This chapter covers
- Using the Container Storage Interface (CSI) and the Secrets Store CSI Driver to inject secrets as volumes from cloud secrets stores
- Populating cloud secrets into Kubernetes clusters as Kubernetes Secrets
- Using auto rotation of secrets in the Secrets Store CSI Driver to improve security posture
- Consuming sensitive information from cloud secrets stores
Chapter 5 introduced HashiCorp Vault, which can securely store and manage sensitive assets for applications deployed to Kubernetes, and demonstrated how both applications and Vault can be configured to integrate seamlessly with one another. This chapter expands on the idea introduced in the previous chapter: using an external secrets management tool to store secrets and injecting them into the Pod, either as a volume or as an environment variable. But in this chapter we’ll focus on cloud secrets stores, such as Google Secret Manager, Azure Key Vault, and AWS Secrets Manager.
First you’ll learn about the Container Storage Interface (CSI) and the Secrets Store CSI Driver, using them to inject secrets stored in HashiCorp Vault. Then you’ll learn about injecting Kubernetes Secrets using the Secrets Store CSI Driver as well as secret auto rotation. Finally, we’ll discuss the integration between the CSI driver and Google Secret Manager, Azure Key Vault, and AWS Secrets Manager, so secrets can be injected directly from the secrets store to the Pod.
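To make the flow described above concrete before the chapter walks through it, here is an added illustration (it is not one of the book's listings) of the two objects the Secrets Store CSI Driver works with: a SecretProviderClass that tells the driver which provider to call and which secrets to fetch, and a Pod that mounts the result as a read-only volume. The Vault address, role name, secret path, namespace and application names are assumed placeholder values for this example; the `secretObjects` block is optional and is what makes the driver also mirror the fetched value into a regular Kubernetes Secret.

```yaml
# Added example: SecretProviderClass for the Vault provider.
# vaultAddress, roleName and the secret path are assumed placeholders.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-vault-secrets          # assumed name
  namespace: demo                  # assumed namespace
spec:
  provider: vault
  parameters:
    vaultAddress: "http://vault.vault.svc:8200"   # assumed in-cluster Vault address
    roleName: "app-role"                            # assumed Vault Kubernetes-auth role
    objects: |
      - objectName: "db-password"                   # file name created under the mount path
        secretPath: "secret/data/app/config"        # assumed KV v2 path
        secretKey: "password"                       # key inside that KV entry
  # Optional: also sync the fetched value into a Kubernetes Secret,
  # so it can be consumed via env vars as well as the mounted file.
  secretObjects:
    - secretName: app-db-secret    # Kubernetes Secret the driver will create/update
      type: Opaque
      data:
        - objectName: db-password  # must match an objectName above
          key: password            # key name inside the Kubernetes Secret
---
# Added example: Pod that mounts the secrets through the CSI driver.
apiVersion: v1
kind: Pod
metadata:
  name: demo-app                   # assumed name
  namespace: demo
spec:
  serviceAccountName: app-sa       # assumed; the Vault role must trust this service account
  containers:
    - name: app
      image: example.com/demo-app:1.0   # assumed image reference
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets       # /mnt/secrets/db-password will hold the value
          readOnly: true
      env:
        # Consumed from the synced Kubernetes Secret declared in secretObjects above.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: app-db-secret
              key: password
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "app-vault-secrets"
```

Two points worth noting: the synced Kubernetes Secret is only created while at least one Pod mounts the volume, and it is removed again when the last such Pod goes away, so it is tied to the workload's lifetime rather than living independently in etcd. Swapping the `provider` and `parameters` for the GCP, Azure or AWS provider changes where the value is fetched from, but leaves the Pod specification unchanged, which is what lets the same workload definition be reused across cloud secrets stores.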