Hashicorp Vault Secrets in Kubernetes with CSI Driver

Vault with Kubernetes CSI Driver. Image Credits: Google Images

What is the entire story all about? (TLDR)

  1. Deploy the Secrets Store CSI driver and the Vault CSI provider in Kubernetes.
  2. Integrate Vault with the CSI provider in Kubernetes.
  3. Mount secrets from Vault into a Pod as an ephemeral volume.

Prerequisites

  1. A Kubernetes cluster (EKS, AKS, Kind, etc.).
  2. Vault integrated with the CSI provider.

Story Resources

  1. GitHub Link: https://github.com/pavan-kumar-99/medium-manifests
  2. GitHub Branch: vault-csi

Installing HashiCorp Vault using the Helm Chart

We will install the official Helm chart for Vault and unseal it manually. This is not the ideal way to run Vault in production: you would normally configure auto-unseal with an AWS KMS key (if installed in AWS) or a Google Cloud KMS key (if installed in GCP), so that unseal key shares never have to be handled by an operator.

Enabling Kubernetes Auth Method

The Kubernetes auth method lets workloads authenticate to Vault with their Kubernetes service account token; Vault validates the token through the TokenReview API and returns a Vault token scoped to the role bound to that service account. Let us enable the Kubernetes auth backend by exec'ing into the Vault pod, since the token_reviewer_jwt (the service account token Vault uses to call the TokenReview API) has to be supplied from inside the Vault pod.

Install the secrets store CSI driver

The Secrets Store CSI driver, secrets-store.csi.k8s.io, allows Kubernetes to mount multiple secrets, keys, and certificates stored in enterprise-grade external secret stores into pods as a volume. Once the volume is attached, its contents are mounted into the container's file system, so the secret values never have to be stored as Kubernetes Secret objects in etcd unless you explicitly opt in to syncing them.

CSI Driver

Injecting the Secrets using Secret Provider Class

Creating a Deployment

Let us now create a deployment that uses this SecretProviderClass to mount the secrets as a volume. Once you apply it, you should find the secrets mounted as a volume inside the Pod. Let us now examine the deployment.

$ git clone https://github.com/pavan-kumar-99/medium-manifests.git -b vault-csi
$ cd medium-manifests
$ kubectl apply -f vault-csi.yaml

Secrets mounted to the Pod

Secret synced from Vault

$ git clone https://github.com/pavan-kumar-99/medium-manifests.git -b vault-csi
$ cd medium-manifests
$ kubectl apply -f vault-csi-sync.yaml
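The following manifest is an added example that is not from the original post or the linked repository; it shows a SecretProviderClass for the Vault CSI provider together with a Deployment that mounts it, covering both the plain mount and the optional sync into a Kubernetes Secret. It assumes Vault is reachable in-cluster at http://vault.vault.svc:8200, has a Kubernetes auth role named "webapp" bound to the ServiceAccount "webapp-sa", and holds a KV v2 secret at secret/data/db with a "password" key (all of these names are assumptions).

```yaml
# Added example, not from the original post or its repo. Assumes Vault is
# reachable at http://vault.vault.svc:8200, has a Kubernetes auth role "webapp"
# bound to ServiceAccount "webapp-sa", and a KV v2 secret at secret/data/db.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault.svc:8200"
    roleName: "webapp"               # Vault Kubernetes auth role to log in with
    objects: |
      - objectName: "db-password"    # file name created under the mountPath
        secretPath: "secret/data/db" # KV v2 read path (note the /data/ segment)
        secretKey: "password"
  # Optional sync into a Kubernetes Secret (exists only while a pod mounts it)
  secretObjects:
    - secretName: db-creds
      type: Opaque
      data:
        - objectName: "db-password"
          key: password
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webapp
spec:
  selector:
    matchLabels: {app: webapp}
  template:
    metadata:
      labels: {app: webapp}
    spec:
      serviceAccountName: webapp-sa  # must match the role's bound_service_account_names
      containers:
        - name: app
          image: nginx:1.25
          volumeMounts:
            - name: vault-secrets
              mountPath: /mnt/secrets  # secret appears as /mnt/secrets/db-password
              readOnly: true
      volumes:
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: vault-db
```

The pod's ServiceAccount and namespace must match the bound_service_account_names and bound_service_account_namespaces of the Vault role, otherwise the CSI mount fails at pod start with a permission denied error from Vault. The secretObjects sync only works when the driver was installed with syncSecret.enabled=true, and it reintroduces the secret into etcd, so enable it only for workloads that really need an environment variable.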

Pavan Kumar

Cloud DevOps Engineer at Informatica || CKA | CKS | CSA | CRO | AWS | ISTIO | AZURE | GCP | DEVOPS Linkedin:https://www.linkedin.com/in/pavankumar1999/