The Azure Key Vault provider for the Secrets Store CSI driver lets you retrieve secret contents stored in an Azure Key Vault instance and mount them into Kubernetes pods through the Secrets Store CSI driver interface.
Helm Chart Version | Secrets Store CSI Driver Version | Azure Key Vault Provider Version |
---|---|---|
1.0.0-rc.0 | 1.0.0-rc.0 | 1.0.0-rc.0 |
1.0.0 | 1.0.0 | 1.0.0 |
1.0.1 | 1.0.1 | 1.0.1 |
1.1.0-rc.0 | 1.1.0 | 1.1.0-rc.0 |
1.1.0 | 1.1.0 | 1.1.0 |
1.1.1 | 1.1.1 | 1.1.0 |
1.1.2 | 1.1.2 | 1.1.0 |
1.1.3 | 1.1.2 | 1.1.0 |
1.2.0 | 1.1.2 | 1.2.0 |
1.2.1 | 1.2.0 | 1.2.0 |
1.2.2 | 1.2.2 | 1.2.0 |
1.3.0 | 1.2.3 | 1.3.0 |
1.4.0 | 1.3.0 | 1.4.0 |
1.4.1 | 1.3.2 | 1.4.0 |
1.4.2 | 1.3.2 | 1.4.1 |
1.4.3 | 1.3.3 | 1.4.1 |
1.4.4 | 1.3.4 | 1.4.1 |
1.5.0 | 1.4.0 | 1.5.0 |
1.5.1 | 1.4.1 | 1.5.1 |
1.5.2 | 1.4.1 | 1.5.1 |
1.5.3 | 1.4.2 | 1.5.1 |
1.5.4 | 1.4.3 | 1.5.2 |
Note: The helm chart repository URL has changed from https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts to https://azure.github.io/secrets-store-csi-driver-provider-azure/charts.
Update helm chart repository if using the old URL
Run the following commands to update your Helm chart repositories if using the old URL:
```bash
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts --force-update
helm repo update
```
Quick start instructions for the setup and configuration of secrets-store-csi-driver and azure keyvault provider using Helm.
- This chart installs the secrets-store-csi-driver and the azure keyvault provider for the driver
```bash
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm install csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --generate-name
```
The following table lists the configurable parameters of the csi-secrets-store-provider-azure chart and their default values.
Refer to doc for configurable parameters of the secrets-store-csi-driver chart.
Parameter | Description | Default |
---|---|---|
nameOverride | String to partially override csi-secrets-store-provider-azure.fullname template with a string (will prepend the release name) | "" |
fullnameOverride | String to fully override csi-secrets-store-provider-azure.fullname template with a string | "" |
imagePullSecrets | Secrets to be used when pulling images | [] |
logFormatJSON | Use JSON logging format | false |
logVerbosity | Log level. Uses V logs (klog) | 0 |
linux.enabled | Install azure keyvault provider on linux nodes | true |
linux.image.repository | Linux image repository | mcr.microsoft.com/oss/azure/secrets-store/provider-azure |
linux.image.pullPolicy | Linux image pull policy | IfNotPresent |
linux.image.tag | Azure Keyvault Provider Linux image tag | v1.5.2 |
linux.nodeSelector | Node Selector for the daemonset on linux nodes | {} |
linux.tolerations | Tolerations for the daemonset on linux nodes | [{"operator": "Exists"}] |
linux.resources | Resource limit for provider pods on linux nodes | requests.cpu: 50m requests.memory: 100Mi limits.cpu: 50m limits.memory: 100Mi |
linux.podLabels | Additional pod labels | {} |
linux.podAnnotations | Additional pod annotations | {} |
linux.priorityClassName | Indicates the importance of a Pod relative to other Pods. | "" |
linux.updateStrategy | Configure a custom update strategy for the daemonset on linux nodes | RollingUpdate with 1 maxUnavailable |
linux.privileged | Enable privileged mode for Linux daemonset | false |
linux.customUserAgent | Custom user agent to add to adal and keyvault requests | "" |
linux.healthzPort | port for health check | "8989" |
linux.healthzPath | path for health check | "/healthz" |
linux.healthzTimeout | RPC timeout for health check | "5s" |
linux.volumes | Additional volumes to create for the KeyVault provider pods. | [] |
linux.volumeMounts | Additional volumes to mount on the KeyVault provider pods. | [] |
linux.affinity | Configures affinity for provider pods on linux nodes | Match expression type NotIn virtual-kubelet |
linux.kubeletRootDir | Configure the kubelet root dir | /var/lib/kubelet |
linux.providersDir | Configure the providers root dir | /var/run/secrets-store-csi-providers |
linux.dnsPolicy | Configure DNS policy for the provider pod | "" |
windows.enabled | Install azure keyvault provider on windows nodes | false |
windows.image.repository | Windows image repository | mcr.microsoft.com/oss/azure/secrets-store/provider-azure |
windows.image.pullPolicy | Windows image pull policy | IfNotPresent |
windows.image.tag | Azure Keyvault Provider Windows image tag | v1.5.2 |
windows.nodeSelector | Node Selector for the daemonset on windows nodes | {} |
windows.tolerations | Tolerations for the daemonset on windows nodes | {} |
windows.resources | Resource limit for provider pods on windows nodes | requests.cpu: 100m requests.memory: 200Mi limits.cpu: 100m limits.memory: 200Mi |
windows.podLabels | Additional pod labels | {} |
windows.podAnnotations | Additional pod annotations | {} |
windows.priorityClassName | Indicates the importance of a Pod relative to other Pods. | "" |
windows.updateStrategy | Configure a custom update strategy for the daemonset on windows nodes | RollingUpdate with 1 maxUnavailable |
windows.customUserAgent | Custom user agent to add to adal and keyvault requests | "" |
windows.healthzPort | port for health check | "8989" |
windows.healthzPath | path for health check | "/healthz" |
windows.healthzTimeout | RPC timeout for health check | "5s" |
windows.volumes | Additional volumes to create for the KeyVault provider pods. | [] |
windows.affinity | Configures affinity for provider pods on windows nodes | Match expression type NotIn virtual-kubelet |
windows.volumeMounts | Additional volumes to mount on the KeyVault provider pods. | [] |
windows.kubeletRootDir | Configure the kubelet root dir | C:\var\lib\kubelet |
windows.providersDir | Configure the providers root dir | C:\k\secrets-store-csi-providers |
secrets-store-csi-driver.install | Install secrets-store-csi-driver with this chart | true |
secrets-store-csi-driver.fullnameOverride | String to fully override secrets-store-csi-driver.fullname template with a string | secrets-store-csi-driver |
secrets-store-csi-driver.linux.enabled | Install secrets-store-csi-driver on linux nodes | true |
secrets-store-csi-driver.linux.kubeletRootDir | Configure the kubelet root dir | /var/lib/kubelet |
secrets-store-csi-driver.linux.metricsAddr | The address the metric endpoint binds to | :8080 |
secrets-store-csi-driver.linux.tolerations | Tolerations for driver pods on linux nodes | [] |
secrets-store-csi-driver.linux.priorityClassName | Indicates the importance of a Pod relative to other Pods | "" |
secrets-store-csi-driver.linux.image.repository | Driver Linux image repository | mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver |
secrets-store-csi-driver.linux.image.pullPolicy | Driver Linux image pull policy | IfNotPresent |
secrets-store-csi-driver.linux.image.tag | Driver Linux image tag | v1.4.3 |
secrets-store-csi-driver.linux.registrarImage.repository | Driver Linux node-driver-registrar image repository | mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar |
secrets-store-csi-driver.linux.registrarImage.pullPolicy | Driver Linux node-driver-registrar image pull policy | IfNotPresent |
secrets-store-csi-driver.linux.registrarImage.tag | Driver Linux node-driver-registrar image tag | v2.10.0 |
secrets-store-csi-driver.linux.livenessProbeImage.repository | Driver Linux liveness-probe image repository | mcr.microsoft.com/oss/kubernetes-csi/livenessprobe |
secrets-store-csi-driver.linux.livenessProbeImage.pullPolicy | Driver Linux liveness-probe image pull policy | IfNotPresent |
secrets-store-csi-driver.linux.livenessProbeImage.tag | Driver Linux liveness-probe image tag | v2.12.0 |
secrets-store-csi-driver.linux.crds.image.repository | Driver CRDs Linux image repository | mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver-crds |
secrets-store-csi-driver.linux.crds.image.tag | Driver CRDs Linux image tag | v1.4.3 |
secrets-store-csi-driver.linux.crds.image.pullPolicy | Driver CRDs Linux image pull policy | IfNotPresent |
secrets-store-csi-driver.windows.enabled | Install secrets-store-csi-driver on windows nodes | false |
secrets-store-csi-driver.windows.kubeletRootDir | Configure the kubelet root dir | C:\var\lib\kubelet |
secrets-store-csi-driver.windows.metricsAddr | The address the metric endpoint binds to | :8080 |
secrets-store-csi-driver.windows.tolerations | Tolerations for driver pods on windows nodes | [] |
secrets-store-csi-driver.windows.priorityClassName | Indicates the importance of a Pod relative to other Pods | "" |
secrets-store-csi-driver.windows.image.repository | Driver Windows image repository | mcr.microsoft.com/oss/kubernetes-csi/secrets-store/driver |
secrets-store-csi-driver.windows.image.pullPolicy | Driver Windows image pull policy | IfNotPresent |
secrets-store-csi-driver.windows.image.tag | Driver Windows image tag | v1.4.3 |
secrets-store-csi-driver.windows.registrarImage.repository | Driver Windows node-driver-registrar image repository | mcr.microsoft.com/oss/kubernetes-csi/csi-node-driver-registrar |
secrets-store-csi-driver.windows.registrarImage.pullPolicy | Driver Windows node-driver-registrar image pull policy | IfNotPresent |
secrets-store-csi-driver.windows.registrarImage.tag | Driver Windows node-driver-registrar image tag | v2.10.0 |
secrets-store-csi-driver.windows.livenessProbeImage.repository | Driver Windows liveness-probe image repository | mcr.microsoft.com/oss/kubernetes-csi/livenessprobe |
secrets-store-csi-driver.windows.livenessProbeImage.pullPolicy | Driver Windows liveness-probe image pull policy | IfNotPresent |
secrets-store-csi-driver.windows.livenessProbeImage.tag | Driver Windows liveness-probe image tag | v2.12.0 |
secrets-store-csi-driver.enableSecretRotation | Enable secret rotation feature [alpha] | false |
secrets-store-csi-driver.rotationPollInterval | Secret rotation poll interval duration | 2m |
secrets-store-csi-driver.filteredWatchSecret | Enable filtered watch for NodePublishSecretRef secrets with label secrets-store.csi.k8s.io/used=true. Refer to doc for more details | true |
secrets-store-csi-driver.syncSecret.enabled | Enable rbac roles and bindings required for syncing to Kubernetes native secrets | false |
secrets-store-csi-driver.tokenRequests | Token requests configuration for the csi driver. Refer to doc for more info. | [audience: api://AzureADTokenExchange] |
rbac.install | Install default service account | true |
rbac.pspEnabled | If true, create and use a restricted pod security policy for Secrets Store CSI Driver AKV provider pod(s) | false |
constructPEMChain | Explicitly reconstruct the pem chain in the order: SERVER, INTERMEDIATE, ROOT | true |
writeCertAndKeyInSeparateFiles | Write cert and key in separate files. The individual files will be named as .crt and .key. These files will be created in addition to the single file. | false |
metricsAddr | Port that serves metrics | 8898 |
promMdmConverter.resources | Resource limit for Arc ext monitoring pod's prom-mdm-converter container | requests.cpu: 50m requests.memory: 100Mi limits.cpu: 50m limits.memory: 100Mi |
mdm.resources | Resource limit for Arc ext monitoring pod's mdm container | requests.cpu: 50m requests.memory: 100Mi limits.cpu: 50m limits.memory: 100Mi |
msiAdapter.resources | Resource limit for Arc ext monitoring pod's msi-adapter container | requests.cpu: 50m requests.memory: 100Mi limits.cpu: 50m limits.memory: 100Mi |
telegraf.resources | Resource limit for Arc ext monitoring pod's telegraf container | requests.cpu: 50m requests.memory: 100Mi limits.cpu: 50m limits.memory: 100Mi |
amacoreagent.resources | Resource limit for Arc ext monitoring pod's amacoreagent container | requests.cpu: 50m requests.memory: 100Mi limits.cpu: 50m limits.memory: 100Mi |
fluentd.resources | Resource limit for Arc ext monitoring pod's fluentd container | requests.cpu: 50m requests.memory: 250Mi limits.cpu: 50m limits.memory: 250Mi |
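
An added example, not taken from the chart repository: a values file that sets the security-relevant parameters from the table explicitly instead of relying on defaults. The file name `values-hardened.yaml` is hypothetical; every key and default comes from the table above.

```yaml
# values-hardened.yaml (hypothetical file name; added example, not the project's own file)

# JSON logs are easier to parse and ship to a central log pipeline.
logFormatJSON: true

linux:
  enabled: true
  # Chart default. Stated explicitly so a later override is visible in review.
  privileged: false
  image:
    # Pin the provider image. Per the version table, provider 1.5.2 pairs
    # with chart 1.5.4 and driver 1.4.3.
    tag: v1.5.2
  resources:
    requests: {cpu: 50m, memory: 100Mi}
    limits: {cpu: 50m, memory: 100Mi}

windows:
  # Leave off unless the cluster actually has Windows nodes.
  enabled: false

secrets-store-csi-driver:
  install: true
  linux:
    image:
      tag: v1.4.3
  # Default is false. Enabling it installs the RBAC roles and bindings that
  # let the driver write Key Vault content into Kubernetes native Secrets,
  # so anyone with read access to those Secrets can then read the values.
  syncSecret:
    enabled: false
  # Marked [alpha] in the table. When enabled, the driver polls on
  # rotationPollInterval and refreshes the mounted content.
  enableSecretRotation: true
  rotationPollInterval: 2m
  # Only watch NodePublishSecretRef secrets carrying the label
  # secrets-store.csi.k8s.io/used=true (chart default).
  filteredWatchSecret: true
  tokenRequests:
    - audience: api://AzureADTokenExchange
```

Pass the file to the quick-start install command with `-f values-hardened.yaml`, and add `--version` with a chart version from the compatibility table so the chart itself is pinned as well.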