Usage
Create your own SecretProviderClass Object
To use the Secrets Store CSI driver, create a SecretProviderClass custom resource to provide driver configuration and provider-specific parameters to the CSI driver. SecretProviderClass is a namespaced resource: the driver looks it up in the namespace of the pod that references it, so create it in the same namespace as your workload.

A SecretProviderClass custom resource should have the following components:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: my-provider
spec:
  provider: vault    # accepted provider options: akeyless or azure or vault or gcp
  parameters:        # provider-specific parameters
```
Here is a sample SecretProviderClass custom resource.
Update your Deployment Yaml
To ensure your application is using the Secrets Store CSI driver, update your deployment yaml to use the secrets-store.csi.k8s.io driver and reference the SecretProviderClass resource created in the previous step. Keep `readOnly: true` on the CSI volume (the driver only supports read-only mounts) and mount the volume read-only in the container as well.

```yaml
volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-provider"
```
Here is a sample deployment yaml using the Secrets Store CSI driver.
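The two steps above, combined into one manifest that can be applied with `kubectl apply -f`. This is an added example and not the project's own sample: the names `vault-db-creds` and `secrets-store-inline`, the Vault address, role and secret path are assumed, and the `vaultAddress`, `roleName` and `objects` parameters are those of HashiCorp's Vault CSI provider, which this page does not describe.

```yaml
# Added example; names, addresses and paths below are assumptions.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db-creds
  namespace: default            # must match the namespace of the pod below
spec:
  provider: vault
  parameters:                   # Vault-provider-specific parameters (assumed values)
    vaultAddress: "https://vault.example.internal:8200"
    roleName: "database-reader" # Vault Kubernetes-auth role bound to the pod's service account
    objects: |
      - objectName: "db-password"          # file name created under the mount path
        secretPath: "secret/data/database" # KV v2 path in Vault
        secretKey: "password"              # key inside that secret
---
apiVersion: v1
kind: Pod
metadata:
  name: secrets-store-inline
  namespace: default
spec:
  serviceAccountName: db-reader # identity the provider authenticates as (assumed)
  containers:
    - name: app
      image: busybox:1.36
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets-store-inline
          mountPath: /mnt/secrets-store
          readOnly: true        # read-only inside the container
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true          # the driver only supports read-only volumes
        volumeAttributes:
          secretProviderClass: "vault-db-creds"
```

After `kubectl apply -f`, the file `/mnt/secrets-store/db-password` appears in the container once the pod starts; if the provider cannot authenticate or the object cannot be found, the pod stays in `ContainerCreating` and `kubectl describe pod secrets-store-inline` shows the mount error. Note that the pod's service account is the identity the secrets store sees, so scope that role to only the objects this workload needs.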
Secret Content is Mounted on Pod Start
On pod start and restart, the driver communicates with the provider over gRPC to retrieve the secret content from the external secrets store you specified in the SecretProviderClass custom resource. The volume is then mounted in the pod as tmpfs and the secret contents are written to it, so the secrets live in memory on the node rather than on its disk. Any process in the container that can read the mount path can read them, so treat `kubectl exec` access to the pod as equivalent to access to the secrets.

To validate, once the pod is started, you should see the new mounted content at the volume path specified in your deployment yaml:

```shell
kubectl exec secrets-store-inline -- ls /mnt/secrets-store/
foo
```
[OPTIONAL] Sync with Kubernetes Secrets
Refer to Sync as Kubernetes Secret for steps on syncing the secrets-store content as a Kubernetes Secret in addition to the mount. Note that a synced Secret is stored in the cluster datastore and is readable by anyone with RBAC permission to read Secrets in that namespace, which the mount alone avoids.
[OPTIONAL] Set ENV VAR
Refer to Set as ENV var for steps on syncing the secrets-store content as a Kubernetes Secret and using that Secret for environment variables in the deployment.
[OPTIONAL] Enable Auto Rotation of Secrets
You can set up the Secrets Store CSI Driver to periodically update the pod mount and the synced Kubernetes Secret with the latest content from the external secrets store. Refer to Secret Auto Rotation for steps on enabling auto rotation. Rotation only rewrites the mounted files and the Secret object; an application must re-read the file to pick up the new value, and environment variables populated from the Secret keep their old value until the container is restarted.