Installation
Install the Secrets Store CSI Driver and the Azure Keyvault Provider
Note
The Helm chart repository URL has changed to https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
Prerequisites
Recommended Kubernetes version:
- For Linux - v1.16.0+
- For Windows - v1.18.0+
For Kubernetes version 1.15 and below, please use Azure Keyvault Flexvolume
Deployment using Helm
Azure Key Vault Provider for Secrets Store CSI Driver allows users to customize their installation via Helm.
Helm 3 is recommended.
helm repo add csi-secrets-store-provider-azure https://azure.github.io/secrets-store-csi-driver-provider-azure/charts
helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
Important: It’s recommended to install the Azure Key Vault Provider for Secrets Store CSI Driver in the kube-system namespace using Helm.
helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system
Why kube-system
- The driver and provider are installed as a DaemonSet with the ability to mount kubelet hostPath volumes and view pod service account tokens. It should be treated as privileged and regular cluster users should not have permissions to deploy or modify the driver.
- For AKS clusters with limited egress traffic, installing the driver and provider in kube-system is required to be able to establish connectivity to the kube-apiserver. Refer to #488 for more details.
- The driver pods need to run as root to mount the volume as tmpfs in the pod. Deploying the driver and provider in kube-system will prevent ASC from generating the alert “Running containers as root user should be avoided”. Refer to #327 for more details.
The helm charts hosted in Azure/secrets-store-csi-driver-provider-azure repo include the Secrets Store CSI Driver helm charts as a dependency. Running the above helm install command will install both the Secrets Store CSI Driver and Azure Key Vault provider.
Refer to doc for installing the Azure Key Vault Provider for Secrets Store CSI Driver on Azure RedHat OpenShift (ARO)
Values
For a list of customizable values that can be injected when invoking helm install, please see the Helm chart configurations.
Using Deployment yamls
Install the Secrets Store CSI Driver
💡 Follow the Installation guide for the Secrets Store CSI Driver to install the driver.
Result
csidriver.storage.k8s.io/secrets-store.csi.k8s.io created
serviceaccount/secrets-store-csi-driver created
clusterrole.rbac.authorization.k8s.io/secretproviderclasses-role created
clusterrolebinding.rbac.authorization.k8s.io/secretproviderclasses-rolebinding created
clusterrole.rbac.authorization.k8s.io/secretprovidersyncing-role created
clusterrolebinding.rbac.authorization.k8s.io/secretprovidersyncing-rolebinding created
daemonset.apps/csi-secrets-store-windows created
daemonset.apps/csi-secrets-store created
customresourcedefinition.apiextensions.k8s.io/secretproviderclasses.secrets-store.csi.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io created
To validate the driver is running as expected, run the following command:
kubectl get pods -l app=csi-secrets-store -n kube-system
You should see the driver pods running on each agent node:
NAME                      READY   STATUS    RESTARTS   AGE
csi-secrets-store-bp4f4   3/3     Running   0          24s
Install the Azure Key Vault provider
For Linux nodes
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer.yaml
For Windows nodes
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer-windows.yaml
NOTE: Installing the provider using the deployment yamls from master will always install the latest version. If you want to deploy a specific version of the provider, use the tagged release yamls.
To validate the provider’s installer is running as expected, run the following commands:
kubectl get pods -l app=csi-secrets-store-provider-azure
You should see the provider pods running on each agent node:
NAME                                     READY   STATUS    RESTARTS   AGE
csi-secrets-store-provider-azure-4ngf4   1/1     Running   0          8s
csi-secrets-store-provider-azure-bxr5k   1/1     Running   0          8s
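As an added example (not part of the driver or provider project), the following shell check automates the two validation steps above: it parses rows in `kubectl get pods --no-headers` format and confirms that every driver and provider pod is Running with all of its containers ready, optionally also checking that the pod count matches the number of agent nodes. The sample rows are constructed from the output shown above; the function name is this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the Secrets Store CSI Driver or the Azure provider:
# verify that every driver/provider pod is Running with all containers ready.
#
# $1: rows in `kubectl get pods --no-headers` format (NAME READY STATUS RESTARTS AGE)
# $2: optional expected pod count (one DaemonSet pod per agent node)
# Returns 0 when all pods are healthy (and the count matches), 1 otherwise.
check_pods_ready() {
  local input="$1" expected="$2" line name ready status bad=0 count=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    # Split the row on whitespace into kubectl's columns; set -- clobbers $1/$2,
    # which is why the arguments were copied into variables above.
    # shellcheck disable=SC2086
    set -- $line
    name=$1 ready=$2 status=$3
    count=$((count + 1))
    # READY is printed as ready/total; the pod is healthy only when both match.
    if [ "$status" != "Running" ] || [ "${ready%/*}" != "${ready#*/}" ]; then
      echo "not ready: $name ($ready $status)" >&2
      bad=1
    fi
  done <<EOF
$input
EOF
  if [ -n "$expected" ] && [ "$count" -ne "$expected" ]; then
    echo "expected $expected pods (one per node), found $count" >&2
    return 1
  fi
  [ "$count" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Constructed sample rows mirroring the healthy output shown in the doc.
HEALTHY='csi-secrets-store-bp4f4 3/3 Running 0 24s
csi-secrets-store-provider-azure-4ngf4 1/1 Running 0 8s
csi-secrets-store-provider-azure-bxr5k 1/1 Running 0 8s'

# Constructed sample with a driver container not yet ready and a crashing provider pod.
DEGRADED='csi-secrets-store-bp4f4 2/3 Running 0 24s
csi-secrets-store-provider-azure-4ngf4 1/1 Running 0 8s
csi-secrets-store-provider-azure-bxr5k 0/1 CrashLoopBackOff 3 8s'

# Against a live cluster (commented out so the script also runs offline):
# nodes=$(kubectl get nodes --no-headers | wc -l | tr -d ' ')
# check_pods_ready "$(kubectl get pods -n kube-system -l app=csi-secrets-store --no-headers)" "$nodes" &&
# check_pods_ready "$(kubectl get pods -n kube-system -l app=csi-secrets-store-provider-azure --no-headers)" "$nodes" &&
# echo "driver and provider pods are ready on every node"
```

Any pod that is not Running, or whose READY column is short of n/n, is reported on stderr and makes the check fail, so it can gate the rest of an installation script.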
In addition, if you are using Secrets Store CSI Driver and the Azure Keyvault Provider in a cluster with pod security policy enabled, review and create the following policy that enables the spec required for Secrets Store CSI Driver and the Azure Keyvault Provider to work:
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/pod-security-policy.yaml
Uninstall
Using Helm
If you deployed the Secrets Store CSI Driver and Azure Key Vault provider using the helm charts from Azure/secrets-store-csi-driver-provider-azure, then run the following command to uninstall:
helm delete <release name>
Refer to doc to uninstall the Azure Key Vault Provider for Secrets Store CSI Driver on Azure RedHat OpenShift (ARO)
Using deployment yamls
If the driver and provider were installed using deployment yamls, then you can delete all the components with the following commands:
# To delete AKV provider pods from Linux nodes
kubectl delete -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer.yaml
# To delete AKV provider pods from Windows nodes
kubectl delete -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer-windows.yaml
Delete the Secrets Store CSI Driver by running kubectl delete with all the manifests in here. If the Secrets Store CSI Driver was installed using the helm charts hosted in kubernetes-sigs/secrets-store-csi-driver, then run the following command to delete the driver components:
helm delete <release name>