Oct 19-21 HashiConf Global is live. Join Now
Type '/' to Search

Mount Vault Secrets through Container Storage Interface (CSI) Volume

This tutorial also appears in: Interactive.

Kubernetes application pods that rely on Vault to manage their secrets can retrieve them directly via network requests or maintained on a mounted file system through the Vault Injector service via annotations or attached as ephemeral volumes. This approach of employing ephemeral volumes to store secrets is a feature of the Secrets Store extension to the Kubernetes Container Storage Interface (CSI) driver.

In this tutorial, you will setup Vault and its dependencies with a Helm chart. Then enable and configure the secrets store CSI driver to create a volume that contains a secret that you will mount to an application pod.

ยปPrerequisites

This tutorial requires the Kubernetes command-line interface (CLI) and the Helm CLI installed, Minikube, and additional configuration to bring it all together.

Online tutorial: An interactive tutorial is also available if you do not wish to install the following resources. Click the Show Terminal button to start.

This tutorial was last tested 30 Mar 2021 on macOS 10.15.7 using this configuration.

Docker version.

$ docker version
Client: Docker Engine - Community
  Version:          20.10.2
  # ...

$ docker versionClient: Docker Engine - Community  Version:          20.10.2  # ...

Minikube version.

$ minikube version
minikube version: v1.18.1
commit: 09ee84d530de4a92f00f1c5dbc34cead092b95bc

$ minikube versionminikube version: v1.18.1commit: 09ee84d530de4a92f00f1c5dbc34cead092b95bc

Helm version.

$ helm version
version.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.16"}

$ helm versionversion.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.16"}

These are recommended software versions and the output displayed may vary depending on your environment and the software versions you use.

First, follow the directions to install Minikube, including VirtualBox or similar.

Next, install kubectl CLI and helm CLI.

Install kubectl with Homebrew.

$ brew install kubernetes-cli

$ brew install kubernetes-cli

Install helm with Homebrew.

$ brew install helm

$ brew install helm

ยปStart Minikube

Minikube is a CLI tool that provisions and manages the lifecycle of single-node Kubernetes clusters. These clusters are run locally inside Virtual Machines (VM).

Start a Kubernetes cluster.

$ minikube start
๐Ÿ˜„  minikube v1.18.1 on Darwin 11.2.3
โœจ  Using the docker driver based on existing profile
๐Ÿ‘  Starting control plane node minikube in cluster minikube
๐Ÿ”„  Restarting existing docker container for "minikube" ...
๐Ÿณ  Preparing Kubernetes v1.20.2 on Docker 20.10.3 ...
๐Ÿ”Ž  Verifying Kubernetes components...
    โ–ช Using image gcr.io/k8s-minikube/storage-provisioner:v4
๐ŸŒŸ  Enabled addons: default-storageclass
๐Ÿ„  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

$ minikube start๐Ÿ˜„  minikube v1.18.1 on Darwin 11.2.3โœจ  Using the docker driver based on existing profile๐Ÿ‘  Starting control plane node minikube in cluster minikube๐Ÿ”„  Restarting existing docker container for "minikube" ...๐Ÿณ  Preparing Kubernetes v1.20.2 on Docker 20.10.3 ...๐Ÿ”Ž  Verifying Kubernetes components...    โ–ช Using image gcr.io/k8s-minikube/storage-provisioner:v4๐ŸŒŸ  Enabled addons: default-storageclass๐Ÿ„  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Display the version of the Kubernetes cluster.

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.4-dirty", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"dirty", BuildDate:"2021-03-15T09:58:13Z", GoVersion:"go1.16.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.2", GitCommit:"faecb196815e248d3ecfb03c680a4507229c2a56", GitTreeState:"clean", BuildDate:"2021-01-13T13:20:00Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

$ kubectl versionClient Version: version.Info{Major:"1", Minor:"20+", GitVersion:"v1.20.4-dirty", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"dirty", BuildDate:"2021-03-15T09:58:13Z", GoVersion:"go1.16.2", Compiler:"gc", Platform:"darwin/amd64"}Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.2", GitCommit:"faecb196815e248d3ecfb03c680a4507229c2a56", GitTreeState:"clean", BuildDate:"2021-01-13T13:20:00Z", GoVersion:"go1.15.5", Compiler:"gc", Platform:"linux/amd64"}

Kubernetes version 1.19.0 and lower requires a local Kubernetes cluster started with two additional arguments to set the apiserver service account credentials.

Stop the cluster.

$ minikube delete

$ minikube delete

Start a Kubernetes cluster with additional arguments.

