
+          - name:  sqlpassword
+            valueFrom:
+              secretKeyRef:
+                name:  databasesecrets
+                key:  sqlpassword
+        # mount as file
+        volumeMounts:
+          - name:  secret-store
+            mountPath:  "mnt/secret-store"
+            readOnly: true
+      # get the SecretProviderClass object
+      volumes:
+        - name:  secret-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "demo-secret"
+            # Only required when using service principal mode
+            nodePublishSecretRef:
+              name: secrets-store-creds
+EOF
+```
+
+
+## Demo time
+
+Now we you can werify the secret in the pod:
+
+```bash
+export POD_NAME=$(kubectl get pods -l "app=secretpods" -o jsonpath="{.items[0].metadata.name}")
+ 
+# if this does not work, check the status of the pod
+# if still in ContainerCreating there might be an issue
+kubectl exec -it $POD_NAME -- sh
+ 
+cd /mnt/secret-store
+ls
+sqldatabase  sqlpassword  sqlusername
+# the file containing the secret is listed
+cat sqldatabase
+ 
+# echo the value of the environment variable
+echo $sqldatabase
+```
diff --git a/cloud/aks-azure-key-vault-csi/index.html b/cloud/aks-azure-key-vault-csi/index.html
index d6ed338d54..8ac30b8964 100644
--- a/cloud/aks-azure-key-vault-csi/index.html
+++ b/cloud/aks-azure-key-vault-csi/index.html
@@ -29,7 +29,7 @@
     "datePublished": "2023-03-08",
     "dateModified" : "2023-03-08",
     "url" : "https://devopstales.github.io/cloud/aks-azure-key-vault-csi/",
-    "wordCount" : "856",
+    "wordCount" : "1357",
     "keywords" : [ "Azure", "AKS", "streaming", "Blog" ]
     
 }
@@ -203,8 +203,9 @@ <h1 class="post__title">Azure Key Vault AKS integration with CSI Driver</h1>
 		<nav id="TableOfContents">
   <ul>
     <li><a href="#create-key-vault-and-add-keys">Create key vault and add keys</a></li>
-    <li><a href="#acces-key-vault-with-managed-identity">Acces key vault with managed identity</a></li>
+    <li><a href="#acces-key-vault-with-system-assigned-managed-identity">Acces key vault with system-assigned managed identity</a></li>
     <li><a href="#acces-key-vault-with-service-principal">Acces key vault with service principal</a></li>
+    <li><a href="#acces-key-vault-with-federated-workload-identity">Acces key vault with federated workload identity</a></li>
     <li><a href="#demo-time">Demo time</a></li>
   </ul>
 </nav>
@@ -254,8 +255,8 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
 </span><span style="color:#ae81ff"></span>--vault-name <span style="color:#e6db74">&#34;</span>$KV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--name <span style="color:#e6db74">&#34;sqlpassword&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--value <span style="color:#e6db74">&#39;Password1&#39;</span>
-</code></pre></div><h2 id="acces-key-vault-with-managed-identity">Acces key vault with managed identity</h2>
-<p>If you created your AKS cluster with managed identity you need to grant access to a managed identity:</p>
+</code></pre></div><h2 id="acces-key-vault-with-system-assigned-managed-identity">Acces key vault with system-assigned managed identity</h2>
+<p>If you created your AKS cluster with managed identity you can go to grant access to a managed identity:</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># grab the managed identity principalId assuming it is in the default</span>
 <span style="color:#75715e"># MC_ group for your cluster and resource group</span>
 IDENTITY_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az identity show -g MC<span style="color:#ae81ff">\_</span>$RG<span style="color:#ae81ff">\_</span>$CLUSTER<span style="color:#ae81ff">\_</span>westeurope --name azurekeyvaultsecretsprovider-$CLUSTER --query principalId -o tsv<span style="color:#66d9ef">)</span>
@@ -265,6 +266,11 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
 </span><span style="color:#ae81ff"></span>--assignee-object-id $IDENTITY_ID <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--role <span style="color:#e6db74">&#34;Key Vault Administrator&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV
+</code></pre></div><p>If not yet enabled you need to enable system-assigned managed identity on AKS:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az aks update <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name  $CLUSTER <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-managed-identity
 </code></pre></div><p>Create a SecretProviderClass:</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">AZURE_TENANT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az account show --query tenantId -o tsv<span style="color:#66d9ef">)</span>
 CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show -g $RG -n $CLUSTER --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv<span style="color:#66d9ef">)</span>
@@ -316,6 +322,7 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
   <span style="color:#f92672">labels</span>:
     <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
   <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
 <span style="color:#f92672">spec</span>:
   <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
   <span style="color:#f92672">selector</span>:
@@ -367,7 +374,7 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
 </span><span style="color:#ae81ff"></span>--name http://secrets-store-test --query <span style="color:#e6db74">&#39;password&#39;</span> -otsv<span style="color:#66d9ef">)</span>
 
 export CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az ad sp show --id http://secrets-store-test --query <span style="color:#e6db74">&#39;appId&#39;</span> -otsv<span style="color:#66d9ef">)</span>
-</code></pre></div><p>Provide the identity to access the Azure key vault</p>
+</code></pre></div><p>Provide policy to the identity to access the Azure key vault</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az keyvault set-policy -n $KV --secret-permissions get --spn $CLIENT_ID
 </code></pre></div><p>Create the Kubernetes secret with credentials</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
@@ -429,6 +436,7 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
   <span style="color:#f92672">labels</span>:
     <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
   <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
 <span style="color:#f92672">spec</span>:
   <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
   <span style="color:#f92672">selector</span>:
@@ -476,9 +484,146 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
             <span style="color:#f92672">nodePublishSecretRef</span>:
               <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secrets-store-creds</span>
 <span style="color:#ae81ff">EOF</span>
+</code></pre></div><h2 id="acces-key-vault-with-federated-workload-identity">Acces key vault with federated workload identity</h2>
