Use protected secrets in Kubernetes with CSI
Enterprise
Appropriate Vault Enterprise license required
While the Vault Secrets Operator lets you store Vault secrets in clusters as native Kubernetes Secrets, you must install the Vault Secrets Operator CSI driver to provide secrets directly to Kubernetes pods as protected secrets.
The CSI driver hooks into the Pod volume lifecycle so applications can receive secret data from Vault mounted directly to containers as ephemeral volumes with the same lifecycle as the application Pod itself.
Secret data is refreshed whenever a new requesting Pod comes online, or a container in a requesting Pod crashes or exits.
The Vault Secrets Operator CSI driver supports:
- Syncing multiple secrets from multiple plugins. Supported plugins include:
- Automatic generation and mounting of response-wrapped AppRole secret IDs as a trusted orchestrator for authentication between application Pods and Vault.
- Helm-based installation.
- Secret data transformation.
The Vault Secrets Operator CSI driver does not support:
Refer to the Vault Secrets Operator CSI driver setup guide to use protected secrets with your Vault Secrets Operator instance.
Secrets flow: Traditional VSO vs CSI driver
In the traditional workflow, the Vault Secrets Operator caches Vault secrets as Kubernetes Secrets stored in etcd and watches for changes to custom resources such as VaultStaticSecret or VaultDynamicSecret.
When the resource definition changes, Vault Secrets Operator overwrites secret data in the associated Kubernetes Secret with the new information.
In the CSI driver workflow, Vault Secrets Operator never stores secrets in etcd because the driver does not cache secrets as Kubernetes Secrets.
Instead, the driver watches for changes to a custom resource (CR) called CSISecrets. The CSISecrets resource contains a declarative list of secrets to fetch and an access control configuration that only allows the designated Pods to mount those secrets.
When an approved Pod starts with a reference to the CSISecrets resource as a volume mount, the Vault Secrets Operator CSI driver populates that volume with the associated secrets for all referencing containers in the Pod.
The Pod starts with all of the secrets from the CSISecrets resource mounted at the configured path (for example, /var/run/csi-secrets) as individual files. The driver indexes each file with a number representing its position in the vaultStaticSecrets or vaultAppRoleSecretIDs list, starting at 0. For example, static_secret_0_secret, static_secret_1_secret, ..., static_secret_N_secret, or app_role_N_wrap_info.json.
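The following is an added example of the consumer side of this layout, not code from the Vault Secrets Operator project: an application helper that reads the indexed files the driver mounts, refuses to start if an index is missing, and builds the Vault unwrap call for a mounted response-wrapped secret ID. It assumes the mount path /var/run/csi-secrets from the text, that each app_role_N_wrap_info.json carries Vault's standard wrap_info fields (at least token), and uses constructed sample files rather than real secrets.

```python
import json
import re
from pathlib import Path

# Assumed mount path: the real path is whatever the Pod's volume mount configures.
DEFAULT_MOUNT = "/var/run/csi-secrets"
_STATIC_RE = re.compile(r"^static_secret_(\d+)_secret$")
_APPROLE_RE = re.compile(r"^app_role_(\d+)_wrap_info\.json$")

def _contiguous(indexed, label):
    # A missing index means the volume does not match the declared list; fail closed.
    if set(indexed) != set(range(len(indexed))):
        raise RuntimeError(f"{label} files are not contiguous: {sorted(indexed)}")
    return [indexed[i] for i in range(len(indexed))]

def load_csi_secrets(mount_dir=DEFAULT_MOUNT):
    """Return (static_secrets, wrap_infos), each ordered by the index the
    driver put in the file name, i.e. the position in vaultStaticSecrets
    or vaultAppRoleSecretIDs. Unrelated files in the volume are ignored."""
    static, approle = {}, {}
    for entry in Path(mount_dir).iterdir():
        if (m := _STATIC_RE.match(entry.name)):
            static[int(m.group(1))] = entry.read_bytes()
        elif (m := _APPROLE_RE.match(entry.name)):
            approle[int(m.group(1))] = json.loads(entry.read_text())
    return _contiguous(static, "static_secret"), _contiguous(approle, "app_role")

def unwrap_request(vault_addr, wrap_info):
    """Build the call that exchanges a response-wrapped secret ID for the real
    one: POST /v1/sys/wrapping/unwrap, authenticated with the single-use
    wrapping token from the mounted wrap_info.json (no request body needed)."""
    url = f"{vault_addr.rstrip('/')}/v1/sys/wrapping/unwrap"
    return url, {"X-Vault-Token": wrap_info["token"]}

def make_sample_volume(mount_dir):
    """Write a constructed sample of what the driver mounts (not real secrets)."""
    root = Path(mount_dir)
    root.mkdir(parents=True, exist_ok=True)
    (root / "static_secret_0_secret").write_bytes(b"db-password-example")
    (root / "static_secret_1_secret").write_bytes(b"api-key-example")
    # Constructed wrap_info: the token field is what the unwrap call uses.
    (root / "app_role_0_wrap_info.json").write_text(
        json.dumps({"token": "hvs.EXAMPLEWRAPPINGTOKEN", "ttl": 300}))
    (root / "ca.crt").write_text("unrelated file, ignored")
    return root

if __name__ == "__main__":
    import tempfile
    statics, wraps = load_csi_secrets(make_sample_volume(tempfile.mkdtemp()))
    print(len(statics), "static secrets;", unwrap_request("https://vault.example:8200", wraps[0]))
```

The unwrap token is single-use, so an application should perform the unwrap once at startup and treat a failed unwrap as a sign that something else already consumed it.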