Using kubernetes secrets-store.csi.x-k8s.io with secrets.doppler.com
The goal you're looking to achieve is to use Kubernetes with the `secrets-store.csi.x-k8s.io` driver alongside `secrets.doppler.com`. Integrating an external secrets manager such as Doppler with the Kubernetes Secrets Store CSI Driver lets you inject secrets into your Kubernetes pods securely and automatically.

To accomplish this, there are several steps and resources you will need:
- Secret Provider Class: This Kubernetes custom resource, used by the Secrets Store CSI Driver, tells the driver where to retrieve secrets from. It defines the provider to use (Doppler, in this case) and the configuration for that provider.
- Kubernetes Secret: This is a Kubernetes-native resource that securely stores sensitive data such as passwords, OAuth tokens and SSH keys. You'd typically create a Kubernetes Secret to hold data retrieved by the CSI driver from Doppler.
- Pod: This is the smallest deployable unit in Kubernetes that encapsulates your application workload. Your pod definition will reference the Secret Provider Class and Kubernetes Secret.
The following Pulumi TypeScript program will set up a Kubernetes Secret using the `secrets-store.csi.x-k8s.io` driver and secrets from Doppler:

```typescript
import * as k8s from "@pulumi/kubernetes";

// Configuration for connecting to Doppler
const dopplerProviderSpec: k8s.apiextensions.CustomResourceArgs = {
    apiVersion: "secrets-store.csi.x-k8s.io/v1",
    kind: "SecretProviderClass",
    metadata: {
        name: "doppler-secrets-provider", // Name of the SecretProviderClass
    },
    spec: {
        provider: "doppler", // Set to Doppler provider
        parameters: {
            // Doppler-specific parameters can be added here
            // Consult the Doppler CSI driver documentation for the parameters it supports
            // For example, you might define an 'apiToken' parameter if supported and required
            // apiToken: "your-doppler-api-token",
            // Avoid placing a real token here: a SecretProviderClass is an ordinary custom
            // resource, not a Secret, so its contents are stored unencrypted unless etcd
            // encryption is enabled. Prefer nodePublishSecretRef on the pod volume below.
        },
        // To have the driver mirror fetched secrets into a Kubernetes Secret, declare them
        // under `secretObjects` here; without it, only the mounted volume receives secrets.
    },
};

// Creating SecretProviderClass resource
const secretProviderClass = new k8s.apiextensions.CustomResource(
    "doppler-secret-provider-class",
    dopplerProviderSpec
);

// Create a Kubernetes Secret to hold data retrieved by the CSI driver
const secret = new k8s.core.v1.Secret("my-app-secret", {
    metadata: {
        name: "my-app-secret", // Name of the Kubernetes Secret
    },
    type: "Opaque", // "Opaque" indicates arbitrary user-defined data
    // Note: no `data` is defined here. The CSI driver only writes into this Secret if the
    // SecretProviderClass lists it under `secretObjects` and the driver's secret sync is enabled.
});

// Pod definition that uses the SecretProviderClass and the Kubernetes Secret
const pod = new k8s.core.v1.Pod("my-app-pod", {
    metadata: { name: "my-app" },
    spec: {
        containers: [
            {
                name: "my-app",
                image: "my-app-image", // Replace with the actual image you want to use
                envFrom: [
                    {
                        secretRef: {
                            name: secret.metadata.name, // Reference to the Kubernetes Secret created above
                        },
                    },
                ],
                // The CSI volume must be mounted by a container; kubelet skips volumes that
                // no container mounts, so the driver would never be asked to fetch anything
                volumeMounts: [
                    {
                        name: "secrets-store-inline",
                        mountPath: "/mnt/secrets-store",
                        readOnly: true,
                    },
                ],
                // Other container configuration...
            },
        ],
        // Additional pod spec details...
        volumes: [
            {
                name: "secrets-store-inline",
                csi: {
                    driver: "secrets-store.csi.k8s.io",
                    readOnly: true,
                    volumeAttributes: {
                        secretProviderClass: secretProviderClass.metadata.name,
                    },
                    // Optional: Define nodePublishSecretRef if the CSI driver requires credentials to communicate with Doppler
                    // nodePublishSecretRef: {
                    //     name: "csi-driver-secret",
                    // },
                },
            },
        ],
    },
});

// Export the name of the pod
export const podName = pod.metadata.name;
```
This program will:
- Define the `SecretProviderClass` that tells the `secrets-store.csi.k8s.io` driver to retrieve secrets from Doppler.
- Create an empty Kubernetes `Secret` resource that will later be populated by the CSI driver.
- Define a `Pod` that has a container using the defined secret.
Note that you will need to replace `"my-app-image"` with the proper image for your application, and you'll need to configure the parameters of `dopplerProviderSpec` according to the specification of Doppler's CSI driver.

Before applying this program, ensure you have the Secrets Store CSI Driver installed in your cluster, in a version compatible with the Doppler secret provider.
Assuming you have already set up Pulumi and have access to a Kubernetes cluster, this program can be deployed with `pulumi up`. The program doesn't include Doppler-specific configuration details such as an API token or any other authentication mechanism required to fetch the secrets; those must be provided according to the Doppler provider's documentation for the Kubernetes Secrets Store CSI Driver.