+<p><a href="https://medium.com/@er.singh.nitin/integrate-azure-keyvault-with-aks-using-workload-identity-51e92d0e5063">https://medium.com/@er.singh.nitin/integrate-azure-keyvault-with-aks-using-workload-identity-51e92d0e5063</a></p>
+<p>This scanario is similar to the previous one, but instead of using managed identities we use the AKS cluster&rsquo;s workload identity to authenticate. In normal situation the identity is autenticates with a password. Password authentication is not the safest option. Instad we will use a federation to authenticate with OIDC SSO authentication.</p>
+<p>Enable OIDC issuer and Workload identity in an existing AKS cluster.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az aks update <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name  $CLUSTER <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-oidc-issuer <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-workload-identity
+</code></pre></div><p>Create a managed identity:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az identity create <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name secrets-store-test <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--location $RG_LOCATION <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--subscription $SUBSCRIPTION
+</code></pre></div><p>Get the OIDC issuer url and export it as an environment variable.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export AKS_OIDC_ISSUER<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show --name $CLUSTER --resource-group $RG --query <span style="color:#e6db74">&#34;oidcIssuerProfile.issuerUrl&#34;</span> -o tsv<span style="color:#66d9ef">)</span>
+</code></pre></div><p>Export managed identity variable. We will assign this to the AKS service account.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export USER_ASSIGNED_CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az identity show --resource-group $RG --name secrets-store-test --query <span style="color:#e6db74">&#39;clientId&#39;</span> -otsv<span style="color:#66d9ef">)</span>
+export IDENTITY_TENANT<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show --name $CLUSTER --resource-group $RG<span style="color:#66d9ef">)</span>
+</code></pre></div><p>Create AKS service account and we will assign the Managed Identity ClientID to it using <code>azure.workload.identity/client-id</code> annotation.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">az aks get-credentials -n $CLUSTER -g $RG</span>
+
+<span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ServiceAccount</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">annotations</span>:
+    <span style="color:#f92672">azure.workload.identity/client-id</span>: <span style="color:#ae81ff">${USER_ASSIGNED_CLIENT_ID}</span>
+  <span style="color:#f92672">labels</span>:
+    <span style="color:#f92672">azure.workload.identity/use</span>: <span style="color:#e6db74">&#34;true&#34;</span>
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">keyvault-sa</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#ae81ff">EOF</span>
+</code></pre></div><p>Create the federated identity credential between the managed identity, service account issuer and subject.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export FEDERATED_IDENTITY_NAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;aksfederatedidentity&#34;</span> <span style="color:#75715e"># can be changed as needed</span>
+az identity federated-credential create <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name $FEDERATED_IDENTITY_NAME <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--identity-name secrets-store-test <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--issuer <span style="color:#e6db74">${</span>AKS_OIDC_ISSUER<span style="color:#e6db74">}</span> <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--subject system:serviceaccount:default:keyvault-sa
+</code></pre></div><p>Provide policy to the identity to access the Azure key vault</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az keyvault set-policy -n $KV --secret-permissions get --spn $USER_ASSIGNED_CLIENT_ID
+</code></pre></div><p>Create a SecretProviderClass:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">AZURE_TENANT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az account show --query tenantId -o tsv<span style="color:#66d9ef">)</span>
+</code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">secrets-store.csi.x-k8s.io/v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">SecretProviderClass</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">demo-secret</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#f92672">spec</span>:
+  <span style="color:#f92672">provider</span>: <span style="color:#ae81ff">azure</span>
+  <span style="color:#f92672">parameters</span>:
+    <span style="color:#75715e"># use managed identity</span>
+    <span style="color:#f92672">useVMManagedIdentity</span>: <span style="color:#e6db74">&#34;false&#34;</span>
+    <span style="color:#f92672">clientID</span>: <span style="color:#e6db74">&#34;$USER_ASSIGNED_CLIENT_ID&#34;</span>
+    <span style="color:#f92672">tenantId</span>: <span style="color:#e6db74">&#34;$AZURE_TENANT_ID&#34;</span>
+    <span style="color:#f92672">keyvaultName</span>: <span style="color:#e6db74">&#34;$KV&#34;</span>
+    <span style="color:#75715e"># name and type in keyvault</span>
+    <span style="color:#f92672">objects</span>: |<span style="color:#e6db74">
+</span><span style="color:#e6db74">      array:
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqldatabase&#34;
+</span><span style="color:#e6db74">          objectType: secret
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqlusername&#34;
+</span><span style="color:#e6db74">          objectType: secret
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqlpassword&#34;
+</span><span style="color:#e6db74">          objectType: secret</span>      
+  <span style="color:#f92672">secretObjects</span>:
+  - <span style="color:#f92672">secretName</span>: <span style="color:#ae81ff">databasesecrets</span>
+    <span style="color:#f92672">type</span>: <span style="color:#ae81ff">Opaque</span>
+    <span style="color:#75715e"># name and key in secret</span>
+    <span style="color:#f92672">data</span>:
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqldatabase&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqldatabase</span>
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqlusername&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqlusername</span>
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqlpassword&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqlpassword</span>
+<span style="color:#ae81ff">EOF</span>
