»Installing the Vault CSI Provider

»Prerequisites

  • Kubernetes 1.16+ for both the master and worker nodes (Linux-only)
  • Secrets store CSI driver installed
  • TokenRequest endpoint available, which requires setting the flags --service-account-signing-key-file and --service-account-issuer for kube-apiserver. These flags are set by default from 1.20+, and earlier in most managed services.
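
The prerequisites above can be checked before installing. The script below is an added example, not part of the Vault documentation or the Helm chart; it assumes kubectl points at the target cluster and that the Secrets Store CSI driver registered its CSIDriver object under the upstream default name secrets-store.csi.k8s.io. The function names are illustrative.

```shell
#!/bin/sh
# Added example: read-only preflight for the prerequisites listed on this page.

# version_at_least VERSION MAJOR MINOR
# Succeeds when a version such as "v1.21.5-gke.1302" is >= MAJOR.MINOR.
version_at_least() {
  v=${1#v}
  case "$v" in *.*) ;; *) return 2 ;; esac     # need "major.minor"
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%[!0-9]*}                        # drop ".patch", "+", "-gke.N"
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  [ -n "$minor" ] || return 2
  [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# check_nodes: reads "name kubeletVersion operatingSystem" lines on stdin,
# prints a FAIL line per violation and returns non-zero if any node fails.
check_nodes() {
  bad=0
  while read -r name kubelet os; do
    [ -n "$name" ] || continue
    version_at_least "$kubelet" 1 16 || { echo "FAIL: $name kubelet $kubelet is older than 1.16"; bad=1; }
    [ "$os" = linux ] || { echo "FAIL: $name runs $os, not linux"; bad=1; }
  done
  return "$bad"
}

# preflight: queries the cluster in the current kubectl context (read-only).
preflight() {
  rc=0
  server=$(kubectl get --raw /version | sed -n 's/.*"gitVersion": *"\([^"]*\)".*/\1/p')
  version_at_least "$server" 1 16 || { echo "FAIL: API server '$server' is older than 1.16"; rc=1; }
  version_at_least "$server" 1 20 ||
    echo "NOTE: before 1.20, confirm kube-apiserver sets --service-account-signing-key-file and --service-account-issuer"
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.kubeletVersion} {.status.nodeInfo.operatingSystem}{"\n"}{end}' |
    check_nodes || rc=1
  # Assumption: the driver registers its CSIDriver object under its upstream default name.
  kubectl get csidriver secrets-store.csi.k8s.io >/dev/null 2>&1 ||
    { echo "FAIL: Secrets Store CSI driver not found"; rc=1; }
  return "$rc"
}

# Only touch the cluster when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```

A zero exit status from --run means the version, operating system and driver checks passed; the NOTE line is advisory because the kube-apiserver flags are not visible through the API on most managed services.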

»Installation using Helm

The Vault Helm chart is the recommended way to install and configure the Vault CSI Provider in Kubernetes.

To install a new instance of Vault and the Vault CSI Provider, first add the HashiCorp Helm repository and ensure you have access to the chart:

$ helm repo add hashicorp https://helm.releases.hashicorp.com
"hashicorp" has been added to your repositories

$ helm search repo hashicorp/vault
NAME            CHART VERSION   APP VERSION DESCRIPTION
hashicorp/vault 0.10.0          1.7.0       Official HashiCorp Vault Chart

Then install the chart and enable the CSI feature by setting the csi.enabled value to true:

# Note: this will also install the Vault server and Agent Injector.
helm install vault hashicorp/vault --set="csi.enabled=true"

Upgrades may be performed with helm upgrade on an existing install. Please always run Helm with --dry-run before any install or upgrade to verify changes.

You can see all the available values by running helm inspect values hashicorp/vault or by reading the Vault Helm Configuration Docs. Commonly used values in the Helm chart include limiting the namespaces the Vault CSI Provider runs in, TLS options and more.