docs: Update CSI Provider command line arguments #15810

Merged
merged 1 commit into from
Jun 7, 2022
56 changes: 43 additions & 13 deletions website/content/docs/platform/k8s/csi/configurations.mdx
Expand Up @@ -7,6 +7,12 @@ description: This section documents the configurables for the Vault CSI Provider
# Command line arguments

The following command line arguments are supported by the Vault CSI provider.
Most settings support being set by, in ascending order of precedence:

- Environment variables
- Command line arguments
- Secret Provider Class parameters

If installing via the helm chart, they can be set using e.g.
`--set "csi.extraArgs={-debug=true}"`.
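Review bot: "Most settings" in the new precedence paragraph leaves the reader guessing which flags do not follow the environment variable, command line argument, Secret Provider Class chain. Either name the exceptions or state that each flag's entry lists the sources it accepts. "In ascending order of precedence" is also easy to misread; adding "(later entries override earlier ones)" would make it explicit that a Secret Provider Class parameter wins over a command line argument.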

Expand All @@ -18,28 +24,52 @@ If installing via the helm chart, they can be set using e.g.
- `-health-addr` `(string: ":8080")` - (v0.3.0+) The address of the HTTP listener
for reporting health.

- `-health_addr` `(string: "")` - Deprecated, please use -health-addr. Slated
for removal in 0.5.0.

- `-vault-addr` `(string: "https://127.0.0.1:8200")` - (v0.3.0+) Default address
for connecting to Vault. Can be overridden per Secret Provider Class object.
for connecting to Vault. Can also be specified via the `VAULT_ADDR` environment
variable.

- `-vault-mount` `(string: "kubernetes")` - (v0.3.0+) Default Vault mount path
for Kubernetes authentication. Can be overridden per Secret Provider Class
object.

- `-version` `(bool: false)` - prints the version information
- `-vault-namespace` `(string: "")` - (v1.1.0+) Default Vault namespace for Vault
requests. Can also be specified via the `VAULT_NAMESPACE` environment variable.

- `-vault-tls-ca-cert` `(string: "")` - (v1.1.0+) Path on disk to a single
PEM-encoded CA certificate to trust for Vault. Takes precendence over
`-vault-tls-ca-directory`. Can also be specified via the `VAULT_CACERT`
environment variable.

- `-vault-tls-ca-directory` `(string: "")` - (v1.1.0+) Path on disk to a
directory of PEM-encoded CA certificates to trust for Vault. Can also be
specified via the `VAULT_CAPATH` environment variable.

- `-vault-tls-server-name` `(string: "")` - (v1.1.0+) Name to use as the SNI
host when connecting to Vault via TLS. Can also be specified via the
`VAULT_TLS_SERVER_NAME` environment variable.

- `-vault-tls-client-cert` `(string: "")` - (v1.1.0+) Path on disk to a
PEM-encoded client certificate for mTLS communication with Vault. If set,
also requires `-vault-tls-client-key`. Can also be specified via the
`VAULT_CLIENT_CERT` environment variable.

- `-vault-tls-client-key` `(string: "")` - (v1.1.0+) Path on disk to a
PEM-encoded client key for mTLS communication with Vault. If set, also
requires `-vault-tls-client-cert`. Can also be specified via the
`VAULT_CLIENT_KEY` environment variable.

- `-vault-tls-skip-verify` `(bool: false)` - (v1.1.0+) Disable verification of
TLS certificates. Can also be specified via the `VAULT_SKIP_VERIFY` environment
variable.

- `-write-secrets` `(bool: true)` - (v0.3.0+) Write secrets directly to
filesystem (true), or send secrets to CSI driver in gRPC response (false).
Setting to false requires Secrets Store CSI Driver v0.0.21+. This flag will
default to false from v0.4.0, and setting it to false will be required when
using Secrets Store CSI Driver v0.0.24+.
- `-version` `(bool: false)` - print version information and exit.


# Secret Provider Class Configurations
# Secret Provider Class Parameters

The following parameters are supported by the Vault provider:
The following parameters are supported by the Vault provider. Each parameter is
an entry under `spec.parameters` in a SecretProviderClass object. The full
structure is illustrated in the [examples](/docs/platform/k8s/csi/examples).

- `roleName` `(string: "")` - Name of the role to be used during login with Vault.
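Review bot: The `-vault-tls-skip-verify` entry documents the flag without saying what disabling verification costs. Suggest adding a sentence that, with it set, the provider cannot authenticate the Vault server it connects to, so it belongs in testing only, and pointing readers to `-vault-tls-ca-cert` or `-vault-tls-ca-directory` for trusting a private CA. In the `-vault-tls-ca-cert` entry, "precendence" should be "precedence". The `-vault-addr` entry shows both "Can be overridden per Secret Provider Class object" and the new `VAULT_ADDR` sentence; if the per-object override still applies, keep that statement next to the environment variable note, as the `-vault-mount` entry still has it.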

Expand Down Expand Up @@ -98,4 +128,4 @@ The following parameters are supported by the Vault provider:

~> `secretArgs` are sent as part of the HTTP request body. Therefore, they are only effective for HTTP PUT/POST requests, for instance,
the [request used to generate a new certificate](https://www.vaultproject.io/api-docs/secret/pki#generate-certificate).
To supply additional parameters for secrets retrieved via HTTP GET, include optional URI paramters in [`secretPath`](#secretpath).
To supply additional parameters for secrets retrieved via HTTP GET, include optional URI paramters in [`secretPath`](#secretpath).
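Review bot: The last line of the `secretArgs` note is touched here but still reads "optional URI paramters"; please correct it to "parameters" while the line is being changed. The two versions shown are identical in wording, so the change looks like whitespace or an end-of-file newline only, which is worth confirming as intended.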
2 changes: 1 addition & 1 deletion website/content/docs/platform/k8s/helm/configuration.mdx
Expand Up @@ -1016,4 +1016,4 @@ and consider if they're appropriate for your deployment.

- `debug` (`bool: false`) - When set to true, enables debug logging on the Vault CSI Provider daemonset.

- `extraArgs` (`string: array`) - The extra arguments to be applied to the CSI pod startup command.
- `extraArgs` (`string: array`) - The extra arguments to be applied to the CSI pod startup command. See [here](/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags.
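Review bot: The link text "here" on the `extraArgs` line gives no indication of the target and reads poorly out of context. Suggest something like "See the [CSI Provider command line arguments](/docs/platform/k8s/csi/configurations#command-line-arguments) for available flags." The `#command-line-arguments` anchor depends on the "Command line arguments" heading in configurations.mdx keeping its current wording, so a rename there would silently break this link.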