+</code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">apps/v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">Deployment</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">labels</span>:
+    <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#f92672">spec</span>:
+  <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
+  <span style="color:#f92672">selector</span>:
+    <span style="color:#f92672">matchLabels</span>:
+      <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">template</span>:
+    <span style="color:#f92672">metadata</span>:
+      <span style="color:#f92672">labels</span>:
+        <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+    <span style="color:#f92672">spec</span>:
+      <span style="color:#f92672">serviceAccountName</span>: <span style="color:#ae81ff">keyvault-sa</span>
+      <span style="color:#f92672">containers</span>:
+      - <span style="color:#f92672">image</span>: <span style="color:#ae81ff">nginx</span>
+        <span style="color:#f92672">name</span>: <span style="color:#ae81ff">nginx</span>
+        <span style="color:#75715e"># get as environment variables</span>
+        <span style="color:#f92672">env</span>:
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqldatabase</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqldatabase</span>
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqlusername</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqlusername</span>
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqlpassword</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqlpassword</span>
+        <span style="color:#75715e"># mount as file</span>
+        <span style="color:#f92672">volumeMounts</span>:
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">secret-store</span>
+            <span style="color:#f92672">mountPath</span>:  <span style="color:#e6db74">&#34;mnt/secret-store&#34;</span>
+            <span style="color:#f92672">readOnly</span>: <span style="color:#66d9ef">true</span>
+      <span style="color:#75715e"># get the SecretProviderClass object</span>
+      <span style="color:#f92672">volumes</span>:
+        - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">secret-store</span>
+          <span style="color:#f92672">csi</span>:
+            <span style="color:#f92672">driver</span>: <span style="color:#ae81ff">secrets-store.csi.k8s.io</span>
+            <span style="color:#f92672">readOnly</span>: <span style="color:#66d9ef">true</span>
+            <span style="color:#f92672">volumeAttributes</span>:
+              <span style="color:#f92672">secretProviderClass</span>: <span style="color:#e6db74">&#34;demo-secret&#34;</span>
+<span style="color:#ae81ff">EOF</span>
 </code></pre></div><h2 id="demo-time">Demo time</h2>
 <p>Now we you can werify the secret in the pod:</p>
-<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export POD_NAME<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get pods -l <span style="color:#e6db74">&#34;app=secretpods&#34;</span> -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#66d9ef">)</span>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export POD_NAME<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get pods -n default -l <span style="color:#e6db74">&#34;app=secretpods&#34;</span> -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#66d9ef">)</span>
  
 <span style="color:#75715e"># if this does not work, check the status of the pod</span>
 <span style="color:#75715e"># if still in ContainerCreating there might be an issue</span>
diff --git a/cloud/atom.xml b/cloud/atom.xml
index f2f191c1a0..269372a37e 100644
--- a/cloud/atom.xml
+++ b/cloud/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/cloud/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/cloud/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/cloud/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/devops/atom.xml b/devops/atom.xml
index 690869c342..d3a9f1f0b8 100644
--- a/devops/atom.xml
+++ b/devops/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/devops/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/devops/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/devops/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/home/aks-azure-key-vault-csi/index.html b/home/aks-azure-key-vault-csi/index.html
index 1ab761284b..60af9c35a9 100644
--- a/home/aks-azure-key-vault-csi/index.html
+++ b/home/aks-azure-key-vault-csi/index.html
@@ -29,7 +29,7 @@
     "datePublished": "2023-03-08",
     "dateModified" : "2023-03-08",
     "url" : "https://devopstales.github.io/home/aks-azure-key-vault-csi/",
-    "wordCount" : "856",
+    "wordCount" : "1357",
     "keywords" : [ "devops", "tales", "Azure", "AKS", "streaming", "Blog" ]
     
 }
@@ -203,8 +203,9 @@ <h1 class="post__title">Azure Key Vault AKS integration with CSI Driver</h1>
 		<nav id="TableOfContents">
   <ul>
     <li><a href="#create-key-vault-and-add-keys">Create key vault and add keys</a></li>
-    <li><a href="#acces-key-vault-with-managed-identity">Acces key vault with managed identity</a></li>
+    <li><a href="#acces-key-vault-with-system-assigned-managed-identity">Acces key vault with system-assigned managed identity</a></li>
     <li><a href="#acces-key-vault-with-service-principal">Acces key vault with service principal</a></li>
+    <li><a href="#acces-key-vault-with-federated-workload-identity">Acces key vault with federated workload identity</a></li>
     <li><a href="#demo-time">Demo time</a></li>
   </ul>
 </nav>
@@ -254,8 +255,8 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
 </span><span style="color:#ae81ff"></span>--vault-name <span style="color:#e6db74">&#34;</span>$KV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--name <span style="color:#e6db74">&#34;sqlpassword&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--value <span style="color:#e6db74">&#39;Password1&#39;</span>
-</code></pre></div><h2 id="acces-key-vault-with-managed-identity">Acces key vault with managed identity</h2>
-<p>If you created your AKS cluster with managed identity you need to grant access to a managed identity:</p>
+</code></pre></div><h2 id="acces-key-vault-with-system-assigned-managed-identity">Acces key vault with system-assigned managed identity</h2>
+<p>If you created your AKS cluster with managed identity you can go to grant access to a managed identity:</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># grab the managed identity principalId assuming it is in the default</span>
 <span style="color:#75715e"># MC_ group for your cluster and resource group</span>
 IDENTITY_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az identity show -g MC<span style="color:#ae81ff">\_</span>$RG<span style="color:#ae81ff">\_</span>$CLUSTER<span style="color:#ae81ff">\_</span>westeurope --name azurekeyvaultsecretsprovider-$CLUSTER --query principalId -o tsv<span style="color:#66d9ef">)</span>
