Vault CSI provider configurations
The following command line arguments are supported by the Vault CSI provider. Most settings can be supplied in more than one place; when the same setting is given in several of them, the later source in this list takes precedence:
- Environment variables
- Command line arguments
- Secret Provider Class parameters

If installing via the helm chart, the arguments can be passed with, for example, `--set "csi.extraArgs={-debug=true}"`.
- `-cache-size` `(int: 1000)` - Set the maximum number of Vault tokens that will be cached in memory. One Vault token is stored for each pod on the same node that mounts secrets. Setting this to 0 disables the cache and forces each volume mount request to reauthenticate to Vault.
- `-debug` `(bool: false)` - Set to true to enable debug level logging.
- `-endpoint` `(string: "/tmp/vault.sock")` - Path to the unix socket on which the provider listens for gRPC calls from the driver.
- `-health-addr` `(string: ":8080")` - The address of the HTTP listener for reporting health.
- `-hmac-secret-name` `(string: "vault-csi-provider-hmac-key")` - Configure the name of the Kubernetes secret that the provider creates to store an HMAC key for generating secret version hashes.
- `-vault-addr` `(string: "https://127.0.0.1:8200")` - Default address for connecting to Vault. Can also be specified via the `VAULT_ADDR` environment variable. Note: when installing with the helm chart, it is highly recommended to set the Vault address only through the chart's own values and not with this flag. The helm chart installs Vault Agent as a sidecar to the Vault CSI Provider for caching and renewals, and setting `-vault-addr` here causes the Vault CSI Provider to bypass the Agent's cache.
- `-vault-mount` `(string: "kubernetes")` - Default Vault mount path for Kubernetes authentication. Can be overridden per Secret Provider Class object.
- `-vault-namespace` `(string: "")` - (v1.1.0+) Default Vault namespace for Vault requests. Can also be specified via the `VAULT_NAMESPACE` environment variable.
- `-vault-tls-ca-cert` `(string: "")` - (v1.1.0+) Path on disk to a single PEM-encoded CA certificate to trust for Vault. Takes precedence over `-vault-tls-ca-directory`. Can also be specified via the `VAULT_CACERT` environment variable.
- `-vault-tls-ca-directory` `(string: "")` - (v1.1.0+) Path on disk to a directory of PEM-encoded CA certificates to trust for Vault. Can also be specified via the `VAULT_CAPATH` environment variable.
- `-vault-tls-server-name` `(string: "")` - (v1.1.0+) Name to use as the SNI host when connecting to Vault via TLS. Can also be specified via the `VAULT_TLS_SERVER_NAME` environment variable.
- `-vault-tls-client-cert` `(string: "")` - (v1.1.0+) Path on disk to a PEM-encoded client certificate for mTLS communication with Vault. If set, also requires `-vault-tls-client-key`. Can also be specified via the `VAULT_CLIENT_CERT` environment variable.
- `-vault-tls-client-key` `(string: "")` - (v1.1.0+) Path on disk to a PEM-encoded client key for mTLS communication with Vault. If set, also requires `-vault-tls-client-cert`. Can also be specified via the `VAULT_CLIENT_KEY` environment variable.
- `-vault-tls-skip-verify` `(bool: false)` - (v1.1.0+) Disable verification of TLS certificates. Not recommended for production, since the provider will then accept any certificate presented by the Vault address. Can also be specified via the `VAULT_SKIP_VERIFY` environment variable.
- `-version` `(bool: false)` - Print version information and exit.
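As an added example (not taken from the Vault documentation or the vault-helm chart), the following helm `values.yaml` fragment passes TLS settings to the provider through `csi.extraArgs`, pinning a CA certificate instead of disabling verification. The CA file path, the server name and the Vault namespace are assumptions; the file at that path has to be mounted into the provider container by other means, which this fragment does not show.

```yaml
csi:
  enabled: true
  extraArgs:
    # Trust only this CA for the Vault listener. The path is an assumed mount
    # point inside the provider container and must be supplied by a volume mount.
    - -vault-tls-ca-cert=/etc/vault-tls/ca.crt
    # Verify the presented certificate against Vault's DNS name (assumed name),
    # which also sets the SNI host for the TLS handshake.
    - -vault-tls-server-name=vault.example.internal
    # Assumed Vault Enterprise namespace; drop this line on Vault OSS.
    - -vault-namespace=team-a
    # Deliberately NOT set:
    #   -vault-addr=...            the chart runs a Vault Agent sidecar, and setting
    #                              the address on the provider bypasses the Agent's cache
    #   -vault-tls-skip-verify=true disables certificate verification entirely
```

The same three settings could be given as the `VAULT_CACERT`, `VAULT_TLS_SERVER_NAME` and `VAULT_NAMESPACE` environment variables instead, but the command line arguments take precedence over them, so keeping them in one place avoids surprises.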
Secret provider class parameters
The following parameters are supported by the Vault provider. Each parameter is an entry under `spec.parameters` in a SecretProviderClass object. The full structure is illustrated in the examples.
- `roleName` `(string: "")` - Name of the role to be used during login with Vault.
- `vaultAddress` `(string: "")` - The address of the Vault server. Note: when installing with the helm chart, it is highly recommended to set the Vault address only through the chart's own values and not here. The helm chart installs Vault Agent as a sidecar to the Vault CSI Provider for caching and renewals, and setting `vaultAddress` here causes the Vault CSI Provider to bypass the Agent's cache.
- `vaultNamespace` `(string: "")` - The Vault namespace to use.
- `vaultSkipTLSVerify` `(string: "false")` - When set to true, skips verification of the Vault server certificate. Setting this to true is not recommended for production.
- `vaultCACertPath` `(string: "")` - The path on disk where the Vault CA certificate can be found when verifying the Vault server certificate.
- `vaultCADirectory` `(string: "")` - The directory on disk where the Vault CA certificates can be found when verifying the Vault server certificate.
- `vaultTLSClientCertPath` `(string: "")` - The path on disk where the client certificate can be found for mTLS communications with Vault.
- `vaultTLSClientKeyPath` `(string: "")` - The path on disk where the client key can be found for mTLS communications with Vault.
- `vaultTLSServerName` `(string: "")` - The name to use as the SNI host when connecting via TLS.
- `vaultAuthMountPath` `(string: "kubernetes")` - The name of the auth mount used for login. Can be a Kubernetes or JWT auth mount. Mutually exclusive with `vaultKubernetesMountPath`.
- `vaultKubernetesMountPath` `(string: "kubernetes")` - The name of the auth mount used for login. Can be a Kubernetes or JWT auth mount. Mutually exclusive with `vaultAuthMountPath`.
- `audience` `(string: "")` - Specifies a custom audience for the requesting pod's service account token, generated using the TokenRequest API. The resulting token is used to authenticate to Vault, so if you specify an audience for your Kubernetes auth role, it must match the audience specified here. If not set, the token audiences default to the Kubernetes cluster's default API audiences.
- `objects` `(array)` - An array of secrets to retrieve from Vault. Each entry of the array supports the following fields:
- `objectName` `(string: "")` - The alias of the object, which can be referenced within the secret provider class and is used as the name of the secret file.
- `method` `(string: "GET")` - The type of HTTP request. Supported values include "GET" and "PUT".
- `secretPath` `(string: "")` - The path in Vault where the secret is located. For secrets that are retrieved via the HTTP GET method, the `secretPath` can include optional URI parameters, for example the version of a KV v2 secret:

```yaml
objects: |
  - objectName: "app-secret"
    secretPath: "secret/data/test?version=1"
    secretKey: "password"
```

- `secretKey` `(string: "")` - The key in the Vault secret to extract. If omitted, the whole response from Vault is written as JSON.
- `filePermission` `(integer: 0o644)` - The file permissions to set for this secret's file.
- `encoding` `(string: "utf-8")` - The encoding of the secret value. Supports decoding `utf-8` (default), `hex`, and `base64` values.
- `secretArgs` `(map: {})` - Additional arguments to be sent to Vault for a specific secret. Arguments vary between secret engines. For example:

```yaml
secretArgs:
  common_name: 'test.example.com'
  ttl: '24h'
```

`secretArgs` are sent as part of the HTTP request body. Therefore, they are only effective for HTTP PUT/POST requests, for instance the request used to generate a new certificate. To supply additional parameters for secrets retrieved via HTTP GET, include optional URI parameters in `secretPath` instead.
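Putting the parameters together, here is an added example of a complete SecretProviderClass (not copied from the Vault documentation or the provider's test suite). It assumes a Kubernetes auth role named `app` whose bound audience is `vault`, a KV v2 mount at `secret/`, and a PKI role at `pki/issue/app`; those names, the secret paths, the common name and the metadata are all assumptions.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-app              # assumed name; referenced from the pod's CSI volume
spec:
  provider: vault
  parameters:
    roleName: "app"                   # assumed Vault role; must be bound to the pod's service account
    vaultAuthMountPath: "kubernetes"  # do not also set vaultKubernetesMountPath (mutually exclusive)
    audience: "vault"                 # must match the audience configured on the Vault role
    # vaultAddress is deliberately omitted so requests go through the Agent sidecar
    objects: |
      # KV v2 read: a GET with the version pinned as a URI parameter in secretPath.
      # Only the "password" field is written, to a file named after objectName.
      - objectName: "db-password"
        secretPath: "secret/data/app/db?version=2"
        secretKey: "password"
        filePermission: 0600     # assumed to be parsed as octal (leading zero), like the 0o644 default
      # PKI issue: a PUT, so secretArgs become the request body and drive issuance.
      # A GET here would be wrong because query parameters are not sent as a body.
      - objectName: "tls-cert"
        secretPath: "pki/issue/app"
        method: "PUT"
        secretKey: "certificate"
        secretArgs:
          common_name: "app.example.com"   # assumed; must be allowed by the PKI role
          ttl: "24h"
      # Binary material stored base64-encoded in KV: decoded before it is written.
      - objectName: "signing.p12"
        secretPath: "secret/data/app/signing"
        secretKey: "p12_b64"
        encoding: "base64"
```

Two checks worth running against such an object before deploying it: every PUT entry carries its parameters in `secretArgs` rather than in a query string, and every GET entry carries them in `secretPath` rather than in `secretArgs`, since each mechanism is silently ignored for the other method. If the Vault role has an audience set and `audience` here is left empty, the login fails because the service account token will carry the cluster's default API audiences instead.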