Installing the OpenBao CSI provider
Prerequisites
- Kubernetes 1.16+ for both the master and worker nodes (Linux-only)
- Secrets store CSI driver installed
TokenRequestendpoint available, which requires setting the flags--service-account-signing-key-fileand--service-account-issuerforkube-apiserver. Set by default from 1.20+ and earlier in most managed services.
Installation using helm
The OpenBao Helm chart is the recommended way to install and configure the OpenBao CSI Provider in Kubernetes.
To install a new instance of OpenBao and the OpenBao CSI Provider, first add the OpenBao helm repository and ensure you have access to the chart:
Note: OpenBao CSI Provider Helm installation requires OpenBao Helm 0.10.0+.
$ helm repo add openbao https://openbao.github.io/openbao-helm
"openbao" has been added to your repositories
$ helm search repo openbao/openbao
NAME CHART VERSION APP VERSION DESCRIPTION
openbao/openbao 0.4.0 v2.0.0-alpha20240329 Official OpenBao Chart
Then install the chart and enable the CSI feature by setting the
csi.enabled value to true:
Note: this will also install the OpenBao server and Agent Injector.
$ helm install openbao openbao/openbao --set="csi.enabled=true"
Upgrades may be performed with helm upgrade on an existing installation. Please
always run Helm with --dry-run before any install or upgrade to verify
changes.
You can see all the available values settings by running helm inspect values openbao/openbao or by reading the OpenBao Helm Configuration
Docs. Commonly used values in the Helm
chart include limiting the namespaces the OpenBao CSI Provider runs in, TLS options and
more.