@@ -265,6 +266,11 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
 </span><span style="color:#ae81ff"></span>--assignee-object-id $IDENTITY_ID <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--role <span style="color:#e6db74">&#34;Key Vault Administrator&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV
+</code></pre></div><p>If not yet enabled you need to enable system-assigned managed identity on AKS:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az aks update <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name  $CLUSTER <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-managed-identity
 </code></pre></div><p>Create a SecretProviderClass:</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">AZURE_TENANT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az account show --query tenantId -o tsv<span style="color:#66d9ef">)</span>
 CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show -g $RG -n $CLUSTER --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv<span style="color:#66d9ef">)</span>
@@ -316,6 +322,7 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
   <span style="color:#f92672">labels</span>:
     <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
   <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
 <span style="color:#f92672">spec</span>:
   <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
   <span style="color:#f92672">selector</span>:
@@ -367,7 +374,7 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
 </span><span style="color:#ae81ff"></span>--name http://secrets-store-test --query <span style="color:#e6db74">&#39;password&#39;</span> -otsv<span style="color:#66d9ef">)</span>
 
 export CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az ad sp show --id http://secrets-store-test --query <span style="color:#e6db74">&#39;appId&#39;</span> -otsv<span style="color:#66d9ef">)</span>
-</code></pre></div><p>Provide the identity to access the Azure key vault</p>
+</code></pre></div><p>Provide policy to the identity to access the Azure key vault</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az keyvault set-policy -n $KV --secret-permissions get --spn $CLIENT_ID
 </code></pre></div><p>Create the Kubernetes secret with credentials</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
@@ -429,6 +436,7 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
   <span style="color:#f92672">labels</span>:
     <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
   <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
 <span style="color:#f92672">spec</span>:
   <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
   <span style="color:#f92672">selector</span>:
@@ -476,9 +484,146 @@ <h2 id="create-key-vault-and-add-keys">Create key vault and add keys</h2>
             <span style="color:#f92672">nodePublishSecretRef</span>:
               <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secrets-store-creds</span>
 <span style="color:#ae81ff">EOF</span>
+</code></pre></div><h2 id="acces-key-vault-with-federated-workload-identity">Acces key vault with federated workload identity</h2>
+<p><a href="https://medium.com/@er.singh.nitin/integrate-azure-keyvault-with-aks-using-workload-identity-51e92d0e5063">https://medium.com/@er.singh.nitin/integrate-azure-keyvault-with-aks-using-workload-identity-51e92d0e5063</a></p>
+<p>This scanario is similar to the previous one, but instead of using managed identities we use the AKS cluster&rsquo;s workload identity to authenticate. In normal situation the identity is autenticates with a password. Password authentication is not the safest option. Instad we will use a federation to authenticate with OIDC SSO authentication.</p>
+<p>Enable OIDC issuer and Workload identity in an existing AKS cluster.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az aks update <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name  $CLUSTER <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-oidc-issuer <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-workload-identity
+</code></pre></div><p>Create a managed identity:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az identity create <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name secrets-store-test <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--location $RG_LOCATION <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--subscription $SUBSCRIPTION
+</code></pre></div><p>Get the OIDC issuer url and export it as an environment variable.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export AKS_OIDC_ISSUER<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show --name $CLUSTER --resource-group $RG --query <span style="color:#e6db74">&#34;oidcIssuerProfile.issuerUrl&#34;</span> -o tsv<span style="color:#66d9ef">)</span>
+</code></pre></div><p>Export managed identity variable. We will assign this to the AKS service account.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export USER_ASSIGNED_CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az identity show --resource-group $RG --name secrets-store-test --query <span style="color:#e6db74">&#39;clientId&#39;</span> -otsv<span style="color:#66d9ef">)</span>
+export IDENTITY_TENANT<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show --name $CLUSTER --resource-group $RG<span style="color:#66d9ef">)</span>
+</code></pre></div><p>Create AKS service account and we will assign the Managed Identity ClientID to it using <code>azure.workload.identity/client-id</code> annotation.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">az aks get-credentials -n $CLUSTER -g $RG</span>
+
+<span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ServiceAccount</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">annotations</span>:
+    <span style="color:#f92672">azure.workload.identity/client-id</span>: <span style="color:#ae81ff">${USER_ASSIGNED_CLIENT_ID}</span>
+  <span style="color:#f92672">labels</span>:
+    <span style="color:#f92672">azure.workload.identity/use</span>: <span style="color:#e6db74">&#34;true&#34;</span>
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">keyvault-sa</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#ae81ff">EOF</span>
+</code></pre></div><p>Create the federated identity credential between the managed identity, service account issuer and subject.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export FEDERATED_IDENTITY_NAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;aksfederatedidentity&#34;</span> <span style="color:#75715e"># can be changed as needed</span>
+az identity federated-credential create <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name $FEDERATED_IDENTITY_NAME <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--identity-name secrets-store-test <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--issuer <span style="color:#e6db74">${</span>AKS_OIDC_ISSUER<span style="color:#e6db74">}</span> <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--subject system:serviceaccount:default:keyvault-sa
+</code></pre></div><p>Provide policy to the identity to access the Azure key vault</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az keyvault set-policy -n $KV --secret-permissions get --spn $USER_ASSIGNED_CLIENT_ID
+</code></pre></div><p>Create a SecretProviderClass:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">AZURE_TENANT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az account show --query tenantId -o tsv<span style="color:#66d9ef">)</span>
+</code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">secrets-store.csi.x-k8s.io/v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">SecretProviderClass</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">demo-secret</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#f92672">spec</span>:
+  <span style="color:#f92672">provider</span>: <span style="color:#ae81ff">azure</span>
+  <span style="color:#f92672">parameters</span>:
+    <span style="color:#75715e"># use managed identity</span>
+    <span style="color:#f92672">useVMManagedIdentity</span>: <span style="color:#e6db74">&#34;false&#34;</span>
+    <span style="color:#f92672">clientID</span>: <span style="color:#e6db74">&#34;$USER_ASSIGNED_CLIENT_ID&#34;</span>
+    <span style="color:#f92672">tenantId</span>: <span style="color:#e6db74">&#34;$AZURE_TENANT_ID&#34;</span>
+    <span style="color:#f92672">keyvaultName</span>: <span style="color:#e6db74">&#34;$KV&#34;</span>
+    <span style="color:#75715e"># name and type in keyvault</span>
+    <span style="color:#f92672">objects</span>: |<span style="color:#e6db74">
+</span><span style="color:#e6db74">      array:
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqldatabase&#34;
+</span><span style="color:#e6db74">          objectType: secret
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqlusername&#34;
+</span><span style="color:#e6db74">          objectType: secret
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqlpassword&#34;
+</span><span style="color:#e6db74">          objectType: secret</span>      
+  <span style="color:#f92672">secretObjects</span>:
+  - <span style="color:#f92672">secretName</span>: <span style="color:#ae81ff">databasesecrets</span>
+    <span style="color:#f92672">type</span>: <span style="color:#ae81ff">Opaque</span>
+    <span style="color:#75715e"># name and key in secret</span>
+    <span style="color:#f92672">data</span>:
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqldatabase&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqldatabase</span>
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqlusername&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqlusername</span>
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqlpassword&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqlpassword</span>
+<span style="color:#ae81ff">EOF</span>
+</code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">apps/v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">Deployment</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">labels</span>:
+    <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#f92672">spec</span>:
+  <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
+  <span style="color:#f92672">selector</span>:
+    <span style="color:#f92672">matchLabels</span>:
+      <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">template</span>:
+    <span style="color:#f92672">metadata</span>:
+      <span style="color:#f92672">labels</span>:
+        <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+    <span style="color:#f92672">spec</span>:
+      <span style="color:#f92672">serviceAccountName</span>: <span style="color:#ae81ff">keyvault-sa</span>
+      <span style="color:#f92672">containers</span>:
+      - <span style="color:#f92672">image</span>: <span style="color:#ae81ff">nginx</span>
+        <span style="color:#f92672">name</span>: <span style="color:#ae81ff">nginx</span>
+        <span style="color:#75715e"># get as environment variables</span>
+        <span style="color:#f92672">env</span>:
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqldatabase</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqldatabase</span>
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqlusername</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqlusername</span>
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqlpassword</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqlpassword</span>
+        <span style="color:#75715e"># mount as file</span>
+        <span style="color:#f92672">volumeMounts</span>:
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">secret-store</span>
+            <span style="color:#f92672">mountPath</span>:  <span style="color:#e6db74">&#34;mnt/secret-store&#34;</span>
+            <span style="color:#f92672">readOnly</span>: <span style="color:#66d9ef">true</span>
+      <span style="color:#75715e"># get the SecretProviderClass object</span>
+      <span style="color:#f92672">volumes</span>:
+        - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">secret-store</span>
+          <span style="color:#f92672">csi</span>:
+            <span style="color:#f92672">driver</span>: <span style="color:#ae81ff">secrets-store.csi.k8s.io</span>
+            <span style="color:#f92672">readOnly</span>: <span style="color:#66d9ef">true</span>
+            <span style="color:#f92672">volumeAttributes</span>:
+              <span style="color:#f92672">secretProviderClass</span>: <span style="color:#e6db74">&#34;demo-secret&#34;</span>
+<span style="color:#ae81ff">EOF</span>
 </code></pre></div><h2 id="demo-time">Demo time</h2>
 <p>Now we you can werify the secret in the pod:</p>
-<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export POD_NAME<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get pods -l <span style="color:#e6db74">&#34;app=secretpods&#34;</span> -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#66d9ef">)</span>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export POD_NAME<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get pods -n default -l <span style="color:#e6db74">&#34;app=secretpods&#34;</span> -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#66d9ef">)</span>
  
 <span style="color:#75715e"># if this does not work, check the status of the pod</span>
 <span style="color:#75715e"># if still in ContainerCreating there might be an issue</span>
diff --git a/home/atom.xml b/home/atom.xml
index 7d0ddbac2e..3f5f27c424 100644
--- a/home/atom.xml
+++ b/home/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/home/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/home/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/home/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
@@ -7437,8 +7437,8 @@ az keyvault secret set <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--vault-name <span style="color:#e6db74">&#34;</span>$KV<span style="color:#e6db74">&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--name <span style="color:#e6db74">&#34;sqlpassword&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--value <span style="color:#e6db74">&#39;Password1&#39;</span>
-</code></pre></div><h2 id="acces-key-vault-with-managed-identity">Acces key vault with managed identity</h2>
-<p>If you created your AKS cluster with managed identity you need to grant access to a managed identity:</p>
+</code></pre></div><h2 id="acces-key-vault-with-system-assigned-managed-identity">Acces key vault with system-assigned managed identity</h2>
+<p>If you created your AKS cluster with managed identity you can go to grant access to a managed identity:</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash"><span style="color:#75715e"># grab the managed identity principalId assuming it is in the default</span>
 <span style="color:#75715e"># MC_ group for your cluster and resource group</span>
 IDENTITY_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az identity show -g MC<span style="color:#ae81ff">\_</span>$RG<span style="color:#ae81ff">\_</span>$CLUSTER<span style="color:#ae81ff">\_</span>westeurope --name azurekeyvaultsecretsprovider-$CLUSTER --query principalId -o tsv<span style="color:#66d9ef">)</span>
@@ -7448,6 +7448,11 @@ az role assignment create <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--assignee-object-id $IDENTITY_ID <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--role <span style="color:#e6db74">&#34;Key Vault Administrator&#34;</span> <span style="color:#ae81ff">\
 </span><span style="color:#ae81ff"></span>--scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/$KV
+</code></pre></div><p>If not yet enabled you need to enable system-assigned managed identity on AKS:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az aks update <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name  $CLUSTER <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-managed-identity
 </code></pre></div><p>Create a SecretProviderClass:</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">AZURE_TENANT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az account show --query tenantId -o tsv<span style="color:#66d9ef">)</span>
 CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show -g $RG -n $CLUSTER --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv<span style="color:#66d9ef">)</span>
@@ -7499,6 +7504,7 @@ CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</spa
   <span style="color:#f92672">labels</span>:
     <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
   <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
 <span style="color:#f92672">spec</span>:
   <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
   <span style="color:#f92672">selector</span>:
@@ -7550,7 +7556,7 @@ CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</spa
 </span><span style="color:#ae81ff"></span>--name http://secrets-store-test --query <span style="color:#e6db74">&#39;password&#39;</span> -otsv<span style="color:#66d9ef">)</span>
 
 export CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az ad sp show --id http://secrets-store-test --query <span style="color:#e6db74">&#39;appId&#39;</span> -otsv<span style="color:#66d9ef">)</span>
-</code></pre></div><p>Provide the identity to access the Azure key vault</p>
+</code></pre></div><p>Provide policy to the identity to access the Azure key vault</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az keyvault set-policy -n $KV --secret-permissions get --spn $CLIENT_ID
 </code></pre></div><p>Create the Kubernetes secret with credentials</p>
 <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
@@ -7612,6 +7618,7 @@ export CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">
   <span style="color:#f92672">labels</span>:
     <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
   <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
 <span style="color:#f92672">spec</span>:
   <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
   <span style="color:#f92672">selector</span>:
@@ -7659,9 +7666,146 @@ export CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">
             <span style="color:#f92672">nodePublishSecretRef</span>:
               <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secrets-store-creds</span>
 <span style="color:#ae81ff">EOF</span>
+</code></pre></div><h2 id="acces-key-vault-with-federated-workload-identity">Acces key vault with federated workload identity</h2>
+<p><a href="https://medium.com/@er.singh.nitin/integrate-azure-keyvault-with-aks-using-workload-identity-51e92d0e5063">https://medium.com/@er.singh.nitin/integrate-azure-keyvault-with-aks-using-workload-identity-51e92d0e5063</a></p>
+<p>This scanario is similar to the previous one, but instead of using managed identities we use the AKS cluster&rsquo;s workload identity to authenticate. In normal situation the identity is autenticates with a password. Password authentication is not the safest option. Instad we will use a federation to authenticate with OIDC SSO authentication.</p>
+<p>Enable OIDC issuer and Workload identity in an existing AKS cluster.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az aks update <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name  $CLUSTER <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-oidc-issuer <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--enable-workload-identity
+</code></pre></div><p>Create a managed identity:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az identity create <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name secrets-store-test <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--location $RG_LOCATION <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--subscription $SUBSCRIPTION
+</code></pre></div><p>Get the OIDC issuer url and export it as an environment variable.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export AKS_OIDC_ISSUER<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show --name $CLUSTER --resource-group $RG --query <span style="color:#e6db74">&#34;oidcIssuerProfile.issuerUrl&#34;</span> -o tsv<span style="color:#66d9ef">)</span>
+</code></pre></div><p>Export managed identity variable. We will assign this to the AKS service account.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export USER_ASSIGNED_CLIENT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az identity show --resource-group $RG --name secrets-store-test --query <span style="color:#e6db74">&#39;clientId&#39;</span> -otsv<span style="color:#66d9ef">)</span>
