A new platform for documentation and tutorials is launching soon.

We are migrating Vault documentation into HashiCorp Developer, our new developer experience.

Join Now
Type '/' to Search

»Command line arguments

The following command line arguments are supported by the Vault CSI provider. Most settings support being set by, in ascending order of precedence:

  • Environment variables
  • Command line arguments
  • Secret Provider Class parameters

If installing via the helm chart, they can be set using e.g. --set "csi.extraArgs={-debug=true}".

  • -debug (bool: false) - Set to true to enable debug level logging.

  • -endpoint (string: "/tmp/vault.sock") - Path to unix socket on which the provider will listen for gRPC calls from the driver.

  • -health-addr (string: ":8080") - (v0.3.0+) The address of the HTTP listener for reporting health.

  • -vault-addr (string: "https://127.0.0.1:8200") - (v0.3.0+) Default address for connecting to Vault. Can also be specified via the VAULT_ADDR environment variable.

  • -vault-mount (string: "kubernetes") - (v0.3.0+) Default Vault mount path for Kubernetes authentication. Can be overridden per Secret Provider Class object.

  • -vault-namespace (string: "") - (v1.1.0+) Default Vault namespace for Vault requests. Can also be specified via the VAULT_NAMESPACE environment variable.

  • -vault-tls-ca-cert (string: "") - (v1.1.0+) Path on disk to a single PEM-encoded CA certificate to trust for Vault. Takes precendence over -vault-tls-ca-directory. Can also be specified via the VAULT_CACERT environment variable.

  • -vault-tls-ca-directory (string: "") - (v1.1.0+) Path on disk to a directory of PEM-encoded CA certificates to trust for Vault. Can also be specified via the VAULT_CAPATH environment variable.

  • -vault-tls-server-name (string: "") - (v1.1.0+) Name to use as the SNI host when connecting to Vault via TLS. Can also be specified via the VAULT_TLS_SERVER_NAME environment variable.

  • -vault-tls-client-cert (string: "") - (v1.1.0+) Path on disk to a PEM-encoded client certificate for mTLS communication with Vault. If set, also requires -vault-tls-client-key. Can also be specified via the VAULT_CLIENT_CERT environment variable.

  • -vault-tls-client-key (string: "") - (v1.1.0+) Path on disk to a PEM-encoded client key for mTLS communication with Vault. If set, also requires -vault-tls-client-cert. Can also be specified via the VAULT_CLIENT_KEY environment variable.

  • -vault-tls-skip-verify (bool: false) - (v1.1.0+) Disable verification of TLS certificates. Can also be specified via the VAULT_SKIP_VERIFY environment variable.

  • -version (bool: false) - print version information and exit.

»Secret Provider Class Parameters

The following parameters are supported by the Vault provider. Each parameter is an entry under spec.parameters in a SecretProviderClass object. The full structure is illustrated in the examples.

  • roleName (string: "") - Name of the role to be used during login with Vault.

  • vaultAddress (string: "") - The address of the Vault server.

  • vaultNamespace (string: "") - The Vault namespace to use.

  • vaultSkipTLSVerify (string: "false") - When set to true, skips verification of the Vault server certificate. Setting this to true is not recommended for production.

  • vaultCACertPath (string: "") - The path on disk where the Vault CA certificate can be found when verifying the Vault server certificate.

  • vaultCADirectory (string: "") - The directory on disk where the Vault CA certificate can be found when verifying the Vault server certificate.

  • vaultTLSClientCertPath (string: "") - The path on disk where the client certificate can be found for mTLS communications with Vault.

  • vaultTLSClientKeyPath (string: "") - The path on disk where the client key can be found for mTLS communications with Vault.

  • vaultTLSServerName (string: "") - The name to use as the SNI host when connecting via TLS.

  • vaultKubernetesMountPath (string: "kubernetes") - The name of the auth mount used for login. At this time only the Kubernetes auth method is supported.

  • audience (string: "") - Specifies a custom audience for the requesting pod's service account token, generated using the TokenRequest API. The resulting token is used to authenticate to Vault, so if you specify an audience for your Kubernetes auth role, it must match the audience specified here. If not set, the token audiences will default to the Kubernetes cluster's default API audiences.

  • objects (array) - An array of secrets to retrieve from Vault.

    • objectName (string: "") - The alias of the object which can be referenced within the secret provider class and the name of the secret file.

    • method (string: "GET") - The type of HTTP request. Supported values include "GET" and "PUT".

    • secretPath (string: "") - The path in Vault where the secret is located. For secrets that are retrieved via HTTP GET method, the secretPath can include optional URI parameters, for example, the version of the KV2 secret:

      objects: |
  - objectName: "app-secret"
    secretPath: "secret/data/test?version=1"
    secretKey: "password"

      objects: |
  - objectName: "app-secret"
    secretPath: "secret/data/test?version=1"
    secretKey: "password"

    • secretKey (string: "") - The key in the Vault secret to extract. If omitted, the whole response from Vault will be written as JSON.

    • filePermission (integer: 0o644) - The file permissions to set for this secret's file.

    • secretArgs (map: {}) - Additional arguments to be sent to Vault for a specific secret. Arguments can vary for different secret engines. For example:

      secretArgs:
  common_name: 'test.example.com'
  ttl: '24h'

      secretArgs:
  common_name: 'test.example.com'
  ttl: '24h'

      secretArgs are sent as part of the HTTP request body. Therefore, they are only effective for HTTP PUT/POST requests, for instance, the request used to generate a new certificate. To supply additional parameters for secrets retrieved via HTTP GET, include optional URI paramters in secretPath.