The following Secret Provider Class retrieves your database password credential from Vault and extracts the password. The secrets are then synced to Kubernetes secrets so that they can be mounted as environment variables in the containers. You did not provide Vault names/keys/paths in the question, and so you need to update the below according to your name usage.
```yaml
---
apiVersion: secrets-store.csi.x-k8s.io/v1alpha1
kind: SecretProviderClass
metadata:
  name: vault-database
spec:
  provider: vault
  secretObjects:
  - secretName: vault-db-password
    type: Opaque
    data:
    - objectName: vaultDBPassword
      key: password
  parameters:
    roleName: <vault role>
    objects: |
      - objectName: vaultDBPassword
        secretPath: <vault secret path>
        secretKey: <vault secret key>
```
You can then utilize the secrets as environment variables in your Deployment as per usual (below manifest abbreviated for relevant content):
```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: vault-db-password
              key: password
        volumeMounts:
        - name: 'secrets-store-inline'
          mountPath: '/mnt/secrets-store'
          readOnly: true
      volumes:
      - name: secrets-store-inline
        csi:
          driver: 'secrets-store.csi.k8s.io'
          readOnly: true
          volumeAttributes:
            secretProviderClass: 'vault-database'
```
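A sanity check for the wiring between the two manifests above, added here as an example and not part of the original answer: it assumes the manifests have been loaded with a YAML parser into Python dicts (embedded below as constructed copies of the ones above) and flags the cross-reference mismatches that leave `DB_PASSWORD` unset, such as an `objectName` that differs between `secretObjects` and `parameters.objects`, or a Deployment that never mounts the class so the Secret is never synced.

```python
def parse_objects(block):
    """Parse the Vault provider's `parameters.objects` string (a YAML list of flat
    `key: value` maps) without a YAML library; assumption: the list is never nested."""
    items = []
    for line in (ln.strip() for ln in block.splitlines() if ln.strip()):
        if line.startswith("- "):
            items.append({})
            line = line[2:]
        key, _, value = line.partition(":")
        items[-1][key.strip()] = value.strip()
    return items


def check_wiring(spc, deployment):
    """Return the cross-reference mismatches between a SecretProviderClass and the
    Deployment that consumes it; an empty list means the wiring lines up."""
    problems = []
    defined = {o.get("objectName") for o in parse_objects(spc["spec"]["parameters"]["objects"])}
    synced = {}  # Kubernetes Secret name -> keys the CSI driver will write into it
    for so in spc["spec"].get("secretObjects", []):
        for d in so["data"]:
            if d["objectName"] not in defined:
                problems.append(f"secretObjects uses undefined objectName {d['objectName']!r}")
            synced.setdefault(so["secretName"], set()).add(d["key"])
    pod = deployment["spec"]["template"]["spec"]
    mounted = {v["csi"]["volumeAttributes"]["secretProviderClass"]
               for v in pod.get("volumes", []) if "csi" in v}
    if spc["metadata"]["name"] not in mounted:  # sync only happens while a pod mounts the volume
        problems.append(f"no CSI volume references class {spc['metadata']['name']!r}")
    for c in pod["containers"]:
        for e in c.get("env", []):
            ref = e.get("valueFrom", {}).get("secretKeyRef")
            if ref and ref["key"] not in synced.get(ref["name"], set()):
                problems.append(f"env {e['name']} reads {ref['name']}/{ref['key']}, not synced by the class")
    return problems


# Constructed inputs mirroring the answer's two manifests, as yaml.safe_load would load them.
SPC = {"metadata": {"name": "vault-database"}, "spec": {
    "provider": "vault",
    "secretObjects": [{"secretName": "vault-db-password", "type": "Opaque",
                       "data": [{"objectName": "vaultDBPassword", "key": "password"}]}],
    "parameters": {"roleName": "<vault role>", "objects":
                   "- objectName: vaultDBPassword\n  secretPath: <vault secret path>\n  secretKey: <vault secret key>\n"}}}
DEPLOYMENT = {"spec": {"template": {"spec": {
    "containers": [{"env": [{"name": "DB_PASSWORD", "valueFrom": {
        "secretKeyRef": {"name": "vault-db-password", "key": "password"}}}]}],
    "volumes": [{"name": "secrets-store-inline", "csi": {
        "driver": "secrets-store.csi.k8s.io", "readOnly": True,
        "volumeAttributes": {"secretProviderClass": "vault-database"}}}]}}}}
```

`check_wiring(SPC, DEPLOYMENT)` returns an empty list for the manifests as written; change the `secretKeyRef` key or drop the CSI volume and it names the broken reference.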