1. 1Password as a Kubernetes External Secrets Store


    Using 1Password as an external secrets store for Kubernetes involves a few steps that revolve around integrating 1Password secrets management with Kubernetes Secrets.

    While Pulumi itself doesn't provide a direct integration with 1Password, you can still achieve the setup by:

    1. Creating a 1Password Secrets Automation workflow which provides a token to access the secrets.
    2. Using the generated token to retrieve secrets from 1Password.
    3. Creating Kubernetes Secret resources in your cluster using the Pulumi Kubernetes Provider with the retrieved secrets.

    Unfortunately, Pulumi does not have an existing provider or resource that works with 1Password out of the box as of my knowledge cutoff in early 2023. Typically, the process would involve using the APIs provided by 1Password to fetch the secrets and store them into Kubernetes Secrets.

    Given these constraints, I will outline a hypothetical Pulumi program that demonstrates the pattern you would use to create Kubernetes Secrets in Python. You will have to replace the placeholders with actual logic to retrieve secrets from your 1Password account. The retrieval could potentially be implemented using a custom provider, but that is beyond the scope of this example.

    Detailed Explanation of the Program:

    The program below uses the pulumi_kubernetes package to create Kubernetes Secret resources. These resources would typically contain sensitive information like API keys, passwords, etc. In a real-world scenario, you should fetch this sensitive information from 1Password using their APIs or integration tools.

    • pulumi_kubernetes.core.v1.Secret: This resource is used to manage Kubernetes secrets. These secrets are meant to hold sensitive information, such as passwords, OAuth tokens, and SSH keys. We use this resource to create a new secret in the Kubernetes cluster. The data you provide to this Secret resource should be the actual data you retrieve from 1Password.

    Remember, any storage or retrieval of secrets should be handled with security in mind, including but not limited to using secure communication, access control, and never logging secrets in plaintext.

    Note that to interact with external systems like 1Password, you'd need to use their SDK or API, which you would typically do outside of the Pulumi program, or via dynamic providers if you want to include it within the Pulumi workflow.

    Here's the Pulumi program structure written in Python:

    import base64

    import pulumi
    import pulumi_kubernetes as k8s

    # Here we assume you've extracted the required secrets from 1Password.
    # You would replace the following dictionary with the secrets you've retrieved.
    onepassword_secrets = {
        'DATABASE_PASSWORD': 'your-secret-password',
        # ... any additional secrets
    }

    # Mark each value as a Pulumi secret and base64-encode it, as required by the
    # `data` field of a Kubernetes Secret (the `string_data` field would take the
    # raw strings instead).
    encoded_secrets = {
        key: pulumi.Output.secret(value).apply(
            lambda v: base64.b64encode(v.encode('utf-8')).decode('ascii')
        )
        for key, value in onepassword_secrets.items()
    }

    # Kubernetes Secret resource
    k8s_secret = k8s.core.v1.Secret(
        "onepassword-secret",
        metadata=k8s.meta.v1.ObjectMetaArgs(
            name="onepassword-secret",
        ),
        type="Opaque",
        data=encoded_secrets,
    )

    # Export the Kubernetes Secret name
    pulumi.export('k8s_secret_name', k8s_secret.metadata['name'])

    In this program, replace 'your-secret-password' with the actual secret from 1Password. The pulumi.Output.secret() function marks the data as a secret, meaning Pulumi will treat it as sensitive and hide it in logs. We use apply() to base64 encode the secret because Kubernetes expects secrets to be base64 encoded.

    Please remember that you'll need the Python Pulumi SDK set up and authenticated with your Kubernetes cluster to use this code effectively. Additionally, since this code is interfacing with sensitive data, ensure your Pulumi stack is properly secured and that you're following best practices for managing secrets.

    For the actual integration logic for fetching secrets from 1Password, you'd need to refer to the 1Password API documentation and potentially create a script that uses their SDK or API to fetch the secrets and pass them to Pulumi.
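    As an added example (not part of the original answer or of any 1Password or Pulumi SDK), here is the retrieval step sketched as a small script: it reads one item from a 1Password Connect server, keeps only the concealed fields, and shapes them into the base64 `data` map the Kubernetes Secret above expects. The endpoint path, the Bearer token header and the item JSON layout (a `fields` list with `label`, `type` and `value`) are assumptions about the Connect REST API, and the server URL, vault and item identifiers are placeholders.

```python
import base64
import json
import urllib.request

# Constructed sample of a Connect "get item" response (assumed JSON shape).
SAMPLE_ITEM = {
    "id": "item-placeholder",
    "title": "prod-db",
    "fields": [
        {"id": "f1", "type": "STRING", "label": "username", "value": "app"},
        {"id": "f2", "type": "CONCEALED", "label": "password", "value": "hunter2"},
        {"id": "f3", "type": "STRING", "label": "notes", "value": ""},
    ],
}


def fetch_item(connect_url, token, vault_id, item_id):
    """Fetch one item from a 1Password Connect server (assumed endpoint layout).
    This is the only network call; the offline demo below does not use it."""
    req = urllib.request.Request(
        f"{connect_url}/v1/vaults/{vault_id}/items/{item_id}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def item_to_secrets(item, concealed_only=True):
    """Map item fields to {ENV_STYLE_NAME: value}. Empty fields are dropped and,
    by default, so is anything not marked CONCEALED, so plain labels such as a
    username never end up in the Kubernetes Secret by accident."""
    out = {}
    for field in item.get("fields", []):
        label, value = field.get("label"), field.get("value")
        if not label or not value:
            continue
        if concealed_only and field.get("type") != "CONCEALED":
            continue
        out[label.upper().replace("-", "_").replace(" ", "_")] = value
    return out


def to_k8s_data(secrets):
    """Base64-encode each value for the `data` field of a Kubernetes Secret."""
    return {k: base64.b64encode(v.encode("utf-8")).decode("ascii") for k, v in secrets.items()}


if __name__ == "__main__":
    # Offline demo on the constructed sample; print key names only, never values.
    print("secret keys:", sorted(to_k8s_data(item_to_secrets(SAMPLE_ITEM))))
```

    The resulting dictionary is what you would feed to `pulumi.Output.secret()` in the program above in place of the hard-coded placeholder values.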

    Always refer to each service's documentation for the best security practices, especially when handling secrets. For Pulumi's Kubernetes Secrets management, you can find up-to-date information on the Pulumi Kubernetes Secrets documentation page.