Using Kubernetes secrets-store.csi.x-k8s.io with spinnaker.io
To use Kubernetes secrets stored via secrets-store.csi.x-k8s.io in Spinnaker for managing applications and pipelines, you can follow these general steps. The approach creates Kubernetes secrets through the CSI driver, which Spinnaker can then reference.
How It Works
- Install the CSI Secrets Store Driver: Ensure the CSI Secrets Store Driver is installed in your Kubernetes cluster. This driver allows Kubernetes to mount secrets from external secrets stores as volumes that your applications can read.
- Create a SecretProviderClass: Create a SecretProviderClass that references the external secrets store you are using (Azure Key Vault, AWS Secrets Manager, etc.). This class defines how secrets should be retrieved.
- Mount the secrets into a pod: Mount the secrets as a CSI volume in your Kubernetes pod. The CSI driver reads the SecretProviderClass, fetches the secrets, and makes them available to the pod as files in that volume.
- Reference the secrets in Spinnaker: Configure Spinnaker to read the files from the mounted volume and use them in your deployments or pipeline definitions.
Now let's dive into how you can define a Kubernetes Secret in Pulumi TypeScript which uses the CSI driver.
Pulumi TypeScript Program
In this program, we'll set up the resources assuming the CSI driver is already installed and configured in your Kubernetes cluster.
```typescript
import * as kubernetes from "@pulumi/kubernetes";

// Provider for the target cluster. With no explicit kubeconfig, the Pulumi
// Kubernetes provider falls back to the ambient kubeconfig and context.
const kubeProvider = new kubernetes.Provider("kubeProvider", {
    // kubeconfig: "<contents or path of your kubeconfig>",
});

// Define a SecretProviderClass, the custom resource the CSI driver reads to
// learn where and how to fetch the secrets.
const secretProviderClass = new kubernetes.apiextensions.CustomResource("my-secret-provider-class", {
    apiVersion: "secrets-store.csi.x-k8s.io/v1",
    kind: "SecretProviderClass",
    metadata: {
        name: "my-secret-provider",
    },
    spec: {
        provider: "azure", // Change this to the provider you're using
        parameters: {
            usePodIdentity: "false",
            // Specify the remaining parameters for your secrets provider here.
            // For Azure Key Vault these include keyvaultName, tenantId and the
            // objects list naming each vault object to fetch.
        },
        // Mirror the mounted files into a Kubernetes Secret. The driver only
        // creates this Secret once a pod actually mounts the CSI volume.
        secretObjects: [{
            secretName: "my-k8s-secret",
            type: "Opaque",
            data: [{
                objectName: "secret1", // References a secret from the external secrets provider
                key: "username",
            }, {
                objectName: "secret2",
                key: "password",
            }],
        }],
    },
}, { provider: kubeProvider });

// Output the name of the SecretProviderClass
export const secretProviderClassName = secretProviderClass.metadata.name;
```
Explanation:
- The secretProviderClass resource is a custom resource provided by the CSI driver. It defines where the actual secrets are fetched from.
- We specify provider as "azure", assuming you're using Azure Key Vault; adjust accordingly for other secret stores.
- The spec.secretObjects attribute mirrors the secrets from the external secrets store into Kubernetes Secret objects. Note that such a synced Secret is an ordinary Kubernetes Secret stored in the cluster, and the driver creates it only after a pod mounts the corresponding CSI volume.
- Replace each objectName with the actual secret name you wish to reference from the external secrets store.
- The exported secretProviderClassName allows you to reference this resource from other parts of your infrastructure code.
Using the Secret in Spinnaker
To use the Kubernetes secrets in Spinnaker, you'll need to configure Spinnaker to access these mounted secrets. Typically, this involves modifying your Spinnaker service deployment to include volumes that mount the secrets from the volume provided by the CSI driver, and pointing your Spinnaker configuration to these mounted paths.
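The pod-side wiring the previous paragraph describes, as an added example that is not part of the original page or Pulumi's own code: it builds the CSI volume, the read-only mount and the env references to the synced Secret for the names used in the program above, checks them before use, and returns a pod spec you would pass as spec.template.spec to a Pulumi kubernetes.apps.v1.Deployment. The container name, image and mount path are placeholders.

```typescript
// Added example, not from the original page. Names "my-secret-provider" and
// "my-k8s-secret" match the SecretProviderClass above; the container name,
// image and mount path are assumed placeholders.
const CSI_DRIVER = "secrets-store.csi.x-k8s.io";
interface CsiVolume { name: string; csi: { driver: string; readOnly: boolean; volumeAttributes: { secretProviderClass: string } } }
interface CsiWiring {
  volumes: CsiVolume[];
  volumeMounts: { name: string; mountPath: string; readOnly: boolean }[];
  env: { name: string; valueFrom: { secretKeyRef: { name: string; key: string } } }[];
}
// Volume, mount and env entries for one SecretProviderClass and its synced Secret.
function csiWiring(spcName: string, syncedSecret: string, keys: string[],
                   mountPath = "/mnt/secrets-store"): CsiWiring {
  return {
    // The driver resolves the SecretProviderClass by name when the pod starts.
    volumes: [{ name: "secrets-store", csi: { driver: CSI_DRIVER, readOnly: true,
      volumeAttributes: { secretProviderClass: spcName } } }],
    // Each fetched object becomes a file under mountPath.
    volumeMounts: [{ name: "secrets-store", mountPath, readOnly: true }],
    // The synced Secret exists only after this pod mounts the volume, so the
    // env references must live on the same pod that carries the CSI volume.
    env: keys.map(k => ({ name: k.toUpperCase(),
      valueFrom: { secretKeyRef: { name: syncedSecret, key: k } } })),
  };
}
// Pre-apply checks: expected driver, read-only volume and mount, class named.
function validateWiring(w: CsiWiring): string[] {
  const problems: string[] = [];
  for (const v of w.volumes) {
    if (v.csi.driver !== CSI_DRIVER) problems.push(`${v.name}: unexpected driver ${v.csi.driver}`);
    if (!v.csi.readOnly) problems.push(`${v.name}: CSI volume must be readOnly`);
    if (!v.csi.volumeAttributes.secretProviderClass) problems.push(`${v.name}: missing secretProviderClass`);
  }
  for (const m of w.volumeMounts) if (!m.readOnly) problems.push(`${m.name}: mount must be readOnly`);
  return problems;
}
// Pod spec wired to the SecretProviderClass and Secret names used above.
function buildPodSpec() {
  const w = csiWiring("my-secret-provider", "my-k8s-secret", ["username", "password"]);
  const problems = validateWiring(w);
  if (problems.length) throw new Error(problems.join("; "));
  return {
    containers: [{ name: "app", image: "placeholder/image:latest", // assumed placeholder
      env: w.env, volumeMounts: w.volumeMounts }],
    volumes: w.volumes,
  };
}
```

The SecretProviderClass is namespaced, so it must live in the same namespace as the pod that mounts it.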
Please note that the above Pulumi code gives a starting point for provisioning a SecretProviderClass, which Spinnaker will then need to be configured to use. The details of configuring Spinnaker to use Kubernetes secrets are beyond the scope of this Pulumi program and require direct changes to your Spinnaker configuration files. Refer to the Spinnaker documentation on how to configure secrets for this part.
The Pulumi program above will get you started with creating Kubernetes secrets using the CSI secrets store. Integrating them with Spinnaker requires additional steps specific to your Spinnaker setup and how it accesses Kubernetes resources.