Cloud Experts Documentation

Installing the Kubernetes Secret Store CSI on OpenShift

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

The Kubernetes Secret Store CSI is a storage driver that allows you to mount secrets from external secret management systems like HashiCorp Vault and AWS Secrets.

It comes in two parts, the Secret Store CSI, and a Secret provider driver. This document covers just the CSI itself.

Prerequisites

  1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. kubectl
  3. helm v3

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

  2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

  3. Add the Secrets Store CSI Driver to your Helm Repositories

  4. Update your Helm Repositories

  5. Install the secrets store csi driver

  6. Check that the Daemonsets is running

    You should see the following

  7. Add pod security profile label for CSI Driver

    This is required starting in OpenShift v4.13

Uninstalling the Kubernetes Secret Store CSI

  1. Delete the secrets store csi driver

  2. Delete the SecurityContextConstraints

Provider Specifics

Installing the HashiCorp Vault Secret CSI Driver

The HashiCorp Vault Secret CSI Driver allows you to access secrets stored in HashiCorp Vault as Kubernetes Volumes.

Prerequisites

  1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. oc
  3. helm v3

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

  2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

    Azure Key Vault CSI on Azure Red Hat OpenShift

    This document is adapted from the Azure Key Vault CSI Walkthroughexternal link (opens in new tab) specifically to run with Azure Red Hat OpenShift (ARO).

    Prerequisites

    1. An ARO cluster
    2. The AZ CLI (logged in)
    3. The OC CLI (logged in)
    4. Helm 3.x CLI

    Environment Variables

    1. Run this command to set some environment variables to use throughout

      Note if you created the cluster from the instructions linked above these will re-use the same environment variables, or default them to openshift and eastus.

      Installing the Kubernetes Secret Store CSI

      1. Create an OpenShift Project to deploy the CSI into

      2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

      3. Add the Secrets Store CSI Driver to your Helm Repositories

      4. Update your Helm Repositories

        Uninstalling the Kubernetes Secret Store CSI

        1. Delete the secrets store csi driver

        2. Delete the SecurityContextConstraints

Back to top

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub Edit this page
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2026 Red Hat