I'm working on bootstrapping a cluster, and I noticed that when I create a

kubernetes.Provider

with an inline

kubeconfig

string, the string (with cluster access tokens) isn't being treated as a secret. Is there any way to mark this as a secret, so that the cluster's cleartext root credentials aren't available in diffs and the state store?

Yea, I believe this should do it.

const k8sProvider = new k8s.Provider(projectName, {
    kubeconfig: pulumi.secret(kubeconfig), // <-- use pulumi.secret(...)
});

Thanks, that works great! I thought I had tried that earlier and had it fail, but I must have not. 🙂