The kgateway documentation currently lacks an Azure-specific deployment guide. Existing guides and examples are oriented toward AWS and GCP environments, leaving Azure users without a reference for deploying kgateway on AKS with Azure-native integrations.
The primary focus of this guide is documenting the end-to-end TLS certificate flow from Azure Key Vault to a kgateway Gateway listener — a pattern that is meaningfully different from cert-manager or static Secret references and is not covered anywhere in the current docs.
Motivation
The Key Vault → Gateway TLS gap
TLS termination at the gateway is a day-one production requirement. On Azure, the standard pattern for managing certificates is Azure Key Vault — but getting a certificate from Key Vault into a kgateway Gateway listener involves a chain of Azure and Kubernetes resources that is not obvious and not documented:
Azure Key Vault (certificate store)
↓ CSI driver sync
SecretProviderClass (defines what to pull and how to project it)
↓ mounts as volume on a Pod, materialises as
Kubernetes Secret (kubernetes.io/tls type)
↓ referenced by
Gateway listener (certificateRefs)
↓ terminates TLS at
Envoy proxy (kgateway data plane)
Each step in this chain has Azure-specific configuration that is not covered by the existing kgateway TLS docs.
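The chain above, written out as manifests. This is an added example, not taken from the kgateway docs or the original proposal; it assumes the Secrets Store CSI driver with the Azure provider is installed on the AKS cluster, that a user-assigned managed identity on the node pool can read secrets from the vault, that the default kgateway GatewayClass is named "kgateway", and that the vault name, tenant ID, identity client ID and certificate name (gateway-cert) are placeholders to substitute.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata: {name: kv-gateway-tls, namespace: kgateway-system}
spec:
  provider: azure
  parameters:
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<MANAGED_IDENTITY_CLIENT_ID>"  # placeholder
    keyvaultName: "<KEY_VAULT_NAME>"                        # placeholder
    tenantId: "<TENANT_ID>"                                 # placeholder
    objects: |
      array:
        - |
          objectName: gateway-cert
          objectType: secret   # "secret" = PEM with private key; "cert" = public cert only
  secretObjects:
    - secretName: gateway-tls
      type: kubernetes.io/tls
      data:
        - objectName: gateway-cert
          key: tls.key
        - objectName: gateway-cert
          key: tls.crt
---
# Some Pod must mount the volume: the synced Secret exists only while a Pod mounts it.
apiVersion: v1
kind: Pod
metadata: {name: kv-sync, namespace: kgateway-system}
spec:
  containers:
    - name: pause
      image: registry.k8s.io/pause:3.9
      volumeMounts: [{name: kv, mountPath: /mnt/kv, readOnly: true}]
  volumes:
    - name: kv
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes: {secretProviderClass: kv-gateway-tls}
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata: {name: https-gw, namespace: kgateway-system}
spec:
  gatewayClassName: kgateway
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls: {mode: Terminate, certificateRefs: [{kind: Secret, name: gateway-tls}]}
```

Once the kv-sync Pod is Running, `kubectl get secret gateway-tls -n kgateway-system` should show a kubernetes.io/tls Secret; if it is missing, the CSI driver Pod logs usually show the Key Vault access error (wrong identity, missing role assignment, or wrong objectName).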