luxolus/open-vault
2
0
Fork 0
Code Issues 1 Pull requests Releases Activity
open-vault/website/content/docs/platform/k8s/csi/configurations.mdx
Ikko Ashimine dc6924e764
docs: fix typo in configurations.mdx (#15863) 
paramters -> parameters
2022-06-08 09:03:45 -04:00

132 lines
5.7 KiB
Plaintext
Raw Blame History

---
layout: docs
page_title: Vault CSI Provider Configurations
description: This section documents the configurables for the Vault CSI Provider.
---
# Command line arguments
The following command line arguments are supported by the Vault CSI provider.
Most settings support being set by, in ascending order of precedence:
- Environment variables
- Command line arguments
- Secret Provider Class parameters
If installing via the helm chart, they can be set using e.g.
`--set "csi.extraArgs={-debug=true}"`.
- `-debug` `(bool: false)` - Set to true to enable debug level logging.
- `-endpoint` `(string: "/tmp/vault.sock")` - Path to unix socket on which the
provider will listen for gRPC calls from the driver.
- `-health-addr` `(string: ":8080")` - (v0.3.0+) The address of the HTTP listener
for reporting health.
- `-vault-addr` `(string: "https://127.0.0.1:8200")` - (v0.3.0+) Default address
for connecting to Vault. Can also be specified via the `VAULT_ADDR` environment
variable.
- `-vault-mount` `(string: "kubernetes")` - (v0.3.0+) Default Vault mount path
for Kubernetes authentication. Can be overridden per Secret Provider Class
object.
- `-vault-namespace` `(string: "")` - (v1.1.0+) Default Vault namespace for Vault
requests. Can also be specified via the `VAULT_NAMESPACE` environment variable.
- `-vault-tls-ca-cert` `(string: "")` - (v1.1.0+) Path on disk to a single
PEM-encoded CA certificate to trust for Vault. Takes precendence over
`-vault-tls-ca-directory`. Can also be specified via the `VAULT_CACERT`
environment variable.
- `-vault-tls-ca-directory` `(string: "")` - (v1.1.0+) Path on disk to a
directory of PEM-encoded CA certificates to trust for Vault. Can also be
specified via the `VAULT_CAPATH` environment variable.
- `-vault-tls-server-name` `(string: "")` - (v1.1.0+) Name to use as the SNI
host when connecting to Vault via TLS. Can also be specified via the
`VAULT_TLS_SERVER_NAME` environment variable.
- `-vault-tls-client-cert` `(string: "")` - (v1.1.0+) Path on disk to a
PEM-encoded client certificate for mTLS communication with Vault. If set,
also requires `-vault-tls-client-key`. Can also be specified via the
`VAULT_CLIENT_CERT` environment variable.
- `-vault-tls-client-key` `(string: "")` - (v1.1.0+) Path on disk to a
PEM-encoded client key for mTLS communication with Vault. If set, also
requires `-vault-tls-client-cert`. Can also be specified via the
`VAULT_CLIENT_KEY` environment variable.
- `-vault-tls-skip-verify` `(bool: false)` - (v1.1.0+) Disable verification of
TLS certificates. Can also be specified via the `VAULT_SKIP_VERIFY` environment
variable.
- `-version` `(bool: false)` - print version information and exit.
# Secret Provider Class Parameters
The following parameters are supported by the Vault provider. Each parameter is
an entry under `spec.parameters` in a SecretProviderClass object. The full
structure is illustrated in the [examples](/docs/platform/k8s/csi/examples).
- `roleName` `(string: "")` - Name of the role to be used during login with Vault.
- `vaultAddress` `(string: "")` - The address of the Vault server.
- `vaultNamespace` `(string: "")` - The Vault [namespace](/docs/enterprise/namespaces) to use.
- `vaultSkipTLSVerify` `(string: "false")` - When set to true, skips verification of the Vault server
certificate. Setting this to true is not recommended for production.
- `vaultCACertPath` `(string: "")` - The path on disk where the Vault CA certificate can be found
when verifying the Vault server certificate.
- `vaultCADirectory` `(string: "")` - The directory on disk where the Vault CA certificate can be found
when verifying the Vault server certificate.
- `vaultTLSClientCertPath` `(string: "")` - The path on disk where the client certificate can be found
for mTLS communications with Vault.
- `vaultTLSClientKeyPath` `(string: "")` - The path on disk where the client key can be found
for mTLS communications with Vault.
- `vaultTLSServerName` `(string: "")` - The name to use as the SNI host when connecting via TLS.
- `vaultKubernetesMountPath` `(string: "kubernetes")` - The name of the auth mount used for login.
At this time only the Kubernetes auth method is supported.
- `objects` `(array)` - An array of secrets to retrieve from Vault.
- `objectName` `(string: "")` - The alias of the object which can be referenced within the secret provider class and
the name of the secret file.
- `method` `(string: "GET")` - The type of HTTP request. Supported values include "GET" and "PUT".
- `secretPath` `(string: "")` - The path in Vault where the secret is located.
For secrets that are retrieved via HTTP GET method, the `secretPath` can include optional URI parameters,
for example, the [version of the KV2 secret](https://www.vaultproject.io/api-docs/secret/kv/kv-v2#read-secret-version):
```yaml
objects: |
- objectName: "app-secret"
secretPath: "secret/data/test?version=1"
secretKey: "password"
```
- `secretKey` `(string: "")` - The key in the Vault secret to extract. If omitted, the whole response from Vault will be written as JSON.
- `secretArgs` `(map: {})` - Additional arguments to be sent to Vault for a specific secret. Arguments can vary
for different secret engines. For example:
```yaml
secretArgs:
common_name: 'test.example.com'
ttl: '24h'
```
~> `secretArgs` are sent as part of the HTTP request body. Therefore, they are only effective for HTTP PUT/POST requests, for instance,
the [request used to generate a new certificate](https://www.vaultproject.io/api-docs/secret/pki#generate-certificate).
To supply additional parameters for secrets retrieved via HTTP GET, include optional URI parameters in [`secretPath`](#secretpath).
Reference in a new issue View git blame Copy permalink