1. Using kubernetes secrets-store.csi.x-k8s.io with spinnaker.io


    To use Kubernetes secrets stored via secrets-store.csi.x-k8s.io in Spinnaker for managing applications and pipelines, you can follow these general steps. It involves creating Kubernetes secrets using the CSI driver, which Spinnaker can then reference.

    How It Works

    1. Install CSI Secret Store Driver: Ensure the CSI Secrets Store Driver is installed in your Kubernetes cluster. This driver allows Kubernetes to mount multiple secrets stores as volumes that can be used by your applications.

    2. Create Kubernetes Secret Provider Class: Create a SecretProviderClass that references the external secrets store you are using (like Azure Key Vault, AWS Secrets Manager, etc.). This class defines how secrets should be retrieved.

    3. Create Kubernetes Secret: Mount the secrets as volumes in your Kubernetes pod. The CSI driver reads the SecretProviderClass and fetches the secrets, which are then made available to the pod as files in a volume.

    4. Reference Secrets in Spinnaker: Configure Spinnaker to read the files from the mounted volume and use them in your deployments or pipeline definitions.

    Now let's dive into how you can define a Kubernetes Secret in Pulumi TypeScript which uses the CSI driver.

    Pulumi TypeScript Program

    In this program, we'll set up the resources assuming the CSI driver is already installed and configured in your Kubernetes cluster.

```typescript
import * as kubernetes from "@pulumi/kubernetes";

// The Kubernetes provider the resource is created through. With no arguments it
// uses the ambient kubeconfig; pass `kubeconfig` (or other provider arguments)
// to point it at your cluster explicitly.
const kubeProvider = new kubernetes.Provider("kube-provider", {});

// Define a SecretProviderClass, the CSI driver's custom resource that tells it
// where to fetch the secrets from.
const secretProviderClass = new kubernetes.apiextensions.CustomResource("my-secret-provider-class", {
    apiVersion: "secrets-store.csi.x-k8s.io/v1",
    kind: "SecretProviderClass",
    metadata: {
        name: "my-secret-provider",
    },
    spec: {
        provider: "azure", // Change this to the provider you're using
        parameters: {
            usePodIdentity: "false",
            // Specify parameters for your secrets provider. The Azure provider also
            // requires keyvaultName, tenantId and an `objects` list naming the Key
            // Vault objects to mount; the values below are placeholders.
            keyvaultName: "<your-key-vault-name>",
            tenantId: "<your-tenant-id>",
            objects: `array:
              - |
                objectName: secret1
                objectType: secret
              - |
                objectName: secret2
                objectType: secret`,
        },
        // Mirror the mounted objects into a Kubernetes Secret. The driver creates
        // this Secret only once a pod mounts the CSI volume.
        secretObjects: [{
            secretName: "my-k8s-secret",
            type: "Opaque",
            data: [{
                objectName: "secret1", // References a secret from the external secrets provider
                key: "username",
            }, {
                objectName: "secret2",
                key: "password",
            }],
        }],
    },
}, { provider: kubeProvider });

// Output the name of the SecretProviderClass
export const secretProviderClassName = secretProviderClass.metadata.name;
```

    Explanation:

    • The secretProviderClass resource is a custom resource provided by the CSI driver. It defines where to fetch the actual secrets from.
    • We specify provider as "azure" assuming you're using Azure Key Vault; adjust accordingly for other secret stores.
    • The spec.secretObjects attribute mirrors the secrets from the external secrets store into Kubernetes Secret objects. The driver creates and updates these Secret objects only when a pod mounts the CSI volume, so a workload that references the synced Secret without mounting the volume will not find it.
    • Replace objectName with the actual secret names you wish to reference from the external secrets store.
    • The exported secretProviderClassName allows you to reference this within other parts of your infrastructure code.

    Using the Secret in Spinnaker

    To use the Kubernetes secrets in Spinnaker, you'll need to configure Spinnaker to access these mounted secrets. Typically, this involves modifying your Spinnaker service deployment to add a volume backed by the CSI driver, mounting it read-only into the service's containers, and pointing your Spinnaker configuration at those mounted paths.
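    As an added example (not code from the original page, Pulumi or Spinnaker), the pod-level half of that wiring in plain TypeScript: `csiVolume` builds the secrets-store CSI volume, and `lintPodSpec` catches the configuration that most often leaves such a pod stuck, an env var reading the synced Secret while no container actually mounts the volume, since the driver creates the Secret only on mount. Helper names, the image and the mount path are assumptions; the objects are the Kubernetes API shapes that `kubernetes.apps.v1.Deployment` accepts under `spec.template.spec`.

```typescript
// Added example (not Pulumi's or Spinnaker's code). No Pulumi SDK is imported so the shapes
// can be linted offline; they are the Kubernetes API shapes kubernetes.apps.v1.Deployment accepts.
export const CSI_DRIVER = "secrets-store.csi.k8s.io";
type KeyRef = { name: string; key: string };
type Container = { name: string; image: string;
  volumeMounts?: { name: string; mountPath: string; readOnly: boolean }[];
  env?: { name: string; valueFrom: { secretKeyRef: KeyRef } }[] };
type Csi = { driver: string; readOnly: boolean; volumeAttributes: Record<string, string> };
type PodSpec = { containers: Container[]; volumes: { name: string; csi?: Csi }[] };
type SecretObject = { secretName: string; type: string; data: { objectName: string; key: string }[] };
// A read-only volume backed by the secrets-store CSI driver (hypothetical helper name).
export function csiVolume(name: string, secretProviderClass: string) {
  return { name, csi: { driver: CSI_DRIVER, readOnly: true, volumeAttributes: { secretProviderClass } } };
}
// Reports what leaves the pod stuck: a CSI volume no container mounts (the driver only
// syncs secretObjects on mount), a writable CSI mount, or an env var naming a key that
// the SecretProviderClass does not export into the Secret.
export function lintPodSpec(pod: PodSpec, secretObjects: SecretObject[]): string[] {
  const problems: string[] = [];
  for (const v of pod.volumes) {
    if (!v.csi || v.csi.driver !== CSI_DRIVER) continue;
    if (!v.csi.readOnly) problems.push(`volume ${v.name}: CSI secrets volume must be readOnly`);
    if (!pod.containers.some(c => (c.volumeMounts ?? []).some(m => m.name === v.name)))
      problems.push(`volume ${v.name}: declared but never mounted, secretObjects will not sync`);
  }
  const synced = new Map<string, Set<string>>();
  for (const s of secretObjects) synced.set(s.secretName, new Set(s.data.map(d => d.key)));
  for (const c of pod.containers) for (const e of c.env ?? []) {
    const keys = synced.get(e.valueFrom.secretKeyRef.name);
    if (keys && !keys.has(e.valueFrom.secretKeyRef.key))
      problems.push(`env ${e.name}: key ${e.valueFrom.secretKeyRef.key} is not in secretObjects`);
  }
  return problems;
}
// Constructed sample matching the SecretProviderClass above; image and mount path are placeholders.
export const SECRET_OBJECTS: SecretObject[] = [{ secretName: "my-k8s-secret", type: "Opaque",
  data: [{ objectName: "secret1", key: "username" }, { objectName: "secret2", key: "password" }] }];
const fromSecret = (name: string, key: string) => ({ name, valueFrom: { secretKeyRef: { name: "my-k8s-secret", key } } });
// Broken: env reads the synced Secret but nothing mounts the CSI volume, so the Secret never exists.
export const brokenPod: PodSpec = {
  containers: [{ name: "svc", image: "example/spinnaker-service:latest",
    env: [fromSecret("DB_USER", "username"), fromSecret("DB_TOKEN", "token")] }],
  volumes: [csiVolume("secrets-store", "my-secret-provider")] };
// Fixed: a read-only mount triggers the sync, and env only references exported keys.
export const fixedPod: PodSpec = {
  containers: [{ name: "svc", image: "example/spinnaker-service:latest",
    volumeMounts: [{ name: "secrets-store", mountPath: "/mnt/secrets-store", readOnly: true }],
    env: [fromSecret("DB_USER", "username"), fromSecret("DB_PASS", "password")] }],
  volumes: [csiVolume("secrets-store", "my-secret-provider")] };
```

    Running `lintPodSpec` against the rendered pod spec before `pulumi up` turns a pod stuck in CreateContainerConfigError into a build-time message.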

    Please note, the above Pulumi code gives a starting point for provisioning a SecretProviderClass, which Spinnaker will then need to be configured to use. The details of configuring Spinnaker to use Kubernetes secrets are beyond the scope of this Pulumi program and require direct changes to your Spinnaker configuration files. Refer to the Spinnaker documentation on how to configure secrets for this part.

    The Pulumi program above will get you started with creating Kubernetes secrets using the CSI secrets-store. Integrating these with Spinnaker would require additional steps specific to your Spinnaker setup and how it accesses Kubernetes resources.