Using kubernetes secrets-store.csi.x-k8s.io with node.k8s.io
Using the Kubernetes Secrets Store CSI driver with your Kubernetes cluster involves several steps, including setting up the necessary CustomResourceDefinitions (CRDs), deploying the CSI driver, and creating a SecretProviderClass object that defines how secrets should be retrieved.
The Secrets Store CSI driver is an interface that enables Kubernetes pods to mount secrets stored in external secrets stores into the pod's filesystem as a volume. This means that sensitive information such as database credentials, OAuth tokens, and SSH keys can be managed outside of Kubernetes, in systems designed specifically for secure secret storage, and can be consumed by your applications running within Kubernetes.
Here's a step-by-step guide to setting up and using the `secrets-store.csi.x-k8s.io` driver with `node.k8s.io` using Pulumi and the Kubernetes provider.

Step 1: Setting Up Prerequisites
Before starting, ensure that you have the following prerequisites set up:
- A running Kubernetes cluster.
- The `kubectl` command-line tool, configured to communicate with your cluster.
- Pulumi CLI, with the appropriate Kubernetes configurations to deploy resources to your cluster.
Step 2: Installing the Kubernetes Provider
To use Kubernetes resources in your Pulumi TypeScript program, you need to install the Kubernetes provider. You do so by defining it in your `package.json` file or by running the following command in your project directory:

```shell
npm install @pulumi/kubernetes
```
Step 3: Writing the Pulumi Program
Now we'll write a Pulumi program to deploy the Secrets Store CSI driver and configure a SecretProviderClass in TypeScript. Please note that the code below assumes that the CSI driver and associated components are available for deployment in your cluster's environment.
```typescript
import * as k8s from "@pulumi/kubernetes";

// Create a namespace for the Secrets Store CSI driver resources
const namespace = new k8s.core.v1.Namespace("csi-secrets-store", {
    metadata: {
        name: "csi-secrets-store",
    },
});

// Deploy the Secrets Store CSI driver using a pre-defined YAML manifest or Helm chart.
// The example below assumes a Helm chart is available for the CSI driver.
const csiSecretsStoreDriver = new k8s.helm.v3.Chart("csi-secrets-store-driver", {
    chart: "secrets-store-csi-driver",
    version: "0.0.20", // Specify the desired chart version
    namespace: namespace.metadata.name,
    fetchOpts: {
        repo: "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts",
    },
}, { dependsOn: namespace });

// Create a SecretProviderClass resource which specifies how the secrets should be retrieved.
const secretProviderClass = new k8s.apiextensions.CustomResource("my-secret-provider-class", {
    apiVersion: "secrets-store.csi.x-k8s.io/v1alpha1",
    kind: "SecretProviderClass",
    metadata: {
        name: "my-provider",
        namespace: namespace.metadata.name,
    },
    spec: {
        provider: "azure", // Replace with your provider, e.g., Azure, GCP, AWS, or Vault.
        secretObjects: [{
            secretName: "my-k8s-secret",
            type: "Opaque",
            data: [{
                objectName: "my-secret",
                key: "username",
            }, {
                objectName: "my-secret",
                key: "password",
            }],
        }],
        // Additional provider-specific parameters go here.
    },
}, { dependsOn: [csiSecretsStoreDriver, namespace] });

export const secretProviderClassName = secretProviderClass.metadata.name;
```
Explanation:
- We begin by importing the necessary Pulumi Kubernetes package.
- A dedicated namespace `csi-secrets-store` is created to organize all resources related to the CSI driver.
- The CSI driver is deployed using a Helm chart, with version `0.0.20` assumed to be the desired version.
- The `SecretProviderClass` is a critical resource that tells the CSI driver how to retrieve secrets. You'll need to customize the `provider` and `spec` sections according to your secrets provider (like Azure Key Vault, Google Secret Manager, AWS Secrets Manager, or HashiCorp Vault).
- Lastly, we're exporting the name of the `SecretProviderClass` that you could use elsewhere or obtain from the Pulumi stack outputs.
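The program above creates the `SecretProviderClass` but does not show a pod consuming it. The following is an added example, not code from the page or from Pulumi: it builds plain Kubernetes manifest objects (no Pulumi runtime is required, so it also runs stand-alone) for a pod that mounts the `my-provider` class through the `secrets-store.csi.x-k8s.io` driver and reads the `username` and `password` keys from the synced `my-k8s-secret`, and it includes a small lint function that flags the configuration mistakes the driver rejects or that weaken the setup. The environment variable names `DB_USERNAME` and `DB_PASSWORD`, the mount path `/mnt/secrets-store`, the volume name `secrets-store-inline` and the placeholder image are assumptions chosen for this example.

```typescript
// Added example (not from the page): plain Kubernetes manifest objects for a pod
// that consumes a SecretProviderClass, plus a lint for the CSI volume settings.
// With Pulumi you would pass the returned spec to `new k8s.core.v1.Pod(...)`.

const CSI_DRIVER = "secrets-store.csi.x-k8s.io";

interface CsiVolume {
  name: string;
  csi: {
    driver: string;
    readOnly?: boolean;
    volumeAttributes?: { [key: string]: string };
  };
}

interface VolumeMount { name: string; mountPath: string; readOnly?: boolean; }

interface EnvVar {
  name: string;
  valueFrom?: { secretKeyRef: { name: string; key: string } };
}

interface Container { name: string; image: string; volumeMounts: VolumeMount[]; env?: EnvVar[]; }

interface PodSpec { containers: Container[]; volumes: CsiVolume[]; }

// Build a pod spec that mounts the secrets exposed by `spcName` at /mnt/secrets-store
// and, because the SecretProviderClass on the page declares secretObjects, also reads
// the synced Kubernetes Secret (`syncedSecretName`, "my-k8s-secret" on the page).
// Names DB_USERNAME/DB_PASSWORD, the mount path and the image are assumptions.
function buildSecretsStorePodSpec(spcName: string, syncedSecretName: string): PodSpec {
  return {
    containers: [{
      name: "app",
      image: "nginx", // placeholder image for the example
      volumeMounts: [{ name: "secrets-store-inline", mountPath: "/mnt/secrets-store", readOnly: true }],
      env: [
        { name: "DB_USERNAME", valueFrom: { secretKeyRef: { name: syncedSecretName, key: "username" } } },
        { name: "DB_PASSWORD", valueFrom: { secretKeyRef: { name: syncedSecretName, key: "password" } } },
      ],
    }],
    volumes: [{
      name: "secrets-store-inline",
      csi: {
        driver: CSI_DRIVER,
        readOnly: true, // the Secrets Store CSI driver only supports read-only mounts
        volumeAttributes: { secretProviderClass: spcName },
      },
    }],
  };
}

// Lint: return a list of problems found in the secrets-store volumes of a pod spec.
// An empty list means every CSI volume is read-only, names a SecretProviderClass,
// and is mounted read-only by every container that uses it.
function lintSecretsStoreVolumes(spec: PodSpec): string[] {
  const problems: string[] = [];
  for (const vol of spec.volumes) {
    if (vol.csi.driver !== CSI_DRIVER) continue; // only inspect secrets-store volumes
    if (vol.csi.readOnly !== true) {
      problems.push(`volume ${vol.name}: csi.readOnly must be true`);
    }
    const spc = vol.csi.volumeAttributes?.secretProviderClass;
    if (!spc) {
      problems.push(`volume ${vol.name}: volumeAttributes.secretProviderClass is missing`);
    }
    for (const c of spec.containers) {
      for (const m of c.volumeMounts) {
        if (m.name === vol.name && m.readOnly !== true) {
          problems.push(`container ${c.name}: mount of ${vol.name} should be readOnly`);
        }
      }
    }
  }
  return problems;
}
```

Two points worth keeping in mind when wiring this up: the `SecretProviderClass` and the pod must be in the same namespace, and the synced `my-k8s-secret` is only created once a pod that mounts the CSI volume is scheduled, so workloads that rely on the `secretKeyRef` environment variables without mounting the volume will not find the Secret. Once synced, the Secret is stored in the cluster like any other Kubernetes Secret, so `secretObjects` trades the isolation of the external store for convenience; RBAC on Secrets in that namespace still applies.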
This is a general layout to get you started. You will need to adjust details based on your specific environment, secrets provider configurations, and values for secrets you desire to manage. Always refer to the official secrets-store-csi-driver documentation for specific details about deploying and configuring the CSI driver and SecretProviderClass for your chosen secrets management platform.