
IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Installing the Kubernetes Secret Store CSI on OpenShift

The Kubernetes Secret Store CSI is a storage driver that allows you to mount secrets from external secret management systems like HashiCorp Vault and AWS Secrets.

It comes in two parts: the Secret Store CSI and a secret provider driver. This document covers only the CSI itself.


Prerequisites

  1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. kubectl
  3. helm v3

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

     oc new-project k8s-secrets-store-csi
  2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

     oc adm policy add-scc-to-user privileged \
  3. Add the Secrets Store CSI Driver to your Helm Repositories

     helm repo add secrets-store-csi-driver \
  4. Update your Helm Repositories

     helm repo update
  5. Install the Secrets Store CSI Driver

     helm install -n k8s-secrets-store-csi csi-secrets-store \
       secrets-store-csi-driver/secrets-store-csi-driver \
       --version v1.0.1 \
       --set "linux.providersDir=/var/run/secrets-store-csi-providers"
  6. Check that the DaemonSet is running

     kubectl --namespace=k8s-secrets-store-csi get pods -l "app=secrets-store-csi-driver"

    You should see the following:

     NAME                                               READY   STATUS    RESTARTS   AGE
     csi-secrets-store-secrets-store-csi-driver-cl7dv   3/3     Running   0          57s
     csi-secrets-store-secrets-store-csi-driver-gbz27   3/3     Running   0          57s
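
A scripted version of the step 6 check, added here as an example (it is not part of the original guide). The function name check_csi_pods and its exit codes are assumptions of this example; it reads the kubectl get pods table on stdin and fails if any driver pod is not fully ready, or if no pods exist at all, which is the symptom step 2 warns about when the SCC grant is missing.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide.
# Usage (hypothetical wrapper around the step 6 command):
#   kubectl --namespace=k8s-secrets-store-csi get pods \
#     -l "app=secrets-store-csi-driver" | check_csi_pods
#
# Exit codes (chosen for this example):
#   0  at least one pod, all Running with every container ready
#   1  at least one pod is not Running or not fully ready
#   2  no pods listed (the DaemonSet could not create any, see step 2)
check_csi_pods() {
  awk '
    NR == 1 && $1 == "NAME" { next }   # skip the header row
    NF < 3 { next }                    # skip blank or short lines
    {
      pods++
      split($2, ready, "/")            # READY column, for example 3/3
      if ($3 != "Running" || ready[1] != ready[2]) {
        printf "NOT READY: %s (ready %s, status %s)\n", $1, $2, $3
        bad++
      }
    }
    END {
      if (pods == 0) {
        print "no driver pods found: check the SCC grant from step 2"
        exit 2
      }
      if (bad > 0) exit 1
      printf "%d driver pod(s) ready\n", pods
    }
  '
}
```

Running it on every node rollout or in a post-install pipeline step turns the visual check into a hard failure when a driver pod is missing or crash-looping.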

Uninstalling the Kubernetes Secret Store CSI

  1. Delete the Secrets Store CSI Driver

     helm delete -n k8s-secrets-store-csi csi-secrets-store
  2. Delete the SecurityContextConstraints

     oc adm policy remove-scc-from-user privileged \

Provider Specifics

HashiCorp Vault