Vault
Vault CSI provider examples
The following examples demonstrate how the Vault CSI Provider can be used.
A common mistake is to not install the CSI Secret Store Driver before using the Vault CSI Provider.
File based dynamic database credentials
The following Secret Provider Class retrieves dynamic database credentials from Vault and extracts the generated username and password. The secrets are then mounted as files in the configured mount location.
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: vault-db-creds
spec:
provider: vault
parameters:
roleName: 'app'
objects: |
- objectName: "dbUsername"
secretPath: "database/creds/db-app"
secretKey: "username"
- objectName: "dbPassword"
secretPath: "database/creds/db-app"
secretKey: "password"
Next, a pod can be created to use this Secret Provider Class to populate the secrets in the pod:
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
labels:
app: demo
spec:
selector:
matchLabels:
app: demo
replicas: 1
template:
metadata:
annotations:
labels:
app: demo
spec:
serviceAccountName: app
containers:
- name: app
image: my-app:1.0.0
volumeMounts:
- name: 'vault-db-creds'
mountPath: '/mnt/secrets-store'
readOnly: true
volumes:
- name: vault-db-creds
csi:
driver: 'secrets-store.csi.k8s.io'
readOnly: true
volumeAttributes:
secretProviderClass: 'vault-db-creds'
The pod mounts a CSI volume and specifies the Secret Provider Class (vault-db-creds
) created above.
The secrets created from that provider class are mounted to /mnt/secrets-store
. When this pod is
created the containers will find two files containing secrets:
Environment variable dynamic database credentials
The following Secret Provider Class retrieves dynamic database credentials from Vault and extracts the generated username and password. The secrets are then synced to Kubernetes secrets so that they can be mounted as environment variables in the containers.
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
name: vault-db-creds
spec:
provider: vault
secretObjects:
- secretName: vault-db-creds-secret
type: Opaque
data:
- objectName: dbUsername # References dbUsername below
key: username # Key within k8s secret for this value
- objectName: dbPassword
key: password
parameters:
roleName: 'app'
objects: |
- objectName: "dbUsername"
secretPath: "database/creds/db-app"
secretKey: "username"
- objectName: "dbPassword"
secretPath: "database/creds/db-app"
secretKey: "password"
Next, a pod can be created which uses this Secret Provider Class to populate the secrets in the pod's environment:
apiVersion: apps/v1
kind: Deployment
metadata:
name: app
labels:
app: demo
spec:
selector:
matchLabels:
app: demo
replicas: 1
template:
metadata:
annotations:
labels:
app: demo
spec:
serviceAccountName: app
containers:
- name: app
image: my-app:1.0.0
env:
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: vault-db-creds-secret
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: vault-db-creds-secret
key: password
volumeMounts:
- name: 'vault-db-creds'
mountPath: '/mnt/secrets-store'
readOnly: true
volumes:
- name: vault-db-creds
csi:
driver: 'secrets-store.csi.k8s.io'
readOnly: true
volumeAttributes:
secretProviderClass: 'vault-db-creds'
The pod mounts a CSI volume and specifies the Secret Provider Class (vault-db-creds
) created above.
The secrets created from that provider class are mounted to /mnt/secrets-store
, additionally a Kubernetes
secret called vault-db-creds
is created and referenced in two environment variables.