1. Using kubernetes secrets-store.csi.x-k8s.io with solr.apache.org

    TypeScript

    In Kubernetes, the Secrets Store CSI driver integrates secrets stores with Kubernetes via a Container Storage Interface (CSI) volume. This allows you to manage sensitive data like passwords, tokens, and keys, keeping them safe using external secrets stores such as Azure Key Vault, HashiCorp Vault, or AWS Secrets Manager and injecting them directly into your pods' file systems.

    For applications running on Kubernetes, like Apache Solr (with its Kubernetes Operator solr.apache.org), you can leverage the CSI driver to securely supply secrets without exposing them in your deployment configurations.

    Here is an overview of the steps you need to follow:

    1. Set up the Secrets Store CSI driver in your Kubernetes cluster.
    2. Create a SecretProviderClass resource that references the desired external secrets store and the specific secrets.
    3. Update your Solr resource definition to mount the secrets as volumes.

    Below, you’ll find a TypeScript program using Pulumi and the Kubernetes provider to configure the Secrets Store CSI driver and use it within an Apache Solr deployment on Kubernetes:

    import * as k8s from '@pulumi/kubernetes'; // Create a namespace for your application and the secrets CSI driver const namespace = new k8s.core.v1.Namespace("solr-namespace", { metadata: { name: "solr", }, }); // Define a SecretProviderClass that references your secret store configuration. // This example refers to a hypothetical HashiCorp Vault store. const secretProviderClass = new k8s.apiextensions.CustomResource("solr-secret-provider", { apiVersion: "secrets-store.csi.x-k8s.io/v1", kind: "SecretProviderClass", metadata: { // This name should be descriptive of the secrets being accessed name: "solr-vault-secrets", namespace: namespace.metadata.name, }, spec: { // Update this section to reflect your secrets store type and details provider: "vault", secretObjects: [ { secretName: "solr-secret", type: "Opaque", data: [ { objectName: "solr-secret-key", key: "secret-key", }, ], }, ], parameters: { // The parameters for accessing HashiCorp Vault vaultAddress: "https://vault.example.com", roleName: "your-role", objects: [{ objectName: "solr-secret-key", secretPath: "path/to/your/secret", }], }, }, }); // Deploy your Solr instance (e.g., StatefulSet, Deployment) and reference the secrets CSI volume. const solrDeployment = new k8s.apps.v1.Deployment("solr-deployment", { metadata: { name: "solr", namespace: namespace.metadata.name, }, spec: { selector: { matchLabels: { app: "solr", }, }, template: { metadata: { labels: { app: "solr", }, }, spec: { containers: [{ name: "solr", image: "apache/solr:latest", volumeMounts: [{ name: "secrets-store-inline", mountPath: "/mnt/secrets", readOnly: true, }], }], volumes: [{ name: "secrets-store-inline", csi: { driver: "secrets-store.csi.k8s.io", readOnly: true, volumeAttributes: { secretProviderClass: "solr-vault-secrets", }, }, }], }, }, }, }); export const solrDeploymentName = solrDeployment.metadata.name;

    In this Pulumi program:

    • We use the @pulumi/kubernetes package to interact with Kubernetes resources using Pulumi.
    • A Kubernetes Namespace is created to hold all our resources. This is a standard practice to organize resources within a cluster.
    • A SecretProviderClass Custom Resource is defined, specifying the secret store provider (Vault in this case) and the path to the secret.
    • A Deployment resource for Apache Solr points to the SecretProviderClass using a CSI volume under the volumes section of the pod spec. This would mount the secrets in the given pod path (/mnt/secrets in this example).

    The SecretProviderClass should be configured according to the specific secrets backend you're using and the actual secrets you need for Apache Solr. The container image and other specifications for your Solr deployment should match your use case.

    This Pulumi program can be executed via the Pulumi CLI and assumes that your Pulumi setup and Kubernetes cluster are already configured. Remember to replace placeholder values with actual values relevant to your secrets' store and Apache Solr configuration.