modules/op-csi-secrets.adoc
Lines changed: 23 additions & 4 deletions
@@ -3,10 +3,10 @@
// * secure/using-csi-secrets.adoc
:_mod-docs-content-type: PROCEDURE
-
[id="configuring-results_{context}"]
+
[id="consuming-secrets-csi_{context}"]
= Consuming secrets from an external store such as Hashicorp Vault using the Secrets Store CSI Driver
-
If you want to use secrets from an external store that has a CSI (container storage interface) provider, for example, Hashicorp Vault, you can configure {pipelines-shortname} to consume these secrets using the Secrets Store CSI Driver.
+
If you want to use secrets from an external store that has a Container Storage Interface (CSI) provider, for example, Hashicorp Vault, you can configure {pipelines-shortname} to consume these secrets using the Secrets Store CSI Driver.
.Prerequisites
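Review bot: Renaming the anchor from `configuring-results_{context}` to `consuming-secrets-csi_{context}` breaks any existing xref that still targets the old id; search the docs for `configuring-results` before merging and update those links. The rename itself is right, since the old id looks like a leftover from the module this file was copied from and the new one matches the topic, and expanding "CSI" to "Container Storage Interface" on first use is correct.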
@@ -16,7 +16,7 @@ If you want to use secrets from an external store that has a CSI (container stor
+
[NOTE]
====
-
If you want to use an instance of Hashicorp Vault running outside your {OCP} cluster, you must provide the address to that instance in the Helm configuration when installing the CSI Provider. For infoamtion about providing an external Vault address, see link:https://developer.hashicorp.com/vault/docs/deploy/kubernetes/helm/configuration#externalvaultaddr[Configuration] in the Hashicorp documentation.
+
If you want to use an instance of Hashicorp Vault running outside your {OCP} cluster, you must provide the address to that instance in the Helm configuration when installing the CSI Provider. For information about providing an external Vault address, see link:https://developer.hashicorp.com/vault/docs/deploy/kubernetes/helm/configuration#externalvaultaddr[Configuration] in the Hashicorp documentation.
====
* You configured authentication with the secret store for an {OCP} service account, for example, `pipeline-sa`. For information about configuring Kubernetes authentication with Hashicorp Vault, see link:https://developer.hashicorp.com/vault/docs/auth/kubernetes[Kubernetes auth method] in the Hashicorp documentation.
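Review bot: The `infoamtion` to `information` fix is fine. While this line is being touched, the vendor styles its name `HashiCorp` (capital C), but the module writes `Hashicorp` here, in the title, and in the following bullet; if the project's style guide follows vendor spelling, a consistent pass across the module is worth doing in the same change.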
@@ -88,6 +88,11 @@ spec:
secretPath: "secret/data/my-secret"
secretKey: "password"
----
+
+
+
[WARNING]
+
====
+
The `vaultAddress` parameter used in this example uses `http` and `vaultSkipTLSVerify`: `"true"` only for demonstration purposes. For production use, configure Vault with a secure `https` endpoint and do not skip TLS verification.
+
====
. In the definition of the task that consumes the secrets, define and mount a volume that uses the CSI secrets store driver and specifies the name of the `SecretProviderClass` CR. To minimise security exposure of secrets, mount them in the definition of a task and not of an entire pipeline.
+
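Review bot: Flagging the insecure example settings is the right call, but the sentence reads awkwardly (`uses \`http\` and \`vaultSkipTLSVerify\`: \`"true"\``); suggest: "The `vaultAddress` value in this example uses a plain `http` URL, and `vaultSkipTLSVerify` is set to `"true"`, for demonstration purposes only." It would also help readers to say why this matters: with a plain `http` address or with TLS verification disabled, the pipeline cannot confirm it is talking to the real Vault server, so the service account token it presents and the secrets it retrieves cross the network unprotected. Consider stating that the production fix is to trust the CA that signed Vault's certificate rather than to disable verification, so readers do not carry `vaultSkipTLSVerify: "true"` over into their own `SecretProviderClass`.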
@@ -134,6 +139,18 @@ The mount path that you specify in the pipeline or task definition overrides the
0 commit comments