»Command line arguments
The following command line arguments are supported by the Vault CSI provider.
If installing via the helm chart, they can be set using e.g.
--set "csi.extraArgs={-debug=true}"
.
-
-debug
(bool: false)
- Set to true to enable debug level logging. -
-endpoint
(string: "/tmp/vault.sock")
- Path to unix socket on which the provider will listen for gRPC calls from the driver. -
-health-addr
(string: ":8080")
- (v0.3.0+) The address of the HTTP listener for reporting health. -
-health_addr
(string: "")
- Deprecated, please use -health-addr. Slated for removal in 0.5.0. -
-vault-addr
(string: "https://127.0.0.1:8200")
- (v0.3.0+) Default address for connecting to Vault. Can be overridden per Secret Provider Class object. -
-vault-mount
(string: "kubernetes")
- (v0.3.0+) Default Vault mount path for Kubernetes authentication. Can be overridden per Secret Provider Class object. -
-version
(bool: false)
- prints the version information -
-write-secrets
(bool: true)
- (v0.3.0+) Write secrets directly to filesystem (true), or send secrets to CSI driver in gRPC response (false). Setting to false requires Secrets Store CSI Driver v0.0.21+. This flag will default to false from v0.4.0, and setting it to false will be required when using Secrets Store CSI Driver v0.0.24+.
»Secret Provider Class Configurations
The following parameters are supported by the Vault provider:
-
roleName
(string: "")
- Name of the role to be used during login with Vault. -
vaultAddress
(string: "")
- The address of the Vault server. -
vaultNamespace
(string: "")
- The Vault namespace to use. -
vaultSkipTLSVerify
(string: "false")
- When set to true, skips verification of the Vault server certificiate. Setting this to true is not recommended for production. -
vaultCACertPath
(string: "")
- The path on disk where the Vault CA certificate can be found when verifying the Vault server certificate. -
vaultCADirectory
(string: "")
- The directory on disk where the Vault CA certificate can be found when verifying the Vault server certificate. -
vaultTLSClientCertPath
(string: "")
- The path on disk where the client certificate can be found for mTLS communications with Vault. -
vaultTLSClientKeyPath
(string: "")
- The path on disk where the client key can be found for mTLS communications with Vault. -
vaultTLSServerName
(string: "")
- The name to use as the SNI host when connecting via TLS. -
vaultKubernetesMountPath
(string: "kubernetes")
- The name of the auth mount used for login. At this time only the Kubernetes auth method is supported. -
objects
(array)
- An array of secrets to retrieve from Vault.-
objectName
(string: "")
- The alias of the object which can be referenced within the secret provider class and the name of the secret file. -
method
(string: "GET")
- The type of HTTP request. Supported values include "GET" and "PUT". -
secretPath
(string: "")
- The path in Vault where the secret is located. -
secretKey
(string: "")
- The key in the Vault secret to extract. If omitted, the whole response from Vault will be written as JSON. -
secretArgs
(map: {})
- Additional arguments to be sent to Vault for a specific secret. Arguments can vary for different secret engines. For example:
-