
Pulumi ESC Integration with the Kubernetes Secrets Store CSI Driver

    Overview

    Secrets Store CSI Driver is a Kubernetes project that allows you to mount secrets stored in external secret management systems into your Kubernetes pods. By using the Secrets Store CSI Driver, you can:

    • Store and manage sensitive data in an external service outside the Kubernetes cluster, which leads to better security and compliance.
    • Use the same driver to manage secrets and configuration from different sources.
    • Take advantage of advanced features of the secret provider, such as encryption of data at rest and scenarios like secret rotation.
    • Mount Pulumi ESC secrets directly into your Kubernetes pods without using Kubernetes-native secrets.

    Authentication

    Pulumi Access Tokens are recommended to access Pulumi ESC.

    Installation

    Install the Secrets Store CSI Driver using Helm:

    helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
    helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system
    

    Running the above helm install command will install the Secrets Store CSI Driver on Linux nodes in the kube-system namespace.

    Install the Pulumi ESC provider for the Secrets Store CSI Driver using Helm:

    helm install pulumi-esc-csi-provider oci://ghcr.io/pulumi/helm-charts/pulumi-esc-csi-provider --version 0.1.5 --namespace kube-system
    

    After a few seconds, the pulumi-esc-csi-provider should be running.

    Creating a SecretProviderClass

    Configuration is passed to the Pulumi ESC provider through the spec.parameters field of a SecretProviderClass.

    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: example-provider-pulumi-esc
      namespace: default
    spec:
      provider: pulumi
      parameters:
        apiUrl: https://api.pulumi.com/api/esc
        organization: <NAME_OF_THE_ORGANIZATION>
        project: <NAME_OF_THE_PROJECT>
        environment: <NAME_OF_THE_ENVIRONMENT>
        authSecretName: <NAME_OF_KUBE_SECRET_WITH_ACCESS_TOKEN>
        authSecretNamespace: <NAMESPACE_OF_KUBE_SECRET>
        secrets: |
          - secretPath: "<SECRET_PATH>"
            fileName: "<FILE_NAME>"
            secretKey: <PULUMI_PATH_SYNTAX>      
    

    See the SecretProviderClass configuration table for additional customization options.

    Note: secretKey does not follow the JSON Path syntax, but rather the Pulumi path syntax.

    SecretProviderClass

    The following table lists the configurable parameters on the Pulumi ESC provider's SecretProviderClass instances.

    Field                                 Description                                                          Example
    spec.parameters.apiUrl                Pulumi API URL                                                       https://api.pulumi.com/api/esc
    spec.parameters.organization          Pulumi organization name                                             my-org
    spec.parameters.project               Pulumi project name                                                  my-project
    spec.parameters.environment           Pulumi environment name                                              my-env
    spec.parameters.authSecretName        Name of the Kubernetes secret containing the Pulumi access token     pulumi-esc-access-token
    spec.parameters.authSecretNamespace   Namespace of the Kubernetes secret containing the Pulumi access token default
    spec.parameters.secrets               List of secrets to retrieve from Pulumi ESC                          - secretPath: "/" fileName: "my-secret-file" secretKey: "root.nested"

    Examples of Pulumi path syntax for secretKey

    • root
    • root.nested
    • root["nested"]
    • root.double.nest
    • root["double"].nest
    • root["double"]["nest"]
    • root.array[0]
    • root.array[100]
    • root.array[0].nested
    • root.array[0][1].nested
    • root.nested.array[0].double[1]
    • root["key with \"escaped\" quotes"]
    • root["key with a ."]
    • ["root key with \"escaped\" quotes"].nested
    • ["root key with a ."][100]
    • root.array[*].field
    • root.array["*"].field
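    As an added illustration of the Pulumi path syntax that secretKey uses (example code written for this page, not code from the pulumi-esc-csi-provider project), the following parses a path into its keys and resolves it against a constructed sample environment document. The treatment of the [*] wildcard and the error behaviour are assumptions about the syntax, not taken from the provider.

```python
WILDCARD = object()  # sentinel for the [*] array wildcard in a parsed path

def parse_path(path: str) -> list:
    """Split e.g. 'root["a b"].c[0]' into ['root', 'a b', 'c', 0]."""
    keys, i, n = [], 0, len(path)
    while i < n:
        if path[i] == ".":
            i += 1
        elif path[i] == "[":
            i += 1
            if i < n and path[i] == '"':      # quoted key; backslash escapes the next char
                i, buf = i + 1, []
                while i < n and path[i] != '"':
                    if path[i] == "\\" and i + 1 < n:
                        i += 1
                    buf.append(path[i])
                    i += 1
                keys.append("".join(buf))
                i += 1                        # step over the closing quote
            else:                             # integer index or the * wildcard
                end = path.find("]", i)
                if end == -1:
                    raise ValueError(f"missing ']' in {path!r}")
                token = path[i:end]
                keys.append(WILDCARD if token == "*" else int(token))
                i = end
            if path[i:i + 1] != "]":
                raise ValueError(f"expected ']' in {path!r}")
            i += 1
        else:                                 # bare identifier, ends at '.' or '['
            start = i
            while i < n and path[i] not in ".[":
                i += 1
            keys.append(path[start:i])
    return keys

def resolve(doc, path: str):
    """Value that secretKey=path selects; [*] yields one entry per array element."""
    def walk(node, keys):
        if not keys:
            return node
        head, rest = keys[0], keys[1:]
        if head is WILDCARD:
            return [walk(item, rest) for item in node]
        return walk(node[head], rest)  # KeyError/IndexError/TypeError if the path is absent
    return walk(doc, parse_path(path))

SAMPLE_ENV = {"db": {"password": "example-pw", "hosts": ["db-0", "db-1"]},  # constructed data
              "key with a .": "dotted",
              "services": [{"name": "api", "port": 8080}, {"name": "web", "port": 80}]}
```

Note that root.array[*].field selects every element, while root.array["*"].field selects the literal key "*", so the two spellings in the list above are not interchangeable.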