From 42ed12a88c10beb47e4e4b6baa14f57b4ba70a45 Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Mon, 16 Dec 2024 16:04:41 +0100 Subject: [PATCH 1/6] feat: add Secrets Store CSI Driver integration page --- .../esc/integrations/kubernetes/_index.md | 9 +- .../kubernetes/secret-store-csi-driver.md | 109 ++++++++++++++++++ 2 files changed, 114 insertions(+), 4 deletions(-) create mode 100644 content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md diff --git a/content/docs/esc/integrations/kubernetes/_index.md b/content/docs/esc/integrations/kubernetes/_index.md index 6a6278e0b540..27282ead31e7 100644 --- a/content/docs/esc/integrations/kubernetes/_index.md +++ b/content/docs/esc/integrations/kubernetes/_index.md 
@@ -16,7 +16,8 @@ Pulumi ESC's rich metadata and support for popular configuration formats enables To learn how to configure Kubernetes with Pulumi ESC, see the following topics: -| Tool | Description | -|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| -| [Kubernetes](/docs/esc/integrations/kubernetes/kubernetes) | Pulumi ESC integrates with Kubernetes to manage configurations, credentials, and kubeconfig files, with kubectl and helm, and Pulumi Kubernetes provider. | -| [External Secrets Operator (ESO)](/docs/esc/integrations/kubernetes/external-secrets-operator) | Pulumi ESC integrates with the External Secrets Operator (ESO) to manage and deliver secrets in Kubernetes clusters. | | +| Tool | Description | +|---------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Kubernetes](/docs/esc/integrations/kubernetes/kubernetes) | Pulumi ESC integrates with Kubernetes to manage configurations, credentials, and kubeconfig files, with kubectl and helm, and Pulumi Kubernetes provider. | +| [External Secrets Operator (ESO)](/docs/esc/integrations/kubernetes/external-secrets-operator) | Pulumi ESC integrates with the External Secrets Operator (ESO) to manage and deliver secrets in Kubernetes clusters. | | +| [Secrets Store CSI Driver](/docs/esc/integrations/kubernetes/secrets-store-csi-driver) | Pulumi ESC integrates with the Secrets Store CSI driver to mount Pulumi ESC secrets directly into Kubernetes pods. | | 
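Review bot: the new table row links to `/docs/esc/integrations/kubernetes/secrets-store-csi-driver`, but the file this patch creates is `secret-store-csi-driver.md` (singular `secret`), so the link only resolves through the `aliases` entry in the new page's front matter; either rename the file to match the slug used here or link to the canonical path so the index does not depend on an alias. The row also copies the trailing empty cell (`| |`) from the ESO row above it, which gives a two-column table a stray fourth column; drop it on both rows while this table is being edited.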
diff --git a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md new file mode 100644 index 000000000000..81c9887c7fa5 --- /dev/null +++ b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md 
@@ -0,0 +1,109 @@ +--- +title: Secrets Store CSI Driver +title_tag: Integrate with Secrets Store CSI Driver | Pulumi ESC +h1: "Pulumi ESC: Integrate with Secrets Store CSI Driver" +meta_desc: Pulumi ESC integrates with the Secrets Store CSI driver to mount Pulumi ESC secrets directly into Kubernetes pods. +weight: 2 +menu: + esc: + identifier: esc-secrets-store-csi-driver + parent: esc-kubernetes-integrations +aliases: +- /docs/esc/integrations/kubernetes/secrets-store-csi-driver/ +--- + +## Overview + +[Sensitive Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/introduction) is a Kubernetes project that allows you to mount secrets stored in external secret management systems into your Kubernetes pods. By using the Secrets Store CSI Driver, you can: + +- Store and manage sensitive data in an external service outside the Kubernetes cluster, which leads to better security and compliance. +- Use the same driver to manage secrets and configuration from different sources. +- Take advantage of advanced features of the secret provider, such as encryption of data at rest and scenarios like secret rotation. +- Mount Pulumi ESC secrets directly into your Kubernetes pods without using Kubernetes-native secrets. + +## Authentication + +Pulumi [Access Tokens](/docs/pulumi-cloud/access-management/access-tokens/) are recommended to access Pulumi ESC. + +## Installation + +Install the Secrets Store CSI Driver using Helm: + +```bash +helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts +helm install csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --namespace kube-system +``` + +Running the above helm install command will install the Secrets Store CSI Driver on Linux nodes in the kube-system namespace. 
+ +Install the [Pulumi ESC Secret Store CSI Driver](https://github.com/pulumi/pulumi-esc-csi-provider.git) using Helm: + +```bash +helm install pulumi-esc-csi-provider oci://ghcr.io/pulumi/helm-charts/pulumi-esc-csi-provider --version 0.1.5 --namespace kube-system +``` + +After a few seconds, the `pulumi-esc-csi-provider` should be running. + +## Creating a SecretProviderClass + +Configuration is passed to the Pulumi ESC via a [`SecretProviderClass`](https://secrets-store-csi-driver.sigs.k8s.io/concepts#secretproviderclass) through the `spec.parameters` field. + +```yaml +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: example-provider-pulumi-esc + namespace: default +spec: + provider: pulumi + parameters: + apiUrl: https://api.pulumi.com/api/esc + organization: + project: + environment: + authSecretName: + authSecretNamespace: + secrets: | + - secretPath: "" + fileName: "" + secretKey: +``` + +See the [SecretProviderClass configuration](#secretproviderclass) table for additional customization options. + +**Note:** `secretKey` is not following the JSON Path syntax, but rather the Pulumi path syntax. + +### `SecretProviderClass` + +The following table lists the configurable parameters on the Conjur Provider's +`SecretProviderClass` instances. 
+ +| Field | Description | Example | +|---------------------------------------|-----------------------------------------------------------------------|----------------------------------------------------------------------| +| `spec.parameters.apiUrl` | Pulumi API URL | `https://api.pulumi.com/api/esc` | +| `spec.parameters.organization` | Pulumi organization name | `my-org` | +| `spec.parameters.project` | Pulumi project name | `my-project` | +| `spec.parameters.environment` | Pulumi environment name | `my-env` | +| `spec.parameters.authSecretName` | Name of the Kubernetes secret containing the Pulumi access token | `pulumi-esc-access-token` | +| `spec.parameters.authSecretNamespace` | Namespace of the Kubernetes secret containing the Pulumi access token | `default` | +| `spec.parameters.secrets` | List of secrets to retrieve from Pulumi ESC | `- secretPath: "/" fileName: "my-secret-file" secret: "root.nested"` | + +### Examples + +- `root` +- `root.nested` +- `root["nested"]` +- `root.double.nest` +- `root["double"].nest` +- `root["double"]["nest"]` +- `root.array[0]` +- `root.array[100]` +- `root.array[0].nested` +- `root.array[0][1].nested` +- `root.nested.array[0].double[1]` +- `root["key with \"escaped\" quotes"]` +- `root["key with a ."]` +- `["root key with \"escaped\" quotes"].nested` +- `["root key with a ."][100]` +- `root.array[*].field` +- `root.array["*"].field` From a1e66a10fee20e3338be2ad460f74178db655fa0 Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Mon, 16 Dec 2024 18:53:33 +0100 Subject: [PATCH 2/6] Update content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md Co-authored-by: James Denyer --- .../docs/esc/integrations/kubernetes/secret-store-csi-driver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md index 81c9887c7fa5..c0f8d153e55a 100644 
--- a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md +++ b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md @@ -1,7 +1,7 @@ --- title: Secrets Store CSI Driver title_tag: Integrate with Secrets Store CSI Driver | Pulumi ESC -h1: "Pulumi ESC: Integrate with Secrets Store CSI Driver" +h1: "Pulumi ESC Integration with the Kubernetes Secrets Store CSI Driver" meta_desc: Pulumi ESC integrates with the Secrets Store CSI driver to mount Pulumi ESC secrets directly into Kubernetes pods. weight: 2 menu: From b0500586a7e5864e847ce1fe7542d701e4833294 Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Mon, 16 Dec 2024 18:53:41 +0100 Subject: [PATCH 3/6] Update content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md Co-authored-by: James Denyer --- .../docs/esc/integrations/kubernetes/secret-store-csi-driver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md index c0f8d153e55a..6c4f9bb57cca 100644 --- a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md +++ b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md @@ -1,6 +1,6 @@ --- title: Secrets Store CSI Driver -title_tag: Integrate with Secrets Store CSI Driver | Pulumi ESC +title_tag: Integrate with Kubernetes Secrets Store CSI Driver | Pulumi ESC h1: "Pulumi ESC Integration with the Kubernetes Secrets Store CSI Driver" meta_desc: Pulumi ESC integrates with the Secrets Store CSI driver to mount Pulumi ESC secrets directly into Kubernetes pods. weight: 2 From e539896d7ffadeada319cb9b53e849c91549d525 Mon Sep 17 00:00:00 2001 
From: Engin Diri Date: Mon, 16 Dec 2024 18:53:49 +0100 Subject: [PATCH 4/6] Update content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md Co-authored-by: James Denyer --- .../docs/esc/integrations/kubernetes/secret-store-csi-driver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md index 6c4f9bb57cca..9deebe5c7a7f 100644 --- a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md +++ b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md @@ -2,7 +2,7 @@ title: Secrets Store CSI Driver title_tag: Integrate with Kubernetes Secrets Store CSI Driver | Pulumi ESC h1: "Pulumi ESC Integration with the Kubernetes Secrets Store CSI Driver" -meta_desc: Pulumi ESC integrates with the Secrets Store CSI driver to mount Pulumi ESC secrets directly into Kubernetes pods. +meta_desc: Learn how to integrate Pulumi ESC with Kubernetes Secrets Store CSI Driver to securely mount ESC secrets directly into Kubernetes pods and follow K8 security best practices. weight: 2 menu: esc: From f8068f3c35c13b40f293c42d8b0ea56ed15974f8 Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Mon, 16 Dec 2024 18:54:01 +0100 Subject: [PATCH 5/6] Update content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md Co-authored-by: James Denyer --- .../docs/esc/integrations/kubernetes/secret-store-csi-driver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md index 9deebe5c7a7f..02a8b8e34399 100644 --- a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md +++ b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md 
@@ -71,7 +71,7 @@ spec: See the [SecretProviderClass configuration](#secretproviderclass) table for additional customization options. -**Note:** `secretKey` is not following the JSON Path syntax, but rather the Pulumi path syntax. +**Note:** `secretKey` does not follow the JSON Path syntax, but rather the Pulumi path syntax. ### `SecretProviderClass` From fcc65c08caaf846cd1dd3cc34f6de6d82cbdd5de Mon Sep 17 00:00:00 2001 From: Engin Diri Date: Mon, 16 Dec 2024 19:03:46 +0100 Subject: [PATCH 6/6] feat: add Secrets Store CSI Driver integration page --- .../docs/esc/integrations/kubernetes/secret-store-csi-driver.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md index 02a8b8e34399..6806ae00a215 100644 --- a/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md +++ b/content/docs/esc/integrations/kubernetes/secret-store-csi-driver.md @@ -3,6 +3,7 @@ title: Secrets Store CSI Driver title_tag: Integrate with Kubernetes Secrets Store CSI Driver | Pulumi ESC h1: "Pulumi ESC Integration with the Kubernetes Secrets Store CSI Driver" meta_desc: Learn how to integrate Pulumi ESC with Kubernetes Secrets Store CSI Driver to securely mount ESC secrets directly into Kubernetes pods and follow K8 security best practices. +allow_long_title: true weight: 2 menu: esc:
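Review bot: in the new `secret-store-csi-driver.md` hunk of patch 1/6, two copy-paste leftovers need fixing: the Overview link text reads `[Sensitive Store CSI Driver]` where the project is the Secrets Store CSI Driver, and the parameter table is introduced as "the configurable parameters on the Conjur Provider's `SecretProviderClass` instances" where this page documents the Pulumi ESC provider. In the same hunk the parameter table's example for `spec.parameters.secrets` uses `secret: "root.nested"` while the YAML manifest above it and the note below use `secretKey`; align on `secretKey`. The Authentication section points at Pulumi Access Tokens and the manifest references the token through `authSecretName`/`authSecretNamespace`, but nothing on the page shows how that Kubernetes Secret is created or which data key the provider reads it from; add that step under Authentication and state the minimum permissions the token needs, since a single Secret in `kube-system` will serve every `SecretProviderClass` that names it. Two smaller points: "Install the Pulumi ESC Secret Store CSI Driver using Helm" installs the `pulumi-esc-csi-provider` chart, so say "provider" there, and the `### Examples` list has no lead sentence saying these are `secretKey` path expressions.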
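Review bot: the `meta_desc` rewritten in patch 4/6 promises that readers will "follow K8 security best practices", but the page body added in this series contains no best-practices content, and "K8" is not the usual abbreviation (`K8s`, or simply Kubernetes). Either trim the description to what the page actually covers or add the section it advertises.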
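Review bot: patch 6/6 adds `allow_long_title: true` with no explanation, and its commit subject repeats patch 1/6's "feat: add Secrets Store CSI Driver integration page", which makes the series history ambiguous; a subject that names the actual change (allowing the long `h1` introduced in patch 2/6) would be clearer, and the front-matter key deserves a one-line reason in the commit body.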