Cloud Experts Documentation

Installing the HashiCorp Vault Secret CSI Driver

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

The HashiCorp Vault Secret CSI Driver allows you to access secrets stored in HashiCorp Vault as Kubernetes Volumes.

Prerequisites

  1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. oc
  3. helm v3

Installing the Kubernetes Secret Store CSI

  1. Create an OpenShift Project to deploy the CSI into

  2. Set SecurityContextConstraints to allow the CSI driver to run (otherwise the DaemonSet will not be able to create Pods)

  3. Add the Secrets Store CSI Driver to your Helm Repositories

  4. Update your Helm Repositories

  5. Install the Secrets Store CSI driver

  6. Check that the DaemonSet is running

    You should see the following

  7. Add pod security profile label for CSI Driver

    This is required starting in OpenShift v4.13

Install HashiCorp Vault with CSI driver enabled

  1. Add the HashiCorp Helm Repository

  2. Update your Helm Repositories

  3. Create a namespace for Vault

  4. Create an SCC for the CSI driver

  5. Create a values file for Helm to use

  6. Install HashiCorp Vault with CSI enabled

  7. Patch the CSI daemonset

    Currently the CSI has a bug in its manifest that we need to patch

Configure HashiCorp Vault

  1. Get a bash prompt inside the Vault pod

  2. Create a Secret in Vault

  3. Configure Vault to use Kubernetes Auth

  4. Check your Cluster’s token issuer in another terminal

  5. Configure Kubernetes auth method

    If the issuer here does not match the above, update it.

  6. Create a policy for our app

  7. Create an auth role to access it

  8. Exit the vault-0 pod
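Steps 2 to 7 above are the Vault-side configuration. The script below is an added example, not the page's own commands, and is meant to be run from the shell you opened inside the vault-0 pod in step 1. Everything it names beyond the page is an assumption: the KV v2 path secret/webapp, the policy and role both called "webapp", and the sample password. The service account webapp-sa in the default namespace comes from the page. Setting VAULT_CLI=echo prints the vault commands instead of running them, which is a convenient way to review what will be written before touching a real Vault.

```sh
#!/bin/sh
# Added example (not from the Red Hat page): the Vault-side steps 2-7 as one
# script, meant to run from a shell inside the vault-0 pod.
# Assumed names: KV v2 path secret/webapp, policy "webapp", role "webapp".
# webapp-sa and the default namespace are the page's own values.
set -eu

VAULT_CLI="${VAULT_CLI:-vault}"   # VAULT_CLI=echo prints the commands instead of running them
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
SECRET_NAME="${SECRET_NAME:-webapp}"   # written to secret/webapp; KV v2 policies use secret/data/webapp
POLICY_NAME="${POLICY_NAME:-webapp}"
ROLE_NAME="${ROLE_NAME:-webapp}"
APP_SA="${APP_SA:-webapp-sa}"
APP_NS="${APP_NS:-default}"
DB_PASSWORD="${DB_PASSWORD:-example-only-not-a-real-secret}"   # constructed sample value

# $1 = the cluster's service-account token issuer (step 4). When Vault
# validates the issuer, a mismatch makes every Kubernetes login fail.
configure_vault_for_webapp() {
  issuer="$1"
  k8s_host="https://${KUBERNETES_PORT_443_TCP_ADDR:-kubernetes.default.svc}:443"

  # Step 2: the secret the sample app will read.
  "$VAULT_CLI" kv put "secret/$SECRET_NAME" password="$DB_PASSWORD"

  # Step 3: enable the Kubernetes auth method (tolerate "already enabled").
  "$VAULT_CLI" auth enable kubernetes || true

  # Step 5: point the auth method at this cluster. The CA and, when running
  # inside a pod, the reviewer JWT come from Vault's own service account mount.
  set -- auth/kubernetes/config \
    kubernetes_host="$k8s_host" \
    kubernetes_ca_cert=@"$SA_DIR/ca.crt" \
    issuer="$issuer"
  if [ -r "$SA_DIR/token" ]; then
    set -- "$@" token_reviewer_jwt="$(cat "$SA_DIR/token")"
  fi
  "$VAULT_CLI" write "$@"

  # Step 6: least-privilege policy: read-only, one KV v2 path, nothing else.
  "$VAULT_CLI" policy write "$POLICY_NAME" - <<EOF
path "secret/data/$SECRET_NAME" {
  capabilities = ["read"]
}
EOF

  # Step 7: the role ties the policy to exactly one service account in one
  # namespace; a token presented by any other SA is refused at login.
  "$VAULT_CLI" write "auth/kubernetes/role/$ROLE_NAME" \
    bound_service_account_names="$APP_SA" \
    bound_service_account_namespaces="$APP_NS" \
    policies="$POLICY_NAME" \
    ttl=20m
}

# Usage inside the pod: sh configure-vault.sh apply <issuer-from-step-4>
if [ "${1:-}" = "apply" ]; then
  configure_vault_for_webapp "$2"
fi
```

The two binding parameters on the role are the part worth checking in review: without bound_service_account_names and bound_service_account_namespaces, any pod in the cluster that can reach Vault could log in to the role and read the policy's paths.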

Deploy a sample application

  1. Create a SecretProviderClass in the default namespace

  2. Create a service account webapp-sa

  3. Create a Pod to use the secret

  4. Check the Pod has the secret

    The output should match
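The manifests for steps 1 to 4 above, as an added example that is not the page's own code. Names not on the page are assumptions: the SecretProviderClass is called vault-webapp, Vault is reached at http://vault.vault.svc:8200, the Vault role is "webapp", and the secret is the KV v2 entry secret/webapp with key "password". The default namespace, the webapp-sa service account and the driver name secrets-store.csi.k8s.io are as on the page and in the driver. The manifests are rendered by functions so they can be inspected before anything is applied; OC=echo turns the apply step into a dry run.

```sh
#!/bin/sh
# Added example (not from the Red Hat page): manifests for steps 1-4,
# rendered by shell functions so they can be reviewed before applying.
# Assumed (not on the page): SecretProviderClass vault-webapp, Vault at
# http://vault.vault.svc:8200, Vault role "webapp", KV v2 secret
# secret/webapp with key "password".
set -eu

OC="${OC:-oc}"
NAMESPACE="${NAMESPACE:-default}"
SPC_NAME="${SPC_NAME:-vault-webapp}"
VAULT_ADDR="${VAULT_ADDR:-http://vault.vault.svc:8200}"
VAULT_ROLE="${VAULT_ROLE:-webapp}"
APP_SA="${APP_SA:-webapp-sa}"

# Step 1: the SecretProviderClass tells the Vault CSI provider which role to
# log in with and which Vault keys to materialise as files in the volume.
render_secret_provider_class() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: $SPC_NAME
  namespace: $NAMESPACE
spec:
  provider: vault
  parameters:
    vaultAddress: "$VAULT_ADDR"
    roleName: "$VAULT_ROLE"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/webapp"
        secretKey: "password"
EOF
}

# Step 3: the Pod runs as webapp-sa (the identity the Vault role is bound to)
# and mounts the provider class read-only. No Kubernetes Secret object is
# created unless you opt into the driver's secret syncing.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: webapp
  namespace: $NAMESPACE
spec:
  serviceAccountName: $APP_SA
  containers:
    - name: webapp
      image: registry.access.redhat.com/ubi9/ubi-minimal
      command: ["sleep", "infinity"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets-store
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "$SPC_NAME"
EOF
}

# Steps 1-3 applied; step 2 uses create --dry-run | apply so re-runs are safe.
deploy_sample_app() {
  "$OC" create serviceaccount "$APP_SA" -n "$NAMESPACE" --dry-run=client -o yaml | "$OC" apply -f -
  render_secret_provider_class | "$OC" apply -f -
  render_pod | "$OC" apply -f -
}

# Step 4: print the mounted file; it should equal the value stored in Vault.
check_secret() {
  "$OC" wait --for=condition=Ready "pod/webapp" -n "$NAMESPACE" --timeout=120s
  "$OC" exec -n "$NAMESPACE" webapp -- cat /mnt/secrets-store/db-password
}

# Usage: sh deploy-webapp.sh deploy && sh deploy-webapp.sh check
case "${1:-}" in
  deploy) deploy_sample_app ;;
  check)  check_secret ;;
esac
```

If the file is missing after the Pod starts, the usual causes are the Pod not using the service account the Vault role is bound to, or the SecretProviderClass living in a different namespace from the Pod; `oc describe pod webapp` surfaces the provider's login error in the mount events.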

Uninstall HashiCorp Vault with CSI driver enabled

  1. Delete the pod and

  2. Delete the HashiCorp Vault Helm

  3. Delete the SCC for HashiCorp Vault

  4. Delete the HashiCorp Vault project

Uninstalling the Kubernetes Secret Store CSI

  1. Delete the Secrets Store CSI driver

  2. Delete the SecurityContextConstraints
