Cloudzero · evan-cz · Apr 15, 2026 · May 15, 2026
@@ -150,7 +150,7 @@ Below is a summary of these settings and how they are used:
 | cloudAccountId     | string | `nil`                 | Account ID in AWS, subscription ID in Azure, or project number in GCP. Auto-detected via IMDS when available; required if IMDS is blocked.           |
 | clusterName        | string | `nil`                 | Name of the cluster (RFC 1123). Mandatory on EKS and AKS; auto-detected on GKE; required on any provider if IMDS is blocked.                         |
 | host               | string | `"api.cloudzero.com"` | CloudZero host to send metrics to. Override only for non-production or custom environments.                                                          |
-| apiKey             | string | `nil`                 | CloudZero API key used for exporting metrics. Required unless `existingSecretName` is set.                                                           |
+| apiKey             | string | `nil`                 | CloudZero API key used for exporting metrics. Required unless `existingSecretName` or `components.apiKey` is configured.                             |
 | existingSecretName | string | `nil`                 | Name of the Secret that contains the CloudZero API key. Required when not providing the API key via `apiKey`.                                        |
 | region             | string | `nil`                 | Cloud provider region (e.g., `us-east-1`, `eastus`). Auto-detected via IMDS; required if IMDS is blocked or you want to override the detected value. |
 
@@ -255,6 +255,22 @@ kubectl create secret -n example-namespace generic example-secret-name --from-li
 
 The secret can then be used with `existingSecretName`.
 
+#### CSI-based Secret Delivery
+
+For environments using the [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/), you can mount the API key directly from an external vault (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, etc.) without creating a Kubernetes Secret object.
+
+1. Install the Secrets Store CSI Driver and the appropriate cloud provider plugin on your cluster.
+2. Create a `SecretProviderClass` in the same namespace as the CloudZero Agent that fetches your API key and produces a file matching `serverConfig.containerSecretFileName` (default: `value`).
+3. Reference it in your values:
+
+```yaml
+components:
+  apiKey:
+    secretProviderClass: "your-secret-provider-class-name"
+```
+
+When `components.apiKey.secretProviderClass` is set and both `apiKey` and `existingSecretName` are null, the chart mounts the API key via the CSI driver. The top-level `apiKey` and `existingSecretName` properties take priority when set.
+
 ### Update Helm Chart
 
 If you are updating an existing installation, pull the latest chart information:

@@ -53,6 +53,23 @@ Returns: string (e.g., "my-release-api-key" or custom existing secret name)
 {{ .Values.existingSecretName | default (printf "%s-api-key" .Release.Name) }}
 {{- end}}
 
+{{/*
+Determine the API key provisioning mode.
+
+Returns one of: "inline", "secret", "csi", "none"
+*/}}
+{{- define "cloudzero-agent.apiKey.mode" -}}
+{{- if .Values.apiKey -}}
+  {{- print "inline" -}}
+{{- else if .Values.existingSecretName -}}
+  {{- print "secret" -}}
+{{- else if and .Values.components .Values.components.apiKey .Values.components.apiKey.secretProviderClass -}}
+  {{- print "csi" -}}
+{{- else -}}
+  {{- print "none" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Define the path and filename on the container filesystem which holds the CloudZero API key.
 
@@ -772,17 +789,41 @@ Name for the secret holding TLS certificates
 {{- end }}
 
 {{/*
-Volume mount for the API key
+Volume mount for the API key.
+Renders for inline, secret, and csi modes. No output for "none".
 */}}
 {{- define "cloudzero-agent.apiKeyVolumeMount" -}}
-{{- if or .Values.existingSecretName .Values.apiKey -}}
+{{- $mode := include "cloudzero-agent.apiKey.mode" . -}}
+{{- if ne $mode "none" -}}
 - name: cloudzero-api-key
   mountPath: {{ .Values.serverConfig.containerSecretFilePath }}
   subPath: ""
   readOnly: true
 {{- end }}
 {{- end }}
 
