# yaml
s
I'm fetching some secrets that are returned as JSON, yet they're classed somewhere as a string. I get this error:
Error: kubernetes:core/v1:Secret is not assignable from {type: string, metadata: {name: string, namespace: string}, data: string}
      on Pulumi.yaml line 537:
     537:         ${dockerHubCredentials}
    Cannot assign '{type: string, metadata: {name: string, namespace: string}, data: string}' to 'kubernetes:core/v1:Secret':
      data: Cannot assign type 'string' to type 'Map<string>'
# Pulumi.yaml #
variables:
  dockerHubCredentials:
    Fn::Invoke:
      Function: gcp:secretmanager/getSecretVersion:getSecretVersion
      Arguments:
        secret: k8s_global_dockerhub-regcred
        project: myproj
      Return: secretData

resources:
  regcred:
    type: kubernetes:core/v1:Secret
    properties:
      type: kubernetes.io/dockerconfigjson
      metadata:
        name: regcred
        namespace: some-ns
      data:
        ${dockerHubCredentials}

outputs:
  debugRegCred: ${dockerHubCredentials}
# Return #
Outputs:
debugRegCred: {".dockerconfigjson": "my-base64-encoded-config"}
b
I think you need to set a key name:
data:
  something: ${dockerHubCredentials}
s
yea, that's in the json return. looking to leverage this for secrets that have 20+ key/value pairs. If I drop in the JSON in place of the variable ${dockerHubCredentials}, it works. The pulumi up return recognizes it as a JSON:
Outputs:
    debugDeployment: "stage"
    debugDomain    : "example.com"
    debugRegCred   : (json) {
        .dockerconfigjson: "my-base64-encoded-config"
    }

    helmDeploy     : "foo/bar"
    k8s            : "10.10.10.10"
this is a work-around to kubernetes:yaml:ConfigFile not being available yet
if I could ingest the raw secrets def, that would work too
(but set the variable from the return of getSecretVersion)
b
I think it would be better to remove the .dockerconfigjson part from the retrieved secret, and only have it return the secret itself, then you can do
.dockerconfigjson: ${dockerHubCredentials}
it’s going to be tricky to manage if you’re trying to split strings and such like in the YAML config
s
eh, was afraid of that. we have hundreds of secrets though across multiple namespaces per deployment. was trying to consolidate this down to 1 config per NS