fairmoney · mihaelabalas84 · Jul 8, 2025 · Jul 7, 2025 · Jul 8, 2025
diff --git a/charts/temporal/README.md b/charts/temporal/README.md
@@ -100,9 +100,12 @@ Now, to release a new FM temporal server image, from `fairmoney/temporal-docker-
 
 # Build cross cluster CA trust using Pushsecret from ESO and Bundle from trust-manager
 
-Using `Object.kubernetes.crossplane.io` and `watch` feature from provider-kubernetes, a `PushSecret` resource is created each time `temporal-ca-secret` in `cert-manager` namespace has a new `resourceVersion` (meaning the root CA was renewed or changed for some reason). When this happens, `PushSecret` adds a new key/value in `temporal/non-prod-root-ca-list` secret from AWS Secrets Manager. The key is the `resourceVersion` of the secret and the value is the new root CA (`tls.crt`).
+Using `Object.kubernetes.crossplane.io` and `watch` feature from provider-kubernetes, a `PushSecret` resource is created each time `temporal-ca-secret` in `cert-manager` namespace has a new `resourceVersion` (meaning the root CA was renewed or changed for some reason). When this happens, 
 
-Then, using `externalsecret` from ESO, the Secrets Manager secret is imported into `temporal-root-ca-list` secret in `cert-manager` namespace.
+- [AWS implementation] `PushSecret` adds a new key/value in `temporal/non-prod-root-ca-list` secret from AWS Secrets Manager. The key is the `resourceVersion` of the secret and the value is the new root CA (`tls.crt`).
+- [Azure implementation] `PushSecret` adds a new secret in Azure Key Vault. The secret name is the new `resourceVersion` (8-digit name) and the value is the new root CA in PEM format.
+
+Then, using `externalsecret` from ESO, the Secrets Manager secret (or the Azure Key Vault secrets) are imported into `temporal-root-ca-list` secret in `cert-manager` namespace.
 
 Lastly, a `Bundle.trust.cert-manager.io` resource takes all keys from `temporal-root-ca-list` secret and the local `tls.crt` key from `temporal-ca-secret` and bundles them into a trust bundle written to `temporal-trust-bundle` secret in all namespaces.
 

diff --git a/charts/temporal/templates/certificates.yaml b/charts/temporal/templates/certificates.yaml
@@ -127,8 +127,14 @@ spec:
     name: {{ $.Release.Name }}-selfsigned-issuer
   secretName: {{ $.Release.Name }}-provider-cert
 {{- end }}
+{{- if and $.Values.secretStore }}
+{{- if $.Values.secretStoreSecret }}
+{{/* BEGIN AWS Secrets Manager specific implementation  */}}
+{{/* A single AWS Secrets Manager secret is created */}}
+{{/* AWS Secrets Manager secret name is `Values.secretStoreSecret` */}}
+{{/* The secret will have multiple properties (a.k.a. keys) inside it */}}
+{{/* The keys are the certificate resourceVersion and values are the certificate in PEM format */}}
 ---
-{{- if and $.Values.secretStore $.Values.secretStoreSecret }}
 apiVersion: kubernetes.crossplane.io/v1alpha2
 kind: Object
 metadata:
@@ -188,6 +194,77 @@ spec:
     name: {{ $.Values.secretStore }}
   target:
     name: {{ $.Release.Name }}-root-ca-list
+{{/* END AWS Secrets Manager specific implementation  */}}
+
+
+{{- else }}
+{{/* BEGIN Azure Key Vault specific implementation  */}}
+{{/* Multiple KV secrets are to be created */}}
+{{/* Each secret name is a certificate resourceVersion n 8-digit name */}}
+{{/* Each secret content is the certificate in PEM format */}}
+---
+apiVersion: kubernetes.crossplane.io/v1alpha2
+kind: Object
+metadata:
+  name: {{ $.Release.Name }}-pushsecret
+  annotations:
+    argocd.argoproj.io/sync-wave: "-75"
+spec:
+  watch: true
+  references:
+  - patchesFrom:
+      apiVersion: v1
+      kind: Secret
+      name: {{ $.Release.Name }}-ca-secret
+      namespace: cert-manager
+      fieldPath: metadata.resourceVersion
+    toFieldPath: spec.data[0].match.remoteRef.remoteKey
+  forProvider:
+    manifest:
+      apiVersion: external-secrets.io/v1alpha1
+      kind: PushSecret
+      metadata:
+        name: pushsecret-{{ $.Release.Name }}
+        namespace: cert-manager
+      spec:
+        updatePolicy: Replace
+        refreshInterval: 1h
+        secretStoreRefs:
+          - name: {{ $.Values.secretStore }}
+            kind: ClusterSecretStore
+        selector:
+          secret:
+            name: {{ $.Release.Name }}-ca-secret
+        data:
+          - match:
+              secretKey: tls.crt
+  providerConfigRef:
+    name: provider-kubernetes
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-wave: "-70"
+  labels:
+    {{- include "temporal.resourceLabels" (list . "" "") | nindent 4 }}
+  name: {{ $.Release.Name }}-root-ca-list
+  namespace: cert-manager
+spec:
+  dataFrom:
+  - find:
+      name:
+        regexp: "^[0-9]{8}$"
+      tags:
+        managed-by: external-secrets
+  refreshInterval: 3m
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ $.Values.secretStore }}
+  target:
+    name: {{ $.Release.Name }}-root-ca-list
+{{/* END Azure Key Vault specific implementation  */}}
+{{- end }}
 ---
 apiVersion: trust.cert-manager.io/v1alpha1
 kind: Bundle

diff --git a/charts/temporal/values.yaml b/charts/temporal/values.yaml
@@ -539,5 +539,7 @@ hpaBehavior: {}
 #
 # -- root CA bundle settings
 # secretStore: secret-store
-# secretStoreSecret: secret-store-secret
-tctlSecretStoreSecret: eks/temporal-tctl-certificate
+# secretStoreSecret: secret-store-secret # specify only for AWS Secrets Manager Store; omit for Azure Key Vault
+
+# --- tctl access settings
+tctlSecretStoreSecret: eks/temporal-tctl-certificate  # for Azure Key Vault backend, value must be changed to remove the "eks" prefix: "tctlSecretStoreSecret: temporal-tctl-certificate"