This project features a pluggable provider interface that developers can implement to define the actions of the Secrets Store CSI driver. This enables retrieval of sensitive objects stored in an enterprise-grade external secrets store into Kubernetes while continuing to manage these objects outside of Kubernetes.
Here is the list of criteria for a supported provider:
- Code audit of the provider implementation to ensure it adheres to the required provider-driver interface (see Implementing a Provider for Secrets Store CSI Driver below)
- Add the provider to the e2e test suite to demonstrate it functions as expected. Please use the existing providers' e2e tests as a reference.
- If any update is made to a provider (not limited to security updates), the provider is expected to update the provider's e2e tests in this repo.
Failure to adhere to the Criteria for Supported Providers will result in the removal of the provider from the supported list; the provider will then be subject to another review before it can be added back to the list of supported providers.
When a provider’s e2e tests are consistently failing with the latest version of the driver, the driver maintainers will coordinate with the provider maintainers to provide a fix. If the test failures are not resolved within 4 weeks, then the provider will be removed from the list of supported providers.
This document highlights the implementation steps for adding a secrets-store-csi-driver provider.
The driver as of v0.0.14 adds an option to use gRPC to communicate with the provider. This is an alpha feature and is introduced with a feature flag, `--grpc-supported-providers`, a `;`-delimited list of all providers that support gRPC for communication. This flag will not be necessary after v0.0.21, since gRPC is then the only supported communication mechanism.
To implement a secrets-store-csi-driver provider, you can develop a new provider gRPC server using the stub file available for Go.
- Use the functions and data structures in the stub file `service.pb.go` to develop the server code
  - The stub file and proto file are shared and hosted in the driver. Vendor in the stub file and proto file in the provider
  - See the fake server example
- The provider runs as a daemonset and is deployed on the same host(s) as the secrets-store-csi-driver pods
- Provider Unix Domain Socket volume path: the default volume path for providers is `/etc/kubernetes/secrets-store-csi-providers`. Add the Unix Domain Socket to that directory with the name `<provider name>.sock`
  - The `<provider name>` in `<provider name>.sock` must match the regular expression enforced by the driver
- The provider mounts `<kubelet root dir>/pods` with `HostToContainer` mount propagation so that it can write the external secrets store content to the volume target path
See design doc for more details.
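The following Go program is an added example, not code from the secrets-store-csi-driver project: it shows the socket-layout and flag-parsing side of the provider contract described above (the `;`-delimited `--grpc-supported-providers` value, the `<provider name>.sock` file under the provider volume path, and a Unix Domain Socket listener a provider daemonset would hand to its gRPC server). The provider names "azure", "vault" and "gcp" used as input are constructed sample values, the 0600 mode set on the socket file is a hardening choice made here rather than a driver requirement, and the driver's own provider-name regular expression is not reproduced, so `ProviderSocketPath` only rejects names that could escape the socket directory. Creating the gRPC server and registering the service implementation generated in `service.pb.go` is left as a comment because it needs the driver's stub and the gRPC module.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// DefaultProviderVolumePath is the default host directory for provider
// Unix Domain Sockets named on this page.
const DefaultProviderVolumePath = "/etc/kubernetes/secrets-store-csi-providers"

// ParseGRPCSupportedProviders splits the ';'-delimited value of the driver's
// --grpc-supported-providers flag into a set of provider names. Surrounding
// whitespace is trimmed and empty entries are ignored.
func ParseGRPCSupportedProviders(flagValue string) map[string]bool {
	providers := make(map[string]bool)
	for _, name := range strings.Split(flagValue, ";") {
		name = strings.TrimSpace(name)
		if name != "" {
			providers[name] = true
		}
	}
	return providers
}

// ProviderSocketPath returns <dir>/<provider name>.sock. It rejects names that
// could place the socket outside dir (empty, ".", "..", or containing a path
// separator). The driver additionally enforces its own name pattern, which is
// not reproduced in this example.
func ProviderSocketPath(dir, providerName string) (string, error) {
	if providerName == "" || providerName == "." || providerName == ".." ||
		strings.ContainsAny(providerName, `/\`) {
		return "", fmt.Errorf("invalid provider name %q", providerName)
	}
	socketPath := filepath.Join(dir, providerName+".sock")
	// Defence in depth: the resulting file must sit directly under dir.
	if filepath.Dir(socketPath) != filepath.Clean(dir) {
		return "", fmt.Errorf("socket path %q escapes %q", socketPath, dir)
	}
	return socketPath, nil
}

// ListenProviderSocket removes a stale socket file left behind by a previous
// run, listens on the Unix Domain Socket and restricts the socket file to its
// owner (0600). The 0600 mode is a hardening choice of this example, not a
// requirement stated by the driver docs; relax it if the driver connects as a
// different, unprivileged user.
func ListenProviderSocket(socketPath string) (net.Listener, error) {
	if err := os.Remove(socketPath); err != nil && !os.IsNotExist(err) {
		return nil, fmt.Errorf("removing stale socket: %w", err)
	}
	listener, err := net.Listen("unix", socketPath)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(socketPath, 0o600); err != nil {
		listener.Close()
		return nil, err
	}
	return listener, nil
}

func main() {
	// Constructed flag value, in the shape the driver receives on its CLI.
	supported := ParseGRPCSupportedProviders("azure;vault")
	const providerName = "vault" // hypothetical provider name for this example

	if !supported[providerName] {
		fmt.Printf("provider %q is not in --grpc-supported-providers\n", providerName)
		return
	}
	socketPath, err := ProviderSocketPath(DefaultProviderVolumePath, providerName)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	listener, err := ListenProviderSocket(socketPath)
	if err != nil {
		// Outside the provider daemonset this is usually a permission error.
		fmt.Println("error:", err)
		return
	}
	defer listener.Close()
	// A real provider would now create a gRPC server, register the service
	// implementation generated in service.pb.go on it, and call Serve(listener).
	fmt.Println("listening on", socketPath)
}
```

Running it as an unprivileged user prints a permission error for the default directory, which is the expected outcome outside the daemonset; the functions themselves can be exercised against any directory, as the checks on the path logic show. The stale-socket removal matters in practice because a crashed provider leaves the `.sock` file behind and the next `net.Listen` would otherwise fail with "address already in use".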