$ minikube start \
    --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \
    --extra-config=apiserver.service-account-issuer=https://kubernetes.default.svc.cluster.local

$ minikube start \    --extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \    --extra-config=apiserver.service-account-issuer=https://kubernetes.default.svc.cluster.local

Verify the status of the Minikube cluster.

$ minikube status
minikube
type: Control Plane
host: Running
kubelet: Running
apiserver: Running
kubeconfig: Configured

$ minikube statusminikubetype: Control Planehost: Runningkubelet: Runningapiserver: Runningkubeconfig: Configured

Additional waiting: Even if this last command completed successfully, you may have to wait for Minikube to be available. If an error is displayed, try again after a few minutes.

The host, kubelet, apiserver report that they are running. The kubectl, a command line interface (CLI) for running commands against Kubernetes cluster, is also configured to communicate with this recently started cluster.

ยปInstall the Vault Helm chart

Vault manages the secrets that are written to these mountable volumes. To provide these secrets a single Vault server is required. For this demonstration Vault can be run in development mode to automatically handle initialization, unsealing, and setup of a KV secrets engine.

Add the HashiCorp Helm repository.

$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm repo add hashicorp https://helm.releases.hashicorp.com"hashicorp" has been added to your repositories

Update all the repositories to ensure helm is aware of the latest versions.

$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "hashicorp" chart repository
Update Complete. โŽˆHappy Helming!โŽˆ

$ helm repo updateHang tight while we grab the latest from your chart repositories......Successfully got an update from the "hashicorp" chart repositoryUpdate Complete. โŽˆHappy Helming!โŽˆ

Install the latest version of the Vault Helm chart running in development mode with the injector service disabled and CSI enabled.

$ helm install vault hashicorp/vault \
    --set "server.dev.enabled=true" \
    --set "injector.enabled=false" \
    --set "csi.enabled=true"
NAME: vault
## ...

$ helm install vault hashicorp/vault \    --set "server.dev.enabled=true" \    --set "injector.enabled=false" \    --set "csi.enabled=true"NAME: vault## ...

The Vault server runs in development mode on a single pod server.dev.enabled=true. The Vault Agent Injector pod is disabled injector.enabled=false and the Vault CSI Provider pod csi.enabled=true is enabled.

Display all the pods within the default namespace.

$ kubectl get pods
NAME                       READY   STATUS    RESTARTS   AGE
vault-0                    1/1     Running   0          58s
vault-csi-provider-t874l   1/1     Running   0          58s

$ kubectl get podsNAME                       READY   STATUS    RESTARTS   AGEvault-0                    1/1     Running   0          58svault-csi-provider-t874l   1/1     Running   0          58s

Wait until the vault-0 pod is running and ready (1/1).

ยปSet a secret in Vault

The volume mounted to the pod in the Create a pod with secret mounted section expects a secret stored at the path secret/data/db-pass. When Vault is run in development a KV secret engine is enabled at the path /secret.

First, start an interactive shell session on the vault-0 pod.

$ kubectl exec -it vault-0 -- /bin/sh
/ $

$ kubectl exec -it vault-0 -- /bin/sh/ $

Your system prompt is replaced with a new prompt / $. Commands issued at this prompt are executed on the vault-0 container.

Create a secret at the path secret/db-pass with a password.

$ vault kv put secret/db-pass password="db-secret-password"
Key              Value
---              -----
created_time     2020-05-30T16:58:54.295890646Z
deletion_time    n/a
destroyed        false
version          1

$ vault kv put secret/db-pass password="db-secret-password"Key              Value---              -----created_time     2020-05-30T16:58:54.295890646Zdeletion_time    n/adestroyed        falseversion          1

Verify that the secret is readable at the path secret/db-pass.

$ vault kv get secret/db-pass
====== Metadata ======
Key              Value
---              -----
created_time     2020-05-30T16:58:54.295890646Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
password    db-secret-password

$ vault kv get secret/db-pass====== Metadata ======Key              Value---              -----created_time     2020-05-30T16:58:54.295890646Zdeletion_time    n/adestroyed        falseversion          1
====== Data ======Key         Value---         -----password    db-secret-password

Lastly, exit the vault-0 pod.

$ exit

$ exit

ยปConfigure Kubernetes authentication

Vault provides a Kubernetes authentication method that enables clients to authenticate with a Kubernetes Service Account Token. The Kubernetes resources that access the secret and create the volume authenticate through this method through a role.

First, start an interactive shell session on the vault-0 pod.

$ kubectl exec -it vault-0 -- /bin/sh
/ $

$ kubectl exec -it vault-0 -- /bin/sh/ $

Your system prompt is replaced with a new prompt / $. Commands issued at this prompt are executed on the vault-0 container.

Enable the Kubernetes authentication method.

