1. Using kubernetes secrets-store.csi.x-k8s.io with node.k8s.io

    TypeScript

    Using the Kubernetes Secrets Store CSI driver with your Kubernetes cluster involves several steps, including setting up the necessary CustomResourceDefinitions (CRDs), deploying the CSI driver, and creating a SecretProviderClass object that defines how secrets should be retrieved.

    The Secrets Store CSI driver lets Kubernetes pods mount secrets held in external secret stores into the pod's filesystem as a volume. The driver itself is store-agnostic: a provider plugin (Azure Key Vault, AWS Secrets Manager, Google Secret Manager, HashiCorp Vault) does the actual retrieval and is installed separately from the driver. This means that sensitive information such as database credentials, OAuth tokens, and SSH keys can be managed outside of Kubernetes, in systems designed specifically for secure secret storage, and consumed by your applications running within Kubernetes without first being copied into a Kubernetes Secret.

    Here's a step-by-step guide to deploying the Secrets Store CSI driver (API group secrets-store.csi.x-k8s.io) and a SecretProviderClass with Pulumi and its Kubernetes provider.

    Step 1: Setting Up Prerequisites

    Before starting, ensure that you have the following prerequisites set up:

    • A running Kubernetes cluster.
    • The kubectl command-line tool, configured to communicate with your cluster.
    • Pulumi CLI, with the appropriate Kubernetes configurations to deploy resources to your cluster.

    Step 2: Installing the Kubernetes Provider

    To use Kubernetes resources in your Pulumi TypeScript program, you need to install the Kubernetes provider. You do so by defining it in your package.json file or by running the following command in your project directory:

    npm install @pulumi/kubernetes

    Step 3: Writing the Pulumi Program

    Now we'll write a Pulumi program to deploy the Secrets Store CSI driver and configure a SecretProviderClass in TypeScript. Please note that the code below assumes the Helm chart is reachable from your cluster's environment and that the provider plugin for your secret store is deployed separately. The SecretProviderClass only describes how to fetch secrets; nothing is mounted until a pod in the same namespace references it through a secrets-store.csi.k8s.io volume.

    import * as k8s from "@pulumi/kubernetes";

    // Create a namespace for the Secrets Store CSI driver resources.
    const namespace = new k8s.core.v1.Namespace("csi-secrets-store", {
        metadata: {
            name: "csi-secrets-store",
        },
    });

    // Deploy the Secrets Store CSI driver using its Helm chart.
    // The chart installs the CRDs (including SecretProviderClass) and the driver DaemonSet;
    // the provider plugin (azure, aws, gcp, vault, ...) is a separate install.
    const csiSecretsStoreDriver = new k8s.helm.v3.Chart("csi-secrets-store-driver", {
        chart: "secrets-store-csi-driver",
        version: "0.0.20", // Pin the chart version you have validated against your cluster.
        namespace: namespace.metadata.name,
        fetchOpts: {
            repo: "https://raw.githubusercontent.com/kubernetes-sigs/secrets-store-csi-driver/master/charts",
        },
        values: {
            // Required for the secretObjects block below to take effect. Leave it disabled
            // unless a consumer really needs a Kubernetes Secret: syncing copies the secret
            // back into etcd, which mounting it via CSI was meant to avoid.
            syncSecret: { enabled: true },
        },
    }, { dependsOn: namespace });

    // Create a SecretProviderClass resource which specifies how the secrets should be retrieved.
    // It must live in the same namespace as the pods that mount it, so for real workloads
    // create it in the application namespace rather than in the driver's namespace.
    const secretProviderClass = new k8s.apiextensions.CustomResource("my-secret-provider-class", {
        apiVersion: "secrets-store.csi.x-k8s.io/v1alpha1", // Driver 1.0 and later serve this as secrets-store.csi.x-k8s.io/v1.
        kind: "SecretProviderClass",
        metadata: {
            name: "my-provider",
            namespace: namespace.metadata.name,
        },
        spec: {
            provider: "azure", // Replace with your provider, e.g. azure, gcp, aws, or vault.
            // Optional: mirror the mounted files into a Kubernetes Secret named my-k8s-secret.
            // objectName must match an object requested in the provider parameters.
            secretObjects: [{
                secretName: "my-k8s-secret",
                type: "Opaque",
                data: [{
                    objectName: "my-secret",
                    key: "username",
                }, {
                    objectName: "my-secret",
                    key: "password",
                }],
            }],
            // Provider-specific parameters go here (which store, which objects, how to
            // authenticate); without them the provider plugin has nothing to fetch.
        },
    }, { dependsOn: [csiSecretsStoreDriver, namespace] });

    export const secretProviderClassName = secretProviderClass.metadata.name;

    Explanation:

    • We begin by importing the necessary Pulumi Kubernetes package.
    • A dedicated namespace csi-secrets-store is created to organize all resources related to the CSI driver.
    • The CSI driver is deployed using a Helm chart, pinned to chart version 0.0.20. Pin whatever version you have validated; newer driver releases (1.0 and later) serve SecretProviderClass at apiVersion secrets-store.csi.x-k8s.io/v1 rather than v1alpha1. The syncSecret.enabled value is only needed if you use secretObjects, and it re-materializes the secret in etcd, so leave it off unless something actually consumes the Kubernetes Secret.
    • The SecretProviderClass is a critical resource that tells the CSI driver how to retrieve secrets. You'll need to set spec.provider and the provider-specific spec.parameters according to your secrets provider (like Azure Key Vault, Google Secret Manager, AWS Secrets Manager, or HashiCorp Vault), and the class has to be in the same namespace as the pods that mount it.
    • Lastly, we're exporting the name of the SecretProviderClass that you could use elsewhere or obtain from the Pulumi stack outputs.
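    The Pulumi program above creates the SecretProviderClass but no workload ever mounts it. The following is an added example, not code from the original page or from the secrets-store-csi-driver project: it builds the pod side of the wiring (an inline secrets-store.csi.k8s.io volume mounted read-only) and runs the pre-deployment checks a practitioner wants before handing the objects to Pulumi. It uses plain TypeScript objects in the same shape as the Pulumi resource inputs, so it runs without a cluster or the Pulumi SDK. The namespace "apps", the image "example.com/app:1.0", the mount path and the keyvaultName parameter value are assumptions.

```typescript
// Added example; not the page's or the project's code. Models the SecretProviderClass and the
// Pod that mounts it as plain objects (same shape as Pulumi's resource inputs) and lints them.
// Assumed values: namespace "apps", image "example.com/app:1.0", mount path, keyvaultName.

export const SECRETS_STORE_CSI_DRIVER = "secrets-store.csi.k8s.io";

export interface SecretProviderClass {
  apiVersion: string;
  kind: "SecretProviderClass";
  metadata: { name: string; namespace: string };
  spec: {
    provider: string;
    parameters?: Record<string, string>;
    secretObjects?: { secretName: string; type: string; data: { objectName: string; key: string }[] }[];
  };
}

export interface PodVolume {
  name: string;
  csi?: { driver: string; readOnly?: boolean; volumeAttributes?: Record<string, string> };
}

export interface PodSpec {
  metadata: { namespace: string };
  volumes: PodVolume[];
  containers: { name: string; image: string; volumeMounts: { name: string; mountPath: string; readOnly?: boolean }[] }[];
}

/** Pod side of the wiring: an inline CSI volume naming the SecretProviderClass, mounted read-only. */
export function podSpecFor(spc: SecretProviderClass, image: string, mountPath = "/mnt/secrets-store"): PodSpec {
  return {
    metadata: { namespace: spc.metadata.namespace }, // must match the class's namespace
    volumes: [{
      name: "secrets-store",
      csi: {
        driver: SECRETS_STORE_CSI_DRIVER,
        readOnly: true, // the driver only supports read-only mounts
        volumeAttributes: { secretProviderClass: spc.metadata.name },
      },
    }],
    containers: [{
      name: "app",
      image,
      volumeMounts: [{ name: "secrets-store", mountPath, readOnly: true }],
    }],
  };
}

export interface LintResult { errors: string[]; warnings: string[] }

/** Catches the mistakes that otherwise only surface at mount time (pod stuck in ContainerCreating). */
export function lintSecretsWiring(spc: SecretProviderClass, pod: PodSpec, syncSecretEnabled: boolean): LintResult {
  const errors: string[] = [];
  const warnings: string[] = [];

  if (!spc.spec.parameters || Object.keys(spc.spec.parameters).length === 0) {
    errors.push("spec.parameters is empty: the provider plugin needs it to know which store and objects to fetch");
  }
  if (spc.spec.secretObjects && spc.spec.secretObjects.length > 0) {
    if (!syncSecretEnabled) {
      errors.push("secretObjects is set but the driver was installed without syncSecret.enabled=true: no Kubernetes Secret will be created");
    } else {
      warnings.push("secretObjects copies the mounted secret into a Kubernetes Secret (etcd); drop it unless a consumer needs a Secret");
    }
  }
  if (pod.metadata.namespace !== spc.metadata.namespace) {
    errors.push(`pod namespace ${pod.metadata.namespace} differs from SecretProviderClass namespace ${spc.metadata.namespace}`);
  }

  const csiVolumes = pod.volumes.filter(v => v.csi?.driver === SECRETS_STORE_CSI_DRIVER);
  if (!csiVolumes.some(v => v.csi?.volumeAttributes?.secretProviderClass === spc.metadata.name)) {
    errors.push(`no volume references SecretProviderClass ${spc.metadata.name}; the class mounts nothing on its own`);
  }
  for (const v of csiVolumes) {
    if (v.csi?.readOnly !== true) {
      errors.push(`volume ${v.name}: csi.readOnly must be true, the driver only supports read-only mounts`);
    }
    for (const c of pod.containers) {
      for (const vm of c.volumeMounts.filter(x => x.name === v.name)) {
        if (vm.readOnly !== true) warnings.push(`container ${c.name}: mount ${vm.mountPath} of ${v.name} should be readOnly`);
      }
    }
  }
  return { errors, warnings };
}

// Constructed sample: the page's class moved into the workload namespace and given parameters.
export const exampleClass: SecretProviderClass = {
  apiVersion: "secrets-store.csi.x-k8s.io/v1",
  kind: "SecretProviderClass",
  metadata: { name: "my-provider", namespace: "apps" },
  spec: { provider: "azure", parameters: { keyvaultName: "example-kv" } }, // assumed value
};
export const examplePod = podSpecFor(exampleClass, "example.com/app:1.0");
```

    Run lintSecretsWiring on the class and pod before `pulumi up`; an empty errors list for exampleClass/examplePod is the expected result, while the page's own class (no parameters, secretObjects set, living in the driver's namespace) trips three of the checks.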

    This is a general layout to get you started. You will need to adjust details based on your specific environment, secrets provider configurations, and values for secrets you desire to manage. Always refer to the official secrets-store-csi-driver documentation for specific details about deploying and configuring the CSI driver and SecretProviderClass for your chosen secrets management platform.