feat: Master Kubernetes Secrets with Pulumi ESC + Secrets Store CSI D…

…river (#13660)

* feat: Master Kubernetes Secrets with Pulumi ESC + Secrets Store CSI Driver

* feat: Master Kubernetes Secrets with Pulumi ESC + Secrets Store CSI Driver

static/programs/kubernetes-csi-driver-csharp/Program.cs

@@ -0,0 +1,211 @@
+using Pulumi;
+using Pulumi.Kubernetes.Core.V1;
+using Pulumi.Kubernetes.Types.Inputs.Core.V1;
+using Pulumi.Kubernetes.Helm.V3;
+using Pulumi.Kubernetes.Helm;
+using Pulumi.Kubernetes.Types.Inputs.Meta.V1;
+using Pulumi.Kubernetes.ApiExtensions;
+using System.Collections.Generic;
+
+
+
+return await Deployment.RunAsync(() =>
+{
+    var secretsStoreCsiDriver = new Release("secrets-store-csi-driver", new()
+    {
+        Chart = "secrets-store-csi-driver",
+        Namespace = "kube-system",
+        RepositoryOpts = new Pulumi.Kubernetes.Types.Inputs.Helm.V3.RepositoryOptsArgs
+        {
+            Repo = "https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts",
+        },
+        Values = new Dictionary<string, object>
+        {
+            { "nodeSelector", new Dictionary<string, object>
+            {
+                { "kubernetes.io/os", "linux" },
+            } },
+        },
+    });
+
+    var secretsStoreCsiPulumiEscProvider = new Release("secrets-store-csi-pulumi-esc-provider", new()
+    {
+        Chart = "oci://ghcr.io/pulumi/helm-charts/pulumi-esc-csi-provider",
+        Namespace = "kube-system",
+        Values = new Dictionary<string, object>
+        {
+            { "nodeSelector",  new Dictionary<string, object>
+            {
+                { "kubernetes.io/os", "linux" },
+            } },
+        },
+    }, new CustomResourceOptions { DependsOn = { secretsStoreCsiDriver } });
+
+    var config = new Config();
+    var pulumiPAT = config.Require("pulumi-pat");
+
+    var mySecret = new Secret("my-secret", new SecretArgs
+    {
+        Metadata = new ObjectMetaArgs
+        {
+            Namespace = "default",
+            Name = "pulumi-access-token",
+        },
+        StringData =
+        {
+            { "pulumi-access-token", pulumiPAT }
+        },
+        Type = "Opaque",
+    }, new CustomResourceOptions { DependsOn = { secretsStoreCsiPulumiEscProvider } });
+
+    var secretProviderClass = new Pulumi.Kubernetes.ApiExtensions.CustomResource("example-provider-pulumi-esc", new SecretProviderClassArgs
+    {
+        Metadata = new ObjectMetaArgs
+        {
+            Name = "example-provider-pulumi-esc",
+            Namespace = "default",
+        },
+        Spec = new SecretProviderClassSpecArgs
+        {
+            Provider = "pulumi",
+            Parameters = new InputMap<object>
+            {
+                { "apiUrl", "https://api.pulumi.com/api/esc" },
+                { "organization", "dirien" },
+                { "project", "esc-secrets-store-csi-driver-demo" },
+                { "environment", "csi-secrets-store-app" },
+                { "authSecretName", mySecret.Metadata.Apply(metadata => metadata.Name) },
+                { "authSecretNamespace", mySecret.Metadata.Apply(metadata => metadata.Namespace) },
+                { "secrets", "- secretPath: \"/\"\n  fileName: \"hello\"\n  secretKey: \"app.hello\"\n" }
+            },
+        },
+    }, new CustomResourceOptions { DependsOn = { secretsStoreCsiPulumiEscProvider } });
+
+    var deployment = new Pulumi.Kubernetes.Apps.V1.Deployment("example-provider-pulumi-esc", new Pulumi.Kubernetes.Types.Inputs.Apps.V1.DeploymentArgs
+    {
+        Metadata = new ObjectMetaArgs
+        {
+            Name = "example-provider-pulumi-esc",
+            Namespace = "default",
+            Labels =
+            {
+                { "app", "example-provider-pulumi-esc" },
+            },
+        },
+        Spec = new Pulumi.Kubernetes.Types.Inputs.Apps.V1.DeploymentSpecArgs
+        {
+            Replicas = 1,
+            Selector = new Pulumi.Kubernetes.Types.Inputs.Meta.V1.LabelSelectorArgs
+            {
+                MatchLabels =
+                {
+                    { "app", "example-provider-pulumi-esc" },
+                },
+            },
+            Template = new Pulumi.Kubernetes.Types.Inputs.Core.V1.PodTemplateSpecArgs
+            {
+                Metadata = new ObjectMetaArgs
+                {
+                    Labels =
+                    {
+                        { "app", "example-provider-pulumi-esc" },
+                    },
+                },
+                Spec = new Pulumi.Kubernetes.Types.Inputs.Core.V1.PodSpecArgs
+                {
+                    Containers =
+                    {
+                        new Pulumi.Kubernetes.Types.Inputs.Core.V1.ContainerArgs
+                        {
+                            Name = "client",
+                            Image = "busybox:latest",
+                            Command =
+                            {
+                                "sh",
+                                "-c",
+                            },
+                            Args =
+                            {
+                                "set -eux\nls /run/secrets\nfind /run/secrets/ -mindepth 1 -maxdepth 1 -not -name '.*' | xargs -t -I {} sh -c 'echo \"$(cat \"{}\")\"'\ntail -f /dev/null",
+                            },
+                            VolumeMounts =
+                            {
+                                new Pulumi.Kubernetes.Types.Inputs.Core.V1.VolumeMountArgs
+                                {
+                                    Name = "data",
+                                    MountPath = "/run/secrets",
+                                },
+                            },
+                        },
+                    },
+                    Volumes =
+                    {
+                        new Pulumi.Kubernetes.Types.Inputs.Core.V1.VolumeArgs
+                        {
+                            Name = "data",
+                            Csi = new Pulumi.Kubernetes.Types.Inputs.Core.V1.CSIVolumeSourceArgs
+                            {
+                                Driver = "secrets-store.csi.k8s.io",
+                                ReadOnly = true,
+                                VolumeAttributes =
+                                {
+                                    { "secretProviderClass", secretProviderClass.Metadata.Apply(metadata => metadata.Name) },
+                                },
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    }, new CustomResourceOptions { DependsOn = { secretProviderClass } });
+
+    return new Dictionary<string, object?>
+    {
+        { "deploymentName", deployment.Metadata.Apply(metadata => metadata.Name) },
+    };
+});
+
+
+class SecretProviderClassArgs : CustomResourceArgs
+{
+    public SecretProviderClassArgs(): base("secrets-store.csi.x-k8s.io/v1", "SecretProviderClass")
+    {
+    }
+
+    [Input("spec")]
+    public Input<SecretProviderClassSpecArgs>? Spec { get; set; }
+}
+
+
+class SecretProviderClassSpecArgs : ResourceArgs
+{
+    [Input("provider")]
+    public Input<string>? Provider { get; set; }
+
+    [Input("parameters")]
+    public Input<InputMap<object>>? Parameters { get; set; }
+}
+
+class SecretProviderParametersArgs : ResourceArgs
+{
+    [Input("apiUrl")]
+    public Input<string>? ApiUrl { get; set; }
+
+    [Input("organization")]
+    public Input<string>? Organization { get; set; }
+
+    [Input("project")]
+    public Input<string>? Project { get; set; }
+
+    [Input("environment")]
+    public Input<string>? Environment { get; set; }
+
+    [Input("authSecretName")]
+    public Input<string>? AuthSecretName { get; set; }
+
+    [Input("authSecretNamespace")]
+    public Input<string>? AuthSecretNamespace { get; set; }
+
+    [Input("secrets")]
+    public Input<string>? Secrets { get; set; }
+}

