1. Kubernetes Dynamic Environment Variables from 1Password Secrets.


    Creating a dynamic environment for a Kubernetes application which sources its configuration from secrets managed in 1Password involves a few steps. We will achieve this by deploying a Kubernetes Secret resource and a Deployment that consumes environment variables from this secret.

    Here's an outline of the tasks we will accomplish in the Pulumi program:

    1. Create a Kubernetes Secret: This resource will hold the sensitive data from 1Password. You'll need to have a way to pull your secrets from 1Password and populate them into the Secret resource.

    2. Create a Kubernetes Deployment: The deployment will reference the secret for setting its environment variables. We'll define a container spec that includes environment variables sourced from the secret.

    3. Mount the Secret: The environment variables will be mounted by referencing the secret key within the secret resource inside the container definition.

    Please note that Pulumi does not currently have a native integration for 1Password. Therefore, you would need to use an external script or process to fetch the secrets from 1Password and make them available to the Pulumi program (for example, using environment variables or a file). For the purposes of this walk-through, I'll show you how to create a Kubernetes secret resource with dummy data that you should replace with your actual secrets.

    Below is the Pulumi program in Python that accomplishes these steps:

    import pulumi import pulumi_kubernetes as k8s # Assuming you have fetched secrets from 1Password and available as environment variables # Replace 'dummy-secret' with your actual secret value db_password = 'dummy-secret' # Define the Kubernetes Secret resource secret = k8s.core.v1.Secret( "db-secret", metadata={"name": "db-secret"}, # Secrets data must be base64 encoded in Kubernetes. # Pulumi automatically encodes the string, so you can just provide the raw value. string_data={ "DATABASE_PASSWORD": db_password, } ) # Define the Kubernetes Deployment, referencing the Secret for an environment variable deployment = k8s.apps.v1.Deployment( "app-deployment", metadata={"name": "app"}, spec={ "selector": {"matchLabels": {"app": "backend"}}, "replicas": 1, "template": { "metadata": {"labels": {"app": "backend"}}, "spec": { "containers": [{ "name": "backend-container", "image": "your-backend-image:latest", # Replace with your actual container image # Define environment variables here using the secretKeyRef "env": [{ "name": "DATABASE_PASSWORD", "valueFrom": { "secretKeyRef": { "name": secret.metadata["name"], "key": "DATABASE_PASSWORD", }, }, }], }], }, }, } ) # Make the deployment accessible by exporting the frontend service endpoint pulumi.export('app_endpoint', deployment.metadata['name'])

    In this program:

    • A Kubernetes Secret named db-secret is created which holds the sensitive database password.
    • A Kubernetes Deployment named app-deployment is created with one replica. This deployment contains a container that references the DATABASE_PASSWORD environment variable from the db-secret secret.
    • The sensitive information is not exposed directly in the deployment manifest, and Kubernetes will handle injecting the correct environment variable into the pod based on the secret's data.
    • The Pulumi export function allows us to output the deployment name, which can be helpful for further operations, such as getting logs or describing pods.

    Do remember to replace 'dummy-secret' and 'your-backend-image:latest' with the actual secret from 1Password and the container image for your backend application.

    Note: This program assumes that you have already authenticated with your Kubernetes cluster and that the Pulumi CLI is set up to deploy resources.

    For more details: