This chapter covers
- Using Container Storage Interface (CSI) and the Secrets Store CSI driver to inject secrets as volumes from cloud secret stores
- Populating cloud secrets into a Kubernetes cluster as Kubernetes Secrets
- Using auto rotation of secrets in the Secrets Store CSI driver to improve security posture
- Consuming sensitive information from cloud secret stores
Chapter 5 introduced HashiCorp Vault to securely store and manage sensitive assets for applications deployed to Kubernetes and demonstrated how both applications and Vault can be configured to integrate seamlessly with one another.
This chapter expands the idea introduced in the previous chapter of using an external secrets management tool to store secrets and injecting them into the Pod either as a volume or as an environment variable. But in this chapter we’ll focus on cloud secret stores like Google Secret Manager, Azure Key Vault, or AWS Secrets Manager.
First, we’ll learn about the Container Storage Interface (CSI) and the Secrets Store CSI driver, and use them to inject secrets stored in HashiCorp Vault. Then we’ll see how to inject secrets through the Secrets Store CSI driver as Kubernetes Secrets and how secret auto rotation works. Finally, the integration between the CSI driver and Google Secret Manager, Azure Key Vault, and AWS Secrets Manager is shown, so that secrets are injected directly from the secret store into the Pod.
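As an added example, not code from the book, the two manifests below show the mechanism this chapter walks through: a SecretProviderClass for the Vault provider of the Secrets Store CSI driver, with an optional secretObjects block that syncs the mounted objects into a Kubernetes Secret, and a Pod that mounts the CSI volume and also reads one value through the synced Secret as an environment variable. The Vault address, role name, KV path, key names, and the Secret and ServiceAccount names are assumed placeholders.

```yaml
# Added example (not the book's own code). Assumes a Secrets Store CSI driver
# with the Vault provider installed, and a Vault Kubernetes auth role "db-reader"
# bound to the "db-client" ServiceAccount in this namespace.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: vault-db-creds            # assumed name; must be in the Pod's namespace
  namespace: default
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.internal:8200"   # assumed address
    roleName: "db-reader"                                  # assumed Vault role
    # Each object becomes one file in the mounted volume, named by objectName.
    objects: |
      - objectName: "db-username"
        secretPath: "secret/data/db/creds"   # assumed KV v2 path
        secretKey: "username"
      - objectName: "db-password"
        secretPath: "secret/data/db/creds"
        secretKey: "password"
  # Optional: mirror the mounted objects into a Kubernetes Secret so they can be
  # consumed as environment variables. The Secret exists only while a Pod mounts
  # this volume and is removed once no Pod references it.
  secretObjects:
    - secretName: db-creds        # assumed name of the synced Kubernetes Secret
      type: Opaque
      data:
        - objectName: db-username
          key: username
        - objectName: db-password
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: db-client
  namespace: default
spec:
  serviceAccountName: db-client   # assumed; its token is what Vault authenticates
  containers:
    - name: app
      image: busybox:1.36
      command: ["sh", "-c", "ls -l /mnt/secrets && sleep 3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets   # files: /mnt/secrets/db-username, db-password
          readOnly: true
      env:
        # Read from the synced Secret; only works with the secretObjects block above.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: db-creds
              key: password
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: vault-db-creds
```

Two points worth keeping in mind when reading the rest of the chapter. Auto rotation is a driver-level setting (the driver's `--enable-secret-rotation` flag, with `--rotation-poll-interval` controlling how often it polls the store); when it fires, the files under /mnt/secrets and the synced Secret are rewritten, but a container that copied the value into an environment variable at start keeps the stale value until it is restarted, so reading the file at use time is the safer pattern. And syncing into a Kubernetes Secret puts the value back into etcd, which is exactly what an external store was meant to avoid; if you use secretObjects, make sure encryption at rest is enabled and RBAC on that Secret is as tight as on the volume.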