How do I deploy a Kubernetes secrets-store.csi.x-k8s.io secretproviderclass with Pulumi?
In this guide, we will deploy a Kubernetes SecretProviderClass using Pulumi. SecretProviderClass is a custom resource definition (CRD) provided by the secrets-store.csi.x-k8s.io CSI driver, which allows you to mount secrets, keys, and certificates stored in external secret stores into Kubernetes pods.
Steps:
- Install Pulumi and configure your Kubernetes provider: Ensure you have Pulumi installed and configured to work with your Kubernetes cluster.
- Define the SecretProviderClass resource: Create a new Pulumi program that defines the SecretProviderClass resource with the necessary specifications.
Key Points:
- We will use the Pulumi Kubernetes provider to create the SecretProviderClass.
- The SecretProviderClass will be configured to pull secrets from an external secret store.
Pulumi Program

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the SecretProviderClass resource. It is a CRD, so it is created through the
// generic CustomResource rather than a typed resource class.
const secretProviderClass = new k8s.apiextensions.CustomResource("example-secretproviderclass", {
    apiVersion: "secrets-store.csi.x-k8s.io/v1",
    kind: "SecretProviderClass",
    metadata: {
        name: "example-secretproviderclass",
        namespace: "default",
    },
    spec: {
        provider: "azure", // Specify the provider (e.g., azure, aws, gcp)
        parameters: {
            usePodIdentity: "true",
            keyvaultName: "my-keyvault",
            cloudName: "AzurePublicCloud",
            // The Azure provider expects `objects` as a YAML string: a top-level `array`
            // whose entries are block scalars, each describing one Key Vault object.
            objects: `
array:
  - |
    objectName: secret1
    objectType: secret
    objectVersion: ""
  - |
    objectName: key1
    objectType: key
    objectVersion: ""
  - |
    objectName: cert1
    objectType: cert
    objectVersion: ""
`,
            tenantId: "your-tenant-id",
        },
    },
});

// Export the name of the SecretProviderClass
export const secretProviderClassName = secretProviderClass.metadata.name;
```
Explanation:
- Importing Modules: We start by importing the necessary Pulumi and Kubernetes modules.
- Defining SecretProviderClass: The SecretProviderClass resource is defined using k8s.apiextensions.CustomResource. This allows us to specify the provider and parameters needed to fetch secrets from an external secret store (in this case, Azure Key Vault).
- Parameters: The parameters section includes details such as the Key Vault name, tenant ID, and the objects (secrets, keys, certs) to be pulled from the Key Vault.
- Exporting Resource Name: Finally, we export the name of the SecretProviderClass for reference.
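The program above creates the SecretProviderClass but does not show the pod side. As an added example (not code from the original page or from Pulumi), the plain-TypeScript helpers below build the Azure `objects` parameter from a typed list, validating each object name, and produce the pod spec that mounts the SecretProviderClass through the CSI driver; they import nothing from Pulumi so they run stand-alone, and the container name, image and mount path are assumed placeholders.

```typescript
// Added example (not the page's code): Azure `objects` parameter + pod-side CSI volume.
type KeyVaultObject = {
    objectName: string;
    objectType: "secret" | "key" | "cert";
    objectVersion?: string; // empty string means "latest version"
};

// Key Vault object names are alphanumeric plus dashes; rejecting anything else
// also keeps the YAML string assembled below well-formed.
const KEYVAULT_NAME = /^[A-Za-z0-9-]{1,127}$/;

// Render `objects` in the shape the Azure provider parses: a top-level `array`
// whose entries are block scalars holding one object each.
function renderObjects(objects: KeyVaultObject[]): string {
    if (objects.length === 0) {
        throw new Error("SecretProviderClass needs at least one object");
    }
    const entries = objects.map((o) => {
        if (!KEYVAULT_NAME.test(o.objectName)) {
            throw new Error(`invalid Key Vault object name: ${o.objectName}`);
        }
        return [
            "  - |",
            `    objectName: ${o.objectName}`,
            `    objectType: ${o.objectType}`,
            `    objectVersion: "${o.objectVersion ?? ""}"`,
        ].join("\n");
    });
    return ["array:", ...entries].join("\n") + "\n";
}

// Pod spec that mounts the SecretProviderClass. The volume driver is
// `secrets-store.csi.k8s.io` (not the CRD's `x-k8s.io` API group) and the CSI
// volume must be read-only. Image and mount path are assumed placeholders.
function csiPodSpec(secretProviderClass: string, mountPath = "/mnt/secrets-store") {
    return {
        containers: [{
            name: "app",
            image: "nginx:1.25",
            volumeMounts: [{ name: "secrets-store", mountPath, readOnly: true }],
        }],
        volumes: [{
            name: "secrets-store",
            csi: {
                driver: "secrets-store.csi.k8s.io",
                readOnly: true,
                volumeAttributes: { secretProviderClass },
            },
        }],
    };
}
```

In the Pulumi program, `renderObjects(...)` replaces the hand-written `objects` string and `csiPodSpec("example-secretproviderclass")` is passed as `spec` to `new k8s.core.v1.Pod(...)` in the same namespace as the SecretProviderClass.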
Conclusion:
In this guide, we have successfully defined and deployed a Kubernetes SecretProviderClass using Pulumi. This allows Kubernetes pods to securely mount secrets from an external secret store, enhancing the security and management of sensitive data within your Kubernetes cluster.