Using kubernetes observability.lemonade.com with generators.external-secrets.io
To integrate Kubernetes observability with generators.external-secrets.io, you need to set up a system where Kubernetes secrets are managed externally using the External Secrets Operator. This operator fetches secrets from external secret stores (such as AWS Secrets Manager, Azure Key Vault, etc.) and ensures that they are kept up to date in your Kubernetes clusters.

Below is a Pulumi program written in TypeScript that demonstrates how you might define an External Secret in Kubernetes. It assumes that you have already installed the External Secrets Operator in your cluster. The program defines a Kubernetes Secret resource that is to be populated with data from an external source.
Explanation
- Kubernetes Secret: This is a Kubernetes resource that stores sensitive data, such as passwords or OAuth tokens. In this program, instead of putting secrets directly into the resource definition, we refer to an external source managed by the External Secrets Operator.
- External Secrets Operator: It reads information from external secret management systems (like AWS Secrets Manager, GCP Secret Manager, etc.) and automates the creation of Kubernetes Secrets.
- Pulumi Kubernetes Provider: We use the Pulumi Kubernetes Provider to interact with our Kubernetes cluster and define the resources.
Pulumi Program
```typescript
import * as k8s from "@pulumi/kubernetes";

// Define a Kubernetes Secret resource that refers to an external secret
const externalSecret = new k8s.core.v1.Secret("externalSecret", {
    // Secret metadata and name
    metadata: {
        name: "my-external-secret",
        // Annotation to specify the use of an external secret.
        // You must first install the External Secrets Operator for this to work.
        // It should point to the external secret definition that the operator will use
        // to fetch and sync the secrets. (Annotations live under `metadata`;
        // `SecretArgs` has no top-level `annotations` field.)
        annotations: {
            "external-secrets.io/generator": "lemonade.com",
        },
    },
    // This `type` can differ based on the kind of secret you're managing
    type: "Opaque", // This is a standard type for generic secret data
});

// To successfully deploy this external secret, you would typically also need to
// define an ExternalSecret resource that tells the External Secrets Operator where
// to source the secret from. The exact details depend on your secret manager of choice,
// and you must have the External Secrets Operator installed in your cluster.

// Export the name of the secret
export const externalSecretName = externalSecret.metadata.name;
```
What this program does:
- It creates a Kubernetes Secret with an annotations field. This annotation indicates that the actual secret values should be fetched by the External Secrets Operator from a specified generator.
- It sets the secret type to Opaque, which is used for secrets that contain arbitrary data.
After deploying this program:
You can refer to the generated secret in your Kubernetes workloads by using the secret name my-external-secret. Since it is managed externally, any change to the external secret value is propagated into the Kubernetes Secret by the operator.

Remember, for the above Pulumi program to work, the External Secrets Operator must already be installed and configured in your Kubernetes cluster to watch for Secrets carrying the external-secrets.io/generator annotation and to know how to fetch secrets from generators.external-secrets.io.

Make sure to consult the documentation and configuration specifics of the External Secrets Operator and your external secret store to ensure that you have the necessary roles, permissions, and settings in place for the Operator to access and synchronize the secrets you define.
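The Secret above only carries an annotation; the operator itself acts on its own custom resources. As an added example (not code from the original page, Pulumi, or the External Secrets project), the TypeScript below builds the two manifests that pair a generators.external-secrets.io generator with an ExternalSecret: a Password generator (apiVersion generators.external-secrets.io/v1alpha1) and an ExternalSecret (apiVersion external-secrets.io/v1beta1) whose dataFrom entry uses a generatorRef. It also includes a pre-deploy check that the reference resolves, since a dangling generatorRef leaves the ExternalSecret in a sync-error state and the target Secret is never written. The resource names, namespace, password sizing and refresh interval are assumptions chosen for the example.

```typescript
// Added example: ESO generator + ExternalSecret manifests built as plain typed objects,
// plus a reference check. Resource names/namespaces below are assumptions.

export interface PasswordGenerator {
  apiVersion: "generators.external-secrets.io/v1alpha1";
  kind: "Password";
  metadata: { name: string; namespace: string };
  spec: {
    length: number;           // total characters
    digits: number;           // minimum digits
    symbols: number;          // minimum symbols
    symbolCharacters: string; // symbol alphabet
    noUpper: boolean;
    allowRepeat: boolean;
  };
}

export interface GeneratorRef { apiVersion: string; kind: string; name: string }

export interface ExternalSecretManifest {
  apiVersion: "external-secrets.io/v1beta1";
  kind: "ExternalSecret";
  metadata: { name: string; namespace: string };
  spec: {
    refreshInterval: string;                        // Go duration, "0" = sync once
    target: { name: string; creationPolicy: "Owner" }; // operator owns the Secret
    dataFrom: { sourceRef: { generatorRef: GeneratorRef } }[];
  };
}

// A generator that produces a random password; `digits`/`symbols` are minimum counts.
export function passwordGenerator(name: string, namespace: string, length = 32): PasswordGenerator {
  if (length < 16) throw new Error(`password length ${length} is below the 16-char floor used here`);
  return {
    apiVersion: "generators.external-secrets.io/v1alpha1",
    kind: "Password",
    metadata: { name, namespace },
    spec: { length, digits: 4, symbols: 4, symbolCharacters: "-_$@", noUpper: false, allowRepeat: true },
  };
}

// An ExternalSecret fed by the generator instead of a SecretStore. A generator has no
// backing store, so every refresh yields a NEW value: refreshInterval doubles as the
// rotation period, and consumers must tolerate the Secret changing under them.
export function externalSecretFromGenerator(
  name: string, namespace: string, gen: PasswordGenerator, refreshInterval = "720h",
): ExternalSecretManifest {
  return {
    apiVersion: "external-secrets.io/v1beta1",
    kind: "ExternalSecret",
    metadata: { name, namespace },
    spec: {
      refreshInterval,
      target: { name, creationPolicy: "Owner" },
      dataFrom: [{ sourceRef: { generatorRef: {
        apiVersion: gen.apiVersion, kind: gen.kind, name: gen.metadata.name,
      } } }],
    },
  };
}

// Pre-deploy check: each generatorRef is resolved in the ExternalSecret's own namespace
// and must match a generator's apiVersion/kind/name; refreshInterval must parse as a
// duration. Returns a list of problems (empty means the pair is consistent).
export function findRefProblems(es: ExternalSecretManifest, gens: PasswordGenerator[]): string[] {
  const problems: string[] = [];
  es.spec.dataFrom.forEach((entry, i) => {
    const ref = entry.sourceRef.generatorRef;
    const match = gens.find(g => g.metadata.name === ref.name && g.metadata.namespace === es.metadata.namespace);
    if (!match) {
      problems.push(`dataFrom[${i}]: no generator '${ref.name}' in namespace '${es.metadata.namespace}'`);
      return;
    }
    if (match.apiVersion !== ref.apiVersion || match.kind !== ref.kind) {
      problems.push(`dataFrom[${i}]: generatorRef ${ref.apiVersion}/${ref.kind} does not match ${match.apiVersion}/${match.kind}`);
    }
  });
  if (!/^(0|(\d+(ns|us|ms|s|m|h))+)$/.test(es.spec.refreshInterval)) {
    problems.push(`refreshInterval '${es.spec.refreshInterval}' is not a valid duration`);
  }
  return problems;
}

// Usage (constructed names): build both manifests, check them, then hand each object to
// Pulumi as `new k8s.apiextensions.CustomResource("db-password", manifest)`.
export const exampleGenerator = passwordGenerator("db-password", "apps");
export const exampleExternalSecret = externalSecretFromGenerator("db-credentials", "apps", exampleGenerator);
```

In the Pulumi program each returned object is passed unchanged as the args of `k8s.apiextensions.CustomResource`, which is how Pulumi creates instances of CRDs such as ExternalSecret without a generated SDK type. The generated Secret is then consumed by workloads under the target name (`db-credentials` in the example), exactly as the page describes for `my-external-secret`.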