feat: Add Azure Key Vault support and validate_key option

- Add Azure Key Vault as a supported provider for GitHub App private
  keys
- Add validate_key option to check key accessibility and suitability at
  startup
- Update Helm chart and documentation for Azure and validate_key,
  bumping version to 0.3.0
- Bump go-github and ghait dependencies to v84

Author: isometry

README.md

@@ -15,7 +15,7 @@ This operator solves the problem by functioning like cert-manager for GitHub tok
 
 ## Features
 
-- **🔐 Zero-Trust Security**: Never store GitHub App private keys in-cluster - integrates with AWS KMS, Google Cloud KMS, and HashiCorp Vault
+- **🔐 Zero-Trust Security**: Never store GitHub App private keys in-cluster - integrates with AWS KMS, Azure Key Vault, Google Cloud KMS, and HashiCorp Vault
 - **⏰ Ephemeral & Auto-Rotating**: Tokens expire in 1 hour and refresh automatically before expiration
 - **🎯 Fine-Grained Permissions**: Each token can have different scopes, down to specific repositories and permissions
 - **🏢 Multi-Tenancy**: Namespace isolation with `Token` CRD, cluster-wide control with `ClusterToken`
@@ -28,7 +28,7 @@ This operator solves the problem by functioning like cert-manager for GitHub tok
 
 - Kubernetes cluster (v1.30+)
 - [GitHub App](https://docs.github.com/en/apps/creating-github-apps) with required permissions (typically: `metadata: read`, `contents: read`, `statuses: write`)
-- GitHub App ID and Installation ID, with private key stored in AWS KMS, Google Cloud KMS, or HashiCorp Vault
+- GitHub App ID and Installation ID, with private key stored in AWS KMS, Azure Key Vault, Google Cloud KMS, or HashiCorp Vault
 
 ### Installation
 
@@ -57,6 +57,22 @@ stringData:
     installation_id: 4567890
     provider: aws
     key: alias/github-token-manager
+    validate_key: true  # optional: validate key on startup
+```
+
+```yaml
+# Azure Key Vault
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gtm-config
+  namespace: github-token-manager
+stringData:
+  gtm.yaml: |
+    app_id: 1234
+    installation_id: 4567890
+    provider: azure
+    key: https://<vault-name>.vault.azure.net/keys/<key-name>
 ```
 
 ```yaml
@@ -78,19 +94,33 @@ stringData:
     -----END RSA PRIVATE KEY-----
 ```
 
+**Configuration Fields:**
+
+| Field | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `app_id` | yes | | GitHub App ID |
+| `installation_id` | yes | | GitHub App Installation ID |
+| `provider` | no | `file` | Key provider: `aws`, `azure`, `gcp`, `vault`, or `file` |
+| `key` | yes | | Key identifier (alias, URI, path, or embedded key depending on provider) |
+| `validate_key` | no | `false` | Validate the key on startup, failing fast on misconfiguration |
+
+When `validate_key` is enabled, the operator verifies at startup that the configured key is accessible and suitable for signing. This requires additional read permissions on the key (e.g., `kms:DescribeKey` for AWS, `keys/get` for Azure, `cloudkms.cryptoKeyVersions.get` for GCP, `read` on the key path for Vault).
+
 **Cloud KMS Permissions Required:**
 
-- **AWS KMS**: IAM permissions `kms:DescribeKey` and `kms:Sign` on the KMS key
-- **GCP KMS**: Permission `cloudkms.cryptoKeyVersions.useToSign` or role `roles/cloudkms.cryptoKeyVersionsSigner`
-- **Vault**: Policy with `write` capability on transit sign path (e.g., `transit/sign/<keyName>`)
+- **AWS KMS**: `kms:Sign` on the KMS key (+ `kms:DescribeKey` if `validate_key` is enabled)
+- **Azure Key Vault**: `keys/sign` on the key (+ `keys/get` if `validate_key` is enabled)
+- **GCP KMS**: `cloudkms.cryptoKeyVersions.useToSign` or role `roles/cloudkms.cryptoKeyVersionsSigner` (+ `cloudkms.cryptoKeyVersions.get` if `validate_key` is enabled)
+- **Vault**: `write` capability on transit sign path, e.g. `transit/sign/<keyName>` (+ `read` on `transit/keys/<keyName>` if `validate_key` is enabled)
 
 **Pod Authentication:**
 
 - **AWS**: IRSA, Pod Identity, or instance profile with above KMS permissions
+- **Azure**: Workload Identity or managed identity with Key Vault access
 - **GCP**: Workload Identity or service account with Cloud KMS access
 - **Vault**: Kubernetes auth method configured with appropriate transit policy
 
-Supported providers: `aws` (KMS), `gcp` (Cloud KMS), `vault` (Transit Engine), `file` (embedded)
+Supported providers: `aws` (KMS), `azure` (Key Vault), `gcp` (Cloud KMS), `vault` (Transit Engine), `file` (embedded)
 
 ### Token Resources
 
@@ -152,6 +182,20 @@ spec:
     statuses: write
 ```
 
