apiVersion: v1 kind: ServiceAccount metadata: namespace: csi-secrets-store name: vault-csi-provider namespace: csi --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: namespace: csi-secrets-store name: vault-csi-provider-clusterrole rules: - apiGroups: - "" resources: - serviceaccounts/token verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: namespace: csi-secrets-store name: vault-csi-provider-clusterrolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: vault-csi-provider-clusterrole subjects: - kind: ServiceAccount name: vault-csi-provider namespace: csi --- apiVersion: apps/v1 kind: DaemonSet metadata: namespace: csi-secrets-store labels: app: vault-csi-provider name: vault-csi-provider namespace: csi spec: updateStrategy: type: RollingUpdate selector: matchLabels: app: vault-csi-provider template: metadata: labels: app: vault-csi-provider spec: serviceAccountName: vault-csi-provider tolerations: containers: - name: provider-vault-installer image: hashicorp/vault-csi-provider:0.1.0 imagePullPolicy: Always args: - --endpoint=/provider/vault.sock - --debug=false resources: requests: cpu: 50m memory: 100Mi limits: cpu: 50m memory: 100Mi volumeMounts: - name: providervol mountPath: "/provider" - name: mountpoint-dir mountPath: /var/lib/kubelet/pods mountPropagation: HostToContainer livenessProbe: httpGet: path: "/health/ready" port: 8080 scheme: "HTTP" failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 readinessProbe: httpGet: path: "/health/ready" port: 8080 scheme: "HTTP" failureThreshold: 2 initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 volumes: - name: providervol hostPath: path: "/etc/kubernetes/secrets-store-csi-providers" - name: mountpoint-dir hostPath: path: /var/lib/kubelet/pods nodeSelector: beta.kubernetes.io/os: linux