To use the Secrets Store CSI driver, create a `SecretProviderClass` custom resource to provide driver configurations and provider-specific parameters to the CSI driver.

The `SecretProviderClass` custom resource should have the following components:

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: my-provider
spec:
  provider: vault   # accepted provider options: azure or vault or gcp
  parameters:       # provider-specific parameters
```
Here is a sample `SecretProviderClass` custom resource.
To ensure your application is using the Secrets Store CSI driver, update your deployment yaml to use the `secrets-store.csi.k8s.io` driver and reference the `SecretProviderClass` resource created in the previous step:

```yaml
volumes:
  - name: secrets-store-inline
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-provider"
```
Here is a sample deployment yaml using the Secrets Store CSI driver.
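A pre-deploy lint for the two manifests above, as an added example rather than code from the Secrets Store CSI Driver project: it checks that a `SecretProviderClass` names one of the accepted providers and that every pod volume using the `secrets-store.csi.k8s.io` driver is read-only and references a `SecretProviderClass` that actually exists. The manifests are embedded in their parsed form (what `yaml.safe_load` would return) so the script runs offline; the assumption that the class lives in the same namespace as the pod, and the "bad" pod spec, are constructed for illustration.

```python
# Added example (not from the Secrets Store CSI Driver project): a pre-deploy
# lint for a SecretProviderClass and the pod volumes that reference it.
# Inputs are the parsed form of the YAML (what yaml.safe_load would return),
# embedded here so the script runs offline.

ACCEPTED_PROVIDERS = {"azure", "vault", "gcp"}
SPC_API_VERSION = "secrets-store.csi.x-k8s.io/v1alpha1"
CSI_DRIVER = "secrets-store.csi.k8s.io"


def check_secret_provider_class(spc):
    """Return a list of findings (empty means the SecretProviderClass looks sound)."""
    findings = []
    if spc.get("apiVersion") != SPC_API_VERSION:
        findings.append(f"apiVersion must be {SPC_API_VERSION}")
    if spc.get("kind") != "SecretProviderClass":
        findings.append("kind must be SecretProviderClass")
    if not spc.get("metadata", {}).get("name"):
        findings.append("metadata.name is required (pods reference it by name)")
    spec = spc.get("spec", {})
    provider = spec.get("provider")
    if provider not in ACCEPTED_PROVIDERS:
        findings.append(f"spec.provider {provider!r} not in {sorted(ACCEPTED_PROVIDERS)}")
    if not isinstance(spec.get("parameters"), dict):
        findings.append("spec.parameters must be a mapping of provider-specific parameters")
    return findings


def check_pod_volumes(pod_spec, known_spc_names):
    """Check every CSI volume in a pod spec that targets the Secrets Store driver.

    Flags volumes that are not read-only or that reference a SecretProviderClass
    not in known_spc_names (assumption: same namespace as the pod).
    """
    findings = []
    for vol in pod_spec.get("volumes", []):
        csi = vol.get("csi")
        if not csi or csi.get("driver") != CSI_DRIVER:
            continue
        name = vol.get("name", "<unnamed>")
        if csi.get("readOnly") is not True:
            findings.append(f"volume {name}: readOnly must be true for a secrets mount")
        spc_name = csi.get("volumeAttributes", {}).get("secretProviderClass")
        if not spc_name:
            findings.append(f"volume {name}: volumeAttributes.secretProviderClass is missing")
        elif spc_name not in known_spc_names:
            findings.append(f"volume {name}: SecretProviderClass {spc_name!r} not found")
    return findings


def lint(spc, pod_spec):
    """Run both checks; only a class that passed its own check counts as known."""
    spc_findings = check_secret_provider_class(spc)
    known = set() if spc_findings else {spc["metadata"]["name"]}
    return spc_findings + check_pod_volumes(pod_spec, known)


# Constructed inputs: the two manifests from this page, as parsed YAML.
SPC = {
    "apiVersion": SPC_API_VERSION,
    "kind": "SecretProviderClass",
    "metadata": {"name": "my-provider"},
    "spec": {"provider": "vault", "parameters": {}},
}
POD_SPEC = {
    "volumes": [{
        "name": "secrets-store-inline",
        "csi": {
            "driver": CSI_DRIVER,
            "readOnly": True,
            "volumeAttributes": {"secretProviderClass": "my-provider"},
        },
    }]
}
# Constructed counter-example: a writable mount pointing at a class that does not exist.
BAD_POD_SPEC = {
    "volumes": [{
        "name": "secrets-store-inline",
        "csi": {
            "driver": CSI_DRIVER,
            "readOnly": False,
            "volumeAttributes": {"secretProviderClass": "missing-provider"},
        },
    }]
}

if __name__ == "__main__":
    for label, pod in (("good", POD_SPEC), ("bad", BAD_POD_SPEC)):
        print(label, lint(SPC, pod) or "ok")
```

Running the script reports `ok` for the page's manifests and two findings for the constructed bad pod spec; wiring the same functions into a CI step over rendered manifests catches a writable mount or a dangling class reference before the pod ever reaches the cluster.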
On pod start and restart, the driver will communicate with the provider using gRPC to retrieve the secret content from the external Secrets Store you have specified in the `SecretProviderClass` custom resource. Then the volume is mounted in the pod as `tmpfs` and the secret contents are written to the volume.
To validate, once the pod is started, you should see the new mounted content at the volume path specified in your deployment yaml.
```bash
kubectl exec secrets-store-inline -- ls /mnt/secrets-store/
foo
```
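Beyond listing the files, it is worth confirming from inside the pod that the volume really is the `tmpfs` mount the driver is described as creating, rather than a disk-backed filesystem. The following is an added example, not code from the Secrets Store CSI Driver project: it parses `/proc/mounts`, looks up the volume path and reports if the filesystem type is not `tmpfs` or the mount is not read-only (the read-only expectation follows from `readOnly: true` in the volume spec and is an assumption of this check). The `/proc/mounts` excerpts are constructed samples so the script runs offline.

```python
# Added example (not from the Secrets Store CSI Driver project): verify, from
# inside a pod, that the secrets volume is a read-only tmpfs mount. Parses the
# /proc/mounts format; the sample excerpts below are constructed.

import os

EXPECTED_FSTYPE = "tmpfs"


def parse_proc_mounts(text):
    """Parse /proc/mounts lines into {mount_point: (fstype, set(options))}."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _device, target, fstype, options = parts[:4]
        mounts[target.rstrip("/") or "/"] = (fstype, set(options.split(",")))
    return mounts


def check_secrets_mount(proc_mounts_text, mount_path):
    """Return findings for the volume at mount_path (empty list means it looks right)."""
    mount_path = mount_path.rstrip("/") or "/"
    entry = parse_proc_mounts(proc_mounts_text).get(mount_path)
    if entry is None:
        return [f"{mount_path} is not a mount point (volume not mounted?)"]
    fstype, options = entry
    findings = []
    if fstype != EXPECTED_FSTYPE:
        findings.append(f"{mount_path} is {fstype}, expected {EXPECTED_FSTYPE}")
    if "ro" not in options:
        findings.append(f"{mount_path} is not mounted read-only")
    return findings


def list_mounted_secrets(mount_path):
    """Names of the files written into the volume (what `ls` showed above)."""
    return sorted(os.listdir(mount_path))


# Constructed /proc/mounts excerpt as seen from inside a pod with the
# volume from this page mounted at /mnt/secrets-store.
SAMPLE_PROC_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/constructed 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /mnt/secrets-store tmpfs ro,relatime 0 0
"""

# Constructed counter-example: the same path backed by a writable overlay
# layer instead of tmpfs, which is what this check should flag.
BAD_PROC_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/constructed 0 0
overlay /mnt/secrets-store overlay rw,relatime 0 0
"""

if __name__ == "__main__":
    # Inside a pod, read the real table; elsewhere fall back to the sample.
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as f:
            table = f.read()
    else:
        table = SAMPLE_PROC_MOUNTS
    print(check_secrets_mount(table, "/mnt/secrets-store") or "mount ok")
    if os.path.isdir("/mnt/secrets-store"):
        print(list_mounted_secrets("/mnt/secrets-store"))
```

Run it with `kubectl exec secrets-store-inline -- python3 check_mount.py` (the script name is a placeholder) after copying it into the image, or run the mount-table check from the node against the pod's mount namespace; either way an empty findings list, together with the expected file names, is the validation the paragraph above describes.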
Refer to Sync as Kubernetes Secret for steps on syncing the secrets-store content as a Kubernetes Secret in addition to the mount.

Refer to Set as ENV var for steps on syncing the secrets-store content as a Kubernetes Secret and using that Secret for environment variables in the deployment.

You can set up the Secrets Store CSI Driver to periodically update the pod mount and the Kubernetes Secret with the latest content from the external secrets-store. Refer to Secret Auto Rotation for steps on enabling auto rotation.