
docs(azurekv): cert-manager pushsecret example and cleanups#5972

Merged
Skarlso merged 7 commits into external-secrets:main from illrill:main
Mar 6, 2026

Conversation

@illrill
Contributor

@illrill illrill commented Feb 17, 2026

Problem Statement

Closes issues #5740 and #2589 by providing complete documentation and working examples for cert-manager → Azure Key Vault certificate workflows, addressing PEM-to-PKCS#12 conversion requirements and Azure Key Vault certificate store integration. In addition, enhancements and cleanup of the overall article, including:

  • Document and recommend use of RBAC vaults rather than Access Policy vaults (as they're considered legacy).
  • Discourage the use of Managed Identity / AAD Pod Identity authentication, as it's deprecated by Microsoft.
  • Spelling, capitalization, structure, etc.

Related Issue

Closes #5740
Closes #2589

Proposed Changes

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

  • charts
  • release
  • testing
  • security
  • templating

Checklist

  • I have read the contribution guidelines
  • All commits are signed with git commit --signoff
  • My changes have reasonable test coverage
  • All tests pass with make test
  • I ensured my PR is ready for review with make reviewable

Overview

Expanded documentation and examples for the Azure Key Vault provider to enable cert-manager → Azure Key Vault certificate workflows via PushSecret, including PEM→PKCS#12 conversion and Key Vault certificate store support.

Key Changes

  • docs/provider/azure-key-vault.md

    • Reworked provider docs: explicit SecretStore/ClusterSecretStore usage, clarified object types (secret/key/cert) and prefixes.
    • Added cloud environment handling (PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud) with custom cloud guidance and useAzureSDK notes.
    • Authentication expanded: Service Principal (secret & certificate), Workload Identity (recommended), Managed Identity (with identityId support) and deprecation/discouragement of AAD Pod Identity.
    • Permissions guidance updated: recommend RBAC (role-based) vaults and appropriate roles for Secrets/Keys/Certificates over legacy Access Policies.
    • PushSecret workflows clarified for pushing Secrets, Keys, and Certificates; documented Key Vault import requirements (PKCS#12/PFX) and required permissions for certificate import.
    • Template/helper guidance added for PEM→PKCS#12 conversion; cert-manager encoding (PKCS8) notes included.
  • Examples and snippets

    • Added cert-manager Certificate example: docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml.
    • Added PushSecret examples:
      • docs/snippets/azkv-pushsecret-certificate-p12.yaml (base64 P12 secret + PushSecret mapping).
      • docs/snippets/azkv-pushsecret-certificate-pem.yaml (template uses fullPemToPkcs12 and base64 handling; maps cert.p12 → remote certificate key).
    • Updated ExternalSecret/SecretStore snippets:
      • docs/snippets/azkv-pkcs12-cert-external-secret.yaml (quote style change).
      • docs/snippets/azkv-secret-store.yaml (added clientCertificate authSecretRef).
      • Added SPN examples (docs/snippets/azkv-secret-store-spn-secret.yaml, docs/snippets/azkv-secret-store-spn-certificate.yaml).
      • Workload identity snippets: minor comment capitalization fixes and identityId placeholder adjustments (00000000-...).
    • Minor spelling, capitalization, structure, and cleanup edits across docs.

Notable details

  • Examples now use fullPemToPkcs12 in templates to produce raw PKCS#12 suitable for Key Vault import (addresses cert-manager PEM→PFX limitations).
  • Encourages Workload Identity and RBAC-style vaults; discourages AAD Pod Identity due to Microsoft deprecation.
  • New clientCertificate option for Service Principal authentication (PEM-formatted client cert) added in snippets.

Impact

Closes issues #5740 and #2589 by documenting conversion guidance and providing working PushSecret examples to import cert-manager–generated certificates (or kubernetes.io/tls secrets) into Azure Key Vault certificates (PKCS#12 import). Also includes contributor checklist confirmations and doc cleanups.
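The PEM-to-PKCS#12 requirement this PR documents, worked as an added Python example. This is not code from the PR, from External Secrets Operator or from cert-manager, and it does not reproduce the `fullPemToPkcs12` template function; it builds the same artefact that step has to hand to the PushSecret (a password-less PKCS#12/PFX holding the key, the leaf and any chain) from the `tls.crt`/`tls.key` pair of a kubernetes.io/tls Secret, and loads it back as a check. It assumes the `cryptography` package is installed; the Secret, its names and the throwaway self-signed certificate are constructed here.

```python
"""Added example (not ESO's or cert-manager's code): produce the password-less
PKCS#12 blob that Key Vault certificate import expects from a kubernetes.io/tls
Secret, and verify it round-trips. Requires the `cryptography` package."""
import base64
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PEM_CERT_END = b"-----END CERTIFICATE-----"


def make_test_tls_secret(common_name: str = "example.test") -> dict:
    """Construct a kubernetes.io/tls Secret as the API returns it (data base64-encoded)
    with a throwaway self-signed certificate. The key is written as PKCS#8 PEM, the
    encoding the PR's cert-manager note recommends."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=30))
        .sign(key, hashes.SHA256())
    )
    tls_key = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    tls_crt = cert.public_bytes(serialization.Encoding.PEM)
    return {
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "data": {
            "tls.crt": base64.b64encode(tls_crt).decode(),
            "tls.key": base64.b64encode(tls_key).decode(),
        },
    }


def split_pem_certs(pem: bytes) -> list:
    """tls.crt may hold the leaf followed by intermediates; parse every block."""
    certs = []
    for chunk in pem.split(PEM_CERT_END):
        if b"-----BEGIN CERTIFICATE-----" in chunk:
            certs.append(x509.load_pem_x509_certificate(chunk + PEM_CERT_END + b"\n"))
    return certs


def pem_to_pkcs12(tls_crt: bytes, tls_key: bytes, friendly_name: bytes = b"cert") -> bytes:
    """Pack key + leaf + chain into a password-less PKCS#12 (PFX). load_pem_private_key
    accepts PKCS#8 as well as the PKCS#1 / SEC1 ("RSA PRIVATE KEY" / "EC PRIVATE KEY")
    PEM variants the PR's supported-formats note lists."""
    key = serialization.load_pem_private_key(tls_key, password=None)
    certs = split_pem_certs(tls_crt)
    if not certs:
        raise ValueError("tls.crt contains no certificate")
    leaf, chain = certs[0], certs[1:]
    return pkcs12.serialize_key_and_certificates(
        friendly_name, key, leaf, chain or None, serialization.NoEncryption()
    )


def tls_secret_to_pkcs12(secret: dict) -> bytes:
    """Mirror of the PushSecret template flow: base64-decode the Secret's data,
    convert, and return the raw PKCS#12 bytes that get pushed."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("expected a kubernetes.io/tls Secret")
    data = secret["data"]
    return pem_to_pkcs12(base64.b64decode(data["tls.crt"]), base64.b64decode(data["tls.key"]))


def pkcs12_subject_cn(p12: bytes) -> str:
    """Load the blob back without a password and return the leaf's CN (sanity check)."""
    key, cert, _extra = pkcs12.load_key_and_certificates(p12, None)
    if key is None or cert is None:
        raise ValueError("PKCS#12 is missing the key or the certificate")
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


if __name__ == "__main__":
    secret = make_test_tls_secret()
    blob = tls_secret_to_pkcs12(secret)
    print(len(blob), "bytes of PKCS#12 for CN", pkcs12_subject_cn(blob))
```

The blob is deliberately unencrypted (`NoEncryption`), matching the password-less P12 files the PR's docs describe for Key Vault import; the private key is only ever exposed inside the cluster's Secret and the TLS session to the vault, so an additional PKCS#12 password would add nothing here.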

@github-actions github-actions bot added area/azurekv kind/documentation Categorizes issue or PR as related to documentation. size/m labels Feb 17, 2026
@coderabbitai

coderabbitai bot commented Feb 17, 2026

Walkthrough

Replaced generic Azure Key Vault docs with provider-specific guidance for azurekv, adding SecretStore/ClusterSecretStore usage, cloud environment options, expanded authentication (Service Principal, Managed Identity, Workload Identity), object-type mappings, PushSecret push flows (including PEM→PKCS#12), and multiple updated/added YAML snippets.

Changes

  • Provider documentation (docs/provider/azure-key-vault.md): Full restructure to document azurekv provider: SecretStore/ClusterSecretStore usage, environmentType cloud options, custom cloud config, auth methods (Service Principal, Managed Identity, Workload Identity), RBAC/access policy notes, object type prefixes (key, secret, cert), ExternalSecret and PushSecret workflows, and general reorganization.
  • SecretStore & auth snippets (docs/snippets/azkv-secret-store.yaml, docs/snippets/azkv-secret-store-spn-secret.yaml, docs/snippets/azkv-secret-store-spn-certificate.yaml, docs/snippets/azkv-secret-store-mi.yaml): Added clientCertificate under authSecretRef; clarified clientId/clientSecret references and comments; adjusted identityId placeholder/value and vault URL comment; added SPN certificate and SPN secret SecretStore examples.
  • Workload identity snippets (docs/snippets/azkv-workload-identity-mounted.yaml, docs/snippets/azkv-workload-identity-secretref.yaml): Only comment capitalization/wording edits in ServiceAccount and SecretStore examples; no functional or structural changes.
  • PushSecret & certificate snippets (docs/snippets/azkv-pushsecret-certificate-pem.yaml, docs/snippets/azkv-pushsecret-certificate-p12.yaml, docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml, docs/snippets/azkv-pkcs12-cert-external-secret.yaml): Added PushSecret examples for pushing certificates (PEM→PKCS#12 and P12), cert-manager Certificate manifest, and PKCS#12 ExternalSecret template. Templates updated to use fullPemToPkcs12, adjusted quoting for PKCS12 template, and clarified remoteKey mappings and permissions.
  • Minor edits (docs/snippets/...): Various small formatting and comment tweaks across snippet files (capitalization, wording); no behavioral or API changes.
Pre-merge checks: 2 passed
  • Linked Issues check: Passed. The PR successfully addresses both linked issues by providing cert-manager PushSecret examples with PEM-to-PKCS#12 conversion and clear documentation for syncing kubernetes.io/tls secrets to Azure Key Vault certificates.
  • Out of Scope Changes check: Passed. All changes are documentation-related and directly support the linked issues. No unrelated code modifications or out-of-scope changes were introduced.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (3)
docs/snippets/azkv-secret-store.yaml (1)

12-24: Consider adding a comment noting that clientSecret and clientCertificate are mutually exclusive.

Showing all three auth fields together is fine for documenting available options, but users might try to specify both clientSecret and clientCertificate simultaneously. A brief inline comment (e.g., # Use either clientSecret or clientCertificate, not both) would prevent confusion.

docs/provider/azure-key-vault.md (2)

210-210: Minor style improvement: hyphenate compound modifier.

Consider changing "PEM encoded PKIX" to "PEM-encoded PKIX" for consistency with standard English compound modifier style.


250-250: Optional: simplify "In order to" phrases.

For more concise documentation, consider simplifying "In order to" to "To" in the permission notes at lines 250, 260, and 285. This is a minor style preference.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/provider/azure-key-vault.md`:
- Line 250: The markdown contains a typo: "Secretsmust" should be two words;
update the sentence referencing Key Vault roles so "Secretsmust" becomes
"Secrets must". Locate the sentence mentioning "PushSecret", "Key Vault Secrets
Officer", and "SecretStore" and insert a space between "Secrets" and "must" to
correct the phrase.
- Line 264: Fix the subject-verb agreement in the sentence beginning
"Certificates in P12 (also known as PKCS12 or PFX) is the most stable format..."
by rephrasing to use a singular subject (preferred) or make the verb plural;
e.g., change to "The P12 format (also known as PKCS12 or PFX) is the most stable
format for importing certificates to Azure Key Vault." Keep the rest of the
paragraph intact (mentions of PKCS8, PKCS1, and password-less P12 files).

---

Nitpick comments:
In `@docs/provider/azure-key-vault.md`:
- Line 210: Update the compound modifier in the table cell that currently reads
"PEM encoded PKIX ASN.1 DER format" to use the hyphenated form "PEM-encoded PKIX
ASN.1 DER format"; locate the table row containing the Key column value "`key`"
and replace the phrase accordingly to maintain consistent compound-modifier
styling.
- Line 250: Replace the verbose phrase "In order to" with the concise "To" in
the permission note sentences (the instances currently reading "In order to
create a PushSecret..." and the similar notes at the other two locations) in
azure-key-vault.md so the text reads e.g. "To create a PushSecret targeting
Secrets, the Key Vault Secrets Officer role..." while preserving the links and
role/permission names exactly as-is.

In `@docs/snippets/azkv-secret-store.yaml`:
- Around line 12-24: Add a brief inline note to the authSecretRef block
clarifying mutual exclusivity between clientSecret and clientCertificate:
indicate that clientId is always provided but use either clientSecret or
clientCertificate, not both (e.g., add a comment above
clientSecret/clientCertificate). Reference the authSecretRef, clientId,
clientSecret and clientCertificate keys so maintainers can locate and update the
YAML snippet.

Signed-off-by: Richard Ahlquist <richard.jimmy.johansson@gmail.com>
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/provider/azure-key-vault.md`:
- Line 48: Change the sentence that currently starts "Regardless which
authentication method is used to authenticate to Azure Key Vault..." to read
"Regardless of which authentication method is used to authenticate to Azure Key
Vault..." (replace "Regardless which" with "Regardless of which") so the grammar
is correct; locate the sentence by its exact phrase "Regardless which
authentication method is used to authenticate to Azure Key Vault" in the
azure-key-vault provider doc and update it accordingly.
- Line 253: Change the uppercase "AND" to lowercase "and" in the supported
formats sentence (the backticked phrase showing `PRIVATE KEY`, `RSA PRIVATE KEY`
AND `EC PRIVATE KEY`) so it reads `PRIVATE KEY`, `RSA PRIVATE KEY` and `EC
PRIVATE KEY`; locate the occurrence in docs/provider/azure-key-vault.md (the
line containing the backticked list of supported formats) and update the casing
for consistency.

Contributor

@Skarlso Skarlso left a comment

Couple of remarks. Thanks!

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/provider/azure-key-vault.md`:
- Line 8: The docs describe environmentType as both mandatory and defaulting to
PublicCloud, which is contradictory; update the azure-key-vault.md text to
clarify that environmentType is optional and defaults to "PublicCloud" unless
you need a different cloud flavour (e.g., `USGovernmentCloud`, `ChinaCloud`,
`GermanCloud`, `AzureStackCloud`), and remove the wording that implies it is
required so users understand they only need to set `environmentType` when
targeting a non-default cloud.
- Around line 209-210: The docs incorrectly state that both ExternalSecret and
PushSecret use spec.data[].remoteRef.key for object-type prefixes; update the
wording to note ExternalSecret uses spec.data[].remoteRef.key while PushSecret
expects the prefix on spec.data[].match.remoteRef.remoteKey (refer to the
snippet azkv-pushsecret-certificate-pem.yaml showing
spec.data[].match.remoteRef.remoteKey), and clarify that if no prefix is
provided the operator defaults to secret.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6564a6e2-2768-4580-bccb-52bfd25cc23e

📥 Commits

Reviewing files that changed from the base of the PR and between 782748a and 260b909.

📒 Files selected for processing (6)
  • docs/provider/azure-key-vault.md
  • docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml
  • docs/snippets/azkv-pushsecret-certificate-p12.yaml
  • docs/snippets/azkv-pushsecret-certificate-pem.yaml
  • docs/snippets/azkv-secret-store-spn-certificate.yaml
  • docs/snippets/azkv-secret-store-spn-secret.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml
  • docs/snippets/azkv-pushsecret-certificate-p12.yaml

Comment on lines +209 to 210
Azure Key Vault has different [object types](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types); Secrets, Keys and Certificates, all of which are supported. To explicitly select which object type to fetch via an `ExternalSecret` or push via a `PushSecret`, prefix the `spec.data[].remoteRef.key` field with either `key`, `secret` or `cert`. If no prefix is provided, the operator defaults to `secret`.


⚠️ Potential issue | 🟠 Major

Object-type key path is wrong for PushSecret.

spec.data[].remoteRef.key is correct for ExternalSecret, but PushSecret uses spec.data[].match.remoteRef.remoteKey (as shown in docs/snippets/azkv-pushsecret-certificate-pem.yaml, Lines 31-34). Current wording can cause users to place prefixes in the wrong field.

✏️ Proposed wording fix
-Azure Key Vault has different [object types](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types); Secrets, Keys and Certificates, all of which are supported. To explicitly select which object type to fetch via an `ExternalSecret` or push via a `PushSecret`, prefix the `spec.data[].remoteRef.key` field with either `key`, `secret` or `cert`. If no prefix is provided, the operator defaults to `secret`.
+Azure Key Vault has different [object types](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types); Secrets, Keys and Certificates, all of which are supported. To explicitly select which object type to fetch via an `ExternalSecret` or push via a `PushSecret`, prefix:
+- `ExternalSecret`: `spec.data[].remoteRef.key`
+- `PushSecret`: `spec.data[].match.remoteRef.remoteKey`
+with either `key`, `secret` or `cert`. If no prefix is provided, the operator defaults to `secret`.
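Review bot: the `+` lines split one sentence around a bullet list: the first line ends with "prefix:", the two "- " items follow, and "with either `key`, `secret` or `cert`. If no prefix is provided, the operator defaults to `secret`." comes after the list, where rendered Markdown shows it as a stray fragment rather than the end of the sentence. Suggest naming the allowed prefixes before the list ("To explicitly select which object type to fetch or push, prefix the relevant field with `key`, `secret` or `cert`:"), making each list item a complete statement, and keeping "If no prefix is provided, the operator defaults to `secret`." as its own paragraph after the list.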
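The field difference this review comment calls out, worked as an added Python example; it is not External Secrets Operator's code. The page states only that `key`, `secret` and `cert` are the recognised prefixes, that the default is `secret`, and which field each kind reads (`spec.data[].remoteRef.key` for ExternalSecret, `spec.data[].match.remoteRef.remoteKey` for PushSecret). Two further assumptions are made here: the prefix is separated from the object name by the first `/`, and an unknown prefix is rejected rather than silently treated as part of the name. The manifests are constructed for the example, not taken from the PR's snippets.

```python
"""Added example (not ESO's own code): apply the azurekv object-type prefix rule
to the field each kind actually uses, and lint for the mistake the review warns about.
Assumptions beyond the page: split at the first '/', reject unknown prefixes."""

OBJECT_TYPES = ("key", "secret", "cert")
DEFAULT_OBJECT_TYPE = "secret"


def split_remote_key(remote_key: str) -> tuple:
    """'cert/my-tls' -> ('cert', 'my-tls'); 'db-password' -> ('secret', 'db-password')."""
    if "/" not in remote_key:
        return DEFAULT_OBJECT_TYPE, remote_key
    prefix, name = remote_key.split("/", 1)  # assumption: first '/' separates the prefix
    if prefix not in OBJECT_TYPES:
        raise ValueError(f"unknown object type prefix {prefix!r}, expected one of {OBJECT_TYPES}")
    if not name:
        raise ValueError(f"empty object name in {remote_key!r}")
    return prefix, name


def remote_key_field(kind: str, entry: dict) -> str:
    """The field carrying the Key Vault object name for each kind (from the review comment):
    ExternalSecret -> spec.data[].remoteRef.key
    PushSecret     -> spec.data[].match.remoteRef.remoteKey"""
    if kind == "ExternalSecret":
        return entry["remoteRef"]["key"]
    if kind == "PushSecret":
        return entry["match"]["remoteRef"]["remoteKey"]
    raise ValueError(f"unsupported kind {kind!r}")


def resolve_objects(manifest: dict) -> list:
    """(object_type, name) for every spec.data[] entry of an ExternalSecret or PushSecret."""
    kind = manifest["kind"]
    return [split_remote_key(remote_key_field(kind, e)) for e in manifest["spec"]["data"]]


def lint_manifest(manifest: dict) -> list:
    """Findings for a PushSecret entry that carries an ExternalSecret-style bare remoteRef
    instead of match.remoteRef.remoteKey (the prefix would never reach the provider),
    and for prefixes the provider does not recognise."""
    findings = []
    kind = manifest["kind"]
    for i, entry in enumerate(manifest["spec"]["data"]):
        path = f"spec.data[{i}]"
        if kind == "PushSecret" and "remoteRef" in entry and "match" not in entry:
            findings.append(f"{path}: PushSecret must use match.remoteRef.remoteKey, not remoteRef.key")
            continue
        try:
            split_remote_key(remote_key_field(kind, entry))
        except (KeyError, ValueError) as exc:
            findings.append(f"{path}: {exc}")
    return findings


# Constructed manifests (not the PR's snippets): one correct of each kind, one wrong.
EXTERNAL_SECRET = {
    "kind": "ExternalSecret",
    "spec": {"data": [
        {"secretKey": "tls.p12", "remoteRef": {"key": "cert/my-tls"}},
        {"secretKey": "db-password", "remoteRef": {"key": "db-password"}},  # no prefix -> secret
    ]},
}
PUSH_SECRET = {
    "kind": "PushSecret",
    "spec": {"data": [
        {"match": {"secretKey": "cert.p12", "remoteRef": {"remoteKey": "cert/my-tls"}}},
    ]},
}
WRONG_PUSH_SECRET = {
    "kind": "PushSecret",
    "spec": {"data": [
        {"remoteRef": {"key": "cert/my-tls"}},  # ExternalSecret field used on a PushSecret
        {"match": {"secretKey": "k", "remoteRef": {"remoteKey": "certificate/my-tls"}}},  # bad prefix
    ]},
}

if __name__ == "__main__":
    for m in (EXTERNAL_SECRET, PUSH_SECRET, WRONG_PUSH_SECRET):
        problems = lint_manifest(m)
        print(m["kind"], problems if problems else resolve_objects(m))
```

Running the lint before applying a PushSecret catches the silent failure mode the comment describes: a prefix placed in the wrong field is not an error to the API server, it simply never selects the `cert` object type, so the push lands as a plain secret.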

Signed-off-by: Richard Ahlquist <richard.jimmy.johansson@gmail.com>
@coderabbitai coderabbitai bot left a comment

♻️ Duplicate comments (2)
docs/provider/azure-key-vault.md (2)

8-8: ⚠️ Potential issue | 🟡 Minor

environmentType description is contradictory.

The sentence says you "have to specify" the environmentType but also states it "defaults to PublicCloud". This is confusing—if it defaults, it's not mandatory.

✏️ Proposed fix
-ESO supports connecting to different cloud flavours azure supports: `PublicCloud`, `USGovernmentCloud`, `ChinaCloud`, `GermanCloud` and `AzureStackCloud` (for Azure Stack Hub/Edge). You have to specify the `environmentType` and point to the correct cloud flavour. This defaults to `PublicCloud`.
+ESO supports connecting to different Azure cloud flavours: `PublicCloud`, `USGovernmentCloud`, `ChinaCloud`, `GermanCloud` and `AzureStackCloud` (for Azure Stack Hub/Edge). Set `environmentType` when targeting a non-default cloud; if omitted, it defaults to `PublicCloud`.

209-210: ⚠️ Potential issue | 🟡 Minor

PushSecret uses a different key path than documented.

The documentation states to prefix spec.data[].remoteRef.key for both ExternalSecret and PushSecret, but PushSecret actually uses spec.data[].match.remoteRef.remoteKey (as shown in the included snippets like azkv-pushsecret-certificate-pem.yaml).

✏️ Proposed fix
-Azure Key Vault has different [object types](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types); Secrets, Keys and Certificates, all of which are supported. To explicitly select which object type to fetch via an `ExternalSecret` or push via a `PushSecret`, prefix the `spec.data[].remoteRef.key` field with either `key`, `secret` or `cert`. If no prefix is provided, the operator defaults to `secret`.
+Azure Key Vault has different [object types](https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#object-types); Secrets, Keys and Certificates, all of which are supported. To explicitly select which object type to fetch or push, prefix with `key`, `secret` or `cert`:
+
+- **ExternalSecret**: prefix `spec.data[].remoteRef.key`
+- **PushSecret**: prefix `spec.data[].match.remoteRef.remoteKey`
+
+If no prefix is provided, the operator defaults to `secret`.
🧹 Nitpick comments (1)
docs/provider/azure-key-vault.md (1)

48-48: Minor: Consider hyphenating compound adjective.

"Access Policy based Key Vaults" would read more clearly as "Access Policy-based Key Vaults".

✏️ Proposed fix
-Regardless of which authentication method is used to authenticate to Azure Key Vault, the identity which is assigned to External Secrets Operator needs to have proper permissions to access the Key Vault. Both [RBAC](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide) and legacy [Access Policy](https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy) based Key Vaults are supported.
+Regardless of which authentication method is used to authenticate to Azure Key Vault, the identity which is assigned to External Secrets Operator needs to have proper permissions to access the Key Vault. Both [RBAC](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide) and legacy [Access Policy](https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy)-based Key Vaults are supported.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@docs/provider/azure-key-vault.md`:
- Line 8: The documentation line about environmentType is contradictory: change
the wording so it clearly states that environmentType is optional and defaults
to PublicCloud rather than saying you "have to specify" it; mention the
supported values (PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud,
AzureStackCloud) and instruct readers to set environmentType only when they need
a non-default cloud flavour (e.g., AzureStackCloud) so the doc is unambiguous
about the default behavior of environmentType.
- Around line 209-210: Update the docs to state that PushSecret uses a different
remote key path than ExternalSecret: instead of `spec.data[].remoteRef.key` the
PushSecret examples and usage must reference
`spec.data[].match.remoteRef.remoteKey` (as seen in
`azkv-pushsecret-certificate-pem.yaml`) and clarify the same `key|secret|cert`
prefix semantics apply to that field; adjust the paragraph that currently
mentions `spec.data[].remoteRef.key` so it explicitly distinguishes
ExternalSecret vs PushSecret field names and update any example snippets to use
`spec.data[].match.remoteRef.remoteKey` for PushSecret.

---

Nitpick comments:
In `@docs/provider/azure-key-vault.md`:
- Line 48: Update the phrase "Access Policy based Key Vaults" to the hyphenated
form "Access Policy-based Key Vaults" in the docs content (search for the exact
string "Access Policy based Key Vaults" in azure-key-vault.md and replace it);
also scan for any other occurrences of the same compound adjective in that file
and apply the same hyphenation to keep wording consistent.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a90639f6-abcb-48d6-b8b7-f4c11a3344ed

📥 Commits

Reviewing files that changed from the base of the PR and between 260b909 and 8d45ac8.

📒 Files selected for processing (6)
  • docs/provider/azure-key-vault.md
  • docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml
  • docs/snippets/azkv-pushsecret-certificate-p12.yaml
  • docs/snippets/azkv-pushsecret-certificate-pem.yaml
  • docs/snippets/azkv-secret-store-spn-certificate.yaml
  • docs/snippets/azkv-secret-store-spn-secret.yaml
🚧 Files skipped from review as they are similar to previous changes (4)
  • docs/snippets/azkv-pushsecret-certificate-cert-manager.yaml
  • docs/snippets/azkv-pushsecret-certificate-p12.yaml
  • docs/snippets/azkv-secret-store-spn-secret.yaml
  • docs/snippets/azkv-secret-store-spn-certificate.yaml

@Skarlso Skarlso merged commit fd565c3 into external-secrets:main Mar 6, 2026
7 checks passed
@sonarqubecloud

sonarqubecloud bot commented Mar 6, 2026

alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 6, 2026
…2.1.0 (#4491)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets/external-secrets](https://github.com/external-secrets/external-secrets) | minor | `v2.0.1` → `v2.1.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets/external-secrets)</summary>

### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0)

[Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.1.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore(release): Update helm chart by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5981](external-secrets/external-secrets#5981)
- fix: cosign verify does not use signing config by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5982](external-secrets/external-secrets#5982)
- docs: Update release process by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5980](external-secrets/external-secrets#5980)
- fix: allow cross-namespace push with ClusterSecretStore objects by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5998](external-secrets/external-secrets#5998)
- feat(charts): add new flag enable leader for cert-manager by [@&#8203;nutmos](https://github.com/nutmos) in [#&#8203;5863](external-secrets/external-secrets#5863)
- feat(kubernetes): fall back to system CA roots when no CA is configured by [@&#8203;rajsinghtech](https://github.com/rajsinghtech) in [#&#8203;5961](external-secrets/external-secrets#5961)
- feat: dedup sbom but keep it monolithic by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;6004](external-secrets/external-secrets#6004)
- fix: add missing metrics and fundamentally fix the caching logic by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5894](external-secrets/external-secrets#5894)
- docs: designate Oracle Vault provider as 'stable' by [@&#8203;anders-swanson](https://github.com/anders-swanson) in [#&#8203;6020](external-secrets/external-secrets#6020)
- docs: Oracle Vault provider capabilities by [@&#8203;anders-swanson](https://github.com/anders-swanson) in [#&#8203;6023](external-secrets/external-secrets#6023)
- docs(azurekv): cert-manager pushsecret example and cleanups by [@&#8203;illrill](https://github.com/illrill) in [#&#8203;5972](external-secrets/external-secrets#5972)
- feat(kubernetes): implement SecretExists by [@&#8203;Saku2](https://github.com/Saku2) in [#&#8203;5973](external-secrets/external-secrets#5973)
- fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@&#8203;josemaia](https://github.com/josemaia) in [#&#8203;6029](external-secrets/external-secrets#6029)
- feat(providers): Nebius MysteryBox integration by [@&#8203;greenmapc](https://github.com/greenmapc) in [#&#8203;5868](external-secrets/external-secrets#5868)

##### Dependencies

- chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5986](external-secrets/external-secrets#5986)
- chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5992](external-secrets/external-secrets#5992)
- chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5984](external-secrets/external-secrets#5984)
- chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5985](external-secrets/external-secrets#5985)
- chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5990](external-secrets/external-secrets#5990)
- chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5989](external-secrets/external-secrets#5989)
- chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5987](external-secrets/external-secrets#5987)
- chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5991](external-secrets/external-secrets#5991)
- chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5988](external-secrets/external-secrets#5988)
- chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6012](external-secrets/external-secrets#6012)
- chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6014](external-secrets/external-secrets#6014)
- chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6015](external-secrets/external-secrets#6015)
- chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6016](external-secrets/external-secrets#6016)
- chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6013](external-secrets/external-secrets#6013)
- chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6010](external-secrets/external-secrets#6010)
- chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6011](external-secrets/external-secrets#6011)
- chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6009](external-secrets/external-secrets#6009)
- chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6008](external-secrets/external-secrets#6008)

#### New Contributors

- [@&#8203;nutmos](https://github.com/nutmos) made their first contribution in [#&#8203;5863](external-secrets/external-secrets#5863)
- [@&#8203;rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#&#8203;5961](external-secrets/external-secrets#5961)
- [@&#8203;illrill](https://github.com/illrill) made their first contribution in [#&#8203;5972](external-secrets/external-secrets#5972)
- [@&#8203;Saku2](https://github.com/Saku2) made their first contribution in [#&#8203;5973](external-secrets/external-secrets#5973)
- [@&#8203;greenmapc](https://github.com/greenmapc) made their first contribution in [#&#8203;5868](external-secrets/external-secrets#5868)

**Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4491
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
alexlebens pushed a commit to alexlebens/infrastructure that referenced this pull request Mar 7, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [external-secrets](https://github.com/external-secrets/external-secrets) | minor | `2.0.1` → `2.1.0` |

---

### Release Notes

<details>
<summary>external-secrets/external-secrets (external-secrets)</summary>

### [`v2.1.0`](https://github.com/external-secrets/external-secrets/releases/tag/v2.1.0)

[Compare Source](external-secrets/external-secrets@v2.0.1...v2.1.0)

Image: `ghcr.io/external-secrets/external-secrets:v2.1.0`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi`
Image: `ghcr.io/external-secrets/external-secrets:v2.1.0-ubi-boringssl`

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### General

- chore(release): Update helm chart by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5981](external-secrets/external-secrets#5981)
- fix: cosign verify does not use signing config by [@&#8203;gusfcarvalho](https://github.com/gusfcarvalho) in [#&#8203;5982](external-secrets/external-secrets#5982)
- docs: Update release process by [@&#8203;evrardj-roche](https://github.com/evrardj-roche) in [#&#8203;5980](external-secrets/external-secrets#5980)
- fix: allow cross-namespace push with ClusterSecretStore objects by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5998](external-secrets/external-secrets#5998)
- feat(charts): add new flag enable leader for cert-manager by [@&#8203;nutmos](https://github.com/nutmos) in [#&#8203;5863](external-secrets/external-secrets#5863)
- feat(kubernetes): fall back to system CA roots when no CA is configured by [@&#8203;rajsinghtech](https://github.com/rajsinghtech) in [#&#8203;5961](external-secrets/external-secrets#5961)
- feat: dedup sbom but keep it monolithic by [@&#8203;moolen](https://github.com/moolen) in [#&#8203;6004](external-secrets/external-secrets#6004)
- fix: add missing metrics and fundamentally fix the caching logic by [@&#8203;Skarlso](https://github.com/Skarlso) in [#&#8203;5894](external-secrets/external-secrets#5894)
- docs: designate Oracle Vault provider as 'stable' by [@&#8203;anders-swanson](https://github.com/anders-swanson) in [#&#8203;6020](external-secrets/external-secrets#6020)
- docs: Oracle Vault provider capabilities by [@&#8203;anders-swanson](https://github.com/anders-swanson) in [#&#8203;6023](external-secrets/external-secrets#6023)
- docs(azurekv): cert-manager pushsecret example and cleanups by [@&#8203;illrill](https://github.com/illrill) in [#&#8203;5972](external-secrets/external-secrets#5972)
- feat(kubernetes): implement SecretExists by [@&#8203;Saku2](https://github.com/Saku2) in [#&#8203;5973](external-secrets/external-secrets#5973)
- fix(charts): Fix wrongly set annotations for cert-controller metrics service by [@&#8203;josemaia](https://github.com/josemaia) in [#&#8203;6029](external-secrets/external-secrets#6029)
- feat(providers): Nebius MysteryBox integration by [@&#8203;greenmapc](https://github.com/greenmapc) in [#&#8203;5868](external-secrets/external-secrets#5868)

##### Dependencies

- chore(deps): bump aquasecurity/trivy-action from 0.34.0 to 0.34.1 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5986](external-secrets/external-secrets#5986)
- chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5992](external-secrets/external-secrets#5992)
- chore(deps): bump ubi9/ubi from `b8923f5` to `cecb1cd` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5984](external-secrets/external-secrets#5984)
- chore(deps): bump helm/kind-action from 1.13.0 to 1.14.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5985](external-secrets/external-secrets#5985)
- chore(deps): bump actions/dependency-review-action from 4.8.2 to 4.8.3 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5990](external-secrets/external-secrets#5990)
- chore(deps): bump github/codeql-action from 4.32.3 to 4.32.4 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5989](external-secrets/external-secrets#5989)
- chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5987](external-secrets/external-secrets#5987)
- chore(deps): bump regex from 2026.1.15 to 2026.2.19 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5991](external-secrets/external-secrets#5991)
- chore(deps): bump actions/stale from 10.1.1 to 10.2.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;5988](external-secrets/external-secrets#5988)
- chore(deps): bump regex from 2026.2.19 to 2026.2.28 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6012](external-secrets/external-secrets#6012)
- chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6014](external-secrets/external-secrets#6014)
- chore(deps): bump step-security/harden-runner from 2.14.2 to 2.15.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6015](external-secrets/external-secrets#6015)
- chore(deps): bump anchore/sbom-action from 0.22.2 to 0.23.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6016](external-secrets/external-secrets#6016)
- chore(deps): bump certifi from 2026.1.4 to 2026.2.25 in /hack/api-docs by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6013](external-secrets/external-secrets#6013)
- chore(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6010](external-secrets/external-secrets#6010)
- chore(deps): bump hashicorp/setup-terraform from [`ce70bcf`](external-secrets/external-secrets@ce70bcf) to [`5e8dbf3`](external-secrets/external-secrets@5e8dbf3) by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6011](external-secrets/external-secrets#6011)
- chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6009](external-secrets/external-secrets#6009)
- chore(deps): bump distroless/static from `972618c` to `28efbe9` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;6008](external-secrets/external-secrets#6008)

#### New Contributors

- [@&#8203;nutmos](https://github.com/nutmos) made their first contribution in [#&#8203;5863](external-secrets/external-secrets#5863)
- [@&#8203;rajsinghtech](https://github.com/rajsinghtech) made their first contribution in [#&#8203;5961](external-secrets/external-secrets#5961)
- [@&#8203;illrill](https://github.com/illrill) made their first contribution in [#&#8203;5972](external-secrets/external-secrets#5972)
- [@&#8203;Saku2](https://github.com/Saku2) made their first contribution in [#&#8203;5973](external-secrets/external-secrets#5973)
- [@&#8203;greenmapc](https://github.com/greenmapc) made their first contribution in [#&#8203;5868](external-secrets/external-secrets#5868)

**Full Changelog**: <external-secrets/external-secrets@v2.0.1...v2.1.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/4516
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>
evs-secops pushed a commit to evs-secops/external-secrets that referenced this pull request Mar 8, 2026
…-secrets#5972)

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Signed-off-by: Evyatar Shtern <evyatar.shtern@gong.io>
AlexOQ pushed a commit to AlexOQ/external-secrets that referenced this pull request Mar 18, 2026
…-secrets#5972)

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Signed-off-by: AlexOQ <30403857+AlexOQ@users.noreply.github.com>
dsp0x4 pushed a commit to dsp0x4/external-secrets that referenced this pull request Mar 22, 2026
…-secrets#5972)

Co-authored-by: Gergely Bräutigam <gergely.brautigam@sap.com>
Labels

area/azurekv kind/documentation Categorizes issue or PR as related to documentation. size/m