+export IDENTITY_TENANT<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az aks show --name $CLUSTER --resource-group $RG<span style="color:#66d9ef">)</span>
+</code></pre></div><p>Create AKS service account and we will assign the Managed Identity ClientID to it using <code>azure.workload.identity/client-id</code> annotation.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">az aks get-credentials -n $CLUSTER -g $RG</span>
+
+<span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">ServiceAccount</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">annotations</span>:
+    <span style="color:#f92672">azure.workload.identity/client-id</span>: <span style="color:#ae81ff">${USER_ASSIGNED_CLIENT_ID}</span>
+  <span style="color:#f92672">labels</span>:
+    <span style="color:#f92672">azure.workload.identity/use</span>: <span style="color:#e6db74">&#34;true&#34;</span>
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">keyvault-sa</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#ae81ff">EOF</span>
+</code></pre></div><p>Create the federated identity credential between the managed identity, service account issuer and subject.</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export FEDERATED_IDENTITY_NAME<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;aksfederatedidentity&#34;</span> <span style="color:#75715e"># can be changed as needed</span>
+az identity federated-credential create <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--name $FEDERATED_IDENTITY_NAME <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--identity-name secrets-store-test <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--resource-group $RG <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--issuer <span style="color:#e6db74">${</span>AKS_OIDC_ISSUER<span style="color:#e6db74">}</span> <span style="color:#ae81ff">\
+</span><span style="color:#ae81ff"></span>--subject system:serviceaccount:default:keyvault-sa
+</code></pre></div><p>Provide policy to the identity to access the Azure key vault</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">az keyvault set-policy -n $KV --secret-permissions get --spn $USER_ASSIGNED_CLIENT_ID
+</code></pre></div><p>Create a SecretProviderClass:</p>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">AZURE_TENANT_ID<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>az account show --query tenantId -o tsv<span style="color:#66d9ef">)</span>
+</code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">secrets-store.csi.x-k8s.io/v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">SecretProviderClass</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">demo-secret</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#f92672">spec</span>:
+  <span style="color:#f92672">provider</span>: <span style="color:#ae81ff">azure</span>
+  <span style="color:#f92672">parameters</span>:
+    <span style="color:#75715e"># use managed identity</span>
+    <span style="color:#f92672">useVMManagedIdentity</span>: <span style="color:#e6db74">&#34;false&#34;</span>
+    <span style="color:#f92672">clientID</span>: <span style="color:#e6db74">&#34;$USER_ASSIGNED_CLIENT_ID&#34;</span>
+    <span style="color:#f92672">tenantId</span>: <span style="color:#e6db74">&#34;$AZURE_TENANT_ID&#34;</span>
+    <span style="color:#f92672">keyvaultName</span>: <span style="color:#e6db74">&#34;$KV&#34;</span>
+    <span style="color:#75715e"># name and type in keyvault</span>
+    <span style="color:#f92672">objects</span>: |<span style="color:#e6db74">
+</span><span style="color:#e6db74">      array:
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqldatabase&#34;
+</span><span style="color:#e6db74">          objectType: secret
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqlusername&#34;
+</span><span style="color:#e6db74">          objectType: secret
+</span><span style="color:#e6db74">        - |
+</span><span style="color:#e6db74">          objectName: &#34;sqlpassword&#34;
+</span><span style="color:#e6db74">          objectType: secret</span>      
+  <span style="color:#f92672">secretObjects</span>:
+  - <span style="color:#f92672">secretName</span>: <span style="color:#ae81ff">databasesecrets</span>
+    <span style="color:#f92672">type</span>: <span style="color:#ae81ff">Opaque</span>
+    <span style="color:#75715e"># name and key in secret</span>
+    <span style="color:#f92672">data</span>:
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqldatabase&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqldatabase</span>
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqlusername&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqlusername</span>
+    - <span style="color:#f92672">objectName</span>: <span style="color:#e6db74">&#34;sqlpassword&#34;</span>
+      <span style="color:#f92672">key</span>: <span style="color:#ae81ff">sqlpassword</span>
+<span style="color:#ae81ff">EOF</span>
+</code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-yaml" data-lang="yaml"><span style="color:#ae81ff">cat &lt;&lt;EOF | kubectl apply -f -</span>
+<span style="color:#f92672">apiVersion</span>: <span style="color:#ae81ff">apps/v1</span>
+<span style="color:#f92672">kind</span>: <span style="color:#ae81ff">Deployment</span>
+<span style="color:#f92672">metadata</span>:
+  <span style="color:#f92672">labels</span>:
+    <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">name</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">namespace</span>: <span style="color:#ae81ff">default</span>
+<span style="color:#f92672">spec</span>:
+  <span style="color:#f92672">replicas</span>: <span style="color:#ae81ff">1</span>
+  <span style="color:#f92672">selector</span>:
+    <span style="color:#f92672">matchLabels</span>:
+      <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+  <span style="color:#f92672">template</span>:
+    <span style="color:#f92672">metadata</span>:
+      <span style="color:#f92672">labels</span>:
+        <span style="color:#f92672">app</span>: <span style="color:#ae81ff">secretpods</span>
+    <span style="color:#f92672">spec</span>:
+      <span style="color:#f92672">serviceAccountName</span>: <span style="color:#ae81ff">keyvault-sa</span>
+      <span style="color:#f92672">containers</span>:
+      - <span style="color:#f92672">image</span>: <span style="color:#ae81ff">nginx</span>
+        <span style="color:#f92672">name</span>: <span style="color:#ae81ff">nginx</span>
+        <span style="color:#75715e"># get as environment variables</span>
+        <span style="color:#f92672">env</span>:
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqldatabase</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqldatabase</span>