$ vault auth enable kubernetes
Success! Enabled kubernetes auth method at: kubernetes/

$ vault auth enable kubernetesSuccess! Enabled kubernetes auth method at: kubernetes/

Configure the Kubernetes authentication method to use the service account token, the location of the Kubernetes host, and its certificate.

$ vault write auth/kubernetes/config \
    issuer="https://kubernetes.default.svc.cluster.local" \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
Success! Data written to: auth/kubernetes/config

$ vault write auth/kubernetes/config \    issuer="https://kubernetes.default.svc.cluster.local" \    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \    kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crtSuccess! Data written to: auth/kubernetes/config

The token_reviewer_jwt and kubernetes_ca_cert files written to the container by Kubernetes. The environment variable KUBERNETES_PORT_443_TCP_ADDR references the internal network address of the Kubernetes host.

For the Kubernetes-Secrets-Store-CSI-Driver to read the secrets requires that it has read permissions of all mounts and access to the secret itself.

Write out the policy named internal-app.

$ vault policy write internal-app - <<EOF
path "secret/data/db-pass" {
  capabilities = ["read"]
}
EOF

$ vault policy write internal-app - <<EOFpath "secret/data/db-pass" {  capabilities = ["read"]}EOF

The data of kv-v2 requires that an additional path element of data is included after its mount path (in this case, secret/).

Finally, create a Kubernetes authentication role named database that binds this policy with a Kubernetes service account named webapp-sa.

$ vault write auth/kubernetes/role/database \
    bound_service_account_names=webapp-sa \
    bound_service_account_namespaces=default \
    policies=internal-app \
    ttl=20m
Success! Data written to: auth/kubernetes/role/database

$ vault write auth/kubernetes/role/database \    bound_service_account_names=webapp-sa \    bound_service_account_namespaces=default \    policies=internal-app \    ttl=20mSuccess! Data written to: auth/kubernetes/role/database

The role connects the Kubernetes service account, webapp-sa, in the namespace, default, with the Vault policy, internal-app. The tokens returned after authentication are valid for 20 minutes. This Kubernetes service account name, webapp-sa, will be created below.

Lastly, exit the vault-0 pod.

$ exit

$ exit

ยปInstall the secrets store CSI driver

The Secrets Store CSI driver secrets-store.csi.k8s.io allows Kubernetes to mount multiple secrets, keys, and certs stored in enterprise-grade external secrets stores into their pods as a volume. Once the Volume is attached, the data in it is mounted into the container's file system.

Add the Secrets Store CSI driver Helm repository.

$ helm repo add secrets-store-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts
"secrets-store-csi-driver" has been added to your repositories

$ helm repo add secrets-store-csi-driver https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts"secrets-store-csi-driver" has been added to your repositories

Install the latest version of the Kubernetes-Secrets-Store-CSI-Driver.

$ helm install csi secrets-store-csi-driver/secrets-store-csi-driver
NAME: csi
## ...

$ helm install csi secrets-store-csi-driver/secrets-store-csi-driverNAME: csi## ...

The csi-secrets-store-csi-driver pod is deployed in the default namespace.

Get all the pods within the default namespace.

$ kubectl get pods
NAME                                 READY   STATUS    RESTARTS   AGE
csi-secrets-store-csi-driver-vkppq   3/3     Running   0          20s
vault-0                              1/1     Running   0          3m10s
vault-csi-provider-t874l             1/1     Running   0          3m10s

$ kubectl get podsNAME                                 READY   STATUS    RESTARTS   AGEcsi-secrets-store-csi-driver-vkppq   3/3     Running   0          20svault-0                              1/1     Running   0          3m10svault-csi-provider-t874l             1/1     Running   0          3m10s

Wait until the csi-secrets-store-csi-driver pod is running and ready (3/3).

ยปVerify the Vault CSI provider is running

The Secrets Store CSI driver enables extension through providers. A provider is launched as a Kubernetes DaemonSet alongside of Secrets Store CSI driver DaemonSet.

The Vault CSI provider was installed above alongside Vault by the Vault Helm chart.

This DaemonSet launches its own provider pod and runs a gRPC server which the Secrets Store CSI Driver connects to to make volume mount requests.

Get all the pods within the default namespace to check that the Vault CSI provider is running.

$ kubectl get pods
NAME                                 READY   STATUS    RESTARTS   AGE
csi-secrets-store-csi-driver-vkppq   3/3     Running   0          20s
vault-0                              1/1     Running   0          3m10s
vault-csi-provider-t874l             1/1     Running   0          3m10s

$ kubectl get podsNAME                                 READY   STATUS    RESTARTS   AGEcsi-secrets-store-csi-driver-vkppq   3/3     Running   0          20svault-0                              1/1     Running   0          3m10svault-csi-provider-t874l             1/1     Running   0          3m10s

Wait until the vault-csi-provider pod is running and ready (1/1).

