Create a Kubernetes Secret for VAST CSI Driver

  • Updated on Jan 30, 2026
  • Published on Jan 26, 2026
  • 5 minute(s) read
Prev Next

Create a Kubernetes secret to keep VMS user credentials or authentication token that VAST CSI Driver uses to communicate with the VAST cluster. You need to supply the name of the secret when creating the driver's Helm chart configuration file.

The Kubernetes secret can also specify the VAST cluster on which you want to provision volumes for a particular storage class or snapshot class.

Create a Kubernetes Secret to Provision Storage on Multiple VAST Clusters

Use this procedure to create one or more Kubernetes secrets that can be specified individually per storage class or snapshot class. Each of these Kubernetes secrets specifies the VAST cluster to connect to and the VMS user credentials or an authentication token, enabling you to provision volumes on multiple VAST clusters or using multiple VMS users on the same VAST cluster.

Tip

This type of secret can be used not only when there are multiple VAST clusters, but also anytime when the secretName and secretNamespace parameters in the Helm chart configuration file (values.yaml) are specified within a storage class or under StorageClassDefaults.

Do either of the following:

Create a Secret with a VMS Authentication Token

Note

VMS authentication tokens are supported with VAST Cluster 5.3 or later.

To create a Kubernetes secret with the VMS user's authentication token:

  1. Create a YAML file with the following content:

    apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
type: Opaque
data:
  endpoint: <VAST cluster hostname>
  tenant: <VAST tenant name>
  token: <VMS user's token>
  sslCert: <path to SSL certificate>

    Where:

    • (Required) name is the name of the Kubernetes secret.

    • (Required) endpoint sets the hostname FQDN or IP address of the VMS URL of the VAST cluster where you want to provision block volumes.

    • (Optional) tenant lets you connect to a particular VAST cluster tenant. Supplying a tenant requires that the VMS user has a user type of Tenant Admin for the specified tenant (in VAST Web UI: Administrators -> Managers -> open manager details -> User type: Tenant Admin).

      Note

      The tenant parameter is supported starting with VAST CSI Driver 2.6.3.

    • (Required) token is the VMS authentication token of the VMS user to connect to the VAST cluster. The token must be Base64-encoded.

    • (Optional) sslCert is only required if you are using SSL encryption with a self-signed SSL certificate. It specifies the path to the SSL certificate.

  2. Apply the YAML file:

    kubectl apply -f <path to the YAML file>

    Note

    If you are creating the secret in a namespace that is different from the namespace used to install the driver's Helm chart, specify the secret's namespace on the command: -n <secret's namespace>.

Alternatively, you can create a secret with the following command:

kubectl create secret generic <secret name> \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='<VAST tenant name>' \
    --from-literal=token='<VMS user token>' \
    --from-file=ssl_cert='<path to SSL certificate>' \
    -n <secret's namespace>

For example:

kubectl create secret generic vast-mgmt \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='Operations' \
    --from-literal=token='xxxxxxxxxххххххххххххххххххххххххххххххх' \
    --from-file=ssl_cert='VastCerts/RootCA.crt' \
    -n secret_namespace

Create a Secret with VMS User Credentials

To create a Kubernetes secret with VMS user credentials:

  1. Create a YAML file with the following content:

    apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
type: Opaque
data:
  endpoint: <VAST cluster hostname>
  tenant: <VAST tenant name>
  username: <VMS user's username>
  password: <VMS user's password>
  sslCert: <path to SSL certificate>

    Where:

    • (Required) name is the name of the Kubernetes secret.

    • (Required) endpoint sets the hostname FQDN or IP address of the VMS URL of the VAST cluster where you want to provision block volumes.

    • (Optional) tenant lets you connect to a particular VAST cluster tenant. Supplying a tenant requires that the VMS user has a user type of Tenant Admin for the specified tenant (in VAST Web UI: Administrators -> Managers -> open manager details -> User type: Tenant Admin).

      Note

      The tenant parameter is supported starting with VAST CSI Driver 2.6.3.

    • (Required) username is the username of the VMS user to connect to the VAST cluster.  The username must be Base64-encoded.

    • (Required) password is the password for the VMS user connecting to the VAST cluster. The password must be Base64-encoded.

    • (Optional) sslCert is only required if you are using  SSL encryption with a self-signed SSL certificate. It specifies the path to the SSL certificate.

  2. Apply the YAML file:

    kubectl apply -f <path to the YAML file>

    Note

    If you are creating the secret in a namespace that is different from the namespace used to install the driver's Helm chart, specify the secret's namespace on the command: -n <secret's namespace>.

Alternatively, you can create a secret with the following command:

kubectl create secret generic <secret name> \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='<VAST tenant name>' \
    --from-literal=username='<VMS user's username>' \
    --from-literal=password='<VMS user's password>' \
    --from-file=ssl_cert='<path to SSL certificate>' \
    -n <secret's namespace>

For example:

kubectl create secret generic vast-mgmt \
    --from-literal=endpoint='vms.example.com' \
    --from-literal=tenant='Operations' \
    --from-literal=username='user1' \
    --from-literal=password='xxxxxxxxx' \
    --from-file=ssl_cert='VastCerts/RootCA.crt' \
    -n secret_namespace

Create a Kubernetes Secret to Provision Storage on a Single VAST Cluster

Use this procedure to create a single Kubernetes secret that contains VMS user credentials to connect to a single VAST cluster. The Kubernetes secret will be used for all storage classes and snapshot classes defined in the VAST CSI Driver Helm chart configuration file. The VAST cluster to connect is specified on the endpoint parameter in the configuration file.

To create a Kubernetes secret that will be used to provision storage on a single VAST cluster:

  1. Create a YAML file with the following content. Note that the VMS user's username and password must be Base64-encoded.

    apiVersion: v1
kind: Secret
metadata:
  name: <secret name>
type: Opaque
data:
  username: <VMS user's username>
  password: <VMS user's password>
  tenant: <VAST tenant name>

  2. Apply the YAML file:

    kubectl apply -f <path to the YAML file>

Alternatively, you can create a secret with the following command:

kubectl create secret generic <secret name> \
    --from-literal=username='<VMS user's username>' \
    --from-literal=password='<VMS user's password>' \
    --from-literal=tenant='<VAST tenant name>'

Note

If you are creating the secret in a Kubernetes namespace that is different from the namespace used to install the VAST CSI Driver Helm chart, specify the secret's namespace on the command: -n <secret's namespace>.

Related articles