vault-csi-provider
Use token from CSI TokenRequests
The Secrets Store CSI driver supports sending a token as part of the mount request as of 1.1.0 (relevant issue with rollout timeline), which is based on this feature from this KEP.
TL;DR is you use `--set tokenRequests[0].audience="vault"` when installing the CSI driver, and then it will populate a `csi.storage.k8s.io/serviceAccount.tokens` field in the mount parameters which contains a token generated for the audience "vault". That way, vault-csi-provider doesn't have to generate its own token for the requesting pod, and we can remove those Kubernetes permissions once we're ready to deprecate that way of doing things. However, I don't think we should deprecate immediately, as it still relies on Kubernetes 1.21+ and a pretty recent CSI driver version.
A really nice feature is that it will cache the token, so we'll get the same JWT on each mount request until it expires. This will make it much easier to add Vault Agent as a sidecar in a way that caching will work (i.e. issue #90).
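As an added illustration (not code from the vault-csi-provider project or from this issue's author), the following Go snippet shows what consuming that field looks like on the provider side. It assumes the driver writes the attribute in the KEP-1855 format, a JSON object keyed by audience whose values carry `token` and an RFC 3339 `expirationTimestamp`; the attribute map, audience name and JWT string below are constructed sample data, and the placeholder "JWT" is not a real token. The function also rejects an expired entry so a caller can fall back to the provider's own TokenRequest path rather than present a dead token to Vault.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// TokensAttribute is the mount-attribute key the Secrets Store CSI driver
// populates when it is installed with tokenRequests configured.
const TokensAttribute = "csi.storage.k8s.io/serviceAccount.tokens"

// serviceAccountToken mirrors the per-audience object under that key
// (assumed KEP-1855 shape: the JWT plus its RFC 3339 expiration).
type serviceAccountToken struct {
	Token               string    `json:"token"`
	ExpirationTimestamp time.Time `json:"expirationTimestamp"`
}

// SampleAttributes is a constructed mount-attribute map of the shape the
// driver sends on a mount request. The JWT value is a placeholder.
var SampleAttributes = map[string]string{
	"secretProviderClass": "vault-db-creds",
	TokensAttribute:       `{"vault":{"token":"eyJhbGciOiJSUzI1NiJ9.e30.c2ln","expirationTimestamp":"2030-01-01T00:00:00Z"}}`,
}

// TokenForAudience returns the driver-minted token for aud, or an error when
// the attribute is absent (older driver or tokenRequests not set), malformed,
// lacks that audience, or has already expired. now is a parameter so the
// expiry check is deterministic in tests.
func TokenForAudience(attributes map[string]string, aud string, now time.Time) (string, error) {
	raw, ok := attributes[TokensAttribute]
	if !ok || raw == "" {
		return "", fmt.Errorf("mount attribute %q not set; driver may predate 1.1.0 or tokenRequests is not configured", TokensAttribute)
	}
	var tokens map[string]serviceAccountToken
	if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
		return "", fmt.Errorf("parsing %q: %w", TokensAttribute, err)
	}
	tok, ok := tokens[aud]
	if !ok || tok.Token == "" {
		return "", fmt.Errorf("no token for audience %q (driver supplied %v)", aud, audiences(tokens))
	}
	// A zero timestamp means the driver sent none; otherwise refuse a token
	// that is at or past its expiry so the caller can fall back cleanly.
	if !tok.ExpirationTimestamp.IsZero() && !now.Before(tok.ExpirationTimestamp) {
		return "", fmt.Errorf("token for audience %q expired at %s", aud, tok.ExpirationTimestamp.Format(time.RFC3339))
	}
	return tok.Token, nil
}

// audiences lists the audiences present, sorted so error text is stable.
func audiences(tokens map[string]serviceAccountToken) []string {
	out := make([]string, 0, len(tokens))
	for a := range tokens {
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

func main() {
	tok, err := TokenForAudience(SampleAttributes, "vault", time.Now())
	if err != nil {
		fmt.Println("falling back to provider-issued token:", err)
		return
	}
	fmt.Println("using driver-supplied token for audience vault:", tok)
}
```

Because the driver caches the token until it expires, the same JWT string comes back on repeated mounts; keying any provider-side cache on that string (as the Vault Agent sidecar idea needs) therefore works without extra bookkeeping.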