1. Using kubernetes cloud.streamnative.io with secrets.hashicorp.com

    TypeScript

    To integrate Kubernetes with HashiCorp's Vault for secret management, you'll want to set up a Vault instance that can store and manage secrets, and a Kubernetes cluster that can utilize those secrets for various applications.

    Vault is a tool from HashiCorp for securely managing secrets, such as tokens, passwords, certificates, and API keys. Kubernetes is a container orchestration platform that can use Vault to manage and inject secrets into your applications.

    Below is a Pulumi program written in TypeScript that demonstrates how to set up a HashiCorp Vault backend specific to Kubernetes which allows storing and managing secrets that can be used in your Kubernetes cluster. It also shows how to create a Vault role that can generate credentials and how to create a Kubernetes Secret resource which your applications can use.

    First, you need to set up the Vault server and enable the Kubernetes secret backend. You will also need to specify a role that can generate Kubernetes service account tokens.

    Here's a Pulumi program that does this:

    import * as kubernetes from "@pulumi/kubernetes";
    import * as pulumi from "@pulumi/pulumi";
    import * as vault from "@pulumi/vault";

    const config = new pulumi.Config();
    const kubeconfig = config.requireSecret("kubeconfig");

    // Initialize a Kubernetes provider with the provided kubeconfig
    const k8sProvider = new kubernetes.Provider("k8sProvider", { kubeconfig });

    // Enable the Vault Kubernetes secrets engine
    const secretBackend = new vault.kubernetes.SecretBackend("k8sSecretBackend", {
        path: "kubernetes", // The path at which the engine is mounted
        kubernetesHost: `https://${config.require("k8sHost")}`, // Kubernetes API server URL
        kubernetesCaCert: config.requireSecret("k8sCaCert"), // CA certificate Vault uses to verify the API server
        // Additional settings can be configured as needed.
    });

    // Create a role on the secrets engine that can generate tokens for one service account.
    // The provider's argument names are serviceAccountName (a single name) and
    // allowedKubernetesNamespaces (a list); serviceAccountNames / serviceAccountNamespaces
    // are not valid arguments for this resource and would not compile.
    const secretBackendRole = new vault.kubernetes.SecretBackendRole("appRole", {
        backend: secretBackend.path,
        name: "app",
        serviceAccountName: "example-app", // The Kubernetes Service Account whose tokens are generated
        allowedKubernetesNamespaces: ["default"], // Namespaces in which tokens may be requested
        // Additional settings can be configured as needed.
    });

    // Create a Kubernetes Secret that will hold the token. The literal value is a
    // placeholder: in real use the token is obtained from Vault, never hardcoded.
    const appSecret = new kubernetes.core.v1.Secret("appSecret", {
        metadata: {
            name: "example-app-secret",
        },
        type: "Opaque",
        stringData: {
            "vault-token": "my-secure-vault-token",
        },
    }, { provider: k8sProvider });

    // Export the Kubernetes Secret name
    export const appSecretName = appSecret.metadata.apply(m => m.name);

    In this program:

    • We're importing the necessary Pulumi libraries for Kubernetes and Vault.
    • The k8sProvider is initialized with your kubeconfig. This provider will be used to create Kubernetes resources.
    • The Vault SecretBackend is enabled at a specified path and configured with the Kubernetes host URL and the CA certificate to establish trust.
    • A SecretBackendRole is defined for the Kubernetes service account whose tokens Vault may generate. In this case, it's the example-app service account in the default namespace. This is where you would adjust the role according to your service account's name and namespace.
    • A Kubernetes Secret resource is created to simulate storing a Vault token. In actual usage, this secret would be created with credentials obtained from Vault.
    • Finally, the name of the Kubernetes secret is exported as a stack output, so you know the name of the secret that was created.

    Please replace "my-secure-vault-token" with a token actually obtained from Vault, and set the k8sHost and k8sCaCert configuration values to your Kubernetes API server host and CA certificate data. In a real-world scenario, you would also use Pulumi's secrets management to avoid hardcoding sensitive information in your code.
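    The program above leaves a literal token in the Secret. The following is an added example, not part of the original Pulumi program, showing how a client would instead request a short-lived token from the Kubernetes secrets engine role defined above and place that in the Secret, validating what Vault returned against the role first. The request path (POST /v1/<mount>/creds/<role>), the kubernetes_namespace request field and the response fields follow the Vault Kubernetes secrets engine API; the Vault address, Vault token, lease id, token value and annotation keys are constructed for this example, and fakeVault stands in for a real server so it runs offline.

```typescript
// Added example, not from the original Pulumi program: fetch a short-lived token from
// Vault's Kubernetes secrets engine instead of hardcoding "my-secure-vault-token".
// Request path, kubernetes_namespace and the response fields follow the Vault
// Kubernetes secrets engine API; addresses, tokens and annotation keys are constructed.

// Mirrors the SecretBackendRole from the Pulumi program above.
export interface RoleSpec {
  backend: string;                       // mount path, "kubernetes" above
  name: string;                          // role name, "app" above
  serviceAccountName: string;            // "example-app" above
  allowedKubernetesNamespaces: string[]; // ["default"] above; "*" means any namespace
}

export interface CredsRequest {
  url: string;
  method: "POST";
  headers: Record<string, string>;
  body: { kubernetes_namespace: string; ttl: string };
}

export interface CredsResponse {
  lease_id: string;
  lease_duration: number; // seconds until the token is revoked
  data: {
    service_account_name: string;
    service_account_namespace: string;
    service_account_token: string;
  };
}

export interface K8sSecret {
  apiVersion: "v1";
  kind: "Secret";
  metadata: { name: string; namespace: string; annotations: Record<string, string> };
  type: "Opaque";
  stringData: Record<string, string>;
}

export const exampleRole: RoleSpec = {
  backend: "kubernetes",
  name: "app",
  serviceAccountName: "example-app",
  allowedKubernetesNamespaces: ["default"],
};

function namespaceAllowed(role: RoleSpec, ns: string): boolean {
  return role.allowedKubernetesNamespaces.includes("*") || role.allowedKubernetesNamespaces.includes(ns);
}

// Build the creds request; refuse namespaces the role does not allow before touching the network.
export function buildCredsRequest(vaultAddr: string, vaultToken: string, role: RoleSpec,
                                  namespace: string, ttl = "10m"): CredsRequest {
  if (!namespaceAllowed(role, namespace)) {
    throw new Error(`namespace "${namespace}" is not allowed by role "${role.name}"`);
  }
  return {
    url: `${vaultAddr.replace(/\/+$/, "")}/v1/${role.backend}/creds/${role.name}`,
    method: "POST",
    headers: { "X-Vault-Token": vaultToken, "Content-Type": "application/json" },
    body: { kubernetes_namespace: namespace, ttl },
  };
}

// Turn a creds response into the Secret the program above creates, after checking that
// Vault returned the service account the role promised and that the token actually expires.
export function toKubernetesSecret(resp: CredsResponse, role: RoleSpec, secretName: string): K8sSecret {
  if (resp.data.service_account_name !== role.serviceAccountName) {
    throw new Error(`unexpected service account "${resp.data.service_account_name}"`);
  }
  if (!namespaceAllowed(role, resp.data.service_account_namespace)) {
    throw new Error(`unexpected namespace "${resp.data.service_account_namespace}"`);
  }
  if (!(resp.lease_duration > 0) || resp.data.service_account_token.length === 0) {
    throw new Error("refusing a token without a bounded lease");
  }
  return {
    apiVersion: "v1",
    kind: "Secret",
    metadata: {
      name: secretName,
      namespace: resp.data.service_account_namespace,
      // Constructed annotation keys: record the lease so rotation can be scheduled; never the token itself.
      annotations: {
        "example.com/vault-lease-id": resp.lease_id,
        "example.com/vault-lease-seconds": String(resp.lease_duration),
      },
    },
    type: "Opaque",
    stringData: { "vault-token": resp.data.service_account_token },
  };
}

export type Transport = (req: CredsRequest) => CredsResponse;

// Constructed stand-in for Vault so the example runs offline; shaped like a real creds response.
export const fakeVault: Transport = (req) => ({
  lease_id: "kubernetes/creds/app/constructed-lease-id",
  lease_duration: 600,
  data: {
    service_account_name: "example-app",
    service_account_namespace: req.body.kubernetes_namespace,
    service_account_token: "constructed.sa.token",
  },
});

export function issueSecret(transport: Transport, vaultAddr: string, vaultToken: string,
                            role: RoleSpec, namespace: string, secretName: string): K8sSecret {
  return toKubernetesSecret(transport(buildCredsRequest(vaultAddr, vaultToken, role, namespace)), role, secretName);
}
```

    The vaultToken passed to buildCredsRequest is the caller's own Vault credential; in a cluster that would normally be obtained through the Vault Kubernetes authentication method or Vault Agent rather than stored as a static secret. Swapping fakeVault for a function that performs the HTTPS call is the only change needed to use this against a real server.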

    This is a basic setup, and in a production scenario there are other considerations, such as securing communications, handling secret rotation, and much more. You would also need to have the Vault Kubernetes authentication method set up and configured outside of Pulumi, which isn't shown here.

    For more detailed documentation, you can refer to the official Vault documentation and the Pulumi documentation for the kubernetes and vault packages.

    Remember to substitute the placeholder values with actual data from your environment and use Pulumi's secret management features for sensitive data.