hashicorp/vault-csi-provider

HashiCorp Vault Provider for Secrets Store CSI Driver

⚠️ Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault CSI Provider, please responsibly disclose by contacting us at [email protected].

HashiCorp Vault provider for the Secrets Store CSI driver allows you to get secrets stored in Vault and use the Secrets Store CSI driver interface to mount them into Kubernetes pods.

Installation

Prerequisites

Using helm

The recommended installation method is via helm 3:

helm repo add hashicorp https://helm.releases.hashicorp.com
# Just installs Vault CSI provider. Adjust `server.enabled` and `injector.enabled`
# if you also want helm to install Vault and the Vault Agent injector.
helm install vault hashicorp/vault \
  --set "server.enabled=false" \
  --set "injector.enabled=false" \
  --set "csi.enabled=true"

Using yaml

You can also install using the deployment config in the deployment folder:

kubectl apply -f deployment/vault-csi-provider.yaml

Usage

See the learn tutorial and documentation pages for full details of deploying, configuring and using Vault CSI provider. The integration tests in test/bats/provider.bats also provide a good set of fully worked and tested examples to build on.

Troubleshooting

To troubleshoot issues with Vault CSI provider, look at logs from the Vault CSI provider pod running on the same node as your application pod:

kubectl get pods -o wide
# find the Vault CSI provider pod running on the same node as your application pod

kubectl logs vault-csi-provider-7x44t

Warning: The -debug=true flag has been deprecated; please use -log-level=debug instead. Available log levels are info, debug, trace, warn, error, and off.
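The "find the provider pod on the same node" step above can be scripted. The following is an added example, not part of the project's own tooling: it assumes provider pods are named vault-csi-provider-<suffix> (as in the log command above), and the function name, sample pod names and node names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find the Vault CSI provider pod on the same node as an app pod.
# stdin: "NAMESPACE NAME NODE" rows, e.g. from
#   kubectl get pods -A --no-headers \
#     -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,NODE:.spec.nodeName
# Assumption: provider pods are named vault-csi-provider-<suffix>.

# provider_pod_for NAMESPACE POD
# Prints namespace/name of each provider pod on the app pod's node.
# Exit 2: app pod not found or not scheduled. Exit 3: no provider pod on its node.
provider_pod_for() {
    awk -v ns="$1" -v pod="$2" '
        { rows[NR] = $0 }
        $1 == ns && $2 == pod { node = $3 }
        END {
            if (node == "" || node == "<none>") exit 2
            for (i = 1; i <= NR; i++) {
                split(rows[i], f, " ")
                if (f[3] == node && f[2] ~ /^vault-csi-provider-/) {
                    print f[1] "/" f[2]
                    found = 1
                }
            }
            exit (found ? 0 : 3)
        }'
}

# Constructed sample listing (not real cluster output).
sample_pods() {
    cat <<'EOF'
default     my-app-6c9f7d             worker-2
default     pending-app-1             <none>
vault       vault-csi-provider-7x44t  worker-1
vault       vault-csi-provider-q2m8k  worker-2
kube-system csi-secrets-store-abcde   worker-2
default     lonely-app-0              worker-3
EOF
}

sample_pods | provider_pod_for default my-app-6c9f7d   # prints vault/vault-csi-provider-q2m8k
```

Pass the printed namespace and pod name to kubectl logs -n <namespace> <pod>. Exit code 3 means no provider pod is running on the application pod's node, which is itself a useful finding when a mount fails.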

Developing

The Makefile has targets to automate building and testing:

make build test

The project also uses some linting and formatting tools. To install the tools:

make bootstrap

You can then run the additional checks:

make fmt lint mod

Testing

To run a full set of integration tests on a local kind cluster, ensure you have the following additional dependencies installed:

You can then run:

make setup-kind e2e-image e2e-setup e2e-test

Finally, tidy up the resources created in the kind cluster with:

make e2e-teardown

OpenShift

To test on OpenShift, install the Secrets Store CSI Driver Operator, and follow the instructions to create a ClusterCSIDriver instance. You can then run:

make ci-build e2e-image-ubi GOOS=linux GOARCH=arm64

# tag the e2e image and upload it somewhere accessible from OpenShift
docker tag e2e/vault-csi-provider:latest <image:tag>
docker push <image:tag>

make e2e-setup-openshift e2e-test EXTRA_VAULT_VALUES="--set csi.image.repository=<image>,csi.image.tag=<tag>,csi.daemonSet.securityContext.container.privileged=true"

Finally, tidy up the resources created in the OpenShift cluster with:

make e2e-teardown-openshift