Command line arguments
The following command line arguments are supported by the Vault CSI provider.
If installing via the helm chart, they can be set using e.g.
--set "csi.extraArgs={-debug=true}"
.
-debug
(bool: false)
- Set to true to enable debug level logging.-endpoint
(string: "/tmp/vault.sock")
- Path to unix socket on which the provider will listen for gRPC calls from the driver.-health-addr
(string: ":8080")
- (v0.3.0+) The address of the HTTP listener for reporting health.-health_addr
(string: "")
- Deprecated, please use -health-addr. Slated for removal in 0.5.0.-vault-addr
(string: "https://127.0.0.1:8200")
- (v0.3.0+) Default address for connecting to Vault. Can be overridden per Secret Provider Class object.-vault-mount
(string: "kubernetes")
- (v0.3.0+) Default Vault mount path for Kubernetes authentication. Can be overridden per Secret Provider Class object.-version
(bool: false)
- prints the version information-write-secrets
(bool: true)
- (v0.3.0+) Write secrets directly to filesystem (true), or send secrets to CSI driver in gRPC response (false). Setting to false requires Secrets Store CSI Driver v0.0.21+. This flag will default to false from v0.4.0, and setting it to false will be required when using Secrets Store CSI Driver v0.0.24+.
Secret Provider Class Configurations
The following parameters are supported by the Vault provider:
roleName
(string: "")
- Name of the role to be used during login with Vault.vaultAddress
(string: "")
- The address of the Vault server.vaultNamespace
(string: "")
- The Vault namespace to use.vaultSkipTLSVerify
(string: "false")
- When set to true, skips verification of the Vault server certificate. Setting this to true is not recommended for production.vaultCACertPath
(string: "")
- The path on disk where the Vault CA certificate can be found when verifying the Vault server certificate.vaultCADirectory
(string: "")
- The directory on disk where the Vault CA certificate can be found when verifying the Vault server certificate.vaultTLSClientCertPath
(string: "")
- The path on disk where the client certificate can be found for mTLS communications with Vault.vaultTLSClientKeyPath
(string: "")
- The path on disk where the client key can be found for mTLS communications with Vault.vaultTLSServerName
(string: "")
- The name to use as the SNI host when connecting via TLS.vaultKubernetesMountPath
(string: "kubernetes")
- The name of the auth mount used for login. At this time only the Kubernetes auth method is supported.objects
(array)
- An array of secrets to retrieve from Vault.objectName
(string: "")
- The alias of the object which can be referenced within the secret provider class and the name of the secret file.method
(string: "GET")
- The type of HTTP request. Supported values include "GET" and "PUT".secretPath
(string: "")
- The path in Vault where the secret is located. For secrets that are retrieved via HTTP GET method, thesecretPath
can include optional URI parameters, for example, the version of the KV2 secret:objects: | - objectName: "app-secret" secretPath: "secret/data/test?version=1" secretKey: "password"
secretKey
(string: "")
- The key in the Vault secret to extract. If omitted, the whole response from Vault will be written as JSON.secretArgs
(map: {})
- Additional arguments to be sent to Vault for a specific secret. Arguments can vary for different secret engines. For example:secretArgs: common_name: 'test.example.com' ttl: '24h'
secretArgs
are sent as part of the HTTP request body. Therefore, they are only effective for HTTP PUT/POST requests, for instance, the request used to generate a new certificate. To supply additional parameters for secrets retrieved via HTTP GET, include optional URI paramters insecretPath
.