+{{/*
+Volume definition for the API key.
+- inline/secret: Kubernetes Secret volume
+- csi: Secrets Store CSI Driver volume
+- none: no output
+*/}}
+{{- define "cloudzero-agent.apiKeyVolume" -}}
+{{- $mode := include "cloudzero-agent.apiKey.mode" . -}}
+{{- if or (eq $mode "inline") (eq $mode "secret") -}}
+- name: cloudzero-api-key
+  secret:
+    secretName: {{ include "cloudzero-agent.secretName" . }}
+{{- else if eq $mode "csi" -}}
+- name: cloudzero-api-key
+  csi:
+    driver: secrets-store.csi.k8s.io
+    readOnly: true
+    volumeAttributes:
+      secretProviderClass: {{ .Values.components.apiKey.secretProviderClass }}
+{{- end }}
+{{- end }}
+
 {{/*
 Return the URL for the agent and insights controller to send metrics to.
 

@@ -183,7 +183,7 @@ spec:
             - name: cloudzero-agent-storage-volume
               mountPath: /data
               subPath: ""
-            {{- include "cloudzero-agent.apiKeyVolumeMount" . | nindent 12 }}  
+            {{- include "cloudzero-agent.apiKeyVolumeMount" . | nindent 12 }}
       {{- include "cloudzero-agent.generatePodSecurityContext" (mergeOverwrite
           (.Values.defaults.securityContext | default (dict))
           (.Values.components.agent.federatedNode.securityContext | default (dict))
@@ -201,11 +201,7 @@ spec:
             name: {{ .Release.Name }}-daemonset-cm
         - name: processed-config-volume
           emptyDir: {}
-        {{- if or .Values.existingSecretName .Values.apiKey }}
-        - name: cloudzero-api-key
-          secret:
-            secretName: {{ include "cloudzero-agent.secretName" . }}
-        {{- end }}
+        {{- include "cloudzero-agent.apiKeyVolume" . | nindent 8 }}
         - name: cloudzero-agent-storage-volume
           emptyDir:
           {{- if .Values.server.emptyDir.sizeLimit }}

@@ -234,7 +234,7 @@ spec:
             - name: validator-config-volume
               mountPath: /checks/app/config/
             {{- include "cloudzero-agent.apiKeyVolumeMount" . | nindent 12 }}
-        {{- end }}{{/* End Prometheus container */}}
+          {{- end }}{{/* End Prometheus container */}}
         {{- if eq (include "cloudzero-agent.Values.components.agent.mode" .) "clustered" }}
         # CloudZero Alloy container (binary embedded in agent image)
         - name: {{ template "cloudzero-agent.name" . }}-alloy
@@ -315,7 +315,7 @@ spec:
             - name: alloy-tmp
               mountPath: /tmp
             {{- include "cloudzero-agent.apiKeyVolumeMount" . | nindent 12 }}
-        {{- end }}{{/* End Alloy container */}}
+          {{- end }}{{/* End Alloy container */}}
       {{- include "cloudzero-agent.generatePodSecurityContext" (mergeOverwrite
           (.Values.defaults.securityContext | default (dict))
           (.Values.components.agent.securityContext | default (dict))
@@ -343,11 +343,7 @@ spec:
         - name: alloy-tmp
           emptyDir: {}
         {{- end }}
-        {{- if or .Values.existingSecretName .Values.apiKey }}
-        - name: cloudzero-api-key
-          secret:
-            secretName: {{ include "cloudzero-agent.secretName" . }}
-        {{- end }}
+        {{- include "cloudzero-agent.apiKeyVolume" . | nindent 8 }}
         - name: cloudzero-agent-storage-volume
         {{- if .Values.server.persistentVolume.enabled }}
           persistentVolumeClaim:

@@ -186,11 +186,7 @@ spec:
             name: {{ template "cloudzero-agent.validatorConfigMapName" . }}
         - name: lifecycle-volume
           emptyDir: {}
-        {{- if or .Values.existingSecretName .Values.apiKey }}
-        - name: cloudzero-api-key
-          secret:
-            secretName: {{ include "cloudzero-agent.secretName" . }}
-        {{- end }}
+        {{- include "cloudzero-agent.apiKeyVolume" . | nindent 8 }}
         - name: aggregator-config-volume
           configMap:
             name: {{ include "cloudzero-agent.aggregator.name" . }}