+## Custom Builds
+
+The default build includes all KMS providers (AWS, Azure, GCP, Vault, file). To produce a smaller binary that excludes unwanted providers and their dependencies, use Go build tags:
+
+```bash
+# Exclude AWS and Azure providers
+go build -tags ghait.no_aws,ghait.no_azure ./cmd/manager
+
+# Build with only file and Vault providers
+go build -tags ghait.no_aws,ghait.no_azure,ghait.no_gcp ./cmd/manager
+```
+
+Available opt-out tags: `ghait.no_aws`, `ghait.no_azure`, `ghait.no_gcp`, `ghait.no_vault`, `ghait.no_file`
+
 ## Development
 
 ```bash

api/v1/clustertoken_types.go

@@ -19,7 +19,7 @@ package v1
 import (
 	"time"
 
-	"github.com/google/go-github/v80/github"
+	"github.com/google/go-github/v84/github"
 	"github.com/isometry/github-token-manager/internal/ghapp"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

api/v1/clustertoken_types_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/google/go-github/v80/github"
+	"github.com/google/go-github/v84/github"
 	v1 "github.com/isometry/github-token-manager/api/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

api/v1/helpers_test.go

@@ -3,7 +3,7 @@ package v1_test
 import (
 	"testing"
 
-	"github.com/google/go-github/v80/github"
+	"github.com/google/go-github/v84/github"
 	v1 "github.com/isometry/github-token-manager/api/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

api/v1/permissions.go

@@ -1,7 +1,7 @@
 package v1
 
 import (
-	"github.com/google/go-github/v80/github"
+	"github.com/google/go-github/v84/github"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 

api/v1/token_types.go

@@ -19,7 +19,7 @@ package v1
 import (
 	"time"
 
-	"github.com/google/go-github/v80/github"
+	"github.com/google/go-github/v84/github"
 	"github.com/isometry/github-token-manager/internal/ghapp"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

api/v1/token_types_test.go

@@ -4,7 +4,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/google/go-github/v80/github"
+	"github.com/google/go-github/v84/github"
 	v1 "github.com/isometry/github-token-manager/api/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )

deploy/charts/github-token-manager/Chart.yaml

@@ -4,4 +4,4 @@ name: github-token-manager
 description: A Helm chart for github-token-manager
 
 type: application
-version: 0.2.0
+version: 0.3.0

deploy/charts/github-token-manager/README.md

@@ -28,16 +28,20 @@ config.app_id | GitHub App ID | `0`                   |
 config.installation_id | GitHub App Installation ID | `0`                   |
 config.provider | GitHub App Private Key Provider | `aws`                 |
 config.key | GitHub App Private Key Path | `alias/github-token-manager` |
+config.validate_key | Validate the key on startup | `false`               |
 rbac.serviceAccount.annotations | Annotations for the service account | `{}`                  |
 commonAnnotations | Common annotations for all resources | `{}`                  |
 
 The `config.provider` field supported options are:
 - `aws`: The GitHub App private key is stored in AWS KMS (asymmetric, RSA_2048, sign and verify key) and the `config.key` field should be set to the alias of this KMS key.
+- `azure`: The GitHub App private key is stored in Azure Key Vault and the `config.key` field should be set to the key URI (e.g. `https://<vault-name>.vault.azure.net/keys/<key-name>`).
 - `file`: The GitHub App private key is embedded by YAML multiline string in the `config.key` field.
 - `gcp`: The GitHub App private key is stored in GCP KMS.
-- `vault`: The GitHub App private key is stored in HashiCorp Vault.
+- `vault`: The GitHub App private key is stored in HashiCorp Vault Transit Engine.
 
-When using external providers like `aws`, `gcp`, or `vault`, the controller's `ServiceAccount` must be configured with the necessary permissions to access the external store.
+When `config.validate_key` is set to `true`, the operator validates that the configured key is accessible and suitable for signing at startup, failing fast on misconfiguration. This may require additional read permissions on the key.
+
+When using external providers like `aws`, `azure`, `gcp`, or `vault`, the controller's `ServiceAccount` must be configured with the necessary permissions to access the external store.
 
 ### Example values.yaml configuration for aws provider
 

deploy/charts/github-token-manager/templates/config.yaml

@@ -18,6 +18,9 @@ stringData:
     app_id: {{ .Values.config.app_id | int }}
     installation_id: {{ .Values.config.installation_id | int }}
     provider: "{{ .Values.config.provider }}"
+  {{- if .Values.config.validate_key }}
+    validate_key: true
+  {{- end }}
   {{- if ne .Values.config.provider "file" }}
     key: "{{ .Values.config.key }}"
   {{- else }}