Cloud Experts Documentation

Installing the Kubernetes Secret Store CSI on OpenShift

The Kubernetes Secret Store CSI is a storage driver that allows you to mount secrets from external secret management systems like HashiCorp Vault and AWS Secrets.

It comes in two parts, the Secret Store CSI, and a Secret provider driver. This document covers just the CSI itself.

Prerequisites

  1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. kubectl
  3. helm v3

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

    oc new-project k8s-secrets-store-csi
    
  2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

    oc adm policy add-scc-to-user privileged \
      system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver
    
  3. Add the Secrets Store CSI Driver to your Helm Repositories

    helm repo add secrets-store-csi-driver \
      https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    
  4. Update your Helm Repositories

    helm repo update
    
  5. Install the secrets store csi driver

    helm install -n k8s-secrets-store-csi csi-secrets-store \
      secrets-store-csi-driver/secrets-store-csi-driver \
      --version v1.3.2 \
      --set "linux.providersDir=/var/run/secrets-store-csi-providers"
    
  6. Check that the Daemonsets is running

    oc -n k8s-secrets-store-csi get pods -l "app=secrets-store-csi-driver"
    

    You should see the following

    NAME                                               READY   STATUS    RESTARTS   AGE
    csi-secrets-store-secrets-store-csi-driver-cl7dv   3/3     Running   0          57s
    csi-secrets-store-secrets-store-csi-driver-gbz27   3/3     Running   0          57s
    
  7. Add pod security profile label for CSI Driver

    This is required starting in OpenShift v4.13
    oc label csidriver/secrets-store.csi.k8s.io security.openshift.io/csi-ephemeral-volume-profile=restricted
    

Uninstalling the Kubernetes Secret Store CSI

  1. Delete the secrets store csi driver

    helm delete -n k8s-secrets-store-csi csi-secrets-store
    
  2. Delete the SecurityContextConstraints

    oc adm policy remove-scc-from-user privileged \
      system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver
    

Provider Specifics

Installing the HashiCorp Vault Secret CSI Driver

The HashiCorp Vault Secret CSI Driver allows you to access secrets stored in HashiCorp Vault as Kubernetes Volumes. Prerequisites An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work) oc helm v3 Installing the Kubernetes Secret Store CSI Create an OpenShift Project to deploy the CSI into oc new-project k8s-secrets-store-csi Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

Azure Key Vault CSI on Azure Red Hat OpenShift

This document is adapted from the Azure Key Vault CSI Walkthroughexternal link (opens in new tab) specifically to run with Azure Red Hat OpenShift (ARO). Prerequisites An ARO cluster The AZ CLI (logged in) The OC CLI (logged in) Helm 3.x CLI Environment Variables Run this command to set some environment variables to use throughout Note if you created the cluster from the instructions linked above these will re-use the same environment variables, or default them to openshift and eastus.

Installing the Kubernetes Secret Store CSI Create an OpenShift Project to deploy the CSI into oc new-project k8s-secrets-store-csi Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods) oc adm policy add-scc-to-user privileged \ system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver Add the Secrets Store CSI Driver to your Helm Repositories helm repo add secrets-store-csi-driver \ https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts Update your Helm Repositories helm repo update Install the secrets store csi driver

Uninstalling the Kubernetes Secret Store CSI Delete the secrets store csi driver helm delete -n k8s-secrets-store-csi csi-secrets-store Delete the SecurityContextConstraints oc adm policy remove-scc-from-user privileged \ system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2023 Red Hat, Inc.