
How do I deploy a Kubernetes secrets-store.csi.x-k8s.io secretproviderclass with Pulumi?

In this guide, we will deploy a Kubernetes SecretProviderClass using Pulumi. SecretProviderClass is a custom resource definition (CRD) provided by the secrets-store.csi.x-k8s.io CSI driver, which allows you to mount secrets, keys, and certificates stored in external secret stores into Kubernetes pods.

Steps:

  1. Install Pulumi and configure your Kubernetes provider: Ensure you have Pulumi installed and configured to work with your Kubernetes cluster.
  2. Define the SecretProviderClass resource: Create a new Pulumi program that defines the SecretProviderClass resource with the necessary specifications.

Key Points:

  • We will use the Pulumi Kubernetes provider to create the SecretProviderClass.
  • The SecretProviderClass will be configured to pull secrets from an external secret store.

Pulumi Program

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the SecretProviderClass resource
const secretProviderClass = new k8s.apiextensions.CustomResource("example-secretproviderclass", {
    apiVersion: "secrets-store.csi.x-k8s.io/v1",
    kind: "SecretProviderClass",
    metadata: {
        name: "example-secretproviderclass",
        namespace: "default",
    },
    spec: {
        provider: "azure", // Specify the provider (e.g., azure, aws, gcp)
        parameters: {
            // Pod-managed identity (AAD Pod Identity) is the identity method used here;
            // the driver also supports workload identity (clientID) and VM managed identity.
            usePodIdentity: "true",
            keyvaultName: "my-keyvault",    // Key Vault the driver reads from
            cloudName: "AzurePublicCloud",  // Azure cloud environment
            // YAML list of Key Vault objects to mount; an empty objectVersion
            // means "latest". Each item is a YAML block scalar ("- |").
            objects: `
              array:
                - |
                  objectName: secret1
                  objectType: secret
                  objectVersion: ""
                - |
                  objectName: key1
                  objectType: key
                  objectVersion: ""
                - |
                  objectName: cert1
                  objectType: cert
                  objectVersion: ""
            `,
            tenantId: "your-tenant-id",     // Azure AD tenant that owns the Key Vault
        },
    },
});

// Export the name of the SecretProviderClass
export const secretProviderClassName = secretProviderClass.metadata.name;

Explanation:

  • Importing Modules: We start by importing the necessary Pulumi and Kubernetes modules.
  • Defining SecretProviderClass: The SecretProviderClass resource is defined using k8s.apiextensions.CustomResource. This allows us to specify the provider and parameters needed to fetch secrets from an external secret store (in this case, Azure Key Vault).
  • Parameters: The parameters section includes details such as the Key Vault name, tenant ID, and the objects (secrets, keys, certs) to be pulled from the Key Vault.
  • Exporting Resource Name: Finally, we export the name of the SecretProviderClass for reference.
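A SecretProviderClass on its own mounts nothing; a pod has to reference it through a CSI volume. The following is an added example, not part of the original answer: plain TypeScript that builds the provider's objects parameter from a typed list and the matching pod volume and mount, so both can be checked before being passed to k8s.apiextensions.CustomResource and k8s.core.v1.Pod. The volume and mount names and the mount path are assumptions.

```typescript
// Added example (not from the original answer). Builds the argument objects
// that the Pulumi resources take; no Pulumi import is needed for that.

type ObjectType = "secret" | "key" | "cert";

interface KeyVaultObject {
  objectName: string;
  objectType: ObjectType;
  objectVersion?: string;  // empty string means "latest version"
  objectAlias?: string;    // file name under the mount; defaults to objectName
}

const VALID_TYPES: ReadonlySet<string> = new Set(["secret", "key", "cert"]);

// Render the YAML the Azure provider expects in parameters.objects.
// Rejects unknown object types and names outside Key Vault's allowed charset
// so a typo fails at `pulumi up` rather than at pod start.
function buildObjectsParameter(objects: KeyVaultObject[]): string {
  if (objects.length === 0) throw new Error("at least one object is required");
  const items = objects.map(o => {
    if (!VALID_TYPES.has(o.objectType)) throw new Error(`bad objectType: ${o.objectType}`);
    if (!/^[A-Za-z0-9-]{1,127}$/.test(o.objectName)) throw new Error(`bad objectName: ${o.objectName}`);
    const lines = [
      `objectName: ${o.objectName}`,
      `objectType: ${o.objectType}`,
      `objectVersion: "${o.objectVersion ?? ""}"`,
    ];
    if (o.objectAlias) lines.push(`objectAlias: ${o.objectAlias}`);
    return "  - |\n" + lines.map(l => "    " + l).join("\n");
  });
  return "array:\n" + items.join("\n") + "\n";
}

// Pod volume and mount that reference the SecretProviderClass by name.
// Note the driver name differs from the CRD's API group, and the driver only
// supports read-only mounts. Volume name and mount path are assumptions.
function csiVolumeFor(spcName: string, volumeName = "secrets-store") {
  return {
    volume: {
      name: volumeName,
      csi: {
        driver: "secrets-store.csi.k8s.io",
        readOnly: true,
        volumeAttributes: { secretProviderClass: spcName },
      },
    },
    mount: { name: volumeName, mountPath: "/mnt/secrets-store", readOnly: true },
  };
}
```

In the Pulumi program, pass buildObjectsParameter(...) as spec.parameters.objects and spread csiVolumeFor(...).volume into the pod's volumes and .mount into the container's volumeMounts.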

Conclusion:

In this guide, we have successfully defined and deployed a Kubernetes SecretProviderClass using Pulumi. This allows Kubernetes pods to securely mount secrets from an external secret store, enhancing the security and management of sensitive data within your Kubernetes cluster.