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqlusername</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqlusername</span>
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">sqlpassword</span>
+            <span style="color:#f92672">valueFrom</span>:
+              <span style="color:#f92672">secretKeyRef</span>:
+                <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">databasesecrets</span>
+                <span style="color:#f92672">key</span>:  <span style="color:#ae81ff">sqlpassword</span>
+        <span style="color:#75715e"># mount as file</span>
+        <span style="color:#f92672">volumeMounts</span>:
+          - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">secret-store</span>
+            <span style="color:#f92672">mountPath</span>:  <span style="color:#e6db74">&#34;mnt/secret-store&#34;</span>
+            <span style="color:#f92672">readOnly</span>: <span style="color:#66d9ef">true</span>
+      <span style="color:#75715e"># get the SecretProviderClass object</span>
+      <span style="color:#f92672">volumes</span>:
+        - <span style="color:#f92672">name</span>:  <span style="color:#ae81ff">secret-store</span>
+          <span style="color:#f92672">csi</span>:
+            <span style="color:#f92672">driver</span>: <span style="color:#ae81ff">secrets-store.csi.k8s.io</span>
+            <span style="color:#f92672">readOnly</span>: <span style="color:#66d9ef">true</span>
+            <span style="color:#f92672">volumeAttributes</span>:
+              <span style="color:#f92672">secretProviderClass</span>: <span style="color:#e6db74">&#34;demo-secret&#34;</span>
+<span style="color:#ae81ff">EOF</span>
 </code></pre></div><h2 id="demo-time">Demo time</h2>
 <p>Now we you can werify the secret in the pod:</p>
-<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export POD_NAME<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get pods -l <span style="color:#e6db74">&#34;app=secretpods&#34;</span> -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#66d9ef">)</span>
+<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-bash" data-lang="bash">export POD_NAME<span style="color:#f92672">=</span><span style="color:#66d9ef">$(</span>kubectl get pods -n default -l <span style="color:#e6db74">&#34;app=secretpods&#34;</span> -o jsonpath<span style="color:#f92672">=</span><span style="color:#e6db74">&#34;{.items[0].metadata.name}&#34;</span><span style="color:#66d9ef">)</span>
  
 <span style="color:#75715e"># if this does not work, check the status of the pod</span>
 <span style="color:#75715e"># if still in ContainerCreating there might be an issue</span>
@@ -8270,8 +8414,8 @@ notAfter<span style="color:#f92672">=</span>Aug <span style="color:#ae81ff">29</
             
                 <link href="https://devopstales.github.io/home/openshift4-registry/?utm_source=atom_feed" rel="related" type="text/html" title="Configuringure OKD OpenShift 4 registry for bare metal" />
                 <link href="https://devopstales.github.io/home/openshift4-tekton/?utm_source=atom_feed" rel="related" type="text/html" title="Deploying Tekton on OpenShift 4" />
-                <link href="https://devopstales.github.io/devops/openshift4-buildconfig/?utm_source=atom_feed" rel="related" type="text/html" title="Understand OKD OpenShift 4 Buildconfig Configurations" />
                 <link href="https://devopstales.github.io/kubernetes/openshift4-buildconfig/?utm_source=atom_feed" rel="related" type="text/html" title="Understand OKD OpenShift 4 Buildconfig Configurations" />
+                <link href="https://devopstales.github.io/devops/openshift4-buildconfig/?utm_source=atom_feed" rel="related" type="text/html" title="Understand OKD OpenShift 4 Buildconfig Configurations" />
                 <link href="https://devopstales.github.io/home/openshift-log4shell/?utm_source=atom_feed" rel="related" type="text/html" title="Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)" />
             
                 <id>https://devopstales.github.io/home/openshift4-buildconfig/</id>
diff --git a/kubernetes/atom.xml b/kubernetes/atom.xml
index fd47a8387d..cdb4869f25 100644
--- a/kubernetes/atom.xml
+++ b/kubernetes/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/kubernetes/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/kubernetes/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/kubernetes/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/linux/atom.xml b/linux/atom.xml
index efaf4d0ea2..d99bb5032b 100644
--- a/linux/atom.xml
+++ b/linux/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/linux/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/linux/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/linux/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/mikrotik/atom.xml b/mikrotik/atom.xml
index a900f85af6..e522ae8e7c 100644
--- a/mikrotik/atom.xml
+++ b/mikrotik/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/mikrotik/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/mikrotik/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/mikrotik/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/monitoring/atom.xml b/monitoring/atom.xml
index 5e683d664f..e513ebe595 100644
--- a/monitoring/atom.xml
+++ b/monitoring/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/monitoring/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/monitoring/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/monitoring/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/sso/atom.xml b/sso/atom.xml
index 02e2ec6e6f..d287c43edf 100644
--- a/sso/atom.xml
+++ b/sso/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/sso/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/sso/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/sso/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/virtualization/atom.xml b/virtualization/atom.xml
index c5fc57785c..b04bf245e6 100644
--- a/virtualization/atom.xml
+++ b/virtualization/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/virtualization/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/virtualization/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/virtualization/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>
diff --git a/windows/atom.xml b/windows/atom.xml
index 3b86a61b73..9b4b9448b1 100644
--- a/windows/atom.xml
+++ b/windows/atom.xml
@@ -9,7 +9,7 @@
             <link href="https://devopstales.github.io/windows/" rel="alternate" type="text/html" title="HTML" />
             <link href="https://devopstales.github.io/windows/index.xml" rel="alternate" type="application/rss+xml" title="RSS" />
             <link href="https://devopstales.github.io/windows/atom.xml" rel="self" type="application/atom+xml" title="Atom" />
-    <updated>2024-10-14T13:44:33+00:00</updated>
+    <updated>2024-10-18T14:22:41+00:00</updated>
     
     
     <author>