HashiCorp Vault provider for the Secrets Store CSI driver allows you to get secrets stored in Vault and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.
This project is currently supported as a Beta product, but relies on Alpha Kubernetes APIs and the CSI secrets store driver which is also Alpha. Where possible we will provide upgrade paths and deprecation notices for future releases, but cannot guarantee a stable API.
- Kubernetes 1.16+ for both the master and worker nodes (Linux-only)
- Secrets store CSI driver installed
TokenRequestendpoint available, which requires setting the flags--service-account-signing-key-fileand--service-account-issuerforkube-apiserver. Set by default from 1.20+ and earlier in most managed services.
The recommended installation method is via helm 3:
helm repo add hashicorp https://helm.releases.hashicorp.com
# Just installs Vault CSI provider. Adjust `server.enabled` and `injector.enabled`
# if you also want helm to install Vault and the Vault Agent injector.
helm install vault hashicorp/vault \
--set "server.enabled=false" \
--set "injector.enabled=false" \
--set "csi.enabled=true"You can also install using the deployment config in the deployment folder:
kubectl apply -f deployment/vault-csi-provider.yamlSee the learn tutorial and documentation pages for full details of deploying, configuring and using Vault CSI provider. The integration tests in test/bats/provider.bats also provide a good set of fully worked and tested examples to build on.
To troubleshoot issues with Vault CSI provider, look at logs from the Vault CSI provider pod running on the same node as your application pod:
kubectl get pods -o wide
# find the Vault CSI provider pod running on the same node as your application pod
kubectl logs vault-csi-provider-7x44tPass --debug=true to the provider to get more detailed logs. When installing
via helm, you can achieve this with --set "csi.debug=true".