Recommended Kubernetes version:
For Kubernetes version 1.15 and below, please use Azure Keyvault Flexvolume
Azure Key Vault Provider for Secrets Store CSI Driver allows users to customize their installation via Helm.
Recommended to use Helm3
helm repo add csi-secrets-store-provider-azure https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/charts helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure
Important: It’s recommended to install the Azure Key Vault Provider for Secrets Store CSI Driver in the
kube-systemnamespace using Helm.
helm install csi csi-secrets-store-provider-azure/csi-secrets-store-provider-azure --namespace kube-system
kube-systemis required to be able to establish connectivity to the
kube-apiserver. Refer to #488 for more details.
kube-systemwill prevent ASC from generating alert “Running containers as root user should be avoided”. Refer to #327 for more details.
The helm charts hosted in Azure/secrets-store-csi-driver-provider-azure repo include the Secrets Store CSI Driver helm charts as a dependency. Running the above
helm install command will install both the Secrets Store CSI Driver and Azure Key Vault provider.
Refer to doc for installing the Azure Key Vault Provider for Secrets Store CSI Driver on Azure RedHat OpenShift (ARO)
For a list of customizable values that can be injected when invoking helm install, please see the Helm chart configurations.
Install the Secrets Store CSI Driver
💡 Follow the Installation guide for the Secrets Store CSI Driver to install the driver.
csidriver.storage.k8s.io/secrets-store.csi.k8s.io created serviceaccount/secrets-store-csi-driver created clusterrole.rbac.authorization.k8s.io/secretproviderclasses-role created clusterrolebinding.rbac.authorization.k8s.io/secretproviderclasses-rolebinding created clusterrole.rbac.authorization.k8s.io/secretprovidersyncing-role created clusterrolebinding.rbac.authorization.k8s.io/secretprovidersyncing-rolebinding created daemonset.apps/csi-secrets-store-windows created daemonset.apps/csi-secrets-store created customresourcedefinition.apiextensions.k8s.io/secretproviderclasses.secrets-store.csi.x-k8s.io created customresourcedefinition.apiextensions.k8s.io/secretproviderclasspodstatuses.secrets-store.csi.x-k8s.io created
To validate the driver is running as expected, run the following command:
kubectl get pods -l app=csi-secrets-store -n kube-system
You should see the driver pods running on each agent node:
NAME READY STATUS RESTARTS AGE csi-secrets-store-bp4f4 3/3 Running 0 24s
Install the Azure Key Vault provider
For linux nodes
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer.yaml
For windows nodes
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer-windows.yaml
NOTE: Installing the provider using the deployment yamls from master will always install the latest version. If you want to deploy a specific version of the provider use the tagged release yamls.
To validate the provider’s installer is running as expected, run the following commands:
kubectl get pods -l app=csi-secrets-store-provider-azure
You should see the provider pods running on each agent node:
NAME READY STATUS RESTARTS AGE csi-secrets-store-provider-azure-4ngf4 1/1 Running 0 8s csi-secrets-store-provider-azure-bxr5k 1/1 Running 0 8s
In addition, if you are using Secrets Store CSI Driver and the Azure Keyvault Provider in a cluster with pod security policy enabled, review and create the following policy that enables the spec required for Secrets Store CSI Driver and the Azure Keyvault Provider to work:
kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/pod-security-policy.yaml
If you deployed the Secrets Store CSI Driver and Azure Key Vault provider using the helm charts from Azure/secrets-store-csi-driver-provider-azure, then run the following command to uninstall:
helm delete <release name>
Refer to doc to uninstall the Azure Key Vault Provider for Secrets Store CSI Driver on Azure RedHat OpenShift (ARO)
If the driver and provider were installed using deployment yamls, then you can delete all the components with the following commands:
# To delete AKV provider pods from Linux nodes kubectl delete -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer.yaml # To delete AKV provider pods from Windows nodes kubectl delete -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer-windows.yaml
Delete the Secrets Store CSI Driver by running
kubectl delete with all the manifests in here. If the Secrets Store CSI Driver was installed using the helm charts hosted in kubernetes-sigs/secrets-store-csi-driver, then run the following command to delete the driver components:
helm delete <release name>
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.