Command line arguments

The following command line arguments are supported by the OpenBao CSI provider. Most settings support being set by, in ascending order of precedence:

  • Environment variables
  • Command line arguments
  • Secret Provider Class parameters

If installing via the helm chart, they can be set using e.g. --set "csi.extraArgs={-debug=true}".

  • -cache-size (int: 1000) - Set the maximum number of OpenBao tokens that will be cached in-memory. One OpenBao token will be stored for each pod on the same node that mounts secrets. Setting to 0 will disable the cache and force each volume mount request to reauthenticate to OpenBao.

  • -debug (bool: false) - Set to true to enable debug level logging.

  • -endpoint (string: "/tmp/openbao.sock") - Path to unix socket on which the provider will listen for gRPC calls from the driver.

  • -health-addr (string: ":8080") - The address of the HTTP listener for reporting health.

  • -hmac-secret-name (string: "openbao-csi-provider-hmac-key") - Configure the Kubernetes secret name that the provider creates to store an HMAC key for generating secret version hashes.

  • -openbao-addr (string: "https://127.0.0.1:8200") - Default address for connecting to OpenBao. Can also be specified via the OPENBAO_ADDR environment variable. Note: It is highly recommended to only set the OpenBao address when installing the helm chart. The helm chart will install OpenBao Agent as a sidecar to the OpenBao CSI Provider for caching and renewals, but setting -openbao-addr here will cause the OpenBao CSI Provider to bypass the Agent's cache.

  • -openbao-mount (string: "kubernetes") - Default OpenBao mount path for Kubernetes authentication. Can be overridden per Secret Provider Class object.

  • -openbao-namespace (string: "") - (v1.1.0+) Default OpenBao namespace for OpenBao requests. Can also be specified via the OPENBAO_NAMESPACE environment variable.

  • -openbao-tls-ca-cert (string: "") - (v1.1.0+) Path on disk to a single PEM-encoded CA certificate to trust for OpenBao. Takes precedence over -openbao-tls-ca-directory. Can also be specified via the OPENBAO_CACERT environment variable.

  • -openbao-tls-ca-directory (string: "") - (v1.1.0+) Path on disk to a directory of PEM-encoded CA certificates to trust for OpenBao. Can also be specified via the OPENBAO_CAPATH environment variable.

  • -openbao-tls-server-name (string: "") - (v1.1.0+) Name to use as the SNI host when connecting to OpenBao via TLS. Can also be specified via the OPENBAO_TLS_SERVER_NAME environment variable.

  • -openbao-tls-client-cert (string: "") - (v1.1.0+) Path on disk to a PEM-encoded client certificate for mTLS communication with OpenBao. If set, also requires -openbao-tls-client-key. Can also be specified via the OPENBAO_CLIENT_CERT environment variable.

  • -openbao-tls-client-key (string: "") - (v1.1.0+) Path on disk to a PEM-encoded client key for mTLS communication with OpenBao. If set, also requires -openbao-tls-client-cert. Can also be specified via the OPENBAO_CLIENT_KEY environment variable.

  • -openbao-tls-skip-verify (bool: false) - (v1.1.0+) Disable verification of TLS certificates. Can also be specified via the OPENBAO_SKIP_VERIFY environment variable.

  • -version (bool: false) - Print version information and exit.

Secret provider class parameters

The following parameters are supported by the OpenBao provider. Each parameter is an entry under spec.parameters in a SecretProviderClass object. The full structure is illustrated in the examples.

  • roleName (string: "") - Name of the role to be used during login with OpenBao.

  • openbaoAddress (string: "") - The address of the OpenBao server. Note: It is highly recommended to only set the OpenBao address when installing the helm chart. The helm chart will install OpenBao Agent as a sidecar to the OpenBao CSI Provider for caching and renewals, but setting openbaoAddress here will cause the OpenBao CSI Provider to bypass the Agent's cache.

  • openbaoSkipTLSVerify (string: "false") - When set to true, skips verification of the OpenBao server certificate. Setting this to true is not recommended for production.

  • openbaoCACertPath (string: "") - The path on disk where the OpenBao CA certificate can be found when verifying the OpenBao server certificate.

  • openbaoCADirectory (string: "") - The directory on disk where the OpenBao CA certificate can be found when verifying the OpenBao server certificate.

  • openbaoTLSClientCertPath (string: "") - The path on disk where the client certificate can be found for mTLS communications with OpenBao.

  • openbaoTLSClientKeyPath (string: "") - The path on disk where the client key can be found for mTLS communications with OpenBao.

  • openbaoTLSServerName (string: "") - The name to use as the SNI host when connecting via TLS.

  • openbaoAuthMountPath (string: "kubernetes") - The name of the auth mount used for login. Can be a Kubernetes or JWT auth mount. Mutually exclusive with openbaoKubernetesMountPath.

  • openbaoKubernetesMountPath (string: "kubernetes") - The name of the auth mount used for login. Can be a Kubernetes or JWT auth mount. Mutually exclusive with openbaoAuthMountPath.

  • audience (string: "") - Specifies a custom audience for the requesting pod's service account token, generated using the TokenRequest API. The resulting token is used to authenticate to OpenBao, so if you specify an audience for your Kubernetes auth role, it must match the audience specified here. If not set, the token audiences will default to the Kubernetes cluster's default API audiences.

  • objects (array) - An array of secrets to retrieve from OpenBao.

    • objectName (string: "") - The alias of the object which can be referenced within the secret provider class and the name of the secret file.

    • method (string: "GET") - The type of HTTP request. Supported values include "GET" and "PUT".

    • secretPath (string: "") - The path in OpenBao where the secret is located. For secrets that are retrieved via HTTP GET method, the secretPath can include optional URI parameters, for example, the version of the KV2 secret:

      objects: |
        - objectName: "app-secret"
          secretPath: "secret/data/test?version=1"
          secretKey: "password"

    • secretKey (string: "") - The key in the OpenBao secret to extract. If omitted, the whole response from OpenBao will be written as JSON.

    • filePermission (integer: 0o644) - The file permissions to set for this secret's file.

    • encoding (string: "utf-8") - The encoding of the secret value. Supports decoding utf-8 (default), hex, and base64 values.

    • secretArgs (map: {}) - Additional arguments to be sent to OpenBao for a specific secret. Arguments can vary for different secret engines. For example:

      secretArgs:
        common_name: 'test.example.com'
        ttl: '24h'

secretArgs are sent as part of the HTTP request body. Therefore, they are only effective for HTTP PUT/POST requests, for instance, the request used to generate a new certificate. To supply additional parameters for secrets retrieved via HTTP GET, include optional URI parameters in secretPath.
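A complete SecretProviderClass that puts the parameters above together, added here as an illustration rather than taken from the OpenBao project's own examples. It shows a GET of a pinned KV v2 version, a PUT to a PKI issue endpoint driven by secretArgs, and a base64-encoded value decoded on write. The resource names, namespace, role name, CA path, PKI mount and secret paths are assumptions; the provider name "openbao" is inferred from the socket name on this page.

```yaml
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: openbao-app-secrets          # assumed name
  namespace: app                     # assumed namespace
spec:
  provider: openbao                  # inferred from /tmp/openbao.sock
  parameters:
    roleName: "app-role"             # assumed Kubernetes auth role
    openbaoAuthMountPath: "kubernetes"   # the default, shown explicitly
    audience: "openbao"              # assumed; must match the auth role's audience
    openbaoCACertPath: "/etc/openbao/ca.crt"   # assumed path, mounted in the provider pod
    objects: |
      # GET (default method): pin KV v2 version 2 via a URI parameter,
      # write only the "password" key, owner-readable file
      - objectName: "app-password"
        secretPath: "secret/data/app/config?version=2"
        secretKey: "password"
        filePermission: 0o600

      # PUT: secretArgs form the request body, here issuing a certificate
      # from an assumed PKI mount; only the "certificate" field is written
      - objectName: "app-tls-cert"
        method: "PUT"
        secretPath: "pki/issue/app"
        secretKey: "certificate"
        secretArgs:
          common_name: "app.example.com"
          ttl: "24h"

      # GET a base64-stored binary value; the provider decodes it before writing
      - objectName: "app-keystore"
        secretPath: "secret/data/app/keystore"
        secretKey: "jks"
        encoding: "base64"
```

Because openbaoAddress is omitted, requests go through the OpenBao Agent sidecar installed by the helm chart rather than bypassing its cache.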