static/programs/kubernetes-csi-driver-csharp/Pulumi.yaml

@@ -0,0 +1,7 @@
+name: kubernetes-csi-driver-csharp
+description: Example on how to deploy the Pulumi ESC CSI Provider
+runtime: dotnet
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: kubernetes-csharp

static/programs/kubernetes-csi-driver-csharp/kubernetes-csi-driver-csharp.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Pulumi" Version="3.*" />
+    <PackageReference Include="Pulumi.Kubernetes" Version="4.*" />
+  </ItemGroup>
+
+</Project>

static/programs/kubernetes-csi-driver-go/Pulumi.yaml

@@ -0,0 +1,7 @@
+name: kubernetes-csi-driver-go
+description: Example on how to deploy the Pulumi ESC CSI Provider
+runtime: go
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: kubernetes-go

static/programs/kubernetes-csi-driver-go/go.mod

@@ -0,0 +1,94 @@
+module kubernetes-csi-driver-go
+
+go 1.21
+
+toolchain go1.23.4
+
+require (
+	github.com/pulumi/pulumi-kubernetes/sdk/v4 v4.12.0
+	github.com/pulumi/pulumi/sdk/v3 v3.117.0
+)
+
+require (
+	dario.cat/mergo v1.0.0 // indirect
+	github.com/Microsoft/go-winio v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/charmbracelet/bubbles v0.16.1 // indirect
+	github.com/charmbracelet/bubbletea v0.24.2 // indirect
+	github.com/charmbracelet/lipgloss v0.7.1 // indirect
+	github.com/cheggaaa/pb v1.0.29 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
+	github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/djherbis/times v1.5.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-git/v5 v5.12.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/glog v1.2.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/hcl/v2 v2.17.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/reflow v0.3.0 // indirect
+	github.com/muesli/termenv v0.15.2 // indirect
+	github.com/opentracing/basictracer-go v1.1.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pgavlin/fx v0.1.6 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/term v1.1.0 // indirect
+	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
+	github.com/pulumi/esc v0.6.2 // indirect
+	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rogpeppe/go-internal v1.11.0 // indirect
+	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.0.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
+	github.com/spf13/cobra v1.8.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
+	github.com/tweekmonster/luser v0.0.0-20161003172636-3fa38070dbd7 // indirect
+	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
+	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/zclconf/go-cty v1.13.2 // indirect
+	go.uber.org/atomic v1.9.0 // indirect
+	golang.org/x/crypto v0.23.0 // indirect
+	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
+	golang.org/x/mod v0.14.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
+	golang.org/x/sync v0.6.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/term v0.20.0 // indirect
+	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240311173647-c811ad7063a7 // indirect
+	google.golang.org/grpc v1.63.2 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	lukechampine.com/frand v1.4.2 // indirect
+)