1. Inject a TLS private key into a pod using Kubernetes Secrets

    TypeScript

    To inject a TLS private key into a Kubernetes Pod, you will create a Kubernetes Secret to safely store the TLS private key and then reference this Secret from within the Pod definition. This technique ensures that sensitive data is managed securely by Kubernetes and only accessible to the Pods that need to access it. Here's how you can achieve it with Pulumi and TypeScript.

    The program will consist of the following steps:

    1. Create a Kubernetes Secret that contains the encoded TLS private key.
    2. Define a Kubernetes Pod that mounts this Secret as a volume or exposes it as an environment variable to the container within the Pod.

    Let's start by creating a new Pulumi program written in TypeScript:

    import * as k8s from "@pulumi/kubernetes"; // The encoded TLS private key data, usually you would load it from a secure location. // Ensure that the private key string is base64-encoded as required by Kubernetes Secrets. const tlsPrivateKeyData = "base64-encoded-private-key"; // Create a Kubernetes Secret resource that contains the TLS private key. const tlsPrivateKeySecret = new k8s.core.v1.Secret("tlsPrivateKeySecret", { // The secret's data field stores the actual secret data - in this case, the TLS private key. // The data needs to be in a key-value format, where the value is base64-encoded. data: { "tls.key": tlsPrivateKeyData, }, // The type of the secret can be set to 'kubernetes.io/tls' for TLS secrets, which can // contain TLS certificates and private keys. Here, we're only storing the private key. type: "Opaque", // Use "kubernetes.io/tls" if you're including the certificate as well. }); // Define the Pod that will use the TLS private key. const appPod = new k8s.core.v1.Pod("appPod", { metadata: { name: "app-pod", }, spec: { containers: [ { name: "app-container", image: "your-app-image:latest", // ... // Additional container configuration (ports, env vars, etc) goes here. // ... volumeMounts: [ { // Mount the secret as a file in the Pod's filesystem. name: "tls-key-volume", readOnly: true, // Recommended to be read-only for secrets. mountPath: "/etc/tls", // The path where the secret will be mounted. }, ], }, ], volumes: [ { // Define a volume that references the Kubernetes Secret by name. name: "tls-key-volume", secret: { secretName: tlsPrivateKeySecret.metadata.name, }, }, ], // ... // Additional Pod configuration (affinity, tolerations, etc) goes here. // ... }, }); // Export the Pod name export const podName = appPod.metadata.name;

    In this program:

    • We import the @pulumi/kubernetes package, which contains the necessary functionality to interact with Kubernetes resources.
    • We create a Secret resource named tlsPrivateKeySecret that includes the TLS private key. Here, you must provide the base64-encoded private key as the value for the "tls.key" key within the data object.
    • We define a Pod named appPod. Inside the pod specification, we add a volumeMounts section to the container definition that specifies where the secret will be mounted within the container, and ensure it's read-only.
    • We define a volumes section within the Pod spec to create a volume tied to the secret. The secret is referenced by name, linking the previously defined Secret resource to the volume.
    • The TLS private key will then be mounted into /etc/tls/tls.key within the container, where your application can use it as needed.
    • Finally, we export the name of the Pod for easy retrieval later.

    After writing and deploying this Pulumi program, your Kubernetes Pod would have access to the TLS private key, injected securely through a Kubernetes Secret.