Using kubernetes storage.loft.sh with generators.external-secrets.io
To interact with Kubernetes resources using Pulumi, we will use the `@pulumi/kubernetes` package, which allows us to create and manage Kubernetes resources. For your request to use storage provided by `storage.loft.sh` and secrets generation using `generators.external-secrets.io`, you would typically need to set up the `StorageClass` for dynamic provisioning provided by Loft and configure a `SecretStore` and `ExternalSecret` to manage secrets via the external-secrets operator.

To begin with, make sure you have `@pulumi/kubernetes` installed:

```shell
npm install @pulumi/kubernetes
```
Below is a basic Pulumi program written in TypeScript. It demonstrates how you could define a Kubernetes `StorageClass` for Loft storage and create an `ExternalSecret` that uses an external generator for creating a secret. Please note that the actual setup for `storage.loft.sh` and `generators.external-secrets.io` may require additional configurations and secrets which are specific to your environment.

```typescript
import * as k8s from "@pulumi/kubernetes";

// Define a Kubernetes StorageClass using Loft's provisioner
const loftStorageClass = new k8s.storage.v1.StorageClass("loftStorageClass", {
    metadata: {
        name: "loft-storage",
    },
    provisioner: "storage.loft.sh", // Assuming this is the provisioner for Loft
    parameters: {
        // Additional parameters may be required depending on Loft's specifics
    },
    // Define the reclaim policy if necessary
    reclaimPolicy: "Delete", // or "Retain" based on your needs
});

// Define a SecretStore custom resource (assuming the necessary CRDs are already installed)
const secretStore = new k8s.apiextensions.CustomResource("externalSecretStore", {
    // Use the API version your installed CRDs serve (current releases serve v1beta1 or later)
    apiVersion: "external-secrets.io/v1alpha1",
    kind: "SecretStore",
    metadata: {
        name: "external-secrets-store",
    },
    spec: {
        // The spec here depends on the kind of backend you're using with generators.external-secrets.io
        // e.g., AWS Secrets Manager, GCP Secret Manager, Vault, etc.
        // spec.provider carries the configuration required for the store type you choose;
        // it is required by the CRD, so an empty spec will be rejected at apply time.
    },
});

// Define an ExternalSecret custom resource which refers to the SecretStore defined above.
const externalSecret = new k8s.apiextensions.CustomResource("externalSecret", {
    apiVersion: "external-secrets.io/v1alpha1", // match the SecretStore's API version
    kind: "ExternalSecret",
    metadata: {
        name: "example-external-secret",
    },
    spec: {
        secretStoreRef: {
            name: "external-secrets-store",
        },
        target: {
            // Specify how the secret should be synced
            name: "example-secret", // The name of the k8s secret that will be created
            creationPolicy: "Owner", // Ensures the secret is created if not present
        },
        data: [
            {
                secretKey: "username",
                remoteRef: {
                    // Provide the key information to generate secret data
                    key: "username-key", // A key in the external secret store or generator
                },
            },
            {
                secretKey: "password",
                remoteRef: {
                    key: "password-key",
                },
            },
        ],
    },
}, { dependsOn: [secretStore] }); // Create the SecretStore before the ExternalSecret that references it

// Export the storage class and secret names
export const storageClassName = loftStorageClass.metadata.name;
export const secretName = externalSecret.metadata.name;
```
Explanation:

- StorageClass: This is a Kubernetes resource that describes the type of storage to use. Loft provides a provisioner that dynamically provisions storage for you. The `provisioner` field in the `StorageClass` spec is where you specify Loft's provisioner name. You can also specify additional parameters and the reclaim policy.
- SecretStore: It's a custom resource from the external-secrets Kubernetes operator. This resource defines where your secrets are stored and how to access them. The spec will vary depending on whether you're storing your secrets in AWS Secrets Manager, Azure Key Vault, Google Secret Manager, Vault, or another supported backend.
- ExternalSecret: Another custom resource from the external-secrets operator, representing the actual secrets you want to sync to your Kubernetes cluster. The `secretStoreRef` should match the name of the `SecretStore` resource you defined. Under `spec.data`, you define keys that map to external secret data that you want to fetch. The `remoteRef.key` fields would be the actual keys in your remote secret store or generator.
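The SecretStore and ExternalSecret described above, as an added example that is not part of the original Pulumi program: plain TypeScript (no Pulumi or cluster needed) that builds constructed manifests for a `SecretStore`, a `Password` generator from the `generators.external-secrets.io` group and an `ExternalSecret` referencing both through `secretStoreRef` and `dataFrom[].sourceRef.generatorRef`, then checks before deployment that every reference resolves in the ExternalSecret's namespace. The manifest shapes follow the external-secrets operator's `v1beta1` and generator `v1alpha1` APIs; the names and the `fake` provider data are constructed placeholders.

```typescript
// Added example, not from the page's Pulumi program: a pre-deploy check that ExternalSecret references resolve.
type Manifest = { apiVersion: string; kind: string; metadata: { name: string; namespace?: string }; spec?: any };
// Constructed sample manifests; names and the `fake` provider data are placeholders.
const secretStore: Manifest = {
  apiVersion: "external-secrets.io/v1beta1", kind: "SecretStore",
  metadata: { name: "external-secrets-store", namespace: "default" },
  spec: { provider: { fake: { data: [{ key: "username-key", value: "app-user" }] } } },
};
// A Password generator from the generators.external-secrets.io group.
const passwordGenerator: Manifest = {
  apiVersion: "generators.external-secrets.io/v1alpha1", kind: "Password",
  metadata: { name: "db-password", namespace: "default" },
  spec: { length: 32, digits: 5, symbols: 5, noUpper: false, allowRepeat: true },
};
// The ExternalSecret pulls "username" from the store and a generated password via dataFrom.
const externalSecret: Manifest = {
  apiVersion: "external-secrets.io/v1beta1", kind: "ExternalSecret",
  metadata: { name: "example-external-secret", namespace: "default" },
  spec: {
    secretStoreRef: { name: "external-secrets-store", kind: "SecretStore" },
    target: { name: "example-secret", creationPolicy: "Owner" },
    data: [{ secretKey: "username", remoteRef: { key: "username-key" } }],
    dataFrom: [{ sourceRef: { generatorRef: {
      apiVersion: "generators.external-secrets.io/v1alpha1", kind: "Password", name: "db-password" } } }],
  },
};
// Returns a list of problems; an empty list means every reference resolves (ClusterSecretStore is cluster-scoped).
function checkReferences(es: Manifest, cluster: Manifest[]): string[] {
  const ns = es.metadata.namespace || "default";
  const exists = (kind: string, name: string) => cluster.some(m => m.kind === kind && m.metadata.name === name
    && (kind === "ClusterSecretStore" || (m.metadata.namespace || "default") === ns));
  const problems: string[] = [];
  const ref = es.spec && es.spec.secretStoreRef;
  if (!ref || !ref.name) problems.push("spec.secretStoreRef.name is missing");
  else if (!exists(ref.kind || "SecretStore", ref.name)) problems.push(`${ref.kind || "SecretStore"} ${ref.name} not found`);
  const dataFrom: any[] = (es.spec && es.spec.dataFrom) || [];
  for (let i = 0; i < dataFrom.length; i++) {
    const g = dataFrom[i].sourceRef && dataFrom[i].sourceRef.generatorRef;
    if (!g) continue;
    // Generators live in their own API group; a store-group apiVersion here is a configuration error.
    if (String(g.apiVersion).indexOf("generators.external-secrets.io/") !== 0)
      problems.push(`dataFrom[${i}]: generatorRef must use the generators.external-secrets.io group`);
    if (!exists(g.kind, g.name)) problems.push(`dataFrom[${i}]: ${g.kind} ${g.name} not found`);
  }
  if (!(es.spec && es.spec.target && es.spec.target.name)) problems.push("spec.target.name is missing");
  return problems;
}
```

Run the check over the manifests a Pulumi program emits (for example via `pulumi preview --json`) to catch dangling references before the operator reports them as sync errors.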
To create these in your Kubernetes cluster, after defining these resources in your Pulumi program, you would run `pulumi up`. This command instructs Pulumi to provision the resources as described in your program.

Please replace placeholders with real values and add any additional configuration required for your specific setup. This program assumes that the CRDs associated with external-secrets are already applied to the cluster and that any required authentication details or secrets are set up correctly in your cluster to interact with `storage.loft.sh` and `generators.external-secrets.io`.

As you evolve in using Pulumi with Kubernetes, you can dynamically pass values, configure more sophisticated resource specifications, and integrate with cloud providers' managed services for sensitive data management.