Using kubernetes secrets-store.csi.x-k8s.io with solr.apache.org
TypeScriptIn Kubernetes, the Secrets Store CSI driver integrates secrets stores with Kubernetes via a Container Storage Interface (CSI) volume. This allows you to manage sensitive data like passwords, tokens, and keys, keeping them safe using external secrets stores such as Azure Key Vault, HashiCorp Vault, or AWS Secrets Manager and injecting them directly into your pods' file systems.
For applications running on Kubernetes, like Apache Solr (with its Kubernetes Operator
solr.apache.org
), you can leverage the CSI driver to securely supply secrets without exposing them in your deployment configurations.Here is an overview of the steps you need to follow:
- Set up the Secrets Store CSI driver in your Kubernetes cluster.
- Create a
SecretProviderClass
resource that references the desired external secrets store and the specific secrets. - Update your Solr resource definition to mount the secrets as volumes.
Below, you’ll find a TypeScript program using Pulumi and the Kubernetes provider to configure the Secrets Store CSI driver and use it within an Apache Solr deployment on Kubernetes:
import * as k8s from '@pulumi/kubernetes'; // Create a namespace for your application and the secrets CSI driver const namespace = new k8s.core.v1.Namespace("solr-namespace", { metadata: { name: "solr", }, }); // Define a SecretProviderClass that references your secret store configuration. // This example refers to a hypothetical HashiCorp Vault store. const secretProviderClass = new k8s.apiextensions.CustomResource("solr-secret-provider", { apiVersion: "secrets-store.csi.x-k8s.io/v1", kind: "SecretProviderClass", metadata: { // This name should be descriptive of the secrets being accessed name: "solr-vault-secrets", namespace: namespace.metadata.name, }, spec: { // Update this section to reflect your secrets store type and details provider: "vault", secretObjects: [ { secretName: "solr-secret", type: "Opaque", data: [ { objectName: "solr-secret-key", key: "secret-key", }, ], }, ], parameters: { // The parameters for accessing HashiCorp Vault vaultAddress: "https://vault.example.com", roleName: "your-role", objects: [{ objectName: "solr-secret-key", secretPath: "path/to/your/secret", }], }, }, }); // Deploy your Solr instance (e.g., StatefulSet, Deployment) and reference the secrets CSI volume. const solrDeployment = new k8s.apps.v1.Deployment("solr-deployment", { metadata: { name: "solr", namespace: namespace.metadata.name, }, spec: { selector: { matchLabels: { app: "solr", }, }, template: { metadata: { labels: { app: "solr", }, }, spec: { containers: [{ name: "solr", image: "apache/solr:latest", volumeMounts: [{ name: "secrets-store-inline", mountPath: "/mnt/secrets", readOnly: true, }], }], volumes: [{ name: "secrets-store-inline", csi: { driver: "secrets-store.csi.k8s.io", readOnly: true, volumeAttributes: { secretProviderClass: "solr-vault-secrets", }, }, }], }, }, }, }); export const solrDeploymentName = solrDeployment.metadata.name;
In this Pulumi program:
- We use the
@pulumi/kubernetes
package to interact with Kubernetes resources using Pulumi. - A Kubernetes
Namespace
is created to hold all our resources. This is a standard practice to organize resources within a cluster. - A
SecretProviderClass
Custom Resource is defined, specifying the secret store provider (Vault in this case) and the path to the secret. - A
Deployment
resource for Apache Solr points to theSecretProviderClass
using a CSI volume under thevolumes
section of the pod spec. This would mount the secrets in the given pod path (/mnt/secrets
in this example).
The
SecretProviderClass
should be configured according to the specific secrets backend you're using and the actual secrets you need for Apache Solr. The container image and other specifications for your Solr deployment should match your use case.This Pulumi program can be executed via the Pulumi CLI and assumes that your Pulumi setup and Kubernetes cluster are already configured. Remember to replace placeholder values with actual values relevant to your secrets' store and Apache Solr configuration.