1. Answers
  2. Mounting external secrets into Kubernetes pods

How do I mount external secrets into Kubernetes pods?

To mount external secrets into Kubernetes pods using Pulumi, you can use Kubernetes Secret and ConfigMap resources. These resources allow you to manage sensitive data and configuration data, respectively, and inject them into your Kubernetes pods.

Here’s a step-by-step guide on how to do this with Pulumi:

  1. Create a Kubernetes Secret: This will store the sensitive data.
  2. Create a Kubernetes ConfigMap: This will store configuration data.
  3. Create a Kubernetes Pod: This pod will mount the secret and config map as volumes.

Explanation

  1. Kubernetes Secret: Secrets are intended to hold sensitive information, such as passwords, OAuth tokens, and ssh keys. You can create a secret using Pulumi and then mount it into a pod.

  2. Kubernetes ConfigMap: ConfigMaps are used to store non-confidential data in key-value pairs. You can create a ConfigMap using Pulumi and mount it into a pod.

  3. Kubernetes Pod: The pod will be configured to use the secret and config map as volumes. This allows the application running in the pod to access the sensitive data and configuration data.

Code

Below is the TypeScript code to achieve this using Pulumi:

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Create a Kubernetes Secret
const mySecret = new k8s.core.v1.Secret("my-secret", {
    metadata: { name: "my-secret" },
    stringData: {
        "username": "admin",
        "password": "s3cr3t",
    },
});

// Create a Kubernetes ConfigMap
const myConfigMap = new k8s.core.v1.ConfigMap("my-configmap", {
    metadata: { name: "my-configmap" },
    data: {
        "configKey": "configValue",
    },
});

// Create a Kubernetes Pod that mounts the Secret and ConfigMap
const myPod = new k8s.core.v1.Pod("my-pod", {
    metadata: { name: "my-pod" },
    spec: {
        containers: [{
            name: "my-container",
            image: "nginx",
            volumeMounts: [
                {
                    name: "secret-volume",
                    mountPath: "/etc/secret",
                },
                {
                    name: "configmap-volume",
                    mountPath: "/etc/configmap",
                },
            ],
        }],
        volumes: [
            {
                name: "secret-volume",
                secret: {
                    secretName: "my-secret",
                },
            },
            {
                name: "configmap-volume",
                configMap: {
                    name: "my-configmap",
                },
            },
        ],
    },
});

// Export the pod name and namespace
export const podName = myPod.metadata.name;
export const podNamespace = myPod.metadata.namespace;

Detailed Explanation

  1. Creating the Secret:

    • k8s.core.v1.Secret: This resource creates a Kubernetes Secret.
    • metadata: Specifies the name of the secret.
    • stringData: Contains the key-value pairs for the secret data.
  2. Creating the ConfigMap:

    • k8s.core.v1.ConfigMap: This resource creates a Kubernetes ConfigMap.
    • metadata: Specifies the name of the config map.
    • data: Contains the key-value pairs for the configuration data.
  3. Creating the Pod:

    • k8s.core.v1.Pod: This resource creates a Kubernetes Pod.
    • metadata: Specifies the name of the pod.
    • spec.containers: Defines the containers within the pod.
    • volumeMounts: Specifies the volumes to mount into the container.
    • volumes: Defines the sources of the volumes (Secret and ConfigMap).

This code will create a Kubernetes Secret and ConfigMap, and then create a Pod that mounts these resources as volumes. The application running in the pod can then access the sensitive data and configuration data from the mounted paths.

Deploy this code

Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.

Sign up

New to Pulumi?

Want to deploy this code? Sign up with Pulumi to deploy in a few clicks.

Sign up