131 lines
4.5 KiB
Plaintext
131 lines
4.5 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault CSI Provider
|
|
description: >-
|
|
The Vault CSI Provider allows pods to consume Vault secrets using CSI volumes.
|
|
---
|
|
|
|
# Vault CSI Provider
|
|
|
|
The Vault CSI Provider allows pods to consume Vault secrets using
|
|
[CSI Secrets Store](https://github.com/kubernetes-sigs/secrets-store-csi-driver) volumes.
|
|
|
|
~> The Vault CSI Provider requires the [CSI Secret Store](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
|
|
Driver to be installed.
|
|
|
|
## Overview
|
|
|
|
At a high level, the CSI Secrets Store driver allows users to create `SecretProviderClass` objects.
|
|
This object defines which secret provider to use and what secrets to retrieve. When pods requesting CSI volumes
|
|
are created, the CSI Secrets Store driver will send the request to the Vault CSI Provider if the provider
|
|
is `vault`. The Vault CSI Provider will then use Secret Provider Class specified and the pod's service account to retrieve
|
|
the secrets from Vault, and mount them into the pod's CSI volume.
|
|
|
|
The secret is retrieved from Vault and populated to the CSI secrets store volume during the `ContainerCreation` phase.
|
|
This means that pods will be blocked from starting until the secrets have been read from Vault and written to the volume.
|
|
|
|
### Features
|
|
|
|
The following features are supported by the Vault CSI Provider:
|
|
|
|
- All Vault secret engines supported.
|
|
- Authentication using the requesting pod's service account.
|
|
- TLS/mTLS communications with Vault.
|
|
- Rendering Vault secrets to files.
|
|
- Dynamic lease caching and renewal performed by Agent.
|
|
- Syncing secrets to Kubernetes secrets to be used as environment variables.
|
|
- Installation via [Vault Helm](/vault/docs/platform/k8s/helm)
|
|
|
|
@include 'kubernetes-supported-versions.mdx'
|
|
|
|
## Authenticating with Vault
|
|
|
|
The Vault CSI Provider will authenticate with Vault as the service account of the
|
|
pod that mounts the CSI volume. [Kubernetes](/vault/docs/auth/kubernetes) and
|
|
[JWT](/vault/docs/auth/jwt) auth methods are supported. The pod's service account
|
|
must be bound to a Vault role and a policy granting access to the secrets desired.
|
|
|
|
It is highly recommended to run pods with dedicated Kubernetes service accounts to
|
|
ensure applications cannot access more secrets than they require.
|
|
|
|
## Secret Provider Class Example
|
|
|
|
The following is an example of a Secret Provider Class using the `vault` provider:
|
|
|
|
```yaml
|
|
---
|
|
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
|
|
kind: SecretProviderClass
|
|
metadata:
|
|
name: vault-db-creds
|
|
spec:
|
|
# Vault CSI Provider
|
|
provider: vault
|
|
parameters:
|
|
# Vault role name to use during login
|
|
roleName: 'app'
|
|
# Vault address and TLS connection config is normally best configured by the
|
|
# helm chart, but can be overridden per SecretProviderClass:
|
|
# Vault's hostname
|
|
#vaultAddress: 'https://vault:8200'
|
|
# TLS CA certification for validation
|
|
#vaultCACertPath: '/vault/tls/ca.crt'
|
|
objects: |
|
|
- objectName: "dbUsername"
|
|
secretPath: "database/creds/db-app"
|
|
secretKey: "username"
|
|
- objectName: "dbPassword"
|
|
secretPath: "database/creds/db-app"
|
|
secretKey: "password"
|
|
# "objectName" is an alias used within the SecretProviderClass to reference
|
|
# that specific secret. This will also be the filename containing the secret.
|
|
# "secretPath" is the path in Vault where the secret should be retrieved.
|
|
# "secretKey" is the key within the Vault secret response to extract a value from.
|
|
```
|
|
|
|
~> Secret Provider Class is a namespaced object in Kubernetes.
|
|
|
|
## Using Secret Provider Classes
|
|
|
|
An application pod uses the example Secret Provider Class above by mounting it as a CSI volume:
|
|
|
|
```yaml
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: app
|
|
labels:
|
|
app: demo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: demo
|
|
replicas: 1
|
|
template:
|
|
spec:
|
|
serviceAccountName: app
|
|
containers:
|
|
- name: app
|
|
image: my-app:1.0.0
|
|
volumeMounts:
|
|
- name: 'vault-db-creds'
|
|
mountPath: '/mnt/secrets-store'
|
|
readOnly: true
|
|
volumes:
|
|
- name: vault-db-creds
|
|
csi:
|
|
driver: 'secrets-store.csi.k8s.io'
|
|
readOnly: true
|
|
volumeAttributes:
|
|
secretProviderClass: 'vault-db-creds'
|
|
```
|
|
|
|
In this example `volumes.csi` is created on the application deployment and references
|
|
the Secret Provider Class named `vault-db-creds`.
|
|
|
|
## Tutorial
|
|
|
|
Refer to the [Vault CSI Provider](/vault/tutorials/kubernetes/kubernetes-secret-store-driver)
|
|
tutorial to learn how to set up Vault and its dependencies with a Helm chart.
|