Installing the Kubernetes Secret Store CSI on OpenShift
The Kubernetes Secrets Store CSI driver is a storage driver that lets Pods mount secrets from external secret management systems such as HashiCorp Vault and AWS Secrets Manager as ephemeral volumes.
It comes in two parts: the Secrets Store CSI driver itself and a secrets provider plugin for the backend. This document covers only the CSI driver.
Prerequisites
- An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
- kubectl
- helm v3
Installing the Kubernetes Secret Store CSI
Create an OpenShift Project to deploy the CSI into
oc new-project k8s-secrets-store-csi
Grant the driver's service account the privileged SecurityContextConstraints so the DaemonSet can create its Pods (the driver needs host-path mounts on each node, which the default restricted SCC does not allow). The grant is scoped to this single service account, not to the whole project:
oc adm policy add-scc-to-user privileged \
  system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver
Add the Secrets Store CSI Driver chart to your Helm repositories
helm repo add secrets-store-csi-driver \
  https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
Update your Helm Repositories
helm repo update
Install the Secrets Store CSI driver
helm install -n k8s-secrets-store-csi csi-secrets-store \
  secrets-store-csi-driver/secrets-store-csi-driver \
  --version v1.3.2 \
  --set "linux.providersDir=/var/run/secrets-store-csi-providers"
Check that the DaemonSet's Pods are running
oc -n k8s-secrets-store-csi get pods -l "app=secrets-store-csi-driver"
You should see output like the following (one Pod per node, each with all three containers ready):
NAME                                               READY   STATUS    RESTARTS   AGE
csi-secrets-store-secrets-store-csi-driver-cl7dv   3/3     Running   0          57s
csi-secrets-store-secrets-store-csi-driver-gbz27   3/3     Running   0          57s
Add the pod security profile label to the CSIDriver object
This is required starting in OpenShift v4.13, otherwise Pods in restricted namespaces cannot mount volumes from this driver:
oc label csidriver/secrets-store.csi.k8s.io \
  security.openshift.io/csi-ephemeral-volume-profile=restricted
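The steps above can be run as one script that also verifies the result before you move on to installing a provider. The script below is an added example, not part of the original page or the secrets-store-csi-driver project: it wraps the page's commands in functions and adds a check_pods_ready function that parses `oc get pods` output and only succeeds when every driver Pod has all containers ready and is in the Running state. The sample listings embedded in it are constructed to match the expected output shown above; the install and wait functions need a cluster login and are only run when the script is invoked with the `install` argument.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): install the Secrets Store
# CSI driver on OpenShift and verify the DaemonSet is fully ready.
set -eu

NAMESPACE="k8s-secrets-store-csi"          # project name used on the page
RELEASE="csi-secrets-store"                # Helm release name used on the page
CHART_VERSION="v1.3.2"                     # chart version used on the page
DRIVER_SA="system:serviceaccount:${NAMESPACE}:secrets-store-csi-driver"

# Constructed sample: the healthy listing the page says you should see.
SAMPLE_READY='NAME READY STATUS RESTARTS AGE
csi-secrets-store-secrets-store-csi-driver-cl7dv 3/3 Running 0 57s
csi-secrets-store-secrets-store-csi-driver-gbz27 3/3 Running 0 57s'

# Constructed sample: one Pod still starting, so the check must fail.
SAMPLE_NOT_READY='NAME READY STATUS RESTARTS AGE
csi-secrets-store-secrets-store-csi-driver-cl7dv 3/3 Running 0 57s
csi-secrets-store-secrets-store-csi-driver-gbz27 2/3 ContainerCreating 0 12s'

# check_pods_ready: read `oc get pods` output on stdin. Returns 0 only if at
# least one Pod is listed and every Pod has READY n/n and STATUS Running.
check_pods_ready() {
  awk 'NR == 1 { next }                     # skip the header line
       {
         pods++
         split($2, ready, "/")
         if (ready[1] != ready[2] || $3 != "Running") bad++
       }
       END { exit (pods == 0 || bad > 0) ? 1 : 0 }'
}

# grant_scc: the page's SCC grant, scoped to the driver service account only.
grant_scc() {
  oc adm policy add-scc-to-user privileged "${DRIVER_SA}"
}

# install_driver: the page's Helm steps plus the v4.13+ CSIDriver label.
install_driver() {
  oc new-project "${NAMESPACE}" || oc project "${NAMESPACE}"
  grant_scc
  helm repo add secrets-store-csi-driver \
    https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  helm repo update
  helm install -n "${NAMESPACE}" "${RELEASE}" \
    secrets-store-csi-driver/secrets-store-csi-driver \
    --version "${CHART_VERSION}" \
    --set "linux.providersDir=/var/run/secrets-store-csi-providers"
  oc label csidriver/secrets-store.csi.k8s.io \
    security.openshift.io/csi-ephemeral-volume-profile=restricted --overwrite
}

# wait_for_driver: poll the live cluster until every driver Pod is ready,
# giving up after $1 attempts (default 30, five seconds apart).
wait_for_driver() {
  local tries=${1:-30} i
  for i in $(seq 1 "${tries}"); do
    if oc -n "${NAMESPACE}" get pods -l "app=secrets-store-csi-driver" \
         | check_pods_ready; then
      echo "Secrets Store CSI driver is ready in ${NAMESPACE}"
      return 0
    fi
    sleep 5
  done
  echo "Secrets Store CSI driver did not become ready" >&2
  return 1
}

# Only touch a cluster when explicitly asked; otherwise just define functions.
if [ "${1:-}" = "install" ]; then
  install_driver
  wait_for_driver
fi
```

Running `./install-csi.sh install` performs the page's procedure end to end; sourcing the file instead gives you check_pods_ready for use in your own readiness gates, for example before applying a SecretProviderClass.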
Uninstalling the Kubernetes Secret Store CSI
Delete the Secrets Store CSI driver release
helm delete -n k8s-secrets-store-csi csi-secrets-store
Remove the SecurityContextConstraints grant from the driver's service account
oc adm policy remove-scc-from-user privileged \
  system:serviceaccount:k8s-secrets-store-csi:secrets-store-csi-driver