Install the Secrets Store CSI Driver


Supported kubernetes versions

Secrets Store CSI Driver will maintain support for all actively supported Kubernetes minor releases per Kubernetes Supported Versions policy. Check out the Kubernetes releases page for the latest supported Kubernetes releases.

Deployment using Helm

Secrets Store CSI Driver allows users to customize their installation via Helm.

Recommended to use Helm3

helm repo add secrets-store-csi-driver
helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system

Running the above helm install command will install the Secrets Store CSI Driver on Linux nodes in the kube-system namespace.

Optional Values

Notably the following feature must be explicitly enabled:

FeatureHelm Parameter
Sync as Kubernetes secretsyncSecret.enabled=true
Secret Auto rotationenableSecretRotation=true

For a list of customizable values that can be injected when invoking helm install, please see the Helm chart configurations.

[Alternatively] Deployment using yamls

kubectl apply -f deploy/rbac-secretproviderclass.yaml
kubectl apply -f deploy/csidriver.yaml
kubectl apply -f deploy/secrets-store.csi.x-k8s.io_secretproviderclasses.yaml
kubectl apply -f deploy/secrets-store.csi.x-k8s.io_secretproviderclasspodstatuses.yaml
kubectl apply -f deploy/secrets-store-csi-driver.yaml

# If using the driver to sync secrets-store content as Kubernetes Secrets, deploy the additional RBAC permissions
# required to enable this feature
kubectl apply -f deploy/rbac-secretprovidersyncing.yaml

# If using the secret rotation feature, deploy the additional RBAC permissions
# required to enable this feature
kubectl apply -f deploy/rbac-secretproviderrotation.yaml

# If using the CSI Driver token requests feature ( to use
# pod/workload identity to request a token and use with providers
kubectl apply -f deploy/rbac-secretprovidertokenrequest.yaml

# [OPTIONAL] To deploy driver on windows nodes
kubectl apply -f deploy/secrets-store-csi-driver-windows.yaml

To validate the installer is running as expected, run the following commands:

kubectl get po --namespace=kube-system

You should see the Secrets Store CSI driver pods running on each agent node:

csi-secrets-store-qp9r8         3/3     Running   0          4m
csi-secrets-store-zrjt2         3/3     Running   0          4m

You should see the following CRDs deployed:

kubectl get crd

Install External Secret Providers

Now that the Secrets Store CSI Driver has been deployed, select a provider from the supported provider list, then follow the installation steps for the provider: