1. Using kubernetes external-secrets.io with apiregistration.k8s.io

    TypeScript

    To use external-secrets.io with the Kubernetes API, you'll typically need to perform the following steps:

    1. Deploy the ExternalSecrets controller to your Kubernetes cluster. This controller will be responsible for converting ExternalSecret resources into actual Secret resources within your cluster, by fetching the sensitive data from external secret stores like AWS Secrets Manager, Azure Key Vault, or Google Secret Manager.

    2. Create an APIService resource to register the external-secrets.io API with your Kubernetes API server, which allows Kubernetes to understand and manage ExternalSecret resources.

    3. Define an ExternalSecret resource that specifies the details about the external secret store and the secret data to manage.

    In this guide, I'll focus on the second step. We'll create an APIService resource using Pulumi to register the external-secrets.io API with the Kubernetes API server. This assumes that the controller has already been deployed and the external secrets infrastructure is set up. If you'd like to see those steps as well, please let me know.

    Below is a TypeScript program using Pulumi to create an APIService:

        import * as k8s from '@pulumi/kubernetes';

        // This example assumes that you have configured your Pulumi Kubernetes provider
        // and that you have the necessary context set for your target cluster where the
        // ExternalSecrets controller would be deployed.

        // Create a new APIService resource to register external-secrets.io
        const externalSecretsAPIService = new k8s.apiregistration.v1.APIService('externalSecretsAPIService', {
            metadata: {
                // Name of the APIService, typically follows the pattern "v1alpha1.<group>"
                name: 'v1alpha1.external-secrets.io', // Replace with the correct version and group
            },
            spec: {
                // Specifications of the APIService
                service: {
                    // The service that implements the API
                    name: 'external-secrets-service', // Replace with the actual service name
                    namespace: 'external-secrets', // Replace with the namespace where the service runs
                },
                group: 'external-secrets.io', // The API group of the ExternalSecret resources
                version: 'v1alpha1', // The API version
                caBundle: 'CERTIFICATE-BYTE-STRING', // Base64-encoded certificate for this APIService
                groupPriorityMinimum: 1000, // Priority of this API group
                versionPriority: 15, // Ordering of this version inside its group
            },
        });

        // Export the APIService name so we can easily access it from the Pulumi CLI
        export const apiServiceName = externalSecretsAPIService.metadata.name;

    In this program:

    • We import the Pulumi Kubernetes SDK to interact with Kubernetes resources.
    • We define a new APIService resource called externalSecretsAPIService.
    • The metadata.name field is the name of the API service.
    • The spec field details include:
      • service: references the service that serves the API endpoints.
      • group: the API group name for the ExternalSecret resources.
      • version: specifies the version of the API you wish to use.
      • caBundle: contains a base64-encoded certificate authority bundle that validates the serving certificate of the service.
      • groupPriorityMinimum: a priority number that determines the order of this API group in relation to other groups.
      • versionPriority: a number that determines the order of this version within its group (lower value takes precedence).

    Remember to replace placeholder values (like external-secrets-service, CERTIFICATE-BYTE-STRING, etc.) with the actual values corresponding to your cluster's configuration and the certificate you've obtained.
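    A leftover placeholder in caBundle is easy to miss, and because the aggregator uses that bundle to verify the serving certificate of the backing service, it is the one field worth checking mechanically before running pulumi up. The following is an added example, not part of the Pulumi program above and not External Secrets code: a small lint over an APIService spec object whose field names mirror the apiregistration.k8s.io/v1 spec used above. It goes slightly beyond the program by also flagging insecureSkipTLSVerify (a real APIServiceSpec field). The base64 helpers are written out by hand so the check is strict; the two sample specs and the PEM body are constructed for illustration and are not real certificates.

```typescript
// Added example: pre-apply lint for an apiregistration.k8s.io/v1 APIService spec.
// Field names mirror the APIServiceSpec used in the Pulumi program; sample data
// below is constructed and the PEM body is a placeholder, not a real certificate.

interface ApiServiceInput {
  metadata: { name: string };
  spec: {
    service?: { name: string; namespace: string; port?: number };
    group?: string;
    version: string;
    caBundle?: string;
    insecureSkipTLSVerify?: boolean;
    groupPriorityMinimum: number;
    versionPriority: number;
  };
}

const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Strict base64 decoder for ASCII payloads. Hand-rolled on purpose: lenient decoders
// (e.g. Buffer.from(s, 'base64')) silently skip invalid characters, which would let a
// leftover placeholder such as "CERTIFICATE-BYTE-STRING" pass as decodable bytes.
function decodeBase64Strict(s: string): string | null {
  if (s.length === 0 || s.length % 4 !== 0 || !/^[A-Za-z0-9+\/]*={0,2}$/.test(s)) return null;
  let out = '';
  for (let i = 0; i < s.length; i += 4) {
    const chunk = s.slice(i, i + 4);
    const pad = chunk.split('=').length - 1;
    let bits = 0;
    for (let j = 0; j < 4; j++) bits = (bits << 6) | (chunk[j] === '=' ? 0 : B64.indexOf(chunk[j]));
    out += String.fromCharCode((bits >>> 16) & 0xff);
    if (pad < 2) out += String.fromCharCode((bits >>> 8) & 0xff);
    if (pad < 1) out += String.fromCharCode(bits & 0xff);
  }
  return out;
}

// Minimal base64 encoder for ASCII input, used only to build the sample caBundle.
function encodeBase64(s: string): string {
  let out = '';
  for (let i = 0; i < s.length; i += 3) {
    const b1 = i + 1 < s.length ? s.charCodeAt(i + 1) : 0;
    const b2 = i + 2 < s.length ? s.charCodeAt(i + 2) : 0;
    const n = (s.charCodeAt(i) << 16) | (b1 << 8) | b2;
    out += B64[(n >>> 18) & 63] + B64[(n >>> 12) & 63];
    out += i + 1 < s.length ? B64[(n >>> 6) & 63] : '=';
    out += i + 2 < s.length ? B64[n & 63] : '=';
  }
  return out;
}

// caBundle carries a base64-encoded PEM bundle; accept it only if it decodes
// cleanly and actually contains a CERTIFICATE block.
function isPemCertBundle(caBundle: string): boolean {
  const pem = decodeBase64Strict(caBundle);
  return pem !== null
    && pem.indexOf('-----BEGIN CERTIFICATE-----') !== -1
    && pem.indexOf('-----END CERTIFICATE-----') !== -1;
}

// Returns the list of findings; an empty list means the spec passes the lint.
function lintApiService(input: ApiServiceInput): string[] {
  const findings: string[] = [];
  const { metadata, spec } = input;

  // Naming convention used by the program above: "<version>.<group>".
  const expectedName = spec.group ? spec.version + '.' + spec.group : spec.version;
  if (metadata.name !== expectedName) {
    findings.push('metadata.name should be "' + expectedName + '", got "' + metadata.name + '"');
  }

  // For a service-backed API the aggregator proxies requests to that service over TLS;
  // caBundle is what it uses to verify the backend's serving certificate.
  if (spec.service) {
    if (spec.insecureSkipTLSVerify) {
      findings.push('spec.insecureSkipTLSVerify is true: the backend serving certificate will not be verified');
    }
    if (!spec.caBundle) {
      findings.push('spec.caBundle is missing: the API server falls back to its system trust roots, which rarely include a cluster-internal CA');
    } else if (!isPemCertBundle(spec.caBundle)) {
      findings.push('spec.caBundle is not base64-encoded PEM certificate data (placeholder left in?)');
    }
  }

  // Both priorities must be positive integers; the API server rejects zero or negative values.
  if (Math.floor(spec.groupPriorityMinimum) !== spec.groupPriorityMinimum || spec.groupPriorityMinimum <= 0) {
    findings.push('spec.groupPriorityMinimum must be a positive integer');
  }
  if (Math.floor(spec.versionPriority) !== spec.versionPriority || spec.versionPriority <= 0) {
    findings.push('spec.versionPriority must be a positive integer');
  }
  return findings;
}

// Constructed sample: PEM framing with a placeholder body (not a real certificate).
const constructedPem =
  '-----BEGIN CERTIFICATE-----\nMIIBplaceholderbodynotarealcertificate\n-----END CERTIFICATE-----\n';

// Spec with the placeholders filled in the way the text asks for.
const hardenedSpec: ApiServiceInput = {
  metadata: { name: 'v1alpha1.external-secrets.io' },
  spec: {
    service: { name: 'external-secrets-service', namespace: 'external-secrets' },
    group: 'external-secrets.io',
    version: 'v1alpha1',
    caBundle: encodeBase64(constructedPem),
    groupPriorityMinimum: 1000,
    versionPriority: 15,
  },
};

// Spec with the placeholder still in caBundle, TLS verification disabled, a
// non-conventional name and a zero priority: every one of these is reported.
const weakSpec: ApiServiceInput = {
  metadata: { name: 'external-secrets' },
  spec: {
    service: { name: 'external-secrets-service', namespace: 'external-secrets' },
    group: 'external-secrets.io',
    version: 'v1alpha1',
    caBundle: 'CERTIFICATE-BYTE-STRING',
    insecureSkipTLSVerify: true,
    groupPriorityMinimum: 0,
    versionPriority: 15,
  },
};

console.log(lintApiService(hardenedSpec)); // []
console.log(lintApiService(weakSpec));     // four findings
```

Run the lint against the same object literal you pass to k8s.apiregistration.v1.APIService (or against the rendered YAML parsed back into this shape) and fail the pipeline on any finding; the name and priority checks are conveniences, the caBundle and insecureSkipTLSVerify checks are the ones that matter for the trust relationship between the API server and the extension service.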

    After setting up the APIService, you will be able to use ExternalSecret resources in your Kubernetes cluster, which the ExternalSecrets controller will recognize and handle appropriately.

    To apply this Pulumi code, navigate to your Pulumi project directory with the Pulumi CLI installed and make sure your Kubernetes context points at the cluster where you want to deploy the APIService. Run pulumi up to preview and apply the changes: the command prints the changes it plans to make and asks for your confirmation before applying them.