1. Secure Kubernetes Environment Variables with 1Password


    Using environment variables to store sensitive data and credentials directly in the code or deployment manifests is not recommended due to security concerns. A better approach is to use a secrets management system like 1Password to securely store and manage these secrets. Then you can reference these secrets in your Kubernetes Deployment or other resources without exposing the sensitive data.

    Pulumi has no built-in 1Password integration, so the usual approach is to pair the secrets manager with a Kubernetes Secret: create a Kubernetes Secret resource in Pulumi that holds the values pulled from 1Password, then expose those values to your containers as environment variables.

    Here's a general approach, which includes manually retrieving secrets from 1Password and then injecting them into Kubernetes Secret resources:

    1. You would need to manually retrieve your secrets from 1Password. This could involve using the 1Password CLI or any existing API integrations they provide. Note that this manual step would occur outside of your Pulumi program and is a part of your secrets management workflow.

    2. With the retrieved secrets, you can then define a Kubernetes Secret resource in Pulumi that includes these sensitive values.

    3. Lastly, you would reference this Kubernetes Secret in the environment variables of your container specification within your Kubernetes Deployment or other workload resources.

    Let's walk through a Pulumi program that sets up a dummy Kubernetes Secret in Python (as we do not have direct access to your 1Password secrets):

```python
import base64

import pulumi
from pulumi_kubernetes.core.v1 import Secret

# Assuming we have already retrieved a sensitive value from 1Password in some manner.
# Here it is hardcoded for demonstration, but you should retrieve it from 1Password's secure store.
sensitive_value = "super_secret_value"  # Replace with dynamic retrieval from 1Password

# Create a Kubernetes Secret resource
secret = Secret(
    "my-secure-secret",
    metadata={"name": "my-secure-secret"},
    type="Opaque",
    data={
        # Values under `data` must be base64 encoded (a hex string would be rejected)
        "password": pulumi.Output.secret(sensitive_value).apply(
            lambda value: base64.b64encode(str(value).encode("utf-8")).decode("ascii")
        )
    },
)

# Export the Secret's name so a Deployment can reference it (e.g. via secretKeyRef)
pulumi.export("secret-name", secret.metadata["name"])
```

    In this example:

    • We create a Kubernetes Secret named my-secure-secret with one key-value pair: the key is password, and the value is a sensitive value that we pretend to have retrieved from 1Password.
    • We use Pulumi's Output.secret to mark sensitive_value as secret, so Pulumi encrypts it in the stack state and redacts it from its output. Because the value goes into the Secret's data field, the apply callback base64 encodes it, as the Kubernetes API requires.
    • The pulumi.export statement makes the Secret's name available as an output of our Pulumi stack, so other resources can reference the Secret by name rather than by its contents.
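    The three steps above (retrieve, create the Secret, reference it from a container) as one added example; this is not code from the page or from Pulumi. It assumes the 1Password CLI has placed the value in an environment variable named DB_PASSWORD, and builds the manifests as plain dicts so the base64 encoding and the secretKeyRef reference can be checked without a Pulumi engine.

```python
"""Added example, not the page's or Pulumi's own code: the page's three steps
in one program, with the value read at run time instead of hardcoded. The
manifests are built as plain dicts so the encoding and the secretKeyRef
reference can be checked without a Pulumi engine."""
import base64
import os


def read_secret_from_env(var_name: str, env=None) -> str:
    """Assumption: the 1Password CLI injects the value into the environment
    (e.g. via `op run`). Fail closed rather than deploy an empty password."""
    env = os.environ if env is None else env
    value = env.get(var_name)
    if not value:
        raise RuntimeError(f"{var_name} is not set; run under the 1Password CLI")
    return value


def secret_manifest(name: str, values: dict) -> dict:
    """Kubernetes `data` is base64 of the raw bytes, not a hex string."""
    data = {k: base64.b64encode(v.encode("utf-8")).decode("ascii")
            for k, v in values.items()}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": data}


def env_from_secret(env_name: str, secret_name: str, key: str) -> dict:
    """Container env entry that points at the Secret instead of a literal."""
    return {"name": env_name,
            "valueFrom": {"secretKeyRef": {"name": secret_name, "key": key}}}


def pulumi_resources(secret_name: str, password: str):
    """Pulumi wiring (imports kept local so the helpers above import without
    Pulumi installed). string_data lets the API server base64-encode, and
    Output.secret keeps the value encrypted in state and redacted in output."""
    import pulumi
    from pulumi_kubernetes.apps.v1 import Deployment
    from pulumi_kubernetes.core.v1 import Secret
    secret = Secret(secret_name, metadata={"name": secret_name}, type="Opaque",
                    string_data={"password": pulumi.Output.secret(password)})
    container = {"name": "app", "image": "nginx",  # placeholder image
                 "env": [env_from_secret("DB_PASSWORD", secret_name, "password")]}
    deployment = Deployment("app", spec={
        "selector": {"matchLabels": {"app": "app"}},
        "template": {"metadata": {"labels": {"app": "app"}},
                     "spec": {"containers": [container]}}},
        opts=pulumi.ResourceOptions(depends_on=[secret]))
    return secret, deployment
```

    In a Pulumi program, call pulumi_resources("my-secure-secret", read_secret_from_env("DB_PASSWORD")) so the value never appears in source control.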

    In a real-world scenario, you need to integrate the 1Password retrieval into your deployment process securely, typically by using the 1Password CLI or SDK to pull secret values into your Pulumi program at run time. Values marked as secret are encrypted in the stack state and redacted from Pulumi's console output, so your sensitive data does not appear in plaintext.

    Remember to always avoid hardcoding sensitive values in your Pulumi code, configuration files, or source code repositories. Always use a secure method to retrieve sensitive data at runtime.

    Providers like Vault, AWS Secrets Manager, or Azure Key Vault do offer a more direct way to integrate with Pulumi, allowing you to pull secrets directly from the secrets manager into your Pulumi application. If 1Password is a must for your workflow, it's worth looking into whether they provide a similar SDK that can be used with Pulumi.

    If 1Password offers an API or official integration for Kubernetes secrets management, you would substitute the manual retrieval steps in the program with code that uses their API/SDK. This is not demonstrated here since such integration details or SDK specifics are outside the provided Pulumi Registry Results and the example is meant to illustrate the use of the Kubernetes Secret resource and the general pattern.