SAP Credential Store Provider for Secrets Store CSI Driver

kloyan/credstore-csi-provider

SAP Credential Store provider for the Secrets Store CSI driver enables you to pull passwords and encryption keys from the SAP Credential Store and mount them into Kubernetes pods.

Installation

You can use the deployment manifests in deploy, which install the following components:

  • Secrets Store CSI driver via the Helm chart
  • SAP Credential Store provider

You can install them in your current Kubernetes cluster by using Kustomize:

kubectl kustomize --enable-helm deploy/ | kubectl apply -f-

Note: This provider requires an mTLS service key to communicate with the SAP Credential Store (placed in service-key.json). Check this documentation link, which explains how to create one. The SAP BTP Service Operator can also be used for automatic creation and rotation of such service keys.

Usage

These example manifests demonstrate the basic scenario of mounting a password and key credentials into a pod.

The credential's metadata is described in the secret-provider-class.yaml and follows this syntax:

  • name - name of the source credential in SAP Credential Store
  • namespace - namespace of the source credential in SAP Credential Store
  • type - type of the source credential in SAP Credential Store, either key or password
  • fileName - name of the destination file which will be mounted in the K8s pod
  • mode - permissions of the destination file, e.g., 0640, 0400, 0777. Defaults to 0644 if omitted
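The following lint is an added example, not code from this repository: it checks credential entries against the field rules listed above and reports the effective file mode, including the documented 0644 default, which leaves the mounted secret readable by every user in the container. The Credential struct, the Lint function, the sample entries and the rule that fileName must be a plain file name are assumptions made for illustration.

```go
package main
import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Credential mirrors the five fields listed above; the struct itself is hypothetical.
type Credential struct {
	Name, Namespace, Type, FileName, Mode string
}

// Lint returns the effective file mode and a list of findings for one entry.
func Lint(c Credential) (os.FileMode, []string) {
	var findings []string
	if c.Type != "key" && c.Type != "password" {
		findings = append(findings, fmt.Sprintf("type %q is neither key nor password", c.Type))
	}
	// Assumption: fileName is a plain file name inside the mount, not a path.
	if c.FileName == "" || c.FileName == "." || c.FileName == ".." || strings.ContainsAny(c.FileName, `/\`) {
		findings = append(findings, fmt.Sprintf("fileName %q must be a plain file name", c.FileName))
	}
	mode := os.FileMode(0644) // documented default when mode is omitted
	if c.Mode != "" {
		n, err := strconv.ParseUint(c.Mode, 8, 32)
		if err != nil || n > 0777 {
			return 0, append(findings, fmt.Sprintf("mode %q is not an octal permission in 0000-0777", c.Mode))
		}
		mode = os.FileMode(n)
	}
	if mode&0007 != 0 {
		findings = append(findings, fmt.Sprintf("mode %04o grants access to all users in the container", uint32(mode)))
	}
	return mode, findings
}

func main() {
	// Constructed sample entries, not taken from the repository.
	samples := []Credential{
		{"db-password", "prod", "password", "db-password", "0400"},
		{"api-key", "prod", "key", "api-key", ""},
		{"tls-key", "prod", "cert", "../tls.key", "0777"},
	}
	for _, c := range samples {
		mode, findings := Lint(c)
		fmt.Printf("%s -> %04o %v\n", c.Name, uint32(mode), findings)
	}
}
```

Only the first sample passes cleanly; the second is flagged solely because it relies on the default mode.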

Local Setup

# Build a custom container image
make image

# Set up a local K8s cluster with kind: https://kind.sigs.k8s.io/
# The command also deploys the provider and the secrets store csi driver
make setup-kind
kubectl get pod -n csi