ยปDefine a SecretProviderClass resource

The Kubernetes-Secrets-Store-CSI-Driver Helm chart creates a definition for a SecretProviderClass resource. This resource describes the parameters that are given to the Vault CSI provider. To configure it requires the address of the Vault server, the name of the Vault Kubernetes authentication role, and the secrets.

Define a SecretProviderClass named vault-database.

$ cat > spc-vault-database.yaml <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-database
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.default:8200"
    roleName: "database"
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/db-pass"
        secretKey: "password"
EOF

$ cat > spc-vault-database.yaml <<EOFapiVersion: secrets-store.csi.x-k8s.io/v1alpha1kind: SecretProviderClassmetadata:  name: vault-databasespec:  provider: vault  parameters:    vaultAddress: "http://vault.default:8200"    roleName: "database"    objects: |      - objectName: "db-password"        secretPath: "secret/data/db-pass"        secretKey: "password"EOF

Create the vault-database SecretProviderClass.

$ kubectl apply --filename spc-vault-database.yaml

$ kubectl apply --filename spc-vault-database.yaml

The vault-database SecretProviderClass describes one secret object:

  • objectName is a symbolic name for that secret, and the file name to write to.
  • secretPath is the path to the secret defined in Vault.
  • secretKey is a key name within that secret.

Verify that the SecretProviderClass, named vault-database has been defined in the default namespace.

$ kubectl describe SecretProviderClass vault-database
Name:         vault-database
Namespace:    default
## ...

$ kubectl describe SecretProviderClass vault-databaseName:         vault-databaseNamespace:    default## ...

ยปCreate a pod with secret mounted

With the secret stored in Vault, the authentication configured and role created, the provider-vault extension installed and the SecretProviderClass defined it is finally time to create a pod that mounts the desired secret.

Create a service account named webapp-sa.

$ kubectl create serviceaccount webapp-sa

$ kubectl create serviceaccount webapp-sa

Define the webapp pod that mounts the secrets volume.

$ cat > webapp-pod.yaml <<EOF
kind: Pod
apiVersion: v1
metadata:
  name: webapp
spec:
  serviceAccountName: webapp-sa
  containers:
  - image: jweissig/app:0.0.1
    name: webapp
    volumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "vault-database"
EOF

$ cat > webapp-pod.yaml <<EOFkind: PodapiVersion: v1metadata:  name: webappspec:  serviceAccountName: webapp-sa  containers:  - image: jweissig/app:0.0.1    name: webapp    volumeMounts:    - name: secrets-store-inline      mountPath: "/mnt/secrets-store"      readOnly: true  volumes:    - name: secrets-store-inline      csi:        driver: secrets-store.csi.k8s.io        readOnly: true        volumeAttributes:          secretProviderClass: "vault-database"EOF

The webapp pod defines and mounts a read-only volume to /mnt/secrets-store. The objects defined in the vault-database SecretProviderClass are written as files within that path.

Create the webapp pod.

$ kubectl apply --filename webapp-pod.yaml

$ kubectl apply --filename webapp-pod.yaml

Get all the pods within the default namespace.

$ kubectl get pods
NAME                                     READY   STATUS    RESTARTS   AGE
csi-secrets-store-csi-driver-6rf2k       3/3     Running   0          13m
csi-secrets-store-provider-vault-qm44g   1/1     Running   0          8m
webapp                                   1/1     Running   0          5m
vault-0                                  1/1     Running   0          27m

$ kubectl get podsNAME                                     READY   STATUS    RESTARTS   AGEcsi-secrets-store-csi-driver-6rf2k       3/3     Running   0          13mcsi-secrets-store-provider-vault-qm44g   1/1     Running   0          8mwebapp                                   1/1     Running   0          5mvault-0                                  1/1     Running   0          27m

Wait until the webapp pod is running and ready (1/1).

Display the password secret written to the file system at /mnt/secrets-store/db-password on the webapp pod.

$ kubectl exec webapp -- cat /mnt/secrets-store/db-password
db-secret-password

$ kubectl exec webapp -- cat /mnt/secrets-store/db-passworddb-secret-password

The value displayed matches the password value for the secret secret/db-pass.

ยปNext steps

The Kubernetes Container Storage Interface (CSI) is an extensible approach to the management of storage alongside the lifecycle of containers. Learn more about the Secrets Store CSI driver and the Vault provider in this tutorial to accomplish the secrets management for the container.

Secrets mounted on ephemeral volumes is one approach to manage secrets for applications pods. Explore how pods can retrieve them directly via network requests and through the Vault Injector service via annotations.

stdin: is not a tty