@@ -166,18 +166,13 @@ spec:
               volumeMounts:
                 - name: insights-server-config
                   mountPath: {{ include "cloudzero-agent.insightsController.configurationMountPath" $ }}
+                {{- include "cloudzero-agent.apiKeyVolumeMount" $ | nindent 16 }}
               {{- if or $.Values.insightsController.volumeMounts $.Values.insightsController.tls.enabled }}
-              {{- if or $.Values.existingSecretName $.Values.apiKey }}
-                - name: cloudzero-api-key
-                  mountPath: {{ $.Values.serverConfig.containerSecretFilePath }}
-                  subPath: ""
-                  readOnly: true
-              {{- end }}
                 {{- with $.Values.insightsController.volumeMounts }}
                   {{- toYaml . | nindent 16 }}
                 {{- end }}
               {{- end }}
-          {{- if or $.Values.insightsController.volumes $.Values.insightsController.tls.enabled }}
+          {{- if or $.Values.insightsController.volumes $.Values.insightsController.tls.enabled (ne (include "cloudzero-agent.apiKey.mode" $) "none") }}
           volumes:
             - name: insights-server-config
               configMap:
@@ -187,11 +182,7 @@ spec:
               secret:
                 secretName: {{ include "cloudzero-agent.tlsSecretName" $ }}
             {{- end }}
-            {{- if or $.Values.existingSecretName $.Values.apiKey }}
-            - name: cloudzero-api-key
-              secret:
-                secretName: {{ include "cloudzero-agent.secretName" $ }}
-            {{- end }}
+            {{- include "cloudzero-agent.apiKeyVolume" $ | nindent 12 }}
             {{- with $.Values.insightsController.volumes }}
               {{- toYaml . | nindent 12 }}
             {{- end }}

@@ -122,11 +122,7 @@ spec:
         - name: config-aggregator
           configMap:
             name: {{ include "cloudzero-agent.aggregator.name" . }}
-        {{- if or .Values.existingSecretName .Values.apiKey }}
-        - name: cloudzero-api-key
-          secret:
-            secretName: {{ include "cloudzero-agent.secretName" . }}
-        {{- end }}
+        {{- include "cloudzero-agent.apiKeyVolume" . | nindent 8 }}
         {{- with .Values.insightsController.volumes }}
           {{- toYaml . | nindent 8 }}
         {{- end }}

@@ -131,18 +131,13 @@ spec:
           volumeMounts:
             - name: insights-server-config
               mountPath: {{ include "cloudzero-agent.insightsController.configurationMountPath" . }}
+            {{- include "cloudzero-agent.apiKeyVolumeMount" . | nindent 12 }}
           {{- if or .Values.insightsController.volumeMounts .Values.insightsController.tls.enabled }}
             {{- if .Values.insightsController.tls.enabled }}
             - name: tls-certs
               mountPath: {{ .Values.insightsController.tls.mountPath }}
               readOnly: true
             {{- end }}
-          {{- if or .Values.existingSecretName .Values.apiKey }}
-            - name: cloudzero-api-key
-              mountPath: {{ .Values.serverConfig.containerSecretFilePath }}
-              subPath: ""
-              readOnly: true
-          {{- end }}
             {{- with .Values.insightsController.volumeMounts }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -169,7 +164,7 @@ spec:
             successThreshold: {{ .Values.insightsController.server.healthCheck.successThreshold }}
             failureThreshold: {{ .Values.insightsController.server.healthCheck.failureThreshold }}
           {{- end }}
-      {{- if or .Values.insightsController.volumes .Values.insightsController.tls.enabled }}
+      {{- if or .Values.insightsController.volumes .Values.insightsController.tls.enabled (ne (include "cloudzero-agent.apiKey.mode" .) "none") }}
       volumes:
         - name: insights-server-config
           configMap:
@@ -179,11 +174,7 @@ spec:
           secret:
             secretName: {{ include "cloudzero-agent.tlsSecretName" . }}
         {{- end }}
-        {{- if or .Values.existingSecretName .Values.apiKey }}
-        - name: cloudzero-api-key
-          secret:
-            secretName: {{ include "cloudzero-agent.secretName" . }}
-        {{- end }}
+        {{- include "cloudzero-agent.apiKeyVolume" . | nindent 8 }}
         {{- with .Values.insightsController.volumes }}
           {{- toYaml . | nindent 8 }}
         {{- end }}