IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Installing the Kubernetes Secret Store CSI on OpenShift


Last Editor: Dustin Scott
Published Date: 18 August 2021
Modified Date: 25 May 2023


The Kubernetes Secrets Store CSI driver is a CSI storage driver that lets you mount secrets held in external secret management systems, such as HashiCorp Vault or AWS Secrets Manager, into pods as files on a volume, without first copying them into Kubernetes Secret objects.

It has two parts: the Secrets Store CSI driver itself, and a provider plugin for the specific secret backend (for example the Vault or AWS provider). This document covers only the driver; the provider is installed separately.

Prerequisites

  1. An OpenShift cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. The oc CLI (the steps below use oc-specific commands such as oc new-project and oc adm policy, so kubectl alone is not enough)
  3. helm v3

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

    oc new-project k8s-secrets-store-csi
    
  2. Grant the driver's service account the privileged SecurityContextConstraint. The driver's DaemonSet uses hostPath volumes and bidirectional mount propagation on every node, which the default restricted SCC does not allow, so without this grant OpenShift rejects the DaemonSet's Pods. The service account name must match the one the Helm chart creates (secrets-store-csi-driver), and because privileged is a cluster-wide trust decision, grant it to this one account only rather than to the whole namespace

    oc adm policy add-scc-to-user privileged \
      system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver
    
  3. Add the Secrets Store CSI Driver to your Helm Repositories

    helm repo add secrets-store-csi-driver \
      https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    
  4. Update your Helm Repositories

    helm repo update
    
  5. Install the Secrets Store CSI driver. linux.providersDir is the directory in which the driver looks for provider sockets; the provider you install later must be configured to write its socket to the same path, so keep the two consistent

    helm install -n k8s-secrets-store-csi csi-secrets-store \
      secrets-store-csi-driver/secrets-store-csi-driver \
      --version v1.3.2 \
      --set "linux.providersDir=/var/run/secrets-store-csi-providers"
    
  6. Check that the DaemonSet pods are running

    oc -n k8s-secrets-store-csi get pods -l "app=secrets-store-csi-driver"
    

    You should see one pod per node the DaemonSet is scheduled to (two here), each with all three containers ready:

    NAME                                               READY   STATUS    RESTARTS   AGE
    csi-secrets-store-secrets-store-csi-driver-cl7dv   3/3     Running   0          57s
    csi-secrets-store-secrets-store-csi-driver-gbz27   3/3     Running   0          57s
    
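The six steps above are easy to get subtly wrong (a service account name that does not match the chart, or a DaemonSet that silently creates no pods because the SCC grant is missing). The script below, added here as an example and not code from the page or from the upstream project, checks the result of the procedure. It uses the page's own names (namespace k8s-secrets-store-csi, service account secrets-store-csi-driver, Helm release csi-secrets-store) and assumes that oc adm policy add-scc-to-user records the grant in the SCC's users list, which is what scc_grants_sa inspects. The sample pod listings are constructed: SAMPLE_PODS_OK mirrors the expected output shown in step 6, SAMPLE_PODS_PARTIAL shows a pod that has not finished starting.

```bash
#!/usr/bin/env bash
# Post-install check for the Secrets Store CSI driver on OpenShift.
# Added example: not code from the page or from the upstream project.
# Names follow the steps above: namespace k8s-secrets-store-csi, the chart's
# service account secrets-store-csi-driver, Helm release csi-secrets-store.
# Assumption: `oc adm policy add-scc-to-user` records the grant in the SCC's
# `users` list, which is what scc_grants_sa inspects.
set -u

NS="k8s-secrets-store-csi"
SA="system:serviceaccount:${NS}:secrets-store-csi-driver"
RELEASE="csi-secrets-store"

# scc_grants_sa USERS
# USERS is the output of:  oc get scc privileged -o jsonpath='{.users}'
# (a bracketed list, either "[a b]" or JSON-style '["a","b"]').
# Returns 0 when the driver's service account is in the list.
scc_grants_sa() {
  printf '%s\n' "$1" | sed 's/[][",]/ /g' | tr -s ' ' '\n' | grep -qx -- "$SA"
}

# pods_ready PODS
# PODS is the output of:  oc -n "$NS" get pods -l app=secrets-store-csi-driver
# Returns 0 only if at least one pod is listed and every pod is Running with
# all of its containers ready (READY column reads N/N with N > 0).
pods_ready() {
  local out="$1" n=0 name ready status rest have want
  while read -r name ready status rest; do
    [ -z "$name" ] && continue          # blank line
    [ "$name" = "NAME" ] && continue    # column header
    n=$((n + 1))
    [ "$status" = "Running" ] || return 1
    case "$ready" in */*) ;; *) return 1 ;; esac
    have="${ready%%/*}"; want="${ready##*/}"   # "2/3" -> have=2 want=3
    [ "$want" -gt 0 ] 2>/dev/null || return 1
    [ "$have" -eq "$want" ] 2>/dev/null || return 1
  done <<EOF
$out
EOF
  [ "$n" -gt 0 ]
}

# verify_live runs the real helm/oc commands against the current cluster.
verify_live() {
  local users pods
  helm status -n "$NS" "$RELEASE" >/dev/null \
    || { echo "Helm release $RELEASE not found in $NS" >&2; return 1; }
  users=$(oc get scc privileged -o jsonpath='{.users}')
  scc_grants_sa "$users" \
    || { echo "privileged SCC does not list $SA; DaemonSet pods will be rejected" >&2; return 1; }
  pods=$(oc -n "$NS" get pods -l app=secrets-store-csi-driver 2>/dev/null)
  pods_ready "$pods" \
    || { echo "driver pods in $NS are not all Running and ready" >&2; return 1; }
  echo "Secrets Store CSI driver is installed and healthy in $NS"
}

# Constructed sample input. SAMPLE_PODS_OK mirrors the expected output shown
# in step 6; SAMPLE_PODS_PARTIAL shows a pod that has not finished starting.
SAMPLE_PODS_OK='NAME                                               READY   STATUS    RESTARTS   AGE
csi-secrets-store-secrets-store-csi-driver-cl7dv   3/3     Running   0          57s
csi-secrets-store-secrets-store-csi-driver-gbz27   3/3     Running   0          57s'
SAMPLE_PODS_PARTIAL='NAME                                               READY   STATUS              RESTARTS   AGE
csi-secrets-store-secrets-store-csi-driver-cl7dv   3/3     Running             0          12s
csi-secrets-store-secrets-store-csi-driver-gbz27   0/3     ContainerCreating   0          12s'

# Run the live checks only when asked (./check.sh --live); otherwise the
# functions above can be sourced or exercised on the sample input.
if [ "${1:-}" = "--live" ]; then
  verify_live
fi
```

Run it with --live after step 6. The SCC check is deliberately done by inspecting the privileged SCC rather than by trusting that step 2 succeeded, because a typo in the service account name produces no error at grant time and only shows up later as a DaemonSet with zero pods.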

Uninstalling the Kubernetes Secret Store CSI

  1. Delete the Secrets Store CSI driver Helm release

    helm delete -n k8s-secrets-store-csi csi-secrets-store
    
  2. Remove the privileged SCC grant from the driver's service account (this only removes the grant; the built-in privileged SCC itself is not deleted)

    oc adm policy remove-scc-from-user privileged \
      system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver
    

Provider Specifics

HashiCorp Vault