Hi there. Rightly or wrongly, I'm currently using pulumi to deploy/configure infrastructure (a K8s cluster and the stuff outside of K8s) whilst using Flux to deploy the stuff inside the cluster. For some of the items deployed by flux, they have a secret that is encrypted via sops; one example of this is the object storage creds. What I'd ideally be able to do is have pulumi create and manage the object storage, generate the access/secret on the cloud service, generate the yaml for the Secret and written to a file in the repo, which would in turn be encrypted by sops and, once committed, would be applied by flux. Other "secret" values could of course come from secrets in the pulumi stack but would go through the same pipeline of steps. Is what I've described possible? Does it make sense or am I crazy? 😀
09/01/2022, 2:40 PM
I don’t think you could do this without a “sops” provider for Pulumi
09/01/2022, 7:55 PM
Thanks, that's what I thought might be the case. Is it possible for anyone to write a provider or do they come from pulumi?
09/01/2022, 7:57 PM
you can “bridge” terraform providers, and there’s a sops terraform provider but it doesn’t do the encryption part, just reads the encrypted value. Would that be helpful? I can bridge that for you.
09/01/2022, 8:07 PM
Ok, good to know. It's the encryption bit that sops does that I need. I did wonder about the Command Provider but that only appears to run on create or destroy based on the docs. I.e. if I updated a secret stack config value, I'd ideally want that change to update the appropriate Secret yaml and have it encrypted.