Description
Is your feature request related to a problem? Please describe.
The Ingress currently facilitates SSL/TLS termination by retrieving certificates from Azure Key Vault. While this is a valuable feature, many organizations, particularly those with stringent security and compliance mandates, require that private keys for SSL/TLS certificates are stored as non-exportable within a secure key store like Azure Key Vault (often backed by HSMs).
The current mechanism for retrieving certificates from Key Vault via the Secret Store CSI driver primarily focuses on making the certificate and key material available as Kubernetes secrets. This approach involves exporting the private key from Key Vault, which is not permissible for non-exportable keys. To fully support enterprise security requirements, we need a mechanism to perform SSL termination using private keys that cannot be exported from Azure Key Vault.
Describe the solution you'd like
Enhance the ingress and its integration with Azure Key Vault to directly utilize private keys stored as non-exportable for SSL termination.
This would involve:
- Allowing users to reference a Key Vault certificate or key that is stored with the non-exportable attribute set.
- The ingress controller managed by the operator (e.g., NGINX) or a component working alongside it must be able to perform the necessary cryptographic operations (like decryption during the TLS handshake) by interacting with Azure Key Vault using the non-exportable key reference, without the private key material ever leaving the Key Vault boundary.
- This interaction should leverage secure authentication methods like Managed Identities assigned to the AKS nodes or the operator/ingress controller components, with appropriate Key Vault permissions (e.g., Get, Sign, Decrypt, WrapKey depending on the exact Key Vault operation needed for TLS).
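The handshake-side mechanism the second bullet describes, as an added example that is not code from the operator or from Azure: a Go TLS server whose "private key" is only a crypto.Signer handle to a simulated vault (an in-process stand-in for Key Vault's sign-over-digest operation), so the TLS CertificateVerify signature is produced without the key material ever being in the server's hands. Names such as vaultSigner, HandshakeWithVaultKey and ingress.example.test are constructed for this example.

```go
package main
import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// vaultSigner is what the ingress holds: the public key and a handle to the sign API of a "vault", a constructed in-process stand-in for Key Vault.
type vaultSigner struct {
	pub   crypto.PublicKey
	sign  func(digest []byte) ([]byte, error) // the only path to the private key
	Calls int                                  // operations delegated across the boundary
}
func (v *vaultSigner) Public() crypto.PublicKey { return v.pub }
func (v *vaultSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	v.Calls++
	return v.sign(digest) // x509/TLS hand us a SHA-256 digest; only the signature comes back
}
// HandshakeWithVaultKey self-signs a cert for a vault-held P-256 key, runs a TLS handshake over net.Pipe and returns the vault's Sign count.
func HandshakeWithVaultKey() (int, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // captured by the closure below, never returned
	if err != nil {
		return 0, err
	}
	signer := &vaultSigner{pub: priv.Public(), sign: func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, priv, d) }}
	const host = "ingress.example.test" // constructed name
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer) // vault call 1
	if err != nil {
		return 0, err
	}
	leaf, _ := x509.ParseCertificate(der) // freshly generated DER always parses
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: signer}}, SessionTicketsDisabled: true} // tickets off: no server write after Finished, so the synchronous net.Pipe cannot deadlock
	srvConn, cliConn := net.Pipe()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, srvCfg).Handshake() }() // ingress side; CertificateVerify is vault call 2
	if err := tls.Client(cliConn, &tls.Config{RootCAs: roots, ServerName: host}).Handshake(); err != nil {
		return 0, err
	}
	err = <-srvErr // synchronises with the server goroutine before Calls is read
	return signer.Calls, err
}
```

A real implementation would replace the sign closure with a Key Vault sign call authenticated by the managed identity named above, which needs only the Sign permission for this path.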
