Cloud Experts Documentation

Installing the HashiCorp Vault Secret CSI Driver

Last edited
Published
Authors
Connor Wooley
Tags: ARO OCP OSD ROSA

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

The HashiCorp Vault Secret CSI Driver allows you to access secrets stored in HashiCorp Vault as Kubernetes Volumes.

Prerequisites

  1. An OpenShift Cluster (ROSA, ARO, OSD, and OCP 4.x all work)
  2. kubectl
  3. helm v3

Install HashiCorp Vault with CSI driver enabled

  1. Add the HashiCorp Helm Repository

    helm repo add hashicorp https://helm.releases.hashicorp.com

  2. Update your Helm Repositories

    helm repo update

  3. Create a namespace for Vault

    oc new-project hashicorp-vault

  4. Create a SCC for the CSI driver

    oc adm policy add-scc-to-user privileged \
  system:serviceaccount:hashicorp-vault:vault-csi-provider

  5. Create a values file for Helm to use

    cat << EOF > values.yaml
global:
  openshift: true
csi:
  enabled: true
  daemonSet:
    providersDir: /var/run/secrets-store-csi-providers
injector:
  enabled: false
server:
  image:
    repository: "registry.connect.redhat.com/hashicorp/vault"
    tag: "1.8.0-ubi"
  dev:
    enabled: true
EOF

  6. Install Hashicorp Vault with CSI enabled

    helm install -n hashicorp-vault vault \
  hashicorp/vault --values values.yaml

  7. Patch the CSI daemonset

    Currently the CSI has a bug in its manifest which we need to patch

    kubectl patch daemonset vault-csi-provider --type='json' \
    -p='[{"op": "add", "path": "/spec/template/spec/containers/0/securityContext", "value": {"privileged": true} }]'

Configure Hashicorp Vault

  1. Get a bash prompt inside the Vault pod

    oc exec -it vault-0 -- bash

  2. Create a Secret in Vault

    vault kv put secret/db-pass password="hunter2"

  3. Configure Vault to use Kubernetes Auth

    vault auth enable kubernetes

  4. Check your Cluster’s token issuer

    oc get authentication.config cluster \
  -o json | jq -r .spec.serviceAccountIssuer

  5. Configure Kubernetes auth method

    If the issuer here does not match the above, update it.

    vault write auth/kubernetes/config \
issuer="https://kubernetes.default.svc.cluster.local" \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

  6. Create a policy for our app

    vault policy write internal-app - <<EOF
path "secret/data/db-pass" {
  capabilities = ["read"]
}
EOF

  7. Create an auth role to access it

    vault write auth/kubernetes/role/database \
  bound_service_account_names=webapp-sa \
  bound_service_account_namespaces=default \
  policies=internal-app \
  ttl=20m

  8. exit from the vault-0 pod

    exit

Deploy a sample application

  1. Create a SecretProviderClass in the default namespace

    cat <<EOF | kubectl apply -f -
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-database
  namespace: default
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.hashicorp-vault:8200"
    roleName: "database"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/db-pass"
        secretKey: "password"
EOF

  2. Create a service account webapp-sa

    kubectl create serviceaccount -n default webapp-sa

  3. Create a Pod to use the secret

    cat << EOF | kubectl apply -f -
kind: Pod
apiVersion: v1
metadata:
  name: webapp
  namespace: default
spec:
  serviceAccountName: webapp-sa
  containers:
  - image: jweissig/app:0.0.1
    name: webapp
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-database"
EOF

  4. Check the Pod has the secret

    kubectl -n default exec webapp \
  -- cat /mnt/secrets-store/db-password

    The output should match

    hunter2

Uninstall HashiCorp Vault with CSI driver enabled

  1. Delete the pod and

    kubectl delete -n default pod webapp
kubectl delete -n default secretproviderclass vault-database
kubectl delete -n default serviceaccount webapp-sa

  2. Delete the Hashicorp Vault Helm

    helm delete -n hashicorp-vault vault

  3. Delete the SCC for Hashicorp Vault

    oc adm policy remove-scc-from-user privileged \
  system:serviceaccount:hashicorp-vault:vault-csi-provider

  4. Delete the Hashicorp vault project

    oc delete project hashicorp-vault

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

GitHub Edit this page
Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now © 2023 Red Hat, Inc.