Kubernetes Secrets for Secure AI API Key Storage

Question

Pulumi · Accepted Answer

To securely store API keys for your AI applications within a Kubernetes cluster, you can use Kubernetes secrets. These secrets provide a mechanism to hold sensitive information, such as passwords, OAuth tokens, and ssh keys, avoiding the need to store them in your application code.

Here's how you can create a Kubernetes Secret using Pulumi and the Kubernetes SDK:

1. **Define the Secret**: Kubernetes secrets are represented as dictionaries where the keys are the secret names, and the values are the secrets, base64 encoded. 
2. **Create a Secret Resource**: You will define a Secret resource for Kubernetes using the `pulumi_kubernetes.core.v1.Secret` class.
3. **Use the Secret in Your Application**: After creating the secret, you can reference it in your Kubernetes Pod or any other resource that needs to use these secrets.

Below is a Pulumi program in Python which demonstrates this process:

```python
import pulumi
import pulumi_kubernetes as kubernetes

# Step 1: Define your secret data here. You would typically get this from a safe place like a Pulumi config or environment variable.
ai_api_key = "your-ai-service-api-key"

# Convert it to a base-64 encoded string, as required by Kubernetes secrets
encoded_api_key = ai_api_key.encode('utf-8').hex()

# Step 2: Define the Kubernetes Secret resource.
secret = kubernetes.core.v1.Secret(
    "ai-api-key-secret",
    metadata={"name": "ai-api-key"},
    # Secrets are typically provided as base64 encoded strings.
    # However, Pulumi automatically encodes the stringData entries for you,
    # so you can pass them as plain text.
    string_data={
        "api_key": ai_api_key
    }
)

# pulumi.export to export the name of the secret. Not the actual secret!
pulumi.export('secret_name', secret.metadata['name'])
```

In this program:

- We import the required Pulumi and Kubernetes modules.
- We define an API key. In a real-world scenario, you should secure this key outside of your version control, for instance using Pulumi Config secrets, environment variables, or a secret manager.
- We then create a Kubernetes `Secret` resource, by providing a name and the data that constitutes the secret—the API key in this case. Note that while we put a plain API key in the `string_data` of the secret, Pulumi handles the proper base64 encoding for you.
- Finally, we use `pulumi.export` to output the name of the secret after it's been created, which you can use to reference in your Kubernetes workloads. Make sure never to export the sensitive data itself.

Remember, you would need to have `kubectl` configured to point to your Kubernetes cluster for Pulumi to interact with it.

To use this secret within your Kubernetes workloads (like a Pod), you'll reference the secret name `ai-api-key` and the key `api_key` that has been set in the secret's data.

Please let me know if you would like an example of how to reference and use this secret within a Kubernetes Pod definition or any other Kubernetes object.