mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-25 00:21:07 +02:00
0660ea6fac
* Update README Let contributors know that docs will now be located in UDR * Add comments to each mdx doc Comment has been added to all mdx docs that are not partials * chore: added changelog changelog check failure * wip: removed changelog * Fix content errors * Doc spacing * Update website/content/docs/deploy/kubernetes/vso/helm.mdx Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> --------- Co-authored-by: jonathanfrappier <92055993+jonathanfrappier@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com>
169 lines
4.9 KiB
Plaintext
169 lines
4.9 KiB
Plaintext
---
|
|
layout: docs
|
|
page_title: Vault CSI provider examples
|
|
description: Examples of using the Vault CSI provider.
|
|
---
|
|
|
|
> [!IMPORTANT]
|
|
> **Documentation Update:** Product documentation, which were located in this repository under `/website`, are now located in [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs), colocated with all other product documentation. Contributions to this content should be done in the `web-unified-docs` repo, and not this one. Changes made to `/website` content in this repo will not be reflected on the developer.hashicorp.com website.
|
|
|
|
# Vault CSI provider examples
|
|
|
|
The following examples demonstrate how the Vault CSI Provider can be used.
|
|
|
|
~> A common mistake is to not install the CSI Secret Store Driver before using the Vault CSI Provider.
|
|
|
|
## File based dynamic database credentials
|
|
|
|
The following Secret Provider Class retrieves dynamic database credentials from Vault and
|
|
extracts the generated username and password. The secrets are then mounted as files in the
|
|
configured mount location.
|
|
|
|
```yaml
|
|
---
|
|
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
|
|
kind: SecretProviderClass
|
|
metadata:
|
|
name: vault-db-creds
|
|
spec:
|
|
provider: vault
|
|
parameters:
|
|
roleName: 'app'
|
|
objects: |
|
|
- objectName: "dbUsername"
|
|
secretPath: "database/creds/db-app"
|
|
secretKey: "username"
|
|
- objectName: "dbPassword"
|
|
secretPath: "database/creds/db-app"
|
|
secretKey: "password"
|
|
```
|
|
|
|
Next, a pod can be created to use this Secret Provider Class to populate the secrets in the pod:
|
|
|
|
```yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: app
|
|
labels:
|
|
app: demo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: demo
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
labels:
|
|
app: demo
|
|
spec:
|
|
serviceAccountName: app
|
|
containers:
|
|
- name: app
|
|
image: my-app:1.0.0
|
|
volumeMounts:
|
|
- name: 'vault-db-creds'
|
|
mountPath: '/mnt/secrets-store'
|
|
readOnly: true
|
|
volumes:
|
|
- name: vault-db-creds
|
|
csi:
|
|
driver: 'secrets-store.csi.k8s.io'
|
|
readOnly: true
|
|
volumeAttributes:
|
|
secretProviderClass: 'vault-db-creds'
|
|
```
|
|
|
|
The pod mounts a CSI volume and specifies the Secret Provider Class (`vault-db-creds`) created above.
|
|
The secrets created from that provider class are mounted to `/mnt/secrets-store`. When this pod is
|
|
created the containers will find two files containing secrets:
|
|
|
|
- `/mnt/secrets-store/dbUsername`
|
|
- `/mnt/secrets-store/dbPassword`
|
|
|
|
## Environment variable dynamic database credentials
|
|
|
|
The following Secret Provider Class retrieves dynamic database credentials from Vault and
|
|
extracts the generated username and password. The secrets are then synced to Kubernetes secrets
|
|
so that they can be mounted as environment variables in the containers.
|
|
|
|
```yaml
|
|
---
|
|
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
|
|
kind: SecretProviderClass
|
|
metadata:
|
|
name: vault-db-creds
|
|
spec:
|
|
provider: vault
|
|
secretObjects:
|
|
- secretName: vault-db-creds-secret
|
|
type: Opaque
|
|
data:
|
|
- objectName: dbUsername # References dbUsername below
|
|
key: username # Key within k8s secret for this value
|
|
- objectName: dbPassword
|
|
key: password
|
|
parameters:
|
|
roleName: 'app'
|
|
objects: |
|
|
- objectName: "dbUsername"
|
|
secretPath: "database/creds/db-app"
|
|
secretKey: "username"
|
|
- objectName: "dbPassword"
|
|
secretPath: "database/creds/db-app"
|
|
secretKey: "password"
|
|
```
|
|
|
|
Next, a pod can be created which uses this Secret Provider Class to populate the secrets in the pod's environment:
|
|
|
|
```yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: app
|
|
labels:
|
|
app: demo
|
|
spec:
|
|
selector:
|
|
matchLabels:
|
|
app: demo
|
|
replicas: 1
|
|
template:
|
|
metadata:
|
|
annotations:
|
|
labels:
|
|
app: demo
|
|
spec:
|
|
serviceAccountName: app
|
|
containers:
|
|
- name: app
|
|
image: my-app:1.0.0
|
|
env:
|
|
- name: DB_USERNAME
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: vault-db-creds-secret
|
|
key: username
|
|
- name: DB_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: vault-db-creds-secret
|
|
key: password
|
|
volumeMounts:
|
|
- name: 'vault-db-creds'
|
|
mountPath: '/mnt/secrets-store'
|
|
readOnly: true
|
|
volumes:
|
|
- name: vault-db-creds
|
|
csi:
|
|
driver: 'secrets-store.csi.k8s.io'
|
|
readOnly: true
|
|
volumeAttributes:
|
|
secretProviderClass: 'vault-db-creds'
|
|
```
|
|
|
|
The pod mounts a CSI volume and specifies the Secret Provider Class (`vault-db-creds`) created above.
|
|
The secrets created from that provider class are mounted to `/mnt/secrets-store`, additionally a Kubernetes
|
|
secret called `vault-db-creds` is created and referenced